In 2017 China introduced the Cybersecurity Law. It was meant to be a comprehensive data security law that would protect citizens from unauthorized use and distribution of their personal information. A year later, abuse of personal information and the unauthorized sale of customer data remain widespread. The collection and sale of this information is a massive business, and because it is so easy to do, the temptation to acquire it unethically or even illegally is always present.
A recent investigation by Reuters revealed that information such as banking records, internet browsing history, vehicle registration and mobile phone usage is widely available from private data brokers. These third-party companies are obtaining some of this data from corrupt employees at banks, phone and internet companies, and in some cases even from the court system. Some of it is obtained through theft and hacking.
This illicit customer data is sold in bulk to these various data brokerages, who use it to compile massive databases profiling the entire population of the country. Just about anyone can then pay for access; marketing companies are frequent customers, paying for tailored lists of specific demographics.
Selling of customer data is often facilitated through the “dark web,” encrypted peer-to-peer networks that are notorious for harboring criminal activity. One recent high-profile example was the theft of data on 130 million clients of Huazhu Hotels Group, the world’s fourth-largest hotel company. The stolen data contained detailed payment and contact information and was sold for eight Bitcoin, or about $56,000 USD.
Though data privacy and security is a global concern, issues surrounding companies selling customer data have been acute in China as of late. Some observers believe that this is due to a culture of outdated practices and inadequate budgeting for security among companies in the country. According to Terry Ray, CTO of Imperva, “Even today, I would estimate that Chinese companies are five to ten years behind Europe and the United States in detective and protective controls for data. That’s not to say there are no success stories of Chinese companies modeling their data security practices after more modern foreign entities, but that is the exception rather than the norm.”
The business of selling customer data
Ray breaks the selling of customer data down into two basic markets: short-lived and long-lived. As he sees it, “two big differences between short-lived data and long-lived data are time to value and future value.”
Short-lived data is that which will not stay current for very long, particularly once the customer learns that there has been a breach of some sort. As Ray explains, “Time to value for short-lived data is usually very high; think credit cards and the combination of matching usernames and passwords. These have very high short-term value, but change very quickly, especially post-breach or upon theft of money or an account takeover … Future value for short-lived data expires very quickly, so while we see some data repositories of this type of data, it is usually significantly less valuable as it ages. Consider that you find a bank charge on your credit card: the first thing you do is call the bank and make a claim for fraud against your account, and the bank responds by replacing your credit card and number, thereby making the data stale in the breached data. This can happen quickly, reducing the future value of the data.”
Then there is long-lived data, the type that Ray expects to remain valuable over the life of the customer because it is inherently more permanent in nature. “Future value for long-lived data like names, addresses, phone numbers, etc. lasts a very long time and can be resold for years and still have a fairly high level of accuracy … Time to value for long-lived data can be low to high value depending on the reliability, data type and quantity, yet this data also tends to be more widely available from multiple sources due to previous data breaches. This data doesn’t age as quickly as short-lived data: think phone numbers, home addresses, employers, etc. Standard economics of supply and demand apply here, lowering the value of this data since it’s often available from many sources and lowest price often sells well. This data is often cheap enough for buyers to purchase from multiple sources and build a large data repository.”
The fusion of legitimate and illicit data
Of course, data brokerages don’t exclusively deal in stolen data. Many legitimate data firms collect personal information (and are selling customer data) gathered from all sorts of public sources. Public records are one option, but information that people voluntarily share through social media and business networking sites often provides a much richer harvest for a customer database.
This creates a scenario in which data that is not illegal to possess but that was obtained through illicit means can pass from more clearly illegitimate databases to the more legitimate ones that focus on public information. The personal data then becomes entrenched in its public availability even though it should not have been made public in the first place.
The end result can be an almost complete collection of an individual’s personal information and life history available for sale, and at affordable prices to boot.
Perhaps even more concerning to Chinese citizens is the way these illicit databases might end up interacting with the country’s unique “social credit system,” a big data effort which employs a broad variety of personal identity information (down to time spent playing online games) to potentially take rights and freedom of movement away. The country’s development of this system has been opaque, and while it is speculated that information from private databases is incorporated, it is unclear exactly what sources are used or what information is drawn from them.
Data availability in China going forward
China’s Cybersecurity Law is still relatively new, having been in force for just a little more than a year now. While it does have some provisions for the handling of personal data and the selling of customer information, it is not as robust as something like the recently passed European General Data Protection Regulation (GDPR) in terms of protecting personal privacy.
The implementation of the Cybersecurity Law did move China from inadequate consequences for data theft to prison sentences and fines for companies illegally selling their customers’ data. The issue now is enforcement. It can be difficult to trace data theft back to its specific source in such a large country, and even when that is done, the punishments are sometimes still light enough (topping out at only several years in prison and capped fines) that the crime is seen as being worth it. The Cybersecurity Law also still allows for implied consent, meaning that terms giving the company legal cover to collect and distribute personal data can be buried in the terms of service. The site user is then bound to these terms simply by continuing to use the site.
As long as the status quo remains, it is likely that personal data will remain widely and cheaply available in the country, and that new data will continue to be harvested by way of the existing illicit methods.
Given this, the impetus for data protection necessarily shifts to the end user and to the various privacy products and services that they can proactively employ. Chinese nationals, as well as those simply doing business or visiting there, will need to pay closer attention to who holds their identifiable information and to those holders’ track record in keeping that data protected. The personal data business is booming, and even the law can’t seem to slow it down.