Chinese insiders with access to the state’s surveillance data are selling the data on the black market, according to a report from a cybersecurity firm.

Cybersecurity firm SpyCloud presented their findings at the November Cyberwarcom conference in Arlington, Virginia. They found that black market services advertise cheap and easy searches of Chinese citizens’ data:

The vendors in many cases obtain that sensitive information by recruiting insiders from Chinese surveillance agencies and government contractors and then reselling their access, no questions asked, to online buyers. The result is an ecosystem that operates in full public view where, for as little as a few dollars’ worth of cryptocurrency, anyone can query phone numbers, banking details, hotel and flight records, or even location data on target individuals. (Wired)

Image Credit: Kadmy - Adobe Stock

It’s easier to understand if we keep in mind that in China, many tech workers are paid the equivalent of US$30,000 per year. On the black market, surveillance data can be sold for anywhere from $2700 to $9,700 per day, usually paid in cryptocurrency. That means a tech worker can make up to one-third of a typical annual salary in less than a week.

SpyCloud’s Aurora Johnson told Wired,

And ordinary individuals find themselves working in a system where there’s not much economic and social mobility and where they have unfettered access to these databases of information based on their jobs in government or at technology companies. So they’re abusing that access, in many cases by stealing data and selling it in criminal marketplaces.

Who has access to citizens’ surveillance data?

Whenever I write about China, I find it helpful to think in terms of the 5Ws and H—who, what, when, where, why, and how. After reading the article in Wired and then trying to research this topic, I found myself wondering who was working for whom and how they were able to access to so much surveillance data.

And then I realized that that is the problem. It’s everyone’s problem.

Unlike what happens in the United States and many other countries, in China the private sector is beholden to the government. Any data that a private company has collected can be confiscated for state purposes. Data privacy laws passed in 2021 place restrictions on tech companies but they also give the government a pass to do whatever it wants with citizen data without any accountability.

The Chinese government collects surveillance data on every citizen as part of the Sharp Eyes project that was started in 2016 with the goal of total state surveillance by 2020. This surveillance data is collected through various means including contractors, telecommunications companies, private companies, and local governments. The data is then sent to central locations, allowing the national government to have access to granular data on every person in China.

To enable total state surveillance, telecom companies in China, for example, must supply data that can include everything from bank accounts to keystrokes (and by extension passwords) to the government. Furthermore, local governments who want to impress their federal leaders will go above and beyond to ensure that as much data as possible is collected on citizens, as has been seen in Xinjiang.

It takes many people to operate the largest surveillance state in the world. With several different avenues feeding into a centralized location, some of them are willing to use their access to sell that data on the black market.

Ironically, this data includes information on high-ranking officials, celebrities or law enforcement personnel. Thus, those who created and uphold the surveillance state may also find their private data sold on the black market. For example, The Register reports that SpyCloud researchers could find information on FBI-wanted Fu Qiang, who is a member of China’s APT41 hacker group, as well as members of the People’s Liberation Army and the CEO of I-Soon.

Will your TikTok data end up for sale on the black market?

There is certainly an ethics issue with a surveillance state in which citizens have no choice but to “opt in.” In such a state, very personal information is likely to end up being exposed. However, we should recognize how this also relates to the 170 million Americans who are on TikTok.

Image Credit: anwel - Adobe Stock

As I reported previously, we know TikTok collects granular data on all its users, including cell phone data from other apps on a phone that has the TikTok app installed. Using this data, a watcher can discern things like bank accounts and passwords based on key swipes and log ins. Additionally, researchers found that TikTok collects more data than needed to run the app and that data consistently “geolocated back to China.”

As I am writing this, the U.S. Supreme Court is listening to testimony as to the constitutionality of a forced sell of TikTok by its parent company, ByteDance. If Tik Tok is not sold, app will be banned from U.S. app stores. ByteDance has said that it is unwilling and unable to sell TikTok.

One side of the case says TikTok is a national security concern. Another says banning the platform is unconstitutional because it violates the First Amendment right to free speech. The issue of collecting data on millions of American young people that can later be used for nefarious purposes, like blackmail, was a more convincing national security concern to most of the Supreme Court justices than whether or not TikTok can be used to disseminate foreign propaganda or to sway democratic elections.

The fact that the Chinese government cannot secure its own citizens’ surveillance data gives little confidence that the state, which has access to any data collected by private companies, will do better with other countries’ data. As SpyCloud researcher Aurora Johnson said in a December interview with The Register:

The data is being collected by rich and powerful people that control technology companies and work in the government, but it can also be used against them in all of these scams and fraud and other low-level crimes.

It is disconcerting thing to live in a world where our every move is up for sale to scammers and thieves.