The “Zhenhua Leak” reveals a distinct need to establish stronger data protection requirements
Several media outlets reported about how Zhenhua Data located in Shenzhen collected “digital crumbs” of millions of individuals around the world after part of the company’s database was leaked to American academic Christopher Balding. In an interview, Balding described how some patterns in the database show there might be clear objectives behind the collection of these open source data.
Question: China is not the only country that conducts mass-collection of open source data. Western governments and companies also conduct similar activities. What makes it different when a Chinese company collects open source data on a mass scale compared to when a western company collects open source data on a mass scale?
Christopher Balding: As a simple point of comparison, Facebook is collecting data on you so they can sell you things. They can say “click on the Amazon Prime link that we have” or “click on the pair of shoes that you were looking at the other day.” That is the reason they are collecting this data.
The data that Zhenhua is collecting is most certainly not used for that purpose. We can link this company very closely to Chinese security and military intelligence departments. The collected data is being used for very different purposes.
The second thing is there were very likely legal breaches in the collection of this data. A very famous case in 2016 was Cambridge Analytica harvesting the data from Facebook and Zhenhua has basically done the same thing.
There are very likely US and European legal breaches in this case and we even have reason to believe that some of the data is clearly non-public data.
Because the entirety of the database is compiled from multiple sources, I think there are definitely some practices that are above-and-beyond what would be considered as normal data collection processes. I believe there is a distinct need for stronger data privacy and data protection requirements of companies like Google and Facebook.
Question: China has invested lots of resources into its ability to analyze big data. What do you think are the potential risks of China’s growing ability to analyze and use big data?
Christopher Balding: One example is that if you post a picture to Facebook or Twitter, a lot of the times, the location of that picture will be coded into the photograph. Even if you have turned off Twitter’s location finder, if you take a picture and upload it to Twitter, they can still figure out where you are.
One of the things that we see in Zhenhua’s database is their ability to geo-locate a large number of people based on a variety of data. We are monitoring whether they are tracking a large number of military personnel. When we say they are tracking a large number of military personnel, we are not just talking about very senior individuals.
We are talking about hundreds and thousands of very low level personnel. They are following their Twitter and Facebook so they can geo-locate them. I think their ability to extract usable information from those types of environments is very interesting and should be worrisome to a lot of people.
Question: What should be the main takeaway from the revelation of the Zhenhua database?
Christopher Balding: I think it’s fundamentally mistaken to say that because the data is primarily open source, it’s either intelligence that has very little value or intelligence that has no value. That’s a fundamental misconception. The reality is that open source intelligence is very valuable. It probably provides the majority of actionable materials that governments or intelligence agencies use.
I think another thing that was very noticeable to me is that the Shenzhen Zhenhua company is clearly classifying individuals and institutions based upon targeting. What I mean by that is the types of individuals and institutions were clearly put into this database based upon some type of rules or search procedures.
We don’t have those rules or search procedures, but the type of people that they have in the database are basically people with influence, including politicians, professors, or other types of people.
The second slightly lower types of classification are areas that we know China likes to target, including politicians, family members of politicians, academia, think tanks, technology or things like this. It almost looks like they are drawing up a list of targets or a directory of how we go about accessing this technology and influencing that institution. It’s clearly not a random assortment of people. We need to understand that this database was drawn up with very clear objectives in mind.
Question: What should western companies or governments do to ensure that users’ data security is not compromised?
Christopher Balding: This is an instance where maybe a Chinese company might be the impetus to get this started. But even just for democracies around the world, the ability to have protection of data that’s about you is very important.
China is absolutely using that in interesting ways but we even see that level of data being used in interesting ways in the West, whether it is targeted campaign messages by competing politicians or things like that. They have advertisements following you around on your phone.
It’s one of those scenarios where technology is good and we need to recognize that. We also need to recognize that there are downside risks. How do we manage those downside risks? Having that much information with essentially no consequences to companies like this is a worrisome aspect of the social media age.
We should probably think about what are the risks that are being run here and are there ways that can provide greater protection without ending users’ freedom to share things with others. It is important to think about how to do that more safely.
When democratic countries are faced with authoritarian threats that are seeking to influence individuals, politicians or universities, they should probably rethink what are the standards of their data privacy and data security for citizens.
This interview was first published in Mandarin on DW’s Chinese website.
