Investigative Report: How Mass Surveillance Works Inside China

(HRW) – Chinese authorities are using a mobile app to carry out illegal mass surveillance and arbitrary detention of Muslims in China’s western Xinjiang region. The Human Rights Watch report, “China’s Algorithms of Repression: Reverse Engineering a Xinjiang Police Mass Surveillance App,” presents new evidence about the surveillance state in Xinjiang, where the government has subjected 13 million Turkic Muslims to heightened repression as part of its “Strike Hard Campaign against Violent Terrorism.”

Between January 2018 and February 2019, Human Rights Watch was able to reverse engineer the mobile app that officials use to connect to the Integrated Joint Operations Platform (IJOP), the Xinjiang policing program that aggregates data about people and flags those deemed potentially threatening. By examining the design of the app, which at the time was publicly available, Human Rights Watch revealed specifically the kinds of behaviors and people this mass surveillance system targets.

Download Full Report: https://www.hrw.org/sites/default/files/report_pdf/china0519_web3.pdf

“Our research shows, for the first time, that Xinjiang police are using illegally gathered information about people’s completely lawful behavior – and using it against them,” said Maya Wang, senior China researcher at Human Rights Watch. “The Chinese government is monitoring every aspect of people’s lives in Xinjiang, picking out those it mistrusts, and subjecting them to extra scrutiny.”

Human Rights Watch published screenshots from the IJOP app, in the original Chinese and translated into English. The app’s source code also reveals that the police platform targets 36 types of people for data collection. Those include people who have stopped using smart phones, those who fail to “socialize with neighbors,” and those who “collected money or materials for mosques with enthusiasm.”

The IJOP platform tracks everyone in Xinjiang. It monitors people’s movements by tracing their phones, vehicles, and ID cards. It keeps track of people’s use of electricity and gas stations. Human Rights Watch found that the system and some of the region’s checkpoints work together to form a series of invisible or virtual fences. People’s freedom of movement is restricted to varying degrees depending on the level of threat authorities perceive they pose, determined by factors programmed into the system.

A former Xinjiang resident told Human Rights Watch a week after he was released from arbitrary detention: “I was entering a mall, and an orange alarm went off.” The police came and took him to a police station. “I said to them, ‘I was in a detention center and you guys released me because I was innocent.’… The police told me, ‘Just don’t go to any public places.’… I said, ‘What do I do now? Just stay home?’ He said, ‘Yes, that’s better than this, right?’”

The authorities have programmed the IJOP so that it treats many ordinary and lawful activities as indicators of suspicious behavior. Some of the investigations involve checking people’s phones for any one of the 51 internet tools that are considered suspicious, including WhatsApp, Viber, Telegram, and Virtual Private Networks (VPNs), Human Rights Watch found. The IJOP system also monitors people’s relationships, identifying as suspicious traveling with anyone on a police watch list, for example, or anyone related to someone who has recently obtained a new phone number.

Based on these broad and dubious criteria, the system generates lists of people to be evaluated by officials for detention. Official documents state individuals “who ought to be taken, should be taken,” suggesting the goal is to maximize detentions for people found to be “untrustworthy.” Those people are then interrogated without basic protections. They have no right to legal counsel, and some are tortured or otherwise mistreated, for which they have no effective redress.

The IJOP system was developed by China Electronics Technology Group Corporation (CETC), a major state-owned military contractor in China. The IJOP app was developed by Hebei Far East Communication System Engineering Company (HBFEC), a company that, at the time of the app’s development, was fully owned by CETC.

Under the Strike Hard Campaign, Xinjiang authorities have also collected biometrics, including DNA samples, fingerprints, iris scans, and blood types of all residents in the region ages 12 to 65. The authorities require residents to give voice samples when they apply for passports. All of this data is being entered into centralized, searchable government databases. While Xinjiang’s systems are particularly intrusive, their basic designs are similar to those the police are planning and implementing throughout China.

The Chinese government should immediately shut down the IJOP platform and delete all the data that it has collected from individuals in Xinjiang, Human Rights Watch said. Concerned foreign governments should impose targeted sanctions, such as under the US Global Magnitsky Act, including visa bans and asset freezes, against the Xinjiang Party Secretary, Chen Quanguo, and other senior officials linked to abuses in the Strike Hard Campaign. They should also impose appropriate export control mechanisms to prevent the Chinese government from obtaining technologies used to violate basic rights. United Nations member countries should push for an international fact-finding mission to assess the situation in Xinjiang and report to the UN Human Rights Council.

Full 78 Page Research Presentation: https://roguemedia.co/wp-content/uploads/2019/05/china0519_web3.pdf


This article was originally published by Human Rights Watch on May 2nd 2019. It was republished, with permission, using a Creative Commons BY-NC-ND 3.0 US License, in accordance with the Terms & Conditions of Human Rights Watch | Formatting edits, Tweets, Videos and pdf added/embedded by Rogue Media Labs

European Parliament Approves Vote To Create International Biometric Database To Secure EU Border Countries

Last week the European Parliament approved the establishment of an international biometric database referred to as the Common Identity Repository (CIN), a means to better help international authorities in securing EU borders. According to the system’s parameters, the database will include identity records, including names, dates of birth, passport numbers, and other personally identifiable information, in conjunction with biometric information such as fingerprints and facial scans of both EU and non-EU citizens – estimated to encompass roughly 350 million individuals at the start.

More specifically, according to EU officials, “the systems covered by the new rules would include the Schengen Information System, Eurodac, the Visa Information System (VIS) and three new systems: the European Criminal Records System for Third Country Nationals (ECRIS-TCN), the Entry/Exit System (EES) and the European Travel Information and Authorisation System (ETIAS).” Officials explained that the move is part of an effort to consolidate multiple databases into one browsable place, speeding up the work of border security officials and making it much easier, while also bringing civilian records into the 21st century.

That said, the vote is not without controversy. In May 2018, in anticipation of this very move, an organization known as State Watch published an investigative report into the pitfalls, shortcomings and privacy violations such a database presents – see the pdf accompanying this article below. Additionally, the FBI has come under heavy scrutiny for similar databases in the US, ultimately being forced to go to court after it was revealed the agency had been secretly stockpiling the biometric records of US citizens without alerting them to this – a clear violation of the US Privacy Act in 2016. While a federal judge did finally rule in their favor in 2017, it was later revealed that the FBI’s biometric database was hacked by the CIA, which was later hacked by Russia, meaning that all US biometric data once owned by the US Government is now out in the wild. For obvious reasons, these are all situations and lessons the EU should look to learn from as it moves forward with this new initiative.

Copy – State Watch Investigation: https://statewatch.org/analyses/eu-interop-morphs-into-central-database.pdf

Download CIN Presentation: https://www.securityresearch-cou.eu/sites/default/files/02.Rinkens.Secure%20safe%20societies_EU%20interoperability_4-3_v1.0.pdf

Common Identity Repository (CIN) Slideshow Presentation: https://roguemedia.co/wp-content/uploads/2019/04/02.Rinkens.Secure-safe-societies_EU-interoperability_4-3_v1.0.pdf

The Revolution Is Here, Edje Electronics Develops Biometric Reader for Cats

Admittedly, I am writing this article just for fun, but it is also pretty cool at the same time (🤓). In a concept released to the public for the first time on December 18th, the owner of Edje Electronics, a small business startup, has officially built the framework of a new cat biometric application, sending notifications via text message every time the system detects his pets want to go outside or come back in.

The biometric reader was written in Python using TensorFlow object detection software running on a Raspberry Pi, with a Pi Camera board tracking the biometric facial expression of his pets every time they go near the back door of his house. Depending on how the animal moves or behaves, a text message is then sent to a phone letting its owner know if their pet wants to leave the house or come back inside. For example, utilizing the system featured in the video demonstration below, if the web cam picks up on a cat staring outside the door for ten seconds, a text message is sent to a cell phone letting the cat’s owner know to let it outside, and vice versa. A full tutorial on how you can go about setting this up for your pets, as well as what the system looks like, is available in the web tutorial below.

Researchers Working To Develop Biometric “Master Key” To Bypass Fingerprint Authentication

Researchers at New York University (NYU) and Michigan State University (MSU) are attempting to develop a revolutionary new means of bypassing biometric fingerprint authentication. To do this, developers are attempting to create synthetic digital fingerprints composed of multiple images of actual fingerprints superimposed onto one another. Using these different combinations of fingerprints, researchers then attempted to employ a dictionary-style hacking attack against biometric authentication systems, hoping to fool, trick or bypass them. What they found was interesting.

Within a given margin of error, hackers were able to successfully bypass every biometric fingerprint authentication system in front of them. More specifically, hackers were able to bypass systems with a 1% False Match Rate (FMR) 76.67% of the time. At an FMR of 0.1%, hackers were able to bypass the system 22.5% of the time, and at an FMR of 0.01%, hackers were able to bypass the system 1.11% of the time. Their research paper, entitled “DeepMasterPrints: Generating MasterPrints for Dictionary Attacks via Latent Variable Evolution,” outlining their design, methodology, analysis and conclusions, was officially released to the public last month.

Download the full paper here: https://arxiv.org/pdf/1705.07386.pdf

Head of Cyber Security for 2020 Olympics Admits He Has Never Used A Computer

Unfortunately, this is a very real headline. As was first reported by Kyodo News, a Japan-based news firm, Japan’s chief cybersecurity strategist, Yoshitaka Sakurada, has personally admitted that he has never used a computer. According to the paper, this revelation came during a Government hearing in a session of Japan’s lower house on Wednesday, November 14th 2017. To get the quote exactly right, Sakurada said “Since I was 25 years old and independent, I have instructed my staff and secretaries. I have never used a computer in my life.” He explained that he believes he need not feel any shame for accepting the position, believing that cybersecurity will rely on the collective actions and efforts of the Japanese Government as a whole, not solely upon himself.

However, this news is particularly troubling considering the fact that Mr. Sakurada will be in charge of mitigating attacks ahead of and during the 2020 Olympic games in Tokyo, Japan. It is important to note that Sakurada was only elected to this position last month and, given his statement this week, may see his time in office come to an end sooner rather than later – if other lawmakers in Japan have their way, that is. Regardless, for the time being, he very well may be the most under-qualified person to serve in such a position since Donald Trump appointed Rudy Giuliani to be his “Chief Cyber Security Strategist” in 2016.

Cybersecurity ahead of the 2020 games will also be critically important, not just because the country is surrounded by APTs in China, Russia and North Korea, all of which consider Japan more of an enemy than an ally, but also because the 2020 games are set to debut the world’s first biometric currency exchange. This means that people who attend the games will be allowed to buy, sell and carry out transactions using nothing more than their own fingerprints – something never before seen. Besides attempting to be revolutionary and push the envelope, Japan’s biometric currency system will be established in an attempt to cut down on the theft, robbery and crime that plagued tourists during the 2016 Olympic games in Brazil.