Aug 08, 2017 05:22 PM

In Depth: Big-Data Collection Becomes Big Headache in China

China's lucrative market in internet users' personal information has sparked concern about privacy leaks. Photo: Visual China
The explosion of e-commerce and internet finance in China created a huge market of personal information to trade and sell — and also forged a massive big-data industry that grew rapidly and got ahead of regulators.

The highly valuable pieces of data from average people tapping their way through their days on smartphones and computers nourished a chain of business that stitches together government agencies, telecom operators, data dealers, tech firms and other players.

Many of the big players in big data are household names in China, like Tencent Holdings Ltd. and Alibaba Group Holding Ltd. But the lucrative market has also attracted con artists, such as phone scammers allegedly behind the death of a 19-year-old student whose information regarding financial aid may have been leaked.

“The entire data industry is trading personal information” in a way that causes systemic abuses of privacy, said an industry source. “It has been an open secret.”

Plugging the leaks

Most big-data companies say they obtain data legally. But some experts in the field wonder how it was possible for them to have gathered so much data in such a short period of time.

Meanwhile, more and more businesses are emerging in the loosely regulated market. Mushrooming startups, for example, offer data mining and processing services to internet finance and credit scoring companies to assess investors’ financial records and control risks. But the wide scope of data they handle, including personal identity, contacts and financial records, has sparked concerns about privacy leaks.

A 2013 guideline issued by the Ministry of Industry and Information Technology required companies and organizations to get users’ consent before collecting their important personal data, such as identity and contacts. The guidelines also prohibited companies and organizations from saving personal data after use. But the guidelines were not legally binding and have been only loosely implemented.

With so much data-collection taking place, it is no surprise that four out of five internet users say they have experienced a private-information leak, according to a survey released in June 2016 by the Internet Society of China, a non-government industry association.

The frequency explains the public uproar and demand for internet-privacy protection.


So far, Chinese authorities have responded by cracking down harder on data leaks and illegal trading of information. Since March, 4,800 suspects have been arrested nationwide for allegedly hacking and stealing more than 50 billion entries of private information. Meanwhile, police detained 22 people in China on suspicion of selling iPhone user data for a total of 50 million yuan ($7.4 million).

China also put into effect its first Cybersecurity Law on June 1. It consolidates and expands many of China’s existing laws and regulations that touch on privacy protection and sets clear requirements on how personal data should be collected and used for business purposes.

An interpretation of the new law issued by the Supreme Court and the Supreme Procuratorate on the same day toughened up punishment for privacy violations. The judicial interpretation document made clear that information about people’s location, private contacts, financial records and health conditions is sensitive and should be strictly protected. Tech firms must obtain permission before collecting such personal information and must clearly disclose the purpose of the data collection.

Under the new law, unauthorized collection, disclosure and receipt of a person’s personal information could lead to hefty fines or criminal charges.

The new cybersecurity law “will block the business chain of illegal collecting and using of private data,” said Guo Dagang, secretary general of the Beijing P2P Association.

Strict implementation of the new law may put many existing big-data companies at risk of prosecution, said Han Honghui, a data security expert at the Beijing P2P Association.

“If you dig deeply about the sources of their data and ask about whether the data are used with consent, most big-data companies won’t have a clear answer,” Han said.

The Ministry of Public Security, which oversees law enforcement in China, is investigating 15 big-data companies for alleged privacy violations, Caixin learned from separate sources. The investigation list may expand to more than 30 companies, sources said.

In late July, the public security ministry partnered with three other central government agencies in a separate effort to evaluate privacy protection measures of popular internet services, including Tencent’s messaging app WeChat and Alibaba’s e-commerce service Taobao.

“Personal-data leakage is hurting everyone now. Big-data companies shouldn’t sacrifice customers’ privacy for the sake of their business growth,” said a criminal investigation expert at the People's Public Security University in Beijing.

Wild growth

Big-data companies engaging in data gathering, mining and analysis have burgeoned in China since 2013, alongside the boom of the internet finance industry. Big-data technology offers an effective solution for financial market players to assess customers’ credit records and manage risks.

Dozens of big-data startups popped up and became darlings of investors. Forerunners, such as Beijing-based 100Credit Financial Data Services Inc., established in 2014, and Hangzhou-based Tongdun Technology, founded in 2013, have finished rounds of fundraising and are preparing for their respective public listings.

Apart from emerging internet lending and financial services companies, traditional banks increasingly rely on big-data companies to get customers’ data. “Big-data companies can not only help banks target potential clients more precisely, they also provide more abundant and diverse data to improve customers’ profile for better risk control,” a bank staffer said.

Many small banks have fully relied on big-data companies for risk management, said a credit card department staffer of the Industrial and Commercial Bank of China, the country’s largest bank.

According to Tongdun Technology, the company has accumulated more than 30 million entries of personal records with bad credit history in four years of business operations. That is 10 times more than the 3 million entries that credit card centers of China’s eight-largest joint-stock commercial banks combined gathered over the past decade.

Tongdun said daily searches for credit records in its database reached 5 million in mid-June, compared to the over 6 million searches in the National Citizen Identity Information Center (NCIIC) under the Ministry of Public Security and 2.5 million visits to the central bank’s Credit Reference Center (CRC).

“The biggest concerns are the sources of the data and the access to many sensitive personal data,” said Han, the data security expert, adding that many big-data companies are gathering individuals’ locations, IP addresses and other private information when analyzing their credit records, which can be deemed illegal under the newly enacted cybersecurity law.

Unlike e-commerce platforms that collect data from their own customers, big-data companies usually get data through web crawling or purchase it from other data sources, said a commercial bank’s credit card executive. But their data gathering practices are facing mounting legal concerns.

“We have discussed again and again whether we should use these data (provided by big-data companies) or not. If not, we will be in a weak position in the competition with internet finance firms as they are all using the data. But we do have concerns that it will encourage illegal activities if we use the data,” the executive said.

Web crawling and other advanced technologies allow companies to extract data from open and authorized sources, such as e-commerce sites where users registered with their personal data. But even if the data is gathered from authorized sources, data-gathering companies should still obtain clear consent from individuals to collect their personal data, a law professor at the People's Public Security University said.

But in practice, some crawler software is embedded in mobile apps, and users give the crawler access to their phone data without realizing it when they agree to the installation of the apps. “They have no idea how their private data were stolen,” a data industry source said.

Experts and regulators are especially concerned about data purchase. Small data dealers in the black market sell the data, which are usually obtained through illegal methods, the source said.

Big-data company Tianji Shuji markets data products, including people’s social security information, private vehicle records and online shopping records, company documents show. But industry sources said there is no official source providing private information such as vehicle records for commercial use in China, raising questions about the source of the data.

A company document from Tongdun shows that the company’s database consists of millions of entries of data from e-commerce providers, public security departments, courts and telecom operators, without mentioning whether it has been authorized to access and gather these data.

“The big-data industry is growing too fast, fueled by various supportive policies. But with inadequate protection on privacy, these policies have become an umbrella,” protecting the violators, said the data industry source.

Tracking the source

More than 90% of Chinese people’s personal identification information is ultimately controlled by government-backed agencies, mainly the NCIIC, the three state-owned telecom operators and banks.

The NCIIC offers identity verification services through eight authorized agents, including China GZT Technology Inc. and E-Capital Transfer Co. Financial institutions such as online payment companies pay millions of yuan for one-year access to the NCIIC’s database to verify the identification of their clients.

But a source close to the NCIIC told Caixin that many payment companies with access to the database are offering identity verification services for other companies without authorization. Some payment companies’ search volumes in the database are far exceeding their actual business capacity, the source said.

“Many payment companies make millions of searches every month, although only 100,000 searches should meet their actual demands based on user number,” he said.

China Telecom Corp. Ltd., China Mobile Communications Corp. and China Unicom are also main sources of personal identity data as they control users’ real name, ID information and telephone numbers.

Industry sources told Caixin that each of the telecoms has set up subsidiary companies offering data services, including users’ phone-bill payment records, location and internet-connection data, to credit scoring companies and other clients, even though a 2013 regulation by the Ministry of Industry and Information Technology restricted telecom operators from gathering and selling users’ information without permission.

Several credit-scoring company sources told Caixin that Union Mobile Pay Ltd., China’s largest text message service provider founded by China Mobile and China UnionPay, provides detailed personal information involving so much private information that the credit-scoring companies “dare not use” it.

A product document viewed by Caixin showed that Union Mobile Pay offers data such as an individual’s bank-card number and balance, monthly transaction records and cellphone number. An industry source said Union Mobile Pay obtained the data by analyzing text messages about account information it sent to bank-card holders for banks.

Zhang Ge, Union Mobile Pay’s financial information department head, said the company sent 110 billion text messages for banks, securities firms, insurers and fund managers to their clients.

A source close to Union Mobile Pay said there is a risk of privacy violation.

“Union Mobile Pay processes the data and sells the financial related information to financial risk control departments and debt collectors. It puts private information at risk,” the source said. Union Mobile Pay has halted its data business amid tightening scrutiny on cybersecurity and privacy protection, several sources said. Union Mobile Pay declined to comment.

Tightening oversight

The Cybersecurity Law is expected to revamp the big-data industry, setting strict requirements on how companies can collect and use personal information.

Several companies have suspended their big-data business amid the tightening oversight, sources said.

“Companies are waiting to see how strictly the new law will be implemented and how penalties will be carried out,” said Han Lai, China head of data recovery and discovery provider Kroll Ontrack.

The fundamental problem of China’s widespread privacy leakage is the regulators’ identification management system. China has been promoting the use of people’s real name and national ID number to register their cellphone numbers, online payment accounts and even delivery services. That “makes regulatory oversight more convenient but creates room for privacy leakage,” an industry expert said.

The expert suggested that China establish an alternative identification system for its citizens to use online that would be equivalent to the existing national ID.

“The big-data era has come too soon, and China has neither set up the infrastructure of identity verification that fits the internet age nor a policy framework to better protect privacy,” the expert said.

Contact reporter Han Wei (
