Link

In western China, thought police instill fear

From the Associated Press:

Southern Xinjiang, where Korla is located, is one of the most heavily policed places on earth.

In Hotan, police depots with flashing lights and foot patrols are set up every 500 meters. Motorcades of more than 40 armored vehicles rumble down city boulevards. Police checkpoints on every other block stop cars to check identification and smartphones for religious content.

Xinjiang’s published budget data shows public security spending this year is on track to increase 50 percent from 2016 to roughly 45 billion yuan ($6.8 billion) after rising 40 percent a year ago. It’s quadrupled since 2009, when a Uighur riot broke out in Urumqi, killing nearly 200 people.

But much of the policing goes unseen.

Shoppers entering the Hotan bazaar must pass through metal detectors and place their national identification cards on a reader while having their faces scanned. AP reporters were stopped outside a hotel by a police officer who said the public security bureau had been remotely tracking the reporters’ movements by watching surveillance camera footage.

The government’s tracking efforts have extended to vehicles, genes and even voices. A biometric data collection program appears to have been formalized last year under “Document No. 44,” a regional public security directive to “comprehensively collect three-dimensional portraits, voiceprints, DNA and fingerprints.” The document’s full text remains secret, but the AP found at least three contracts referring to the 2016 directive in recent purchase orders for equipment such as microphones and voice analyzers.

The extent of the of technical and human surveillance, and punishments that are meted out for failing to adequately monitor family members and friends, is horrifying.1 And while the surveillance undertaken in this area of China is particularly severe, the kinds of monitoring that occur in China is more extensive and ever-present throughout the country than many people who haven’t travelled into China can appreciate. The Chinese surveillance infrastructure is the kind of apparatus that exists to sustain itself, first and foremost, by ensuring that contrary ideologies and philosophies are threatened and — where possible — rendered impotent by way of threats and fear.

  1. While much of the contemporary surveillance is now provided by Chinese-based companies it’s worth remembering that, historically, this equipment was sold by Western companies.
Link

Alibaba’s Jack Ma Urges China to Use Data to Combat Crime

Bloomberg reporting on Alibaba’s Jack Ma:

In his speech, Ma stuck mainly to the issue of crime prevention. In Alibaba’s hometown of Hangzhou alone, the number of surveillance cameras may already surpass that of New York’s, Ma said. Humans can’t handle the sheer amount of data amassed, which is where artificial intelligence comes in, he added.

“The future legal and security system cannot be separated from the internet and big data,” Ma said.

In North America, we’re trialling automated bail systems, where the amount set and likelihood of receiving bail is predicated on big data algorithms. While it’s important to look abroad and see what foreign countries are doing we mustn’t forget what is being done here in the process.

Quote

And then there’s the sheer randomness of it all. Some services you can’t access for no apparent reason, others are so slow that you can’t figure out if they’re blocked or just snail-paced. And as I experience this, I wish some of our politicians and media people, those who see net neutrality as the enemy, I wish they’d come here and experience what a radical version of non-neutrality is. Again, I have a VPN service to overcome most of this (at the cost of speed) but most people don’t and/or can’t afford one.

Don’t get me wrong, I’m not suggesting that not enshrining net neutrality is the equivalent of doing what the Chinese (or Iranian, or Indian) government does. But I look at the UK’s blocking mechanisms supposed to protect children but really targeting just about any kind of site for arcane reasons that no one can figure out, and I think that what I have here is an extreme version of the same thing.

* Benoit Felton, “Behind the Great Firewall
Link

NSA Revelations Kill IBM Hardware Sales in China

For several months there have been warnings that the NSA revelations will seriously upset American technology companies’ bottom lines. Though not directly implicated in any of the leaks thus far it appears that IBM’s Chinese growth predictions have just been fed through a wood chipper. From Zerohedge:

In mid-August, an anonymous source told the Shanghai Securities News, a branch of the state-owned Xinhua News Agency, which reports directly to the Propaganda and Public Information Departments of the Communist Party, that IBM, along with Oracle and EMC, have become targets of the Ministry of Public Security and the cabinet-level Development Research Centre due to the Snowden revelations.

“At present, thanks to their technological superiority, many of our core information technology systems are basically dominated by foreign hardware and software firms, but the Prism scandal implies security problems,” the source said, according to Reuters. So the government would launch an investigation into these security problems, the source said.

Absolute stonewalling ensued. IBM told Reuters that it was unable to comment. Oracle and EMC weren’t available for comment. The Ministry of Public Security refused to comment. The Development Research Centre knew nothing of any such investigation. The Ministry of Industry and Information Technology “could not confirm anything because of the matter’s sensitivity.”

This is the first quantitative indication of the price Corporate America has to pay for gorging at the big trough of the US Intelligence Community, and particularly the NSA with its endlessly ballooning budget. For once, there is a price to be paid, if only temporarily, for helping build a perfect, seamless, borderless surveillance society. The companies will deny it. At the same time, they’ll be looking for solutions. China, Russia, and Brazil are too important to just get kicked out of – and other countries might follow suit.

Now, IBM et al. aren’t necessarily purely victim to the NSA’s massive surveillance practices: there likely are legitimate domestic market changes that are also affecting the ability of Western companies to sell product in China and other Asian-Pacific countries. But still, that NSA can be used to justify retreats from Western products indicates how even companies not clearly and directly implicated in the scandals stand to lose. One has to wonder whether the economic losses that will be incurred following the NSA revelations are equal to, or exceed, any economic gains linked to the spying.

Quote
Quote

I have posted before about the Tibetan attacks, because they offer good insights into this issue in general. But it’s not just the Tibetan activists and other outspoken critics of the Chinese regime that are targeted by this “GhostNet”. I work on Taiwan/China issues in Washington, D.C. Pretty much everyone in that community – be it academics, think tankers, NGO employees, and government officials – are consistently targeted by the kind of “social malware” attacks that are detailed in the two reports. These attacks are very sophisticated, making them really hard to spot, and they show intimate knowledge of what’s going on in the community. Let me give you two recent examples:

On March 26, the Pentagon released their annual report on the Chinese military. On March 27, I received an email ostensibly from one of the people responsible for Taiwan issues at the Pentagon. The email basically said “Hey, here is the expanded version of the report from yesterday, with some additional commentary on Taiwan. I thought you would find it useful”. Attached was a PDF named “China_Military_Power_Report_2009.pdf”, exactly like the official document released by the Pentagon. I work on Taiwan defense issues, so this would be very interesting to me were it real. However, I correspond with this person on a regular basis, and he usually signs his emails to me with his nickname. This email didn’t, which made me suspicious. A Virustotal scan confirmed that the attachment contained malicious software (only detected by 4/38 products, though) and a quick phone call confirmed that the person hadn’t sent an email like that.

In another recent attack, it was the name of the head of my organization that was used to try to trick recipients into opening malicious attachments. He had just returned from a visit to Taiwan, a trip that had been reported on in the Taiwan press. About a week after returning, he received an inquiry from a prominent researcher at a D.C. think tank, asking if he had sent the researcher an email with a trip report from his visit. He had not in fact sent such an email, although it wouldn’t have been unusual for him to do so. I spoke to the IT manager at the think tank, who confirmed that the researcher was indeed tricked into opening the attachment, and that it did contain malware.

And this was just in the last three weeks. I could go on for pages describing various things we have seen over the past two/three years (two more here), but you get the gist. For small NGOs like mine, protecting against infiltration, monitoring our systems for intrusions, and educating our staff to recognize potential hazards has become a huge drain on our already limited resources. The frustrating thing is that there is pretty much nothing we can do about it, except to remain diligent. But at least I’m glad that the issue is continuing to get coverage in the mainstream press.

* Gemmy, from a 2009 comment on GhostNet
Quote

The actors that represent the majority of users today, stakeholders from the South, the developing world, and the non-English segments of the net, will do more to shape the future of cyberspace than any discussions at the Pentagon or in policy circles in North America and Europe. To understand how and in what ways cyberspace will be characterized in years to come we need to think beyond the beltway, beyond Silicon Valley, and into the streets of Shanghai, Nairobi, and Tehran. The contests occurring in those spaces deserve our attention today, if for no other reason than that they provide a glimpse of the types of global issues that will drive cyberspace governance in the future.

* Ronald Deibert and Rafal Rohozinski, “Contesting Cyberspace and the Coming Crisis of Authority”
Link

Surprise: American Equipment Spies on Iranians

Steve Stecklow, for Reuters, has an special report discussing how Chinese vendor ZTE was able to resell American network infrastructure and surveillance products to the Iranian government. The equipment sold is significant;

Mahmoud Tadjallimehr, a former telecommunications project manager in Iran who has worked for major European and Chinese equipment makers, said the ZTE system supplied to TCI was “country-wide” and was “far more capable of monitoring citizens than I have ever seen in other equipment” sold by other companies to Iran. He said its capabilities included being able “to locate users, intercept their voice, text messaging … emails, chat conversations or web access.”

The ZTE-TCI documents also disclose a backdoor way Iran apparently obtains U.S. technology despite a longtime American ban on non-humanitarian sales to Iran – by purchasing them through a Chinese company.

ZTE’s 907-page “Packing List,” dated July 24, 2011, includes hardware and software products from some of America’s best-known tech companies, including Microsoft Corp, Hewlett-Packard Co, Oracle Corp, Cisco Systems Inc, Dell Inc, Juniper Networks Inc and Symantec Corp.

ZTE has partnerships with some of the U.S. firms. In interviews, all of the companies said they had no knowledge of the TCI deal. Several – including HP, Dell, Cisco and Juniper – said in statements they were launching internal investigations after learning about the contract from Reuters.

The sale of Western networking and surveillance equipment/software to the Iranian government isn’t new. In the past, corporate agents for major networking firms explained to me the means by which Iran is successfully importing the equipment; while firms cannot positively know that this is going on, it’s typically because of an intentional willingness to ignore what they strongly suspect is happening. Regardless, the actual sale of this specific equipment – while significant – isn’t the story that Western citizens can do a lot to change at this point.

Really, we should be asking: do we, as citizens of Western nations, believe that manufacturing of these kinds of equipment is permissible? While some degree of surveillance capacity is arguably needed for lawful purposes within a democracy it is theoretically possible to design devices such that they have limited intercept and analysis capability out of the box. In essence, we could demand that certain degrees of friction are baked into the surveillance equipment that is developed, and actively work to prevent companies from producing highly scaleable and multifunctional surveillance equipment and software. Going forward, this could prevent the next sale of significant surveillance equipment to Iran on grounds that the West simply doesn’t have any for (legal) sale.

In the case of government surveillance inefficiency and lack of scaleability are advantageous insofar as they hinder governmental surveillance capabilities. Limited equipment would add time and resources to surveillance-driven operations, and thus demand a greater general intent to conduct surveillance than when authorities have access to easy-to-use, advanced and scalable, surveillance systems.

Legal frameworks are insufficient to protect citizens’ rights and privacy, as has been demonstrated time and time again by governmental extensions or exploitations of legal frameworks. We need a normatively informed limitation of surveillance equipment that is included in the equipment at the vendor-level. Anything less will only legitimize, rather than truly work towards stopping, the spread of surveillance equipment that is used to monitor citizens across the globe.