Three days after the Chinese government locked down Hubei, the province at the centre of the coronavirus outbreak, a local government official more than 1,000km away received data from telecoms carriers alerting her to a list of people who had left Hubei and entered her town.
The data included traces of the estimated locations of users’ mobile phones, showing that many had driven back along the highways from Hubei to Guangdong province in southern China, where the official works in a small town. The location data helped the official’s team “more or less” pin down everyone who came back from Hubei, she said.
But for another Guangdong town, the information it was able to get hold of was much less comprehensive.
“We did identify one man from Hubei on the list who was high-risk. We searched everywhere for him but just couldn’t track him down,” a second official told the Financial Times, speaking on condition of anonymity.
Officials went door to door searching for the man. Finally, they found him — in a neighbouring municipality, where he had not been included on its list of high-risk people.
To the outside world, China can often seem like a monolith, with edicts from Beijing ruthlessly implemented by the rest of the system. US officials regularly accuse the Chinese government of having access to all data held by companies in the country. When dissidents are involved, the surveillance is often swift and decisive — partly because the police and other security services have the greatest power within the government to marshal different sources of data. Extensive coronavirus-related censorship — and punishment of whistleblowers — contributed to the spread of the virus and the public’s inability to protect themselves.
The coronavirus pandemic has also demonstrated a much messier reality. Although China has tools that many other governments would not be able to usually deploy to track potentially infected people, such as location data from individual phones and facial recognition technology, the state’s ability to access personal data is at times limited.
Co-ordination between different areas of the public sector is often sporadic and sometimes marred by bureaucratic rivalries — as the experience of the two Guangdong towns shows. Wary of alienating middle-class customers, whose lives now revolve around a series of apps on their smartphones, many private sector companies are reluctant to be seen handing over data.
And before the coronavirus crisis gripped the country, there was a growing debate about the need for increased protection of personal data — a shift in both laws and attitudes that was encouraged by cyber space regulators.
However, Chinese authorities are now putting considerable pressure on private companies to hand over sensitive data for anti-epidemic purposes and some privacy advocates fear the surveillance measures implemented during the pandemic could become permanent.
“There is no single government repository of all data. Some government departments have a history of not sharing data with each other,” says Samm Sacks, a cyber security fellow at the New America think-tank. “This is not surprising given the tremendous political power that certain kinds of data can yield in the Chinese system, and the differing objectives of different government agencies.”
For all the talk about China as a science superpower, the technology that has made a difference in the outbreak has been the most simple: online questionnaires to relay medical information from citizens to authorities.
The printed QR codes that now hang over many residential compound entrances in China are an example of such information-gathering channels. Put up by building managers, residents are encouraged — but not forced — to scan the codes with their phones. From there, they are directed to links to apps or websites for residents to report their health status and recent travels to their building manager or local authority.
“What is interesting is how old school the party’s playbook has been. This hasn’t been a tech health triumph, this has been a triumph for the party and their old school methods,” says Ryan Manuel, managing director of research firm Official China.
Epidemiologists say robust tracing of potential virus carriers is essential for containing the early stages of an outbreak.
While telecoms data has helped some local governments pin down potential coronavirus cases, there have been many problems with the information. Carriers track phone locations through the transmission towers to which users connect. The location data is not always accurate: depending on cell tower coverage, the estimated locations can be out by as much as 2km.
“We give location data from cell towers, but compared to the GPS data from Alipay, WeChat, Meituan, it’s not that accurate,” says an employee of China Mobile, one of the country’s three telecoms operators, referring to the most downloaded apps for payments, messaging and food delivery respectively.
In other words, state-owned telecoms companies no longer have the lion’s share of accurate user data in China. The best data lies in the hands of private companies such as Alibaba and Tencent.
Taken together, the apps used by the average Chinese city dweller over the course of a day could plot not only their GPS location but every store they had shopped at, meal they had ordered, ride they had hailed, friend they had messaged for meet-up plans and even the rental-bike handles they had touched.
But local governments face obstacles to accessing data from private companies, which have proven even more reluctant than state-owned telecoms groups to hand data over to middle-level officials.
One reason for the difficulty is the complexity of China’s governance system, where different levels have different incentives and tools. Another reason is that privacy concerns have become a surprisingly important issue for parts of the government, as well as for private investors and customers.
Since the implementation of China’s Cyber Security Law in 2017, Beijing has gradually rolled out consumer privacy standards. The Cyberspace Administration of China, a central government regulator which can shut down tech companies overnight, has named and shamed giants from ByteDance to Baidu for poor user privacy practices. The CAC recently issued a notice warning government agencies not to share data for pandemic-prevention purposes that is out of line with data protection standards.
Handing over data is often against companies’ commercial interests, particularly as the likes of Alibaba and Tencent are expanding overseas and do not want to be perceived as being too close to the ruling Communist party, says Mr Manuel.
“We spend a lot of effort resisting Chinese authorities’ attempts to convince us to give over our data,” says an executive at a Chinese technology company.
On top of this, companies understand the risk of data leaks once they share it with any part of the Chinese government. “Tencent and Alibaba don’t want to hand over user data because they see the risk that some middle-manager could sell that data on the black market,” says Philip Beck, chairman of venture capital firm Dubeta.
Mr Beck is a veteran of China’s marketing industry, where state-owned telecoms operators in the mid-2010s once set a precedent for unauthorised selling of user data. Such transactions are rarer after a series of police crackdowns, but the black market for data still exists.
“Hong Kong and NY-listed tech companies are sensitive to any accusation that they are lax with data security,” Mr Beck adds.
At times, it has been complicated for the tech companies to manage the different demands. The local government of Hangzhou, where Alibaba and its payments affiliate Ant Financial are based, was the first to launch a “health code” webpage that gives users a red, yellow or green status based on a self-reported health questionnaire, as well as tracking user locations. The page was embedded in Ant Financial’s Alipay app, and users could voluntarily fill in the questionnaire to gain access to highways and public transport. Beijing’s municipal government followed suit, putting a similar health code app on Tencent’s WeChat messaging service.
Both Alibaba and Tencent firmly deny they provide any of their own users’ data — China’s biggest gold-mine of user behaviour — to the government’s “health code” apps. The companies point out that the government health-code apps hosted on their platforms ask for user consent to share location.
Pandemic-tracking apps are now proliferating as local governments have started trying to gain access to phone GPS location data through the apps, which are more accurate than carrier location data. The test version of the national government’s online services platform links to at least 12 provincial- or major city-level governments’ own health code apps, as well as providing a national-level app.
As is often the case when multiple bureaucracies collide, the health apps have overlapping coverage. On arriving back in Beijing from a trip out of the city, one FT reporter was told by their district authority to ignore the Beijing municipal government’s app and register on another health app used by the district. “One person, six codes”, ran the headline of a local media feature lamenting the multiplication of district- and municipal-level apps.
Citizens can be barred from workplaces and highways in Hangzhou based on the colour of their health code, yet the algorithm behind it is opaque. Users have complained that their codes flicker from green to red, or vice versa, without any explanation.
For all the professed reticence of the companies, the government has used the coronavirus crisis to push for greater sharing of data from private and public sources. Indeed, some in China fear that some of the gains for consumer privacy in the past two years could be lost.
“We have faced challenges combining government and business data during the pandemic since we haven’t done it before,” says one executive at a Chinese tech company who spoke on condition of anonymity. “Data from companies is being used to complement [the government’s response].” One example was information about online purchases in Wuhan in February.
Some privacy advocates are concerned that China’s push to increase surveillance and data-sharing could last beyond the pandemic. Events including the Beijing Olympics, the Tibetan protests in 2008 and the Urumqi riots in 2009 were used to ramp up the development of China’s surveillance state, says Maya Wang, senior China researcher at Human Rights Watch.
There is ample precedent for the state expanding its surveillance under the guise of medical care: in some parts of Xinjiang, where some 1.8m members of China’s Uighur Muslim minority have been detained in camps in recent years, officials collect DNA from residents through a health check-up programme.
Privacy violations have already occurred in a more rudimentary way too: Lisheng Yu, a freelance writer from eastern Jiangsu province who has been to Wuhan, accused authorities in Jiangsu of leaking his personal information in an Excel spreadsheet of Wuhan returnees sent to various WeChat groups.
Victims of similar leaks have come forward on social media, some saying they were harassed through phone calls after their data was released. A government think-tank said that in January and February, 15 per cent or 300 of the 2,000 submissions to the CAC’s personal data infringements complaints platform were about pandemic-related apps.
“The difficult situation we find ourselves in now highlights the importance for China of creating an effective nationwide mechanism for protecting personal information”, says Wu Shenkuo, a cyber law expert at Beijing Normal University, adding that leaks of information could reduce trust in the government.
Under pressure from local officials to control infection rates, building managers have installed more video cameras to track residents who are meant to be in quarantine. At one complex in Beijing, magnetic sensors have been installed on residents’ doors. In another case, a resident was asked to install a webcam inside her living room: she refused. She had a camera installed outside her door instead.
Some buildings and train stations have installed infrared surveillance cameras to screen visitors for fevers. Several facial recognition companies claim they have expanded their offerings to recognise masked people.
Hong Yanqing, a law professor at Peking University who helped draft the data privacy standards, said in an article written with other government affiliated scholars that data collected for anti-pandemic efforts should only be used for that purpose and “deleted after the pandemic is over in accordance with regulations”.
Throughout the public health emergency, the authorities have used records of private WeChat messages and other information shared on social media to identify and punish people. At least 452 people have been punished for “spreading rumours” about the outbreak, according to Chinese Human Rights Defenders, a Hong Kong-based group.
Wuhan police intimidated people who first tried to warn about the virus late last year. The most famous case was of Li Wenliang, a doctor who died from the virus and became a hero to millions after being punished by the police for raising the alarm about the new disease.
Tencent has previously denied storing user messages, but activists and journalists have reported that their WeChat messages were monitored by the police — in some cases years later.
“We can see from how coronavirus has been handled that the police get most of the information because they are the ones who run this mass surveillance infrastructure,” says Ms Wang. “But part of the surveillance project is for the Chinese government to push for integrating data across different departments and systems. Whether this will be successful is an open question.”
Get alerts on Coronavirus pandemic when a new story is published