“In China, they have a shortage of women," tweeted Dutch ethical hacker Victor Gevers over the weekend. " So an organization started to build a database to start registering over 1.8 million women with all kinds of details like phone numbers, addresses, education, location, ID number, marital status, and a 'BreedReady' status."
Somewhat ironically, the tweet came the day after International Women's Day.
"The youngest girl in this database is 15y," Gevers pointed out. "The youngest woman with BreedReady: "1" status is 18y. The average age is a bit above 32y, and the most aged woman with a BR:1 is 39 and with a BR:0 is 95y. All are single [89%], divorced [10%] or widow [1%]. About 82% lives in 北京市 [Beijing]."
Gevers, founder of non-profit group GDI.Foundation and Innovation Manager at the Dutch Ministry of Interior found the data cache in his latest trawl for insecure open MongoDB databases. The database was taken offline after news of the breach.
China's population challenge
In a subsequent tweet, Gevers referred to an Economist article, 'a shortage of brides in China is causing major social shifts', which claims that China is missing some 60 million women as a result of the country's one-child policy, which was introduced in 1979 and has consequently bent "society out of shape" given the preference for male children who were considered better able to support their parents in old age.
There followed a social media debate as to whether this breach came from a dating site or something more onerous and governmental. There was also a suggestion that 'BreedReady' might be a clumsy age classification or even a mistranslation relating to whether a woman already had children.
In January, CNN reported a Chinese think tank's findings that the country "will face an 'unstoppable' population decline over the coming decades, with fewer and fewer workers struggling to support an increasingly aging society," the report cautioned that "the era of negative population growth is almost here."
And so, as the BBC explained in December, "in the next 10 years, the number of Chinese women aged 23-30 will decrease by 40%, a huge drop in this child-bearing age group... The declining birth rate is now one of the most talked-about topics across China - and there's a real sense of crisis. After decades spent trying to curb the population, state propaganda slogans now exhort couples to 'have children for the country', prompting criticism on social media that government policy is intrusive and insensitive."
Intrusive and insensitive would seem fairly apt descriptions of the fields in this insecure database.
Casting the net
This is the latest example of dystopian data breaches from China. Gevers' research hit the headlines last month when he exposed the SenseNets data breach with more than 2.5 million records relating to the near real-time movement of Xinjiang Muslims. A database which he explained at the time "contains over 2.565.724 records of people with personal information like ID card number (issue & expire date, sex, nation, address, birthday, pass photo, employer and which locations with trackers they have passed in the last 24 hours which is about 6.680.348 records."
That data cache included multiple tagged location descriptions, including 'mosque', betraying the extent of the surveillance state Beijing has deployed in Xinjiang where upwards of a million people have been forced into re-education camps and policed by technology. The province has become a testing laboratory for the country's leading surveillance companies. And in the closed Chinese market, this has been a boon for the industry and a major driver behind the U.S. action against leading players like Huawei, Hikvision and Dahua.
China has built a surveillance hothouse that is second to none. Staggering investment rounds for new high-tech entrants, justified by access to endless state procurements of video capture, facial recognition and citizen monitoring, has led to a global market-lead. The oppression of the Uighurs and the electronically enforced policing further east are testaments to organization and determination. Underpinning the surveillance state are the many databases that drive initiatives such as citizen ('social credit') scoring and zero-tolerance policing.
Securing the surveillance state
According to Gevers, China is second only to the U.S. in the number of open databases of this kind that can be found by trawling online. And, judging by what we have seen so far this year, the data being harvested confirms the dystopian fears about the state's thirst for data- and surveillance-driven population control.
How this impacts on the broader debate raging between the U.S. and Beijing about China's technology sector and any prohibitions on export sales, remains to be seen. There is clearly a cultural and political divide that has now been exposed as something of a Pandora's Box. One might think that if you were going to track your population through facial recognition and capture information such as breeding age then you might focus on the security of such information. But apparently not.