China has a thriving black market for personal data
Chinese netizens joined people around the world in marvelling that an American journalist could be accidentally invited into a private group chat with senior American national-security officials. But they have also been intrigued by another data leak closer to home. In March the teenage daughter of Xie Guangjun, an executive at Baidu, a tech giant, got into an apparently innocuous online argument over Korean pop music. After the exchanges escalated, she posted some of the private information of her opponents online. Known in English as doxxing, in China it is called kaihe (“opening the box”) or renrou sousuo (“human flesh search”).
The affair caused a stir. Many suspected the girl had gained access to the information through her father, since Baidu has data on hundreds of millions of Chinese people from its search engine and other apps. Mr Xie and Baidu have denied they were involved. But there is a simpler explanation. Any Chinese teenager can dox someone if they put their mind to it, because the country has a thriving black market for personal data.
Trade in data takes place on messaging apps such as Telegram, which are technically banned in China but easily accessible to the tech-savvy. Brokers offer everything from someone’s current mobile-phone location to their online shopping history. “Whether you’re a businessman…a potential father-in-law, or just in love, you can look into your partner, your son-in-law…or the people you’re lending money to,” promises one broker to their 20,000 Telegram subscribers. When contacted by The Economist, they said they could find details of someone’s hukou (a household-registration document), photo and identity-card number for just 600 yuan ($80).
In 2018 Robin Li, Baidu’s boss, claimed that Chinese people were “not that sensitive about privacy. If they are able to exchange privacy for safety, convenience or efficiency, in many cases they are willing.” That may have once been the case, but attitudes are shifting. A survey by Peking University published in 2020 found that Chinese respondents were more concerned about privacy than those in Germany, Japan, Saudi Arabia, Singapore or America.
They have good reasons to worry. Some who have had their data sold simply get hassled by automated texts or phone calls. But others have been put at risk of blackmail or scams. Gangs of fraudsters, often based in South-East Asia, generate much of the demand for Chinese personal data. From January to November last year China charged more than 67,000 people with online and phone fraud, a 60% increase on the previous year.
China’s government is wising up to the threat. In 2021 it passed a law which set strict requirements on companies to limit the collection and sale of personal data. Regulators have since slapped huge fines on tech giants for slip-ups. Didi, a ride-hailing firm, was fined $1.2bn in 2022 for its lax data management. Last year the police claimed to crack 7,000 cases related to the illegal data trade. In some cases employees at law firms, delivery companies and education consultancies had sold their clients’ data to criminal gangs. In others, hackers had extracted the data from mobile apps.
China’s authorities are themselves a big part of the problem. The world’s biggest surveillance state is very good at collecting data on its citizens but bad at keeping such data safe. Examples abound, and the Chinese media have sometimes been bold in covering the issue. In 2020 a public school in Sichuan province, in south-western China, was found to have uploaded photos of its students, along with their names, grades and identity-card numbers, on an unsecured online database in order to train a facial-recognition system. In 2022 a hacker calling themselves “ChinaDan” stole 1bn records of personal information and criminal cases from the Shanghai police. They appear to have lifted the records from another unsecured database.
Corruption is as much an issue as incompetence, notes Rogier Creemers of the University of Leiden in the Netherlands. Reams of data pass through the hands of ill-paid officials, so it is no surprise that much ends up on the market.
In January the government announced an “action plan” that promised to crack down on “the black and grey industries that illegally obtain, sell or provide data”. For the moment Chinese citizens still tend to trust the government with their data (in part because bad news, such as the Shanghai police data leak, is often censored). But if the problems continue, that could change. “At some point people are going to take you at your word,” says Mr Creemers. “If you are in charge of everything, why are you not solving this problem?” ■
Subscribers can sign up to Drum Tower, our new weekly newsletter, to understand what the world makes of China—and what China makes of the world.