David Braue
Editor at Large

What data China collected about 35,000 Aussies—and 2.4 million people globally

News Analysis
Sep 20, 2020 | 5 mins
Cyberattacks, Privacy, Security

Zhenhua Data defends “research”—but concerns mount over what Australia has discovered about Chinese gathering of personal data.


The domestic surveillance operations of the Chinese government are well documented, but the scope of the country’s interest in overseas citizens has become clearer as privacy watchers pore over the details of some of the more than 2.4 million overseas organisations and people of interest—including at least 35,000 Australians—collected by a Chinese data-harvesting firm with links to the country’s government.

Personal details of politicians, singers, judges, entrepreneurs and other high-profile Australians—including their dates of birth, address, criminal records, relatives, and political associations—have been collated and stored in a database by Chinese data firm Zhenhua Data that, the ABC reports, has links to the governing Chinese Communist Party and People’s Liberation Army.

Canberra-based firm Internet 2.0 attracted worldwide attention after obtaining a leaked version of the database that included about 250,000 entries, of which some 35,558 related to Australian figures of interest. The data also includes information on about 52,000 Americans, 10,000 Britons, 5,000 Canadians, 1,400 Malaysians, and 793 New Zealanders—as well as politicians and administrators in India, with which China is currently engaged in an ongoing and sometimes-violent border dispute along the Line of Actual Control.

The implications of what the Chinese database collected about foreigners

Zhenhua Data representatives rebutted claims they had engaged in politically motivated spying, saying the data—stored in a database called the Overseas Key Information Database (OKIDB)—was “research” that was simply collated using publicly available sources on the internet, as has long been done by people-finding firms that collate birth, death, tax and other records to profile individuals and their movements over time.

Yet political analysts aren’t so convinced that the data collection—which also reveals considerable interest in Australia’s science and fledgling space sector—is benign.

The data “provides proof of activities that China was believed to engage in, but for the first time, data confirmed these activities,” writes Christopher Balding, an associate professor at Fulbright University Vietnam who left a previous position at a Chinese business school after concerns for his safety.

Balding worked with the Internet 2.0 team in Canberra, which includes co-founder Robert Potter, who has previously been known for his successful penetration of organisations like the World Health Organization and the Wuhan Institute of Virology.

Potter’s team worked with Balding to understand the implications of the database they had acquired, with Balding concluding that “even Chinese ‘experts’ continue to radically underestimate the investment in monitoring and surveillance tools dedicated to controlling and influencing, not just its domestic citizens and institutions, but assets outside of China.”

With Australia engaged in an increasingly vitriolic war of words—one that has seen journalists jailed and prime ministers warning of “sophisticated” cyber attacks from a country widely agreed to be China—revelations of the country’s intelligence gathering are likely to further stoke tensions.

Yet assistant professor Bruce Baer Arnold, a University of Canberra academic with affiliations to the Australian Privacy Foundation, suggests in a piece in The Conversation that the profiling is intentional and specific, and that “simply having an AI-assisted ‘Who’s Who’ of prominent Australians isn’t necessarily frightening”. Ordinary Australians, he says, have no reason to worry—but should “maintain as much online privacy as possible, whenever possible”.

The privacy-convenience paradox, and citizens’ lack of responsibility for their own data

Despite the outrage amongst privacy-conscious Australians, however, everyday online behaviours are likely to do little to reduce the volume of data available for China, or any other public or private entity, to scrape and analyse.

A recent F5 report highlighted the privacy-convenience paradox that keeps a continuous stream of new data being leaked online, with 43 per cent of Asia-Pacific consumers saying they believe data privacy is the responsibility of businesses and 32 per cent arguing that the government should take responsibility for protecting data.

Just one in four users believes they carry the responsibility to protect their own data, with a similar percentage saying they weren’t even aware of data breaches—and 96 per cent of users continuing to use apps even after those apps have suffered a high-profile breach.

Yet despite the temptation to blame users for privacy inadequacies, in many cases there is no alternative for breached applications and services. A breach of 47 Service NSW email accounts earlier this year, for example, led to the theft of 3.8 million government documents, comprising 738GB of data related to about 186,000 New South Wales citizens.

The scope of the attack only became clear this month, after an extensive four-month review by the government and cyber security experts found that cyber criminals had overwhelmed the agency’s defences. “The cyber incident was a criminal attack,” the agency said, advising that it has “accelerated our cyber security plans and the modernisation of legacy business processes to keep customer information as safe as possible. … Cyber attacks occur daily, and we are often able to intercept them. On this occasion we couldn’t stop the attack.”