China's Smart City AI Surveillance System Data Leak Suggests How The Government Monitors Its People

Dhir Acharya


Smart cities are meant to make people’s lives easier by clearing routes for better traffic, ensuring public transport runs on time, as well as monitoring with cameras.

Smart cities are meant to make people’s lives easier by clearing routes for better traffic, ensuring public transport runs on time, as well as monitoring with cameras. Considering how much management data involved in this surveillance system, imagine when it leaks.

It was discovered by security researcher John Wethington that the database of a smart city was left accessible from a web browser, with no password. The researcher then gave the info to TechCrunch.

The multi-gigabyte database, including hundreds of people’s facial recognition scans over months, belonged to Elasticsearch. Alibaba, a Chinese giant tech firm, hosted this data. The customer, whose name Alibaba didn’t reveal, chose its City Brain AI-powered cloud platform.

A spokesperson from Alibaba said that the database was generated by a customer, and it was hosted on Alibaba Cloud and that the company always advises customers to secure their own data by using a safe password.

Also, according to the spokesperson, the company had informed the customer about the leak so that they could take immediate measures. And as a public cloud service provider, the company cannot access the customer’s database. TechCrunch contacted Alibaba and it pulled the data offline not long after.

However, we can still view the system.

While AI tech for smart cities indicates how a city operates, surveillance projects and facial recognition have faced heavy scrutiny from civil liberties advocates. But surveillance systems and smart city are still making their way through privacy concerns to enter cities, including in China and other countries.

The system in this incident monitors residents in at least two eastern Beijing housing communities. It consists of many data collection points, with facial recognition cameras. With the exposed data, anyone able to access the data can view where and when the residents went, and for how long, allowing them to profile a person’s daily life.

The database contains several scans of facial recognition

Alibaba’s technologies such as City Brain help customer understands the information they gather from different sources, including door access controls, license plate readers, facial recognition, Internet-connected and smart devices.

City Brain helps surveillance cameras handle facial details like if someone’s mouth or eyes are open, whether they are wearing a mask or sunglasses, whether they are smiling or if they have beards, etc. In addition, the database includes the approximated age and an “attractive” score of a person.

But the systems have a darker side. Firstly, it labels people with a particular ethnicity like “汉族” for Han Chinese – the majority in the country, and “维族” for Uyghur Muslims – currently under Beijing’s persecution. While the police can use this data to identify suspects even without a name, there’s a risk of data abuse.

The UN human rights committee says that over the past year, the Chinese government has detained over one million Uyghurs in their internment camps. This move is under Beijing’s massive crackdown on the ethnic minority community. And this week, we just learned that the police has an app tracking Uyghur Muslims.

Furthermore, it was found by TechCrunch that the systems also collect data from the police, using it to identify criminal suspects or people of interest, which means the hidden customer may be the government.

Facial recognition scans match the police's real-time data

When the system detects a person, there will be a warning about the time, date, location, and a particular note. TechCrunch has seen several records showing residents’ names and national ID card numbers.

A record noted:

This means the record illustrates a specific camera spotted the face of a person included in the police watchlist. Many records associated with a watchlist indicate the reason for this surveillance, like “released from prison” or “drug addict.”

The system is also capable of giving alerts to the customer about control issues in building access, equipment failures, and smoke alarms. Moreover, it can monitor Wi-Fi-enable devices, like computers and phones, with sensors by Renzixing – a Chinese networking tech manufacturer. They put the sensors everywhere in the district. The database gathers the times and dates passing through its Wi-Fi network radius, it can also collect IMSI and IMEI numbers to identify a user.

While the system covered a small area with just a few dozen of cameras, data collection points, and sensors, the amount of information gather was huge. The database’s size has increased in the past week, meaning it’s collecting data actively.

Wethington stated that AI abuse and weaponization poses a real threat to everyone's security and privacy. It’s hard to tell whether such facial recognition systems poses advantages or disadvantages since there’s barely a definite line between good and bad uses of this tech. The pervasiveness of such systems still raises concerns over privacy, especially to the liberties group.

However, it’s inevitable that these systems are developing and getting more and more powerful as well as ubiquitous, companies can start by making sure the data they collect does not leak.

Next Story