A mobile app used by police to track citizens in China’s far west region of Xinjiang shows how some of the country’s biggest technology companies are linked to a mass surveillance system that is more sophisticated than previously known, according to a report from Human Rights Watch.
The app uses facial recognition technology from a firm backed by Alibaba Group Holding to match faces with photo identification and cross-check pictures on different documents, the New York-based group said on Thursday. The app also takes a host of other data points — from electricity and smartphone use to personal relationships to political and religious affiliations — to flag suspicious behavior, the report said.
The watchdog’s report sheds new light on the vast scope of activity China is monitoring as it cracks down on its minority Muslim Uighur population in a bid to stop terrorism before it happens. The U.S. State Department says as many as two million Uighurs are being held in camps in Xinjiang, a number disputed by Chinese authorities even though they haven’t disclosed a figure.
In an address Tuesday, U.S. Secretary of State Michael Pompeo urged corporate America to think twice before doing business in Xinjiang.
“We watch the massive human rights violations in Xinjiang where over a million people are being held in a humanitarian crisis that is the scale of what took place in the 1930s,” he said, according to comments released by the State Department.
Human Rights Watch said that so-called data doors at checkpoints may be vacuuming up information from mobile phones from unsuspecting citizens. Some Xinjiang residents who suspected their phones were being used as monitoring devices even buried them in the desert, a move that could later hurt them if the system loses track of their phone, according to Maya Wang, a China researcher for Human Rights Watch.
“The political reeducation camps are one pen, but then you have a series of bigger pens that are like virtual fences,” Wang said.
China’s State Council Information Office did not reply to a request for comment sent by fax. The government has said the surveillance measures in Xinjiang are necessary to prevent terrorism and grow the region’s economy.
Human Rights Watch said information in the report is based on reverse-engineering the police app, which communicates with a database known as Integrated Joint Operations Platform, or IJOP. The group said it enlisted Berlin-based cybersecurity firm Cure53 to conduct a technical assessment of the app after finding that it was publicly available online last year.
IJOP is mainly a tool for data collection, filing reports and prompting “investigative missions” by police. The report called for China to shut down the database behind the app, and for foreign governments to impose targeted sanctions such as visa bans and asset freezes against leaders in Xinjiang.
Human Rights Watch said the mobile app was developed by a unit of state-owned China Electronics Technology Group Corp, a Fortune 500 company known as CETC with $30 billion in revenue and 169,000 employees. The group has expanded its various operations abroad, from developing smart city solutions in Tehran to a cooperation agreement with German engineering group Siemens.
CETC did not respond to calls and emails requesting comment.
The app uses facial recognition technology developed by Beijing-based Megvii under the brand Face++. The company, which sells licenses to use Face++ facial recognition in mobile apps, was considering an initial public offering to raise as much as $1 billion in Hong Kong, Bloomberg News reported in January.
Megvii said it doesn’t have any relationship with the IJOP database nor knowledge of why its technology appeared in the police app. It said it has a contractual relationship with CETC for a Face++ license related to the use of e-government services such as paying bills or unlocking a mobile device.
“Megvii does not host any third party data nor does it have any access to the IJOP platform or the national ID database,” the company said in an emailed reply to questions, adding that Human Rights Watch didn’t provide access to the full report before it was published.
Megvii’s investors include Alibaba Group Holding — co-founded by China’s richest man, Jack Ma — and its affiliate Ant Financial Services, as well as Sinovation Ventures and Foxconn Technology Group. Alibaba and Ant declined to comment, while neither Sinovation nor Foxconn responded to requests for comment.
Beyond collecting data and tipping off the police, the IJOP-linked app has a range of other functions. It provides a system for officials to communicate across voice, email and telephone calls, uses Baidu map functionality for geolocation, and allows officials to search for information about people using their name and various other inputs.
Baidu declined to comment.
The Human Rights Watch report provides insight into what type of behavior puts Xinjiang’s citizens on the radar of authorities. Those particularly at risk include people who move in or out of a registered residence, download certain software or content on a mobile phone, or have links to people who are abroad.
The report includes screenshots of the app, which prompts authorities to choose whether data collection is happening in home visits, on the streets, in political education camps, during registration for travel abroad, or when dealing with Xinjiang residents living in the mainland. Higher-level officials with administrative rights also have a sixth choice: collecting information from foreign nationals who have entered Xinjiang.
Officials are then prompted to log on and input data ranging from a person’s height to blood type and political affiliation. Another page examined by Human Rights Watch shows 36 “person types” that attract special attention, including people who don’t socialize with neighbors or those who use “an abnormal amount of electricity.”
The app also uses the central IJOP system to send instructions for officers to investigate certain individuals, prompting them to collect identifying information such as vehicle color and type and log whether they use one of 51 “suspicious” internet tools like WhatsApp or Virtual Private Networks.