The Chinese database Victor Gevers found online was not just a collection of old personal details.
It was a compilation of real-time data on more than 2.5 million people in western China, updated constantly with GPS coordinates of their precise whereabouts.
Alongside their names, birthdates and places of employment, there were notes on the places that they had most recently visited — mosque, hotel, restaurant.
Photo: AP
The discovery by Gevers, a Dutch cybersecurity researcher who revealed it on Twitter last week, has given a rare glimpse into China’s extensive surveillance of Xinjiang, a remote region home to an ethnic minority population that is largely Muslim.
The area has been blanketed with police checkpoints and security cameras that apparently are doing more than just recording what happens.
The database Gevers found appears to have been recording people’s movements tracked by facial recognition technology, he said, logging more than 6.7 million coordinates in a span of 24 hours.
It illustrates how far China has taken facial recognition — in ways that would raise alarm about privacy concerns in many other countries — and serves as a reminder of how easily technology companies can leave supposedly private records exposed to global snoopers.
Gevers found that SenseNets, a Chinese facial recognition company, had left the database unprotected for months, exposing people’s addresses, government ID numbers and more.
He said that after he informed SenseNets of the leak, the database became inaccessible.
“This system was open to the entire world and anyone had full access to the data,” Gevers said, adding that a system designed to maintain control over individuals could have been “corrupted by a 12-year-old.”
He said it included the coordinates of places where the individuals had recently been spotted by “trackers” — likely to be surveillance cameras. The stream indicated that the data are constantly being updated with information on people’s whereabouts, he said in an interview over a messaging app.
Gevers posted a graph online showing that 54.9 percent of the people in the database were identified as Han Chinese, while 28.3 percent were Uighur and 8.3 percent were Kazakh, both Muslim ethnic minority groups.
A person who answered the phone at SenseNets declined a request for comment.
The Xinjiang regional government did not respond to faxed questions.
Xinjiang, which borders central Asia in China’s far west, has been subject to severe security measures in recent years as part of what the government says has been a successful program to quash extremist and separatist movements.
The US and other countries have condemned the crackdown, in which an estimated 1 million Uighurs, Kazakhs and other Muslim minorities have been detained in internment camps that the government says are vocational training centers designed to rid the region of latent extremism.
Gulzia, an ethnic Kazakh woman who did not want her last name used out of fear of retribution, said that cameras were being installed everywhere, even in cemeteries, in late 2017. Now living across the border in Kazakhstan, she said by telephone on Monday that she had been confined to house arrest in China and taken to a police station, where they photographed her face and eyes, and collected samples of her voice and fingerprints.
“This can be used instead of your ID card to identify you in the future,” she said they told her. “Even if you get into an accident abroad, we’ll recognize you.”
The security clampdown is far heavier in Xinjiang than in most parts of China, though outside analysts and human rights activists have expressed concern that Xinjiang may be a testing ground for techniques that may be creeping into other parts of the country.
Joseph Atick, a pioneer in facial recognition technology, said that facial recognition products can use algorithms to recognize and track people in a crowd, but that privacy regulations in Europe make it much harder to launch a wide-scale application, such as that of SenseNet.
“The technology around the world is becoming uniform and it is just the political climate that is different and leads to different applications,” he said.
According to a company registry, SenseNets was founded in Shenzhen in 2015 and is majority-owned by Beijing-based NetPosa, a tech firm specializing in video surveillance. Its Web site showcases partnerships with police forces in Jiangsu and Sichuan provinces and Shanghai.
A promotional video boasts about SenseNets’ capacity to use facial and body recognition to track people’s precise movements and identify them even in a crowded or chaotic setting. Another video on its Web site shows surveillance cameras zeroing in on the path of a runaway prisoner, who ends up in an ailing relative’s hospital room.
NetPosa’s Web site says it has offices in Boston and Santa Clara, California. The Web site of NetPosa’s US subsidiary touts its products’ use in urban antiterrorism.
In recent years, NetPosa has been buying stakes in US surveillance start-ups, such as security robot maker Knightscope. In 2017, NetPosa tried to buy the now-bankrupt California surveillance camera maker Arecont, but later backed out, court records show.
In 2010 US chipmaker Intel announced a strategic partnership with NetPosa and an Intel subsidiary bought a stake in the company, but NetPosa said in 2015 that Intel had notified the Chinese firm of its intent to divest its 4.44 stake by 2016.
Gevers said his discovery of the database presented an ethical dilemma. He is the cofounder of GDI Foundation, a Netherlands-based nonprofit that finds and informs entities of online security issues.
He has become well-known in recent years for helping to uncover similarly exposed information on databases built with the open source MongoDB database program and left unsecured by their administrators.
GDI generally reports such discoveries to the entity that holds the information. Part of its mission is to remain neutral and not engage in political controversies.
Hours after he revealed his findings on Twitter, Gevers said, he learned that the system might be used to surveil Xinjiang’s Muslim minority groups.
He said that made him “very angry.”
“I could have destroyed that database with one command,” he said. “But I choose not to play judge and executioner. because it is not my place to do so.”
Four people jailed in the landmark Hong Kong national security trial of "47 democrats" accused of conspiracy to commit subversion were freed today after more than four years behind bars, the second group to be released in a month. Among those freed was long-time political and LGBTQ activist Jimmy Sham (岑子杰), who also led one of Hong Kong’s largest pro-democracy groups, the Civil Human Rights Front, which disbanded in 2021. "Let me spend some time with my family," Sham said after arriving at his home in the Kowloon district of Jordan. "I don’t know how to plan ahead because, to me, it feels
Polish presidential candidates offered different visions of Poland and its relations with Ukraine in a televised debate ahead of next week’s run-off, which remains on a knife-edge. During a head-to-head debate lasting two hours, centrist Warsaw Mayor Rafal Trzaskowski, from Polish Prime Minister Donald Tusk’s governing pro-European coalition, faced the Eurosceptic historian Karol Nawrocki, backed by the right-wing populist Law and Justice party (PiS). The two candidates, who qualified for the second round after coming in the top two places in the first vote on Sunday last week, clashed over Poland’s relations with Ukraine, EU policy and the track records of their
‘A THREAT’: Guyanese President Irfan Ali called on Venezuela to follow international court rulings over the region, whose border Guyana says was ratified back in 1899 Misael Zapara said he would vote in Venezuela’s first elections yesterday for the territory of Essequibo, despite living more than 100km away from the oil-rich Guyana-administered region. Both countries lay claim to Essequibo, which makes up two-thirds of Guyana’s territory and is home to 125,000 of its 800,000 citizens. Guyana has administered the region for decades. The centuries-old dispute has intensified since ExxonMobil discovered massive offshore oil deposits a decade ago, giving Guyana the largest crude oil reserves per capita in the world. Venezuela would elect a governor, eight National Assembly deputies and regional councilors in a newly created constituency for the 160,000
North Korea has detained another official over last week’s failed launch of a warship, which damaged the naval destroyer, state media reported yesterday. Pyongyang announced “a serious accident” at Wednesday last week’s launch ceremony, which crushed sections of the bottom of the new destroyer. North Korean leader Kim Jong-un called the mishap a “criminal act caused by absolute carelessness.” Ri Hyong-son, vice department director of the Munitions Industry Department of the Party Central Committee, was summoned and detained on Sunday, the Korean Central News Agency (KCNA) reported. He was “greatly responsible for the occurrence of the serious accident,” it said. Ri is the fourth person
RSS