As the National People's Congress gathers in Beijing for the beginning of China's "Two Sessions" political season, state media is making an international propaganda push on social media—including on platforms blocked by China's "Great Firewall"—to promote China's "system of democracy."

70 years in 5 minutes: Chinese democracy in the eyes of an American. #TwoSessions pic.twitter.com/wJDlwzyAKy — China Xinhua News (@XHNews) March 2, 2019

That system of democracy apparently involves mass surveillance to tap into the will of the people. While China's growth as a surveillance state has been well-documented, the degree to which the Chinese leadership uses digital tools to shape the national political landscape and to control Chinese citizens has grown even further recently. That's because authorities have been tapping directly into Chinese Communist Party (CCP) members' and other Chinese citizens' online activities and social media profiles.

The little red app

The China Media Project reports that the CPP has mandated party members download a new smartphone application called "Xi Study (Xue Xi) Strong Nation" (学习强国)—an application that provides a library of articles and videos carrying the teachings of Chinese President Xi Jinping. Party and government groups were to institute mandatory group training periods using Xi Study—similar to the periods of study of Mao's "Little Red Book" once required by the party.

The application also tracks how much time each party member spends on each Xi-related activity. Points are awarded every time they complete an activity, with bonus points awarded for completing "Xi Jinping Thought" articles or videos watched during "lively intervals," or huoyue shiduan (活跃时段)—Monday through Friday from 8:30pm to 10pm and on Saturdays and Sundays from 9:30am to 10:30am and 3:30pm to 4:30pm."

Social media posts indicate some government workplaces have set extraordinarily high quotas for the Xi Study points employees must accumulate. A post on China's Douban social media service reported that teachers at a school in one town had been told they had to earn 40 Xi Study points a day; considering that 1 point is awarded for a full 30 minutes of reading articles and videos and 0.1 points are awarded for completion of each piece of media, that could add up to every waking moment of a teacher's spare time. And because the application tracks interaction, it's difficult to use it while doing anything else. (The post has been taken down, and an archive went offline as Ars was reporting this story.)

But you don't have to be a party member to be tracked. While performing scans with the Shodan vulnerability search engine, researchers at the GDI Foundation discovered components of a large-scale social media surveillance platform inadvertently exposed to the Internet.

Your voice is heard

A February 22 China National Computer Emergency Response Team (CNCERT) alert warned that 486 MongoDB database servers out of approximately 25,000 such servers connected to the Internet had "information leakage risks." Apparently, some of those MongoDB servers were part of a social media and messaging collection and processing system used by Chinese law enforcement and security personnel to monitor and investigate citizens' communications.

GDI Foundation, a Netherlands-based non-profit organization, is in the process of building a Global CERT. The group attempts to help secure the Internet by scanning for vulnerable systems and informing the owners of data of their exposure. The Chinese surveillance platform was picked up in such a scan.

"To find the owner of the data, which is not always the owner of the server like the cloud provider," Victor Gevers of the GDI Foundation told Ars, "we need to go into the data. In this case, we found we could not find the owner, so we reached out to the ISP. Within a couple of hours, we noticed they started securing the server as we had advised in the email."

But in exploring the data, it became rapidly evident who was using the system. The surveillance infrastructure, consisting of a large number of synchronized MongoDB servers, apparently collects social media profiles and instant messages from six different platforms segmented by province, according to Gevers. He adds that the infrastructure pulls in approximately 364 million profiles along with their private chat messages and file transfers daily.

The exposed databases revealed not only the collection of the data from social media accounts on services such as TenCent's QQ and WeChat platforms, Alibaba Group's WangWang, and the YY video and streaming platform, but also the workflow behind the collection. "These accounts get linked to a real ID/person," Gevers wrote in a Twitter post on the data. "The data is then distributed over police stations per city/province to separate operator databases with the same surveillance network name."

The “remarkable part”

According to the data viewed by the GDI Foundation team, law enforcement officers in each province then manually investigate between 2,600 and 2,900 messages and profiles per day. Each day, they set up a new database table to track their progress.

"And the most remarkable part is that this network syncs all this data to open MongoDBs in 18 locations," Gevers noted.