China’s Communist government has never shown much concern for the privacy of Chinese citizens. If you have something to hide, the thinking goes, we probably need to know it. In one form or another, surveillance and monitoring have evolved into a well-honed form of social control. And as a result, neither companies nor consumers have traditionally had very high expectations for individual privacy.
That might’ve been fine before more than 700 million Chinese went online, and before the government began counting on sectors such as e-commerce to ease the economy’s dependency on investment and exports. If China’s biggest online players want to chart a bigger role for themselves at home and abroad, they’re going to need to start taking privacy much more seriously.
The problem came into sharp focus this month, with new data showing that Chinese police had arrested 4,261 suspects in 1,886 cases related to the theft of personal information last year. That’s a steep increase from prior years. Between 2010 and 2014, there were roughly 260 prosecutions under China’s law prohibiting the sale of personal information. Last year’s suspects included nearly 400 “industry insiders” in banking, e-commerce, telecommunications and delivery services. One estimate placed losses related to these reported crimes at $13.2 billion. Almost certainly, the scale of the problem is much bigger.
Several factors have made Chinese vulnerable to identity theft. One is cultural. Broadly speaking, Chinese society favors collective rights over individual ones. Privacy, except for the wealthiest and most powerful, has historically been a rare luxury, especially in a country where households were typically crowded, multigenerational and located in tightly knit rural communities. Compared to the snooping most people accepted at home, the government’s poking around in one’s business probably didn’t feel like such an extreme violation.
Companies have taken advantage of this lackadaisical attitude. The service agreement for Alibaba Group Holding’s “Alipay” mobile payments system grants Alipay carte blanche, in perpetuity, to disclose user information to third-party vendors; this can include behavioral profiles based on transaction and location history. Users have almost no recourse if they feel that the data has been misused.
And Alipay is hardly alone. Tencent Holdings, China’s biggest video game company and owner of its most popular social media programs, ranks well below international peers like Google, Facebook and Twitter in its efforts to protect user data. According to a 2015 survey by a Chinese internet security organization, 44 percent of Chinese websites had security vulnerabilities that led to data leakages.
Cyber-thieves have little to fear from the law. Earlier this month, Chinese police arrested a ring of 96 suspects involved in pilfering personal data; one was an engineer at JD.com, one of China’s biggest internet retailers, who had a record of doing the same thing at other internet firms. Many third-party brokers ply their trade in the open.
In one recent, high-profile example, a journalist with one of China’s leading newspapers reported how he was able to obtain a colleague’s banking information, real estate transaction history, hotel reservations, border entry-exit records and travel information for roughly $100. When he tried to report the third-party service he’d hired to provide the data, multiple law enforcement agencies brushed him off.
China can no longer afford that kind of complacency. If Chinese consumers lose faith in local internet companies, the government’s efforts to promote technology and innovation are certain to struggle. And whatever their previous attitudes toward online privacy have been, Chinese are growing more demanding as mobile commerce has become tightly integrated into middle-class lives. Chinese social media exploded with outrage last summer when an 18-year-old high school graduate suffered a fatal heart attack after losing her personal information and being defrauded of her tuition. Newspapers were soon flooded with accounts of similar scams.
Concerns about data security will also cramp Chinese companies’ ambitions to expand overseas. China wants firms such as Alibaba and Tencent to be global brands no less than Facebook or Google; Tencent’s WeChat, China’s most popular social media platform, has more than 70 million users overseas and aspires to more. But if they can’t prevent user data from leaking at home, consumers abroad aren’t likely to trust them either. In 2014, Target saw its profits halved after hackers stole credit card and other personal information from as many as 110 million customers. Chinese companies, largely unknown outside of their home markets, have the added burden of making a good first impression.
The good news is that a consensus is growing in China that the problem must be addressed. Any solution will have to start with the government writing national standards on protecting online data. It can’t end there, though. Earlier this month, during China’s National People’s Congress, Tencent CEO Pony Ma called for standards to be combined with a national system for reporting data breaches, allowing companies like his to close leaks as soon as possible. Such a system might help deter data thieves. More importantly, it would be a reminder to China’s online masses that they, too, have a role to play in protecting their privacy.