China’s ‘data doors’ scoop up information straight from your phone
The security screeners scan more than your face, picking up MAC addresses and IMEI numbers
Facial recognition devices have become ubiquitous across China. But what you probably didn’t know is that some of these machines can snatch up information straight from your smartphone.
While they look like regular metal detectors on the outside, they’re much more than that. Aside from facial recognition and ID card verification, the so-called “three-dimensional portrait and integrated data doors” vacuum up MAC addresses, IMEI numbers and other identifying information from electronic devices. This data is unique to a user’s hardware, and it could potentially be used to track people.
A new report from Human Rights Watch uncovered the use of these data doors at certain checkpoints in Xinjiang, where the government is using heavy surveillance to monitor the local Uyghur Muslim minority.
“People that went through it only knew that they were going through facial recognition, but they didn't know identifying information from their electronic devices was also being collected to be logged and tracked,“ said Maya Wang, a senior researcher for China at Human Rights Watch.
China already has the biggest video surveillance network in the world called Skynet. It's also trialing facial recognition blacklists such as those that shame jaywalkers, unlicensed drivers and even bad tourists.
Collecting this kind of information from electronic devices is a new level of privacy invasion. A data door maker called Pingtech explains in a patent that in addition to IMEIs, the devices can pick up mobile phone Wi-Fi MAC addresses, IMSI and ESN numbers for identification and location tracking.
Data doors, however, are not the only way it’s happening. According to Techcrunch, a smart city system with facial recognition cameras in one Beijing districts has also been equipped with sensors that monitor Wi-Fi enabled devices, suggesting it can collect IMEI and IMSI numbers. The system was discovered by Condition:Black security researcher John Wethington after the database was left accessible without a password.
What exactly this information is being used for remains an open question. Numbers such as IMEI are unique identifiers assigned to SIM-capable devices like mobile phones. Independent cyber security expert Greg Walton, who worked on the HRW report, said that aside from identification, mass transit systems might want to harvest unique identifiers from devices to measure traffic.
But this kind of information can be used to track people physically. In many countries, IMEIs and other information from phones are used by the police to track down stolen phones, missing people or suspects (they still need a warrant, at least in the US).
A device’s identifying numbers such as IMEI and IMSI could serve as a beacon for authorities. When this is combined with other data from facial recognition, surveillance cameras, license plates, or even phone records and social media posts, a clearer picture of a person’s life emerges.
“Now I can see who you talk to, on what devices, when you physically met with them,” Wethington explained.
There’s currently no evidence of physical tracking. However, in Xinjiang, where authorities are monitoring and incarcerating the local Uyghur population on a massive scale, the data picked up from electronic devices is being logged in the Integrated Joint Operations Platform (IJOP). This platform is being used by local police to track suspicious behavior, which can be interpreted pretty broadly. Things like not using front doors, not talking to your neighbors or using Virtual Private Networks (VPN) can all be seen as suspicious behavior, according to the report.
The smart city system uncovered in Beijing also used its facial recognition capabilities to identify Uyghurs and individuals with criminal convictions and known drug abuse, TechCrunch’s analysis showed.
Researchers at HRW suggest that the Chinese police are using all this data to develop capabilities for something called reality mining. This is a term for machines collecting and analyzing data on human social behavior to predict patterns of behavior and map social relationships.
This isn’t inherently negative. According to MIT, reality mining could be used for things like stopping the spread of infectious diseases.
Wethington, however, describes it as behavioral surveillance. It relies on spotting anomalies and changes in people’s behaviors that could indicate a threat such as building a bomb or becoming a terrorist.
“The problem is that it's subject to interpretation and rife for abuse,” Wethingon said.
Other countries are also performing surveillance, he added, but none on the scale of China.
Xinjiang and Beijing are likely not the only places in China using the technology. Dilusense, another company that sells data doors, explains on its website that Yiwu city uses its systems to monitor train stations and other public spaces, especially those used by the Muslim population. The company's systems are also being used at the Hong Kong-Zhuhai-Macao bridge, although it's not clear whether all of these locations also collect electronic device information.