Security vulnerabilities are horrible, but one of them is shedding light on the reach of the Chinese surveillance state. Security researcher Victor Gevers discovered that facial recognition firm SenseNets left a surveillance database completely exposed, revealing that it has been tracking over 2.5 million people in the western province of Xinjiang, where China has targeted Uighur Muslims. The company has been holding on to personally identifying info (such as names and ID card numbers) as well as an extensive amount of location info, including 6.7 million data points tagged with names (such as "mosque" and "hotel") gathered inside of 24 hours.
The data has been exposed for months, Gevers noted.
SenseNets hasn't commented on the findings, but it did start locking down its database after Gevers reported the security hole. He didn't know what he'd come across before disclosing the vulnerability, though, and has since regretted the move, knowing that it provided insight into Chinese oversight.
While there aren't definitive conclusions about SenseNets' role, it's believed to be helping the Chinese government track Uighurs as it tries to silence political dissent and religious expression. The collection of the data is worrying by itself, but it's made all the worse by loose security -- hackers and other opportunists could have used the targets' information for fraud or other crimes. It illustrates a frequent issue with mass surveillance: even if officials don't misuse data, it becomes a tempting target for malicious actors who can find weaknesses in the databases.