China is closely tracking the locations of almost 2.6m people in its north-west region of Xinjiang, where Uighurs and other Muslim minorities are under a police lockdown, a data leak has revealed.

A facial-recognition company and police contractor called SenseNets collected nearly 6.7m GPS co-ordinates in one database in a 24-hour period, according to security researcher Victor Gevers who found the database.

This location data was matched to names — many of which were Uighur — as well as ID numbers, home addresses, photos, and employers, said Mr Gevers, who said he also discovered a large number of organisations were connecting to the database, including police stations, hotels, and various companies.

Over the past two years Beijing has placed more than 1m Muslims in detention in internment camps in Xinjiang, putting the region in lockdown. Beijing argues its policies are to prevent extremism.

Xinjiang has been China’s major testing ground for integrating facial-recognition technology into its security apparatus. Most security checkpoints stationed along Xinjiang’s major roads use facial recognition cameras — one Canadian journalist has reported how he was tracked for 1,600km using licence-plate recognition cameras.

The US is considering sanctions against the companies and officials involved in China’s repression in Xinjiang. Hikvision, one such Chinese company that is also among the world’s biggest surveillance camera makers, is already banned from US government procurement. Export bans would cripple Chinese surveillance companies, which rely heavily on US components, such as chips from Intel and Nvidia. The FT reported in July that Hikvision has been contracted to install cameras at the entrance of 967 mosques.

SenseNets is a Shenzhen-based company that boasts on its website of the four police contracts it has won across China. As well as providing facial recognition and crowd-analysis services, it sells recording devices.

Victor Gevers' heat map showing the locations of tracking devices in Xinjiang © Victor Gevers

SenseNets’ database was freely accessible on an online server without a login password for half a year, according to server logs read by Mr Gevers, who works for the cyber-security non-profit organisation GDI Foundation. Mr Gevers, emailed the owners of the server describing the problem after he discovered the data leak last week, in line with GDI Foundation’s policy upon discovering leaks. SenseNets did not respond, but appears to have made the server secure so that it can no longer be accessed.

“This database is used by government-affiliated actors to track minorities,” said Bob Diachenko of Security Discovery, a consultancy, who has worked with Mr Gevers before. “It’s an ethical puzzle: I would still report it as Victor did, and continue to spread the word to make sure that this tracking does not happen.”

SenseNets proudly displays on its website its story of helping police in the southern province of Guangdong bring charges against people involved in illegal gatherings, often a euphemism for protests that are politically sensitive.

SenseNets also says it built the facial-recognition surveillance system for police in the eastern city of Lianyungang, near Shanghai.

The operations in Xinjiang are not SenseNets’ only involvement in monitoring China’s ethnic minorities — its website states it has supplied security services to the city of Duyun, the capital of a region in western China which is home to the Miao and Qiannan Buyi minorities.

SenseNets’ parent company NetPosa is listed on the Shenzhen stock exchange. Netposa claims on its website to have almost 2m surveillance cameras online, 1.4m of which are in use. Its website also reveals the company has a branch in Xinjiang. Netposa’s annual revenues have grown rapidly in recent years and its latest filing to the stock exchange forecast net profit of Rmb365m-Rmb480m ($54m-$71m) for 2018.

SenseNets and NetPosa did not respond to immediately to requests for comment on the data leak or on their relationship with the Xinjiang police. The Ministry of Foreign Affairs and the Xinjiang Autonomous Region Police did not respond to requests for comment. A Xinjiang propaganda bureau spokesman said: “I have called the relevant agencies, but they are all unfamiliar with this issue.”

Live facial recognition is being trialled by police in many parts of the world, including the UK, US and India. Japanese company NEC, one of the largest commercial providers of facial recognition systems globally, has supplied systems to all three countries, while Amazon’s Rekognition system is being tested in the US. Computer science experts in face analysis systems have warned that the technology is still nascent, and prone to errors that lead to false positives. Machine learning pioneer Yoshua Bengio, at the University of Montreal, said facial recognition systems were “very stupid” and in their current form would be highly dangerous to deploy widely.

Local authorities in parts of Xinjiang have also been collecting extensive biometric data from residents, including blood samples.

In 2017 residents were asked to install a mobile app named Jingwangweishi, or “web cleaning soldier”, which promised to “clear the trash off your phone”. However Avram Meitner, an independent security researcher, found the app scaned phones for illicit files in order to inform authorities.