29/05/2020 China, coronavirus and surveillance: the messy reality of personal data | Financial Times

The Big Read Coronavirus

China, coronavirus and surveillance: the messy reality of personal

data

Efforts to track cases have been haphazard but technology companies face pressure to hand over
information

Yuan Yang and Nian Liu in Beijing, Sue-Lin Wong in Hong Kong and Qianer Liu in
Shenzhen APRIL 2 2020

Three days after the Chinese government locked down Hubei, the province at the
centre of the coronavirus outbreak, a local government official more than 1,000km
away received data from telecoms carriers alerting her to a list of people who had
left Hubei and entered her town.

The data included traces of the estimated locations of users’ mobile phones,
showing that many had driven back along the highways from Hubei to Guangdong
province in southern China, where the official works in a small town. The location
data helped the official’s team “more or less” pin down everyone who came back
from Hubei, she said.

But for another Guangdong town, the information it was able to get hold of was
much less comprehensive.

“We did identify one man from Hubei on the list who was high-risk. We searched
everywhere for him but just couldn’t track him down,” a second official told the
Financial Times, speaking on condition of anonymity.

https://www.ft.com/content/760142e6-740e-11ea-95fe-fcd274e920ca?accessToken=zwAAAXJic7Jokc92AULmdA4R6tOV_vzSdOkgyg.MEUCIA… 1/11
29/05/2020 China, coronavirus and surveillance: the messy reality of personal data | Financial Times

A worker in protective gear checks the health code of a man outside a shopping centre in Wuhan, the centre of the coronavirus
outbreak, on Tuesday © Roman Pilipey/EPA-EFE/Shutterstock

A woman's temperature is checked at the entrance of a bank in Wuhan © Roman Pilipey/EPA-EFE/Shutterstock

Officials went door to door searching for the man. Finally, they found him — in a
neighbouring municipality, where he had not been included on its list of high-risk
people.

https://www.ft.com/content/760142e6-740e-11ea-95fe-fcd274e920ca?accessToken=zwAAAXJic7Jokc92AULmdA4R6tOV_vzSdOkgyg.MEUCIA… 2/11
29/05/2020 China, coronavirus and surveillance: the messy reality of personal data | Financial Times

To the outside world, China can often seem like a monolith, with edicts from
Beijing ruthlessly implemented by the rest of the system. US officials regularly
accuse the Chinese government of having access to all data held by companies in
the country. When dissidents are involved, the surveillance is often swift and
decisive — partly because the police and other security services have the greatest
power within the government to marshal different sources of data. Extensive
coronavirus-related censorship — and punishment of whistleblowers —
contributed to the spread of the virus and the public’s inability to protect
themselves.

The coronavirus pandemic has also demonstrated a much messier reality.

Although China has tools that many other governments would not be able to
usually deploy to track potentially infected people, such as location data from
individual phones and facial recognition technology, the state’s ability to access
personal data is at times limited.

Co-ordination between different areas of the public sector is often sporadic and
sometimes marred by bureaucratic rivalries — as the experience of the two
Guangdong towns shows. Wary of alienating middle-class customers, whose lives
now revolve around a series of apps on their smartphones, many private sector
companies are reluctant to be seen handing over data.

And before the coronavirus crisis gripped the country, there was a growing debate
about the need for increased protection of personal data — a shift in both laws and
attitudes that was encouraged by cyber space regulators.

Wuhan citizens who have been in quarantine wait for a Covid-19 test at a quarantine hotel in Wuhan © Ng Han Guan/AP

https://www.ft.com/content/760142e6-740e-11ea-95fe-fcd274e920ca?accessToken=zwAAAXJic7Jokc92AULmdA4R6tOV_vzSdOkgyg.MEUCIA… 3/11
29/05/2020 China, coronavirus and surveillance: the messy reality of personal data | Financial Times

A woman takes the Covid-19 test at the quarantine hotel © Ng Han Guan/AP

However, Chinese authorities are now putting considerable pressure on private

companies to hand over sensitive data for anti-epidemic purposes and some
privacy advocates fear the surveillance measures implemented during the
pandemic could become permanent.

“There is no single government repository of all data. Some government

departments have a history of not sharing data with each other,” says Samm Sacks,
a cyber security fellow at the New America think-tank. “This is not surprising given
the tremendous political power that certain kinds of data can yield in the Chinese
system, and the differing objectives of different government agencies.”

For all the talk about China as a science superpower, the technology that has
made a difference in the outbreak has been the most simple: online questionnaires
to relay medical information from citizens to authorities.

The printed QR codes that now hang over many residential compound entrances in
China are an example of such information-gathering channels. Put up by building
managers, residents are encouraged — but not forced — to scan the codes with
their phones. From there, they are directed to links to apps or websites for
residents to report their health status and recent travels to their building manager
or local authority.

“What is interesting is how old school the party’s playbook has been. This hasn’t
been a tech health triumph, this has been a triumph for the party and their old
school methods,” says Ryan Manuel, managing director of research firm Official
China.

Epidemiologists say robust tracing of potential virus carriers is essential for

containing the early stages of an outbreak.
https://www.ft.com/content/760142e6-740e-11ea-95fe-fcd274e920ca?accessToken=zwAAAXJic7Jokc92AULmdA4R6tOV_vzSdOkgyg.MEUCIA… 4/11
29/05/2020 China, coronavirus and surveillance: the messy reality of personal data | Financial Times

While telecoms data has helped some local governments pin down potential
coronavirus cases, there have been many problems with the information. Carriers
track phone locations through the transmission towers to which users connect. The
location data is not always accurate: depending on cell tower coverage, the
estimated locations can be out by as much as 2km.

“We give location data from cell towers, but compared to the GPS data from Alipay,
WeChat, Meituan, it’s not that accurate,” says an employee of China Mobile, one of
the country’s three telecoms operators, referring to the most downloaded apps for
payments, messaging and food delivery respectively.

People wearing masks queue to enter a shopping mall in Wuhan, after Chinese authorities partly lifted the lockdown of the city
© Roman Pilipey/EPA-EFE/Shutterstock

President Xi Jinping, second right, visits a park during an inspection in Hangzhou, in eastern China's Zhejiang province, on
Tuesday © Yan Yan/AP

https://www.ft.com/content/760142e6-740e-11ea-95fe-fcd274e920ca?accessToken=zwAAAXJic7Jokc92AULmdA4R6tOV_vzSdOkgyg.MEUCIA… 5/11
29/05/2020 China, coronavirus and surveillance: the messy reality of personal data | Financial Times

In other words, state-owned telecoms companies no longer have the lion’s share of
accurate user data in China. The best data lies in the hands of private companies
such as Alibaba and Tencent.

Taken together, the apps used by the average Chinese city dweller over the course
of a day could plot not only their GPS location but every store they had shopped at,
meal they had ordered, ride they had hailed, friend they had messaged for meet-up
plans and even the rental-bike handles they had touched.

But local governments face obstacles to accessing data from private companies,
which have proven even more reluctant than state-owned telecoms groups to hand
data over to middle-level officials.

One reason for the difficulty is the complexity of China’s governance system,
where different levels have different incentives and tools. Another reason is that
privacy concerns have become a surprisingly important issue for parts of the
government, as well as for private investors and customers.

Since the implementation of China’s Cyber Security Law in 2017, Beijing has
gradually rolled out consumer privacy standards. The Cyberspace Administration
of China, a central government regulator which can shut down tech companies
overnight, has named and shamed giants from ByteDance to Baidu for poor user
privacy practices. The CAC recently issued a notice warning government agencies
not to share data for pandemic-prevention purposes that is out of line with data
protection standards.

Handing over data is often against companies’ commercial interests, particularly as

the likes of Alibaba and Tencent are expanding overseas and do not want to be
perceived as being too close to the ruling Communist party, says Mr Manuel.

“We spend a lot of effort resisting Chinese authorities’ attempts to convince us to

give over our data,” says an executive at a Chinese technology company.

On top of this, companies understand the risk of data leaks once they share it with
any part of the Chinese government. “Tencent and Alibaba don’t want to hand over
user data because they see the risk that some middle-manager could sell that data
on the black market,” says Philip Beck, chairman of venture capital firm Dubeta.

Mr Beck is a veteran of China’s marketing industry, where state-owned telecoms

operators in the mid-2010s once set a precedent for unauthorised selling of user
data. Such transactions are rarer after a series of police crackdowns, but the black
market for data still exists.

“Hong Kong and NY-listed tech companies are sensitive to any accusation that they
are lax with data security,” Mr Beck adds.
https://www.ft.com/content/760142e6-740e-11ea-95fe-fcd274e920ca?accessToken=zwAAAXJic7Jokc92AULmdA4R6tOV_vzSdOkgyg.MEUCIA… 6/11
29/05/2020 China, coronavirus and surveillance: the messy reality of personal data | Financial Times

A man looks out through barriers built to block buildings from a Wuhan street © Aly Song/Reuters

Volunteers in protective suits disinfect a shopping complex in Wuhan © Aly Song/Reuters

At times, it has been complicated for the tech companies to manage the different
demands. The local government of Hangzhou, where Alibaba and its payments
affiliate Ant Financial are based, was the first to launch a “health code” webpage
that gives users a red, yellow or green status based on a self-reported health
questionnaire, as well as tracking user locations. The page was embedded in Ant
Financial’s Alipay app, and users could voluntarily fill in the questionnaire to gain
access to highways and public transport. Beijing’s municipal government followed
suit, putting a similar health code app on Tencent’s WeChat messaging service.

https://www.ft.com/content/760142e6-740e-11ea-95fe-fcd274e920ca?accessToken=zwAAAXJic7Jokc92AULmdA4R6tOV_vzSdOkgyg.MEUCIA… 7/11
29/05/2020 China, coronavirus and surveillance: the messy reality of personal data | Financial Times

Both Alibaba and Tencent firmly deny they provide any of their own users’ data —
China’s biggest gold-mine of user behaviour — to the government’s “health code”
apps. The companies point out that the government health-code apps hosted on
their platforms ask for user consent to share location.

Pandemic-tracking apps are now proliferating as local governments have started

trying to gain access to phone GPS location data through the apps, which are more
accurate than carrier location data. The test version of the national government’s
online services platform links to at least 12 provincial- or major city-level
governments’ own health code apps, as well as providing a national-level app.

As is often the case when multiple bureaucracies collide, the health apps have
overlapping coverage. On arriving back in Beijing from a trip out of the city, one FT
reporter was told by their district authority to ignore the Beijing municipal
government’s app and register on another health app used by the district. “One
person, six codes”, ran the headline of a local media feature lamenting the
multiplication of district- and municipal-level apps.

Citizens can be barred from workplaces and highways in Hangzhou based on the
colour of their health code, yet the algorithm behind it is opaque. Users have
complained that their codes flicker from green to red, or vice versa, without any
explanation.

For all the professed reticence of the companies, the government has used the
coronavirus crisis to push for greater sharing of data from private and public
sources. Indeed, some in China fear that some of the gains for consumer privacy in
the past two years could be lost.

“We have faced challenges combining government and business data during the
pandemic since we haven’t done it before,” says one executive at a Chinese tech
company who spoke on condition of anonymity. “Data from companies is being
used to complement [the government’s response].” One example was information
about online purchases in Wuhan in February.

Some privacy advocates are concerned that China’s push to increase

surveillance and data-sharing could last beyond the pandemic. Events including
the Beijing Olympics, the Tibetan protests in 2008 and the Urumqi riots in 2009
were used to ramp up the development of China’s surveillance state, says Maya
Wang, senior China researcher at Human Rights Watch.

There is ample precedent for the state expanding its surveillance under the guise of
medical care: in some parts of Xinjiang, where some 1.8m members of China’s
Uighur Muslim minority have been detained in camps in recent years, officials
collect DNA from residents through a health check-up programme.

https://www.ft.com/content/760142e6-740e-11ea-95fe-fcd274e920ca?accessToken=zwAAAXJic7Jokc92AULmdA4R6tOV_vzSdOkgyg.MEUCIA… 8/11
29/05/2020 China, coronavirus and surveillance: the messy reality of personal data | Financial Times

Privacy violations have already occurred in a more rudimentary way too: Lisheng
Yu, a freelance writer from eastern Jiangsu province who has been to Wuhan,
accused authorities in Jiangsu of leaking his personal information in an Excel
spreadsheet of Wuhan returnees sent to various WeChat groups.

Victims of similar leaks have come forward on social media, some saying they were
harassed through phone calls after their data was released. A government think-
tank said that in January and February, 15 per cent or 300 of the 2,000
submissions to the CAC’s personal data infringements complaints platform were
about pandemic-related apps.

“The difficult situation we find ourselves in now highlights the importance for
China of creating an effective nationwide mechanism for protecting personal
information”, says Wu Shenkuo, a cyber law expert at Beijing Normal University,
adding that leaks of information could reduce trust in the government.

Under pressure from local officials to control infection rates, building managers
have installed more video cameras to track residents who are meant to be in
quarantine. At one complex in Beijing, magnetic sensors have been installed on
residents’ doors. In another case, a resident was asked to install a webcam inside
her living room: she refused. She had a camera installed outside her door instead.

Some buildings and train stations have installed infrared surveillance cameras to
screen visitors for fevers. Several facial recognition companies claim they have
expanded their offerings to recognise masked people.

Hong Yanqing, a law professor at Peking University who helped draft the data
privacy standards, said in an article written with other government affiliated
scholars that data collected for anti-pandemic efforts should only be used for that
purpose and “deleted after the pandemic is over in accordance with regulations”.

Throughout the public health emergency, the authorities have used records of
private WeChat messages and other information shared on social media to identify
and punish people. At least 452 people have been punished for “spreading
rumours” about the outbreak, according to Chinese Human Rights Defenders, a
Hong Kong-based group.

Wuhan police intimidated people who first tried to warn about the virus late last
year. The most famous case was of Li Wenliang, a doctor who died from the virus
and became a hero to millions after being punished by the police for raising the
alarm about the new disease.

https://www.ft.com/content/760142e6-740e-11ea-95fe-fcd274e920ca?accessToken=zwAAAXJic7Jokc92AULmdA4R6tOV_vzSdOkgyg.MEUCIA… 9/11
29/05/2020 China, coronavirus and surveillance: the messy reality of personal data | Financial Times

Tencent has previously denied storing user messages, but activists and journalists
have reported that their WeChat messages were monitored by the police — in some
cases years later.

“We can see from how coronavirus has been handled that the police get most of the
information because they are the ones who run this mass surveillance
infrastructure,” says Ms Wang. “But part of the surveillance project is for the
Chinese government to push for integrating data across different departments and
systems. Whether this will be successful is an open question.”

Copyright The Financial Times Limited 2020. All rights reserved.

https://www.ft.com/content/760142e6-740e-11ea-95fe-fcd274e920ca?accessToken=zwAAAXJic7Jokc92AULmdA4R6tOV_vzSdOkgyg.MEUCIA… 10/11
29/05/2020 China, coronavirus and surveillance: the messy reality of personal data | Financial Times

https://www.ft.com/content/760142e6-740e-11ea-95fe-fcd274e920ca?accessToken=zwAAAXJic7Jokc92AULmdA4R6tOV_vzSdOkgyg.MEUCIA… 11/11