China has a thriving black market for personal data

The Economist

Chinese netizens1 joined people around the world in marvelling 2that an American journalist could be accidentally invited into a private group chat with senior American national-security officials. But they have also been intrigued 3by another data leak closer to home. In March the teenage daughter of Xie Guangjun, an executive 4at Baidu, a tech giant, got into an apparently innocuous 5online argument over Korean pop music. After the exchanges escalated6, she posted some of the private information of her opponents online. Known in English as doxxing, in China it is called kaihe (“opening the box”) or renrou sousuo (“human flesh search”).

The affair caused a stir7. Many suspected 8the girl had gained access 9to the information through her father, since Baidu has data on hundreds of millions of Chinese people from its search engine and other apps. Mr Xie and Baidu have denied they were involved. But there is a simpler explanation. Any Chinese teenager can dox someone if they put their mind to it, because the country has a thriving 10black market for personal data.

Trade in data takes place on messaging apps such as Telegram, which are technically banned in China but easily accessible to the tech-savvy11. Brokers offer everything from someone’s current mobile-phone location to their online shopping history. “Whether you’re a businessman…a potential father-in-law, or just in love, you can look into your partner, your son-in-law…or the people you’re lending money to,” promises one broker to their 20,000 Telegram subscribers. When contacted by The Economist, they said they could find details of someone’s hukou (a household-registration document12), photo and identity-card number for just 600 yuan ($80).

In 2018 Robin Li, Baidu’s boss, claimed that Chinese people were “not that sensitive about privacy. If they are able to exchange privacy for safety, convenience or efficiency, in many cases they are willing.” That may have once been the case, but attitudes are shifting. A survey by Peking University published in 2020 found that Chinese respondents were more concerned about privacy than those in Germany, Japan, Saudi Arabia, Singapore or America.

They have good reasons to worry. Some who have had their data sold simply get hassled 13by automated texts or phone calls. But others have been put at risk of blackmail or scams. Gangs 14of fraudsters15, often based in South-East Asia, generate much of the demand for Chinese personal data. From January to November last year China charged more than 67,000 people with online and phone fraud, a 60% increase on the previous year.

China’s government is wising up to the threat. In 2021 it passed a law which set strict requirements on companies to limit the collection and sale of personal data. Regulators have since slapped 16huge fines on tech giants for slip-ups17. Didi, a ride-hailing firm, was fined $1.2bn in 2022 for its lax 18data management. Last year the police claimed to crack 7,000 cases related to the illegal data trade. In some cases employees at law firms, delivery companies and education consultancies had sold their clients’ data to criminal gangs. In others, hackers had extracted 19the data from mobile apps.

China’s authorities are themselves a big part of the problem. The world’s biggest surveillance 20state is very good at collecting data on its citizens but bad at keeping such data safe. Examples abound, and the Chinese media have sometimes been bold in covering the issue. In 2020 a public school in Sichuan province, in south-western China, was found to have uploaded photos of its students, along with their names, grades and identity-card numbers, on an unsecured online database in order to train a facial-recognition system. In 2022 a hacker calling themselves “ChinaDan” stole 1bn records of personal information and criminal cases from the Shanghai police. They appear to have lifted the records from another unsecured database.

Corruption 21is as much an issue as incompetence22, notes Rogier Creemers of the University of Leiden in the Netherlands. Reams of23 data pass through the hands of ill-paid officials, so it is no surprise that much ends up on the market.

In January the government announced an “action plan” that promised to crack down24 on “the black and grey industries that illegally obtain, sell or provide data”. For the moment Chinese citizens still tend to trust the government with their data (in part because bad news, such as the Shanghai police data leak, is often censored25). But if the problems continue, that could change. “At some point people are going to take you at your word,” says Mr Creemers. “If you are in charge of everything, why are you not solving this problem?”