🔌🇨🇳🇮🇳CIN #12 - What happens to all the data?🤷🏼‍♂️

As health surveillance kicks into overdrive, people begin to wonder whats going to happen to all their personal data collected in the coronavirus fight

ChinaIndia Networked is a (semi) regular newsletter by me, Dev Lewis, highlighting the networked relationship between the two regions at the intersection of technology, society, and politics. I’m a Fellow at Digital Asia Hub and Yenching Scholar at Peking University.
Follow me on Twitter or write to me at devlewis@protonmail.com.

Welcome to issue 12 of ChinaIndia Networked.

You may recall issue 9 , back in February, raised tech as an ambient part of the COVID-19 new normal, and how data sharing and surveillance is enabling contact tracing and enforcing social distancing.

I also wrote this:

The COVID-19 epidemic is no longer a pure China story anymore, with Japan, South Korea, Singapore, Italy, already seriously affected, and eyes now on the US. ‘The China model’ is already being talked up by the WHO and the Chinese government. Societies around the world may face a testing time confronting the surveillance-liberty dilemma, although lets hope it doesnt get to that point.In China the big question is how much of the mechanisms will stay in play well after the epidemic.

We’ve reached that point.

Dozens of countries around the world are rolling out their own health surveillance apps and devices. India introduced Aarogya Setu, developed by MietY and Niti Ayog, that uses Bluetooth and GPS to detect if you’ve had close contact with a COVID-19 patient—and then theres the selfies! If you have not had to use your country’s app yet its probably just a matter of time.

In China the app is called healthcode 健康码, a public-private effort between Alicloud and Tencent, that aggregates data from companies, as well as government ministries like health, aviation, and railways. Its now got national recognition by the State Council to be used across the country and local governments are to set up Personal Healthcode Information platforms个人健康码等信息平台.

Technology interventions during a health crises typically fall into the following categories, writes CIGI’s Sean Mcdonald: contact tracing, testing and responder capacity, early warning, quarantine and social control, and research and cure.

Contact tracing is an interesting one. A centuries old method of tracing the spread of a disease, it traditionally relies on a the recall of a person who tested positive for a disease— where they went, who they met, etc. Naturally this can be cumbersome and inefficient, and ripe to be super charged by the world’s most powerful surveillance device—our smartphones. This kind of close contact tracing in South Korea, Taiwan, and Singapore is credited to play a key role in early containment of COVID-19.

You may be sitting at home anticipating the end of quarantine and for life to get back to normal but the world we’re about to re-enter is not the same one we left. The virus is not going anywhere —at least not in any meaningful way until we have a vaccine, some 12-18 months from now. The threat of the so-called second wave can send us back to where we started. But we cant just keep sitting at home hiding it out, right?

Introducing thecoronavirus trilemma

(countries) can pick two of three things but cannot have them all: limit deaths, gradually lift lockdowns, or uphold cherished civil liberties. Not all countries are facing up to this reality – the US remains a notable laggard – but most will have to eventually. Those countries that have recognised the choices before them are picking the first two options at the cost of the third, bio-surveillance. It is a choice that has most clearly been made in east Asia. But it is coming to much of the rest of the world too – and will transform the role and reach of the state. 

Soberingly the equation seems clear: your whereabouts and health-info in exchange for the liberty to leave your house and interact with society

In China, before the apps and automated surveillance, in the initial days of the outbreak, to enable contact tracing, every residential community, grocery store, and office building, across the country, become a data collector. Armed with a good o’l pen and paper in hand, the personal information (name, phone, body temperature, national ID) of every person that entered or left is logged.

With the immediate threat of the pandemic appearing to be in its closing stage, questions are being asked: What will become of this data? Who will be responsible if a citizen’s personal information is leaked due to lax data privacy practices? Some citizens are already feeling the implications as phone scams are one on the rise again and many reckon this is directly due to data leaks. This is the topic of this week’s translation, a piece by Southern Metropolis Daily journalists who are asking these question.

We know from surveillance studies and thinkers like Foucault, surveillance is linked to power and existing political, religious, socio-economic, and other divisions in society. As we learn in this story, migrant workers from Hubei must navigate this web to simply to return back to their old lives and homes. In India will the Tablighi Jamaat saga become the start? Need I remind you, all this data collection is happening while India still doesnt have a data protection law.

I’m not predicting doomsday. There are several privacy enduring techniques that people are working on, relying on encryption, protecting anonymity, local device based storage, to name a few. Privacy is not dead, it just got a whole lot harder. As these apps kick in its effectiveness needs to be investigated, as well as the numerous security and design flaws, problems with false positives, and societal harms. This is a thread i’ll continue following in China but also elsewhere.

Finally, last week I kicked off a discussion thread to hear more from YOU. Several subscribers responded and its been interesting to hear what peoples’ quarantine looks like, and what issues are being raised—👉🏽I encourage you to join in.

if you were forwarded this subscribe now for regular updates to your inbox. If you enjoy reading this newsletter consider sharing this with 1 friend or colleague—spread the love.



Store or delete? Who will be responsible for the aftermath of wide-spread data collection during the pandemic?

南方都市报 Southern Metropolis Daily
南都记者蒋琳 Jianglin, Southern Metropolis reporter
南都个人信息保护研究中心研究员尤一炜 You Yiwei, Southern Metropolis Personal Information Protection Research Center Researcher

This translation first appeared on Technode’s members-only weekly newsletter. Start your free trial to get instant access to in-depth coverage of China’s tech industry.

Yingying (pseudonym) recently was the victim of an attempted fraudulent credit card fraud during which the scamster used her name and ID to identify her.

She reckons information she submitted during the epidemic has been leaked.

Yingying left Beijing for her hometown of Suizhou in Hubei before Chinese New Year, and she has been there the whole time since the outbreak. On March 8, she was added into a WeChat group of 100 “Workers unable to return to Beijing,” set up by her Beijing neighborhood committee to facilitate their eventual return.  On joining the group, everyone was asked to change their group alias to include their "name + phone + community name,” as well as regularly monitor and update their body temperature. A few days later, they were asked to submit detailed personal information, including ID numbers, addresses in Beijing, the names of others staying in the current address, and their relationship. "They say they were instructed by their superiors, but didn’t specify who exactly," she says. 

Individuals messages with this information were sent directly within the, group visible to all other members. “If I had a mind to, I could leak the names, ID numbers, mobile phone numbers, and family members of everyone in the group,” she said.

Qingdao netizen Xiaofei (pseudonym) experienced even more bewildering demands for information. To return home, he had to fill out a form issued by his property management company, asking for ethnicity, party member status, education, height, blood type, marital status, WeChat ID, and a lot more. “How is the size of your house, your height, your blood type, your marriage, WeChat, etc. related to epidemic prevention?" asks a very puzzled Xiaofei. 

What if they never delete the data?

Assume a simple daily itinerary like this: one leaves one’s apartment complex, takes the bus, enters an office building, goes to the supermarket to buy food, and then a pharmacy to buy medicine.  A person may need to register their personal information five times a day to different collectors—with how the data is treated up to each collector. Due to the real-name registration system that continues to be implemented, supermarkets, and pharmacies have also joined the ranks of "big fish” collecting personal information—and thus become potential sources for major data leaks.

Compared with paper registrations, the alternative is QR code-based registration, which is more convenient and makes it easier to secure data. If a government department is backed this system, it is naturally easier for it to gain trust. However, because the data processing rules are not transparent enough, even the Health Code (Jiankang Ma) launched by the National Government Service Platform, which asks for similar information to provide health verification to resume work, has been questioned by netizens.

What will happen to such sensitive personal information after the epidemic?

Southern Metropolis reporters sifted through the publicly available information and found that only Yunnan Province gave a clear answer.

As early as Feb. 12, Liu Yuewen, the leader of the Big Data Expert Group of the Yunnan Provincial Public Security Department, publicly stated that the information collected during the epidemic was to be used only for epidemic prevention and control, adding that at the end of the epidemic the data will be destroyed and not used for any other purpose.

The staff of a restaurant that Xiao Wei often visits, which uses a paper personal information registry, told this journalist that its data is only used for close contract tracing will not be given to any government department, and it may only be stored for a period of time after the epidemic. Staff in the community where Yingying is located said all the collected data will be archived in the computer of the local committee and submitted to the Municipal Prevention and Control Headquarters. There is a possibility it may not be deleted after the epidemic.

In fact, many people do not know who they are really giving their information to and how it will be processed after the epidemic. Several netizens have questioned the need for maximum data collection, the lack of clarity on data processing, as well as the measures in place to ensure personal information is not leaked. 

These concerns are not groundless.

In late January, Southern Metropolis reported that the information of more than 7,000 Hubei returnees was circulated among various relatives, friends, and colleagues by Wechat. People received harassing phone calls and text messages as a result. In a case recently cracked by the Changxing police in Huzhou, Zhejiang, the manager of a fast-food chain restaurant took advantage of his position to collect the ID photos of 61 applicants and employees and deceive a pharmacy's ID card identification system to purchase 30 rationed masks. 

The principles are there—but the key lies in implementation 

On Feb. 9, the Central Cyberspace Office issued the "Notice on doing a good job in protecting personal information and using big data to support joint prevention and control" (the "Notice"), ordering that any agency or individual, other than agencies authorized by the State Council’s health departments, shall not use the grounds of epidemic prevention and control or disease prevention to collect and use personal information without the consent of the person whose data is being collected; they shall not use data for other purposes.

However, based on information in the public sphere, Southern Metropolis reporters find that almost no document clearly states how data will be processed after the epidemic.

According to a previous survey initiated by Southern Metropolis, 75.8% of netizens say their personal information was collected during the epidemic. Of them, 70% said they knew the purpose of collecting the information, and just 20% knew how their data would be processed after the outbreak.

Some believe that personal information could be turned to commercial ends by merchants, tied to the sale of financial, insurance or medical supplies, or even fraud. This is exactly what the public is worried about.

“The Notice has actually stated general requirements. All the information collection agencies need to do is implement what the document requires," says Zuo Xiaodong, deputy director of the China Academy of Information Security, argues that local Prevention and Control Command Departments should mandate comprehensive personal information protection protocols when requesting the collection of information. “Data collection is not a trivial matter".

He said that the problem lies in the fact that many Prevention and Control Departments do not have any awareness about protecting personal information. He believes that in addition to biographic information, data through which a person's location can be determined should in principle be destroyed. In the event of a leak, the local Prevention and Control Command should share responsibility with the collecting agency.

Fu Weigang, Executive Dean of the Shanghai Institute of Finance and Law, also argues that the most secure way to protect personal information collected during the epidemic is to destroy it, but says that whether it can be done is another issue. "Logically, whoever requests collection is responsible for the processing." He suggested that notices should be issued to collection agency requesting them to properly store or destroy the data. 

In addition, the relevant departments that oversee personal information protection also have regulatory authority. For example, Zuo Xiaodong said that the market supervision department can supervise merchants: if it is collected through apps, it can be handled by the Internet Information Office and the Ministry of Industry and Information Technology; once a crime is suspected, the public security department will definitely strike.

Zuo said that in epidemic prevention and control, personal information collection lacks established protocols and past experience to follow, which inevitably leads to chaos. In the future, a top-level design should be planned in advance for any major public safety incidents and a coordination mechanism should be established, as well as unified command.

💽🎛Networked Ears and Minds

One album from the independent music scene around the country—because if you’re interested in China and not listening to music coming out of here you’re not doing it right.

Song Dongye 宋冬野 - Banma Banma

Song Dongye is a Beijing-born, folk and ballad singer and song writer, and everything about his songs —the melody, lyrics, vocals, are really beautiful. In fact the whole album is great and my two other picks are Dong Xiaojie 董小姐 and Anheqiao 安河桥.