China’s Surveillance State Has Tens of Millions of New Targets

One evening in the summer of 2017, local police in China made a surprise inspection of a small private language school, checking the visas of all non-Chinese attendees. Among those present was a foreign doctoral student, who had left his passport at his hotel. “Not to worry,” said the officer. “What’s your name?” The officer took out a handheld device and entered the student’s name. “Is this you?” Displayed on the screen was the researcher’s name, his passport number, and the address of his hotel.

This kind of incident is common in Xinjiang, where China has extensively deployed technology against Muslim minorities. But this episode took place in Yunnan province, near China’s southern border with Myanmar. In fact, public security bureaus—the network of agencies in China that deal with domestic security and intelligence—across the country are using electronic databases coupled with handheld tools to keep track of certain categories of people. These “key individuals,” as they are officially known, range from paroled criminals and users of drugs to foreigners, petitioners, and religious believers.

A review of dozens of local government notices, procurement tenders, and promotional material from Chinese companies indicates that the use of such technologies both predates and extends beyond the current crackdown in Xinjiang, affecting tens of millions of people all over China.

As the Chinese Communist Party identifies new targets for repression under the increasingly authoritarian rule of President Xi Jinping and Chinese companies expand their sales of surveillance equipment abroad, the scale and impact of these databases are likely to increase in the coming years.

The Ministry of Public Security’s 2007 Key Population Management Guidelines define key individuals broadly as those “suspected of threatening national security or public order.” Some specific groups are listed, including serious criminal offenders, people released from prisons or labor camps, and users of illegal drugs.

In practice, a far wider range of people are treated as key individuals by China’s security apparatus, according to an examination of more than 70 local government notices issued in 26 of China’s 34 provinces and administrative regions between 2011 and 2019. Frequently mentioned categories of key individuals include petitioners, members of banned religious groups like Falun Gong, people with mental illnesses, and those involved in “stability maintenance” or “terrorist” activities—two terms that are often applied to rights activists, protesters, and members of ethnic minority groups such as Xinjiang’s Uighurs.

As the number of populations under surveillance has grown, so too has the collection of their personal data. The origins of today’s massive police databases extend back to the introduction of machine-readable “second-generation” national ID cards in the mid-2000s. The cards allowed personal data to be stored electronically and shared easily among branches of the Ministry of Public Security.

In 2006, one of the first nationwide databases of key individuals was launched: the Dynamic Control System. With records on more than 2 million registered users of drugs, the Dynamic Control System was an early example of ID-based location tracking and biometric data collection. It alerts public security offices whenever registered individuals use their national ID numbers to conduct computer-based transactions, such as buying a train ticket. Police can then determine the individuals’ location, intercept them, and conduct a drug test on their urine, the results of which are added to their electronic file. Fingerprints and DNA data are also collected. It was reported in November 2017 that police in Hainan were going door to door collecting DNA samples from registered users of drugs.

The Dynamic Control System soon became a template for other police databases, which Chinese technology firms were contracted to build. By 2008, Hongda Software’s Public Security Personnel Information Management Work System was being used to collect information on practitioners of the Falun Gong meditation and spiritual group, whose adherents have been subjected to a large-scale campaign of intimidation, imprisonment, torture, and extrajudicial killing since 1999. Police were able to record who introduced practitioners to the movement, where and with whom they practiced, and their level of spiritual dedication—criteria that resemble precursors to more recent police assessments of Uighurs as “safe,” “average,” and “unsafe.”

Since the release of Hongda’s system, databases on key individuals have become a lucrative part of the country’s surveillance technology sector. At least 13 tenders for such projects were issued by public security bureaus in seven provinces or centrally administered cities between October 2015 and May 2019, according to information available online.

The companies in question hail from across China, including Shenzhen Yuanzhongrui Technology from Guangdong province, Beijing’s Sensingtech, and Zhejiang province’s Yidiantong Information Technology. Of 40 companies building surveillance database systems, at least 10 provide accompanying handheld devices, such as Sensingtech, while 13 mention mapping or geolocation features, such as Netposa.

The products themselves are not available for direct examination, but help manuals and screenshots of system interfaces are accessible online. Yidiantong’s Key Person Control system allows operators to collect basic identifying information on key individuals (name, date of birth, sex, address) as well as bank account and social media information. Additional categories of data are tailored for particular groups: the results of psychological evaluations for people with mental illnesses; the content of complaints by petitioners; the results of urine tests for users of drugs; or the reason for a foreigner’s visit to China and which Chinese counterpart is responsible for the traveler. Some products, like those offered by Hongda Software and Yidiantong, cover populations that are less typical targets of mass monitoring, including internal migrants and clergy from state-approved religious groups.

The diversity of the products—and of the target populations—reflect the decentralized aspects of Chinese policing. There is a nationwide focus on certain groups and a general desire to enforce “social stability” through high-tech surveillance tools. But which populations are prioritized varies across location and time. Local government notices indicate that military veterans petitioning for improved treatment were a concern across China beginning in 2017, while people going through the “community correction” process (noncustodial sentences roughly equivalent to community service in the West), the mentally ill, and petitioners were targeted in the lead-up to the 19th Party Congress in 2017. Targets may also vary based on the size of local religious populations: Christians are a greater focus for security services in Zhejiang, Muslims in Xinjiang, Falun Gong practitioners in far northeastern provinces, and Tibetan Buddhists in the Tibetan Autonomous Region, Sichuan, and Qinghai. Adding to the diversity of implementation is the lack of a single designated supplier for these technologies, leading to a relatively competitive market.

There are already signs that disparate databases are being combined with broader state surveillance projects. Yidiantong claims that its Key Person Control database is integrated with the information systems of hotels, internet cafes, airports, and railway stations, enabling real-time data sharing with the police. Several companies even boast that their databases are integrated with facial-recognition cameras capable of identifying key individuals in public places.

The regime’s ability to convert data integration into more intensive forms of control and punishment for key individuals is liable to increase. A decade ago, a known dissident, underground Christian, or Falun Gong practitioner might have received a visit from police during politically sensitive periods, such as a Communist Party Congress. Today these same people may be monitored continuously, with police receiving automatic alerts about their movements. As the definition of a key individual continues to expand and new forms of data are added to the tracking systems, there is little to stop police from punishing even minor forms of political or religious dissent and affecting more aspects of a person’s life for longer periods of time.

The hoarding of so much personal information in integrated databases with minimal oversight raises obvious concerns about data security. Other surveillance and data collection systems in China have been found over the past year to have very poor data protection measures, exposing the personal details of millions of people to hackers. Recent official efforts to improve data security have applied almost entirely to how private companies, not the government, handles personal data.

Another concern arises from the potential export of key-individual surveillance technologies to other countries. A study published last month by the Open Technology Fund documents sales of various types of Chinese surveillance and internet censorship equipment to at least 73 countries across five continents. The recipient states are not just other full-fledged autocracies such as Egypt and Azerbaijan, but also countries with semiauthoritarian or even democratic systems, such as Brazil, Malaysia, Tanzania, Poland, and South Korea. At least three technology companies that are listed in the report for providing facial-recognition-enabled cameras to other countries—Dahua, Sensetime, and Hikvision—also offer surveillance technologies aimed at tracking key individuals.

Developing effective responses to these surveillance practices is extremely difficult. At a minimum, though, it is worth alerting both Chinese citizens and foreigners traveling in China about the extent of data collection, allowing vulnerable people to take precautions to protect themselves and their acquaintances.

Rights-conscious investors, whether foreign or Chinese, should closely examine their portfolios and eliminate any direct or indirect support for companies that are complicit in mass surveillance and rights violations, including through international pension funds and venture-capital firms. A loss of capital could reduce the attraction of contracts from China’s security apparatus and dampen enthusiasm for technologies that are specifically designed to track peaceful activism or religious observance.

Finally, officials in democratic settings should be wary of transactions with any of these firms. Among the Chinese commercial entities added this month to a U.S. government export blacklist for their involvement in facilitating repression in Xinjiang, several also sell technologies aimed a broader range of key-individual targets. The United States and democracies in general should apply Xinjiang-style sanctions to Chinese companies that contribute to surveillance-enabled rights violations across the country.

Given the pace at which such dystopian tools of mass repression have proliferated within China, democratic actors should waste no time in halting their spread before they become a fact of life around the world.