China’s Surveillance State Is Causing a Problem With Data Leaks

Karen Hao, Wall Street Journal:

Tens of thousands more databases in China remain exposed on the internet with no security, totaling over 700 terabytes of data, the largest volume of any country, according to LeakIX, a service which tracks such databases.


All countries struggle to keep their data protected. The U.S. is second to China with nearly 540 terabytes of data left open on the public internet, LeakIX’s analysis shows. China is unique, however, for the comprehensive and sensitive nature of its exposed data — a consequence of the way it centralizes multiple streams of information from government and corporate sources on state-run surveillance platforms.

This is a well-reported story that is absolutely worth your time. Like most Journal articles, I believe it may be paywalled, but I hope you can find a way to read it.

In April, Aric Toler of Bellingcat observed how data Yandex Food was legally obligated to retain, leaked to the web, could be combined with other information to depersonalize it and reveal the names of GRU agents. But the LeakIX chart published by the Journal indicates that Russia, somehow, has fewer leaky servers than China, the U.S., or even Finland.[1]

It is astonishing to see how much leakier China and the U.S. are compared to anywhere else LeakIX is monitoring. But there are differences: Chinese companies are required by law to store massive amounts of information, while American companies often do so based on — please forgive the trite terminology — surveillance capitalist initiatives. Another difference? Given its semi-isolation from much of the rest of the world, the data stored on leaky servers in China is likely domestic, but I would be surprised if that is the case for American servers.

This shows how important data minimization is. If user information is not being stockpiled — for ad targeting or universal surveillance — and unnecessary information is regularly being flushed, there is little to leak. Organizations in authoritarian states do not get to make that decision. Elsewhere, though, it is a choice.

  1. That is not to say it does not have a security problem. Bellingcat has occasionally relied upon Russia’s underground data market.