As snoop-tastic as China's regime is, it's tempting to gloat a bit when the country suffers a massive data breach of its own that dwarfs the leaks it inflicts on other countries. But regular Chinese citizens have been compromised, not just the government officials who spy on their own people and hack into foreign databases. More remarkably, this is only one of many incidents that illustrate the dangers of the surveillance state's appetite for gathering and hoarding sensitive information under any flag.
"A massive online database apparently containing the personal information of up to one billion Chinese citizens was left unsecured and publicly accessible for more than a year – until an anonymous user in a hacker forum offered to sell the data and brought it to wider attention last week," CNN reported July 5.
That a massive treasure trove of personal details was placed online with minimal protection, reportedly by Shanghai's police, makes an awful sort of sense. China's regime has little regard for anybody's privacy and is imposing an increasingly sophisticated surveillance-and-control state. Why wouldn't officials prioritize their own ease of access over concerns about identity theft and the personal fallout from sticking data that includes criminal records online?
Then again, you'd think China's officialdom might be a little more security-conscious given how much effort they expend on stealing other people's data.
In May 2014, the U.S. Justice Department charged Chinese military hackers with spying on American corporations. Months later, news reports revealed that hackers working for the Chinese government penetrated U.S. government servers looking for information on federal employees.
In July 2020, the feds indicted more Chinese government hackers for their part in "a hacking campaign lasting more than 10 years to the present, targeting companies in countries with high technology industries, including the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the United Kingdom." In September of the same year, the U.S. Cybersecurity and Infrastructure Security Agency announced that hackers with China's Ministry of State Security used "commercially available information sources and open-source exploitation tools to target U.S. Government agency networks."
In March of this year, Mandiant, a cybersecurity firm, revealed that hackers sponsored by the Chinese state were able to "successfully compromise at least six U.S. state government networks."
Many reports about state-sponsored hacking note that this isn't a one-sided affair. U.S. officials don't advertise it, but there's evidence they're doing their part to steal sensitive data from Chinese companies and government agencies. That probably should have been mentioned in a meeting among Shanghai police before they stuck details about a billion people on the internet.
That said, Americans have reason to be concerned about how their own officials misuse vast databases of information, sometimes to aid foreign agents. Last week, the Justice Department indicted five people for "allegedly perpetrating a transnational repression scheme that targeted U.S. residents whose political views and actions are disfavored by the PRC [People's Republic of China] Government." Among them was Craig Miller, a current official with the Department of Homeland Security (DHS), and Derrick Taylor, a retired DHS law enforcement agent.
"Miller and Taylor are charged with obstruction of justice for allegedly destroying evidence after they were approached by FBI agents and asked about their procurement and dissemination of sensitive and confidential information from a restricted federal law enforcement database regarding U.S.-based dissidents from the PRC," notes the Justice Department.
Databases are dangerous in a purely domestic context, too. Agencies including the IRS and police departments across the country have a history of revealing sensitive data with little explanation beyond "whoops!" Breaches can be attributed to sloppiness, personal gain, or score-settling.
"The California Department of Justice has announced that personal information was disclosed in connection with the June 27, 2022 update of its Firearms Dashboard Portal," that agency recently admitted. "Based on the Department's current investigation, the incident exposed the personal information of individuals who were granted or denied a concealed and carry weapons (CCW) permit between 2011-2021."
The breach may also have revealed the identities of those who registered so-called "assault weapons" and other gun-related data. But the concealed-carry disclosure, so soon after the Supreme Court ruled that restrictive carry-permit laws (including, most likely, in California) violate the Constitution, understandably raised eyebrows.
"The only explanations are incompetence or political malice," The Wall Street Journal editorialized, coming to a conclusion that really does cover the bases.
So, from China to the United States and, assuredly, everywhere else, vast databases compiled by government bureaucrats pose enormous danger to the people from whom the information is extracted. Bureaucrats in Shanghai put sensitive details about the public online without implementing basic safeguards. They do so even though they know such data is hacker-bait by the example of their own government. In the U.S., such information is also protected by inadequate security when it isn't weaponized against the public for personal or political reasons.
Incompetence, or at least carelessness, is predictable given that agents of the state are often insulated from consequences. But malice is similarly universal, as a matter of policy under authoritarian regimes, or as a technical abuse that happens whenever it serves the purposes of those with power and access.
After the data breach, China's State Council "highlighted the imperative to firmly safeguard information security," according to a summary of proceedings. "Regulations on security management will be improved, and capacity for security protection will be enhanced to protect personal data and trade secrets in accordance with law."
It's nice to know that empty assurances translate so easily across linguistic and cultural barriers. Sure, a few heads may roll (perhaps literally, in China). But it's not as if the public can easily withhold information from snoopy officials with coercive power, and governments seem unable to resist the temptation to compile data and hoard it in the sloppiest possible way. Chinese officials promise to do better, just as American officials have before. But their databases will be dangerous so long as governments can extract information without consent and store it as they please.