The flagship newspaper for the Chinese Communist Party (CCP) has called for tough measures to deal with the sale of personal and confidential data in the lead up to the implementation of landmark legislation on data security.
China is about to launch strict new data security rules, with the “Data Security Law” (中华人民共和国数据安全法) scheduled to come into effect on 1 September.
The People’s Daily reports that private data is still being publicly offered for sale via online channels in China, including Baidu chat forums and e-commerce platforms such as Alibaba’s Taboo.
In a report entitled “Online Platform Hidden Confidential Data Transactions – The Information Security Sphere Urgently Needs to Sweep out Criminality” (网络平台暗藏隐私数据交易 信息安全领域亟待), the People’s Daily said that data sales are often accompanied by piquant pitches such as:
- “Communication logs of internal staff at national enterprises, veracity can be checked,”
- “Dianping store data – 30 million in volume,”
- “Collection of mobile phone footage data with testing support,” and
- “Collection of original Weibo data.”
One seller said he could provide bespoke data services for sectors including vehicle insurance, online lending and credit cards, stressing the ability to provide real-time data for clients as opposed to “data which has been resold through multiple hands.”
According to the seller the vehicle insurance data came from multiple platforms in order to ensure an ample volume, while samples of the data included the full names, ID numbers, mobile phone numbers, license plates and vehicle models of insurance customers.
Sellers on e-commerce platforms such as Taobao also offer data search and data collection “reptile” services, involving content on local officials in cities around China, MIMIC clinical data bases, as well as data from leading online companies such as Meituan. “Reptile” (爬虫) services in this case refers to the use of tools for the rapid and automated collection of data on the Internet.
“Under normal circumstances, if reptiles are used to collect public data and then package it for sale, this is not at all prohibited by law,” said Xiao Sa (肖飒), a legal researcher from Bank of China.
“However, even if it’s public data, if the reptile behaviour is inappropriate there is still considerable legal risk, and the parties involved could face lawsuits for rights infringements or inappropriate competitive conduct.”
Tong Lei (童磊), a data expert from 360 Group, said that sources of the data were oftentimes internal staff procuring it inappropriately.
“An increasing number of data breaches occur within enterprises themselves,” Tong said. “Preventing data breaches and ensuring compliant data operations are the key difficulty faced at present by the majority of companies.”