Professor Christopher Balding.png

Several reports—news media and research, has highlighted the Chinese government’s engagement in data collection at a massive scale across multiple domains, for various purposes—including enhancing State security/surveillance. For a better and in-depth understanding of the China’s tech-enhanced data collection—domestically and internationally; on 16 October 2020, the Vivekananda International Foundation (VIF) organised a virtual discussion with Professor Christopher Balding—an Associate Professor at the Fulbright University Vietnam. The primary focus of the discussion was on the data collection by Chinese government/companies through various means as part of surveillance and the paradox of how information works in China.

In his introductory remarks, Dr Arvind Gupta—Director of the VIF, welcomed Prof Balding and recalled a news report of the Indian Express, about China tracking and collecting the information on around 10,000 Indians who are well-known in their respective areas. Along with P Vaidyanathan Iyer—an investigative journalist at the Indian Express, Prof Balding and other team members stumbled on the massive [surveillance] data collected by the Chinese companies based in Shenzhen, China. Admiring the findings, Dr Gupta emphasised that Prof Balding’s work is an act of service to humanity by revealing how China compromises the privacy of the entire world and their surveillance programmes have many dimensions, including the theft of Intellectual Property (IP) rights.

Background of the Data Leak

Discussing his one of the papers on Huawei, Prof Balding highlighted the data leak which was discovered through open-access databases of one of the biggest job websites in China, by the computer security researchers. The data leak consists of around 40 million Curriculum Vitae or Resumes, mostly of the employees working with Huawei. Through these databases, Prof Balding and his team investigated and analysed the information such as the client information, type of work, or the responsibilities—the Huawei employees were engaged in. China is responsible for approximately 35-40 per cent of open-access databases available worldwide. In the process of investigation, several such databases were procured from different sources in China. Prof Balding informed that the purpose of the investigation was to make other nations aware of China’s malicious behaviour across the range of policy domains and how China had obtained this data through illicit means of surveillance.

The Story of the OKIDB Database

The OKIDB databases (part of data leak) were not restricted to a particular topic but to the range of information, mostly of CCTV, security-related databases, storing measurements of an individual or facial recognition, personal characteristics to score them as a terrorist, and financial databases. Prof Balding confirmed that during his interaction with several government policymakers of different countries, there were no indications that other governments were engaged in similar activities [as Chinese] to understand Chinese behaviour across a range of policy domains.

Based on the confidential information obtained from the OKIDB database, it can be confirmed with a high degree of certainty that several Chinese companies are working for Chinese intelligence and military services. Further, Chinese government operates through these companies along with its specialised units such as Hacking divisions, which have plausible deniability but do have links with China’s Ministry of State Security (MSS) or Guoanbu—an intelligence, security and secret police agency.

The interpretation of the OKIDB databases further revealed that it was facilitated to gain an understanding of human, industrial, and institutional terrains of a targeted country. The focus of Chinese intelligence would be on the individuals or institutions of the interest. Regarding information on Indians, the databases were not a random collection of information, but specifically a group of influential Indians. The collection of data targeting individuals were pattern-wise. The pattern included politicians, techies—from specific technical sectors. As an interesting finding, there are several links or information about the nuclear researchers, or individuals linked with the energy sector or companies with nuclear-related operations. It is not confirmed that if the Chinese companies were given a list of names or some parameters of individuals were assigned for monitoring. The profiles were sorted according to the pre-defined scoring mechanism, ranking and other classifications.

IP Databases

Every nation has relationships with each other’s institutions/establishments, but these governments do not maintain the surveillance database like China. The Intellectual Property (IP) databases are another type which surfaced in this data leak; which consists of the surveillance information of foreign IPs. Along with the Patent information, the databases included information on the company, individuals related to the patent. Chinese government carried out such activity for building valuable resources for its firms.

Chinese Tech-Products: A Concern for India

The Chinese brand smartphones, which are extensively used in India, comes with the “End-User Licence Agreement (EULA)”—having clauses that the data or information is stored in China and will be shared with the Chinese government. Through EULA, the Chinese government has built a surveillance state where all data goes back to the government, with users’ consent. There are massive databases, some of them of 20 Terabytes in size, having call logs, VoIP (Voice over IP) logs, communication records of Indians, obtained under the shadows of the EULA. Prof Balding emphasised that for India, the data collection through surveillance is a serious concern because Indians having Chinese phones are individual data points for the Chinese government.

As a concern, Prof Balding put forward the example of Chinese-based company—Hikvision—the supplier of CCTV or video surveillance equipment. Surprisingly, China’s People’s Liberation Army (PLA) owns Hikvision’s research lab. The retail market of security cameras in India mostly consists of products of Chinese companies, and these companies have close links with China’s security services. The “free data storage” offers by these security camera companies are traps for surveillance purposes. China has “phone batteries monitoring” database of 150 million people, to get geo-location of the phones in the database. Think of any product “Made in China”, it has probably monitored and data stored in China, this is a serious concern regarding national security.

The discussion addressed several key points, such as industrial espionage carried out by the Chinese companies on behest of the government, China’s behaviour of surveillance and data collection. In this regard, the lessons for India would be to strengthen its Cyber Security standards and to work on the issues of data protection and privacy as first countermeasure against China’s data collection.