Pages

5 December 2019

China Just Weaponized The Smartphone: Here’s Why You Should Be Concerned

by Zak Doffman

“File sharing has never been simpler,” claim the developers behind the viral mobile app Zapya. “You can share files from device to device for free—Zapya allows you to seamlessly transfer massive files across multiple platforms.” It’s a compelling pitch—DewMobile, the app’s Shanghai-based developers, claim 450 million downloads since its 2012 launch. Somewhat awkwardly, though, it now appears that the authorities in Xinjiang have been “targeting” Zapya users among the minority Uighur population. If the app is found on a device, it’s reason enough for an investigation. And depending on what files have been shared, that investigation could lead to internment.

The Zapya revelations can be found among a leaked cache of documents that expose the surveillance ecosystem deployed in Xinjiang. The China Cables, published by the International Consortium of Investigative Journalists, detail the deployment of a no holds barred surveillance laboratory, where patterns of life can be monitored and the population can be controlled. Missteps run the risk of internment, and internment can only be escaped through modified thinking and behaviour.


It isn’t just Zapya, of course, and its developers had not responded to a request for comment at the time of publishing. Allegations that the authorities actively monitor communications on Tencent’s WeChat have long been made, and Western apps like WhatsApp are an immediate red flag. “Uighurs inside and outside China now live with the knowledge that their communications are constantly monitored by the authorities,” ICIJ says in its analysis of the leaked documents.

In May, I reported that those same Xinjiang authorities had commissioned their own mobile app to access the Integrated Joint Operations Platform (IJOP), a surveillance platform that packages multiple data sources on the region’s subjugated population. It’s a neat concept if you’re a surveillance state—take every data source you can think of—communication and travel records, hits from facial recognition cameras, utilities usage, engagement with neighbours, comings and goings from places of residence—and then use AI to flag deviations, predictive policing for the small screen. Human Rights Watch (HRW) exposed the story, describing it as “algorithms of oppression.”

Then in July, a joint investigation by Motherboard, the Guardian, the New York Times, Süddeutsche Zeitung and Germany’s NDR reported that foreigners crossing into Xinjiang were being “forced to install a piece of malware on their phones that gives all of their text messages as well as other pieces of data to the authorities.” Border guards were taking phones and installing the malware—called BXAQ or Feng Cai—to scan the device for files against a target list, including “Islamic extremist content, but also innocuous Islamic material, academic books on Islam by leading researchers, and even music from a Japanese metal band.” Across more than 70,000 target files, the app was also found to be searching for installed copies of the Quran.

A month later, in August came the claims by Hong Kong pro-democracy protesters that Chinese government agencies were exploiting a “bug” in Telegram, the banned but much used encrypted messaging platform, to leak real phone numbers which could then be linked to real identities. The “bug” enabled government agencies—so the theory ran—to load a phone with known protester numbers which would then sync to the anonymised profiles in public groups, exposing the matches. A quick chat with a state-owned telco could then link the number to the person.

And then, between late August and early September, came the even more disturbing news that China had deployed hacked websites to attack iPhones belonging to the Uighur community. Google’s Project Zero warned that “simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.” Initially it was unclear that this was China and the Uighurs—that came later. As did the slightly awkward revelation for Google that the same campaign targeted Android devices in the same way—Apple and Google had a standoff, the real point of the story became kind of lost.

Smartphones can be dangerous. We all know that. These treasure troves of personal information are vulnerable to malware and hacking, exposing our credentials and our data in all kinds of ways. And beyond cybercriminals, these same vulnerabilities have been exploited by nation state sponsored hackers acting on political orders. We have seen multiple campaigns against mobile devices attributed to different countries. But no country has systematically turned the devices on its own population as much as China. Welcome to the weaponization of the smartphone.

The Chinese authorities continue the fiction that what is taking place in Xinjiang is simply an intensive counter-terrorism program, which has local public support and which has made the region safe. “There are no so-called ‘detention camps’ in Xinjiang,” was the official response to the latest leaked documents. “Vocational education and training centres have been established for the prevention of terrorism—[Xinjiang was] a battleground—[with] thousands of terrorist incidents between 1990s and 2016—Since the measures have been taken, there’s no single terrorist incident.”

This weaponisation is wider than Xinjiang and Hong Kong. It’s a switch that has been flicked. In a world where we all carry pocket-sized devices to store all our data, to track our movements and interactions, to get to know us better than anyone else in our lives, China has shown that it only takes a state willing and able to cross the line at scale to create the dystopian reality now unfolding in Xinjiang. Without those mobile devices, it doesn’t work, it becomes materially harder if not impossible.

And that’s the warning from this. China may have opened Pandora’s Box, but it’s been there all this time. The gatekeepers we trust to keep us safe are Apple and Google, in the main, along with Facebook and the Android manufacturers. And that might need some serious thought as to which way it’s likely to go in the long term.

No comments:

Post a Comment