The New York Times today reports that a hacker who calls himself ChinaDan is offering to sell the personal data of more than 1 billion Chinese citizens collected by the government for 10 Bitcoin, or about $200,000.
We’ve often commented on the Chinese Panopticon, in which the government is integrating facial recognition software and location tracking with pervasive surveillance of social media posts and social connections to assemble complete digital dossiers on China’s people. This does not mean, however, that the Chinese state is a monolith of competence. “Although the country has been at the forefront of collecting masses of information on its citizens, it has been less successful in securing and safeguarding that data,” The Times reports. It added that the Chinese government is deeply concerned about its “leaky data industry.”
This is a solid story in which Times reporters diligently tested a large sample of the data, including making phone calls to households targeted by the leak to verify that the sample is accurate. But there is one major perspective missing from this story.
ChinaDan broke Chinese law by hacking a Shanghai police database to get this data. In China’s oppressive regime, he is likely risking his life for a payout. But if he were an American citizen, ChinaDan could own a private data brokerage company that could legally buy this data from major apps and social media companies and then sell our personal information to any private entity, or to any number of agencies of the United States government. He might also be able to legally sell Americans’ personal data in the other direction, to China.
Sensitive data points sold on digital markets include Americans’ location, our browsing histories, and demographic details, all captured to update a precise digital portrait of our interests, beliefs, actions, and movements. This information is then shared with hundreds of bidders in a digital auction.
Companies use this “bidstream” data to create a digital dossier that can predict our behaviors, map our past actions, and reveal our personal relationships.
In the United States, no hacking into a police database is necessary to obtain this data on the open market. By opening the federal wallet, the Defense Intelligence Agency, the Department of Homeland Security, the IRS, and other agencies enjoy warrantless access to our most personal information. The government asserts that the Fourth Amendment’s requirement for a probable cause warrant need not be respected if the government simply buys our data.
While The Times worries about the security of Chinese citizens, we might take a moment to realize that in this one respect things at home are even worse.