Operating on hostile ground
Thoughts on trying to keep your data and communication safe in China, when the threat actor is the entity who runs the communication network of a country.
Living and working in China as a journalist usually comes with a long tail of problems. Generally speaking, the government doesn’t like you, the general population is a little suspicious of you, and the usual access to places, information or records is often heavily restricted.
One thing most journalists operating in China are concerned about is how to keep their data and their communication private, secure and uninterrupted. The Chinese security services have a long tradition of spying on their own population, activists, outsiders and especially journalists. Over the years their technical proficiency has of course increased. With the advent of digital online communication, the Ministry of State Security and the Public Security Bureaus had a completely new field to operate in.
Outsiders who come into the country and have had cyber security training before were usually taught along traditional patterns: how to avoid scams, (spear) phishing, criminal hacking operations and tailored surveillance software. What is often missing is the mindset that it is not just those traditional tools and particular actors who might target you, but what happens when an entire online infrastructure is stacked against your attempts to communicate securely.
National cyber espionage operations often have to work around the existing data security measures of digital companies. It is rare, in democracies and even in other, more authoritarian countries, to have the capability to control the lowest level of the “stack”. Often there are also legal restraints that can’t easily be ignored if you want a vibrant digital economy to grow. We see this at the moment with the fight over E2E encryption in the UK and the EU.
So what do the Chinese have that others don’t? I would argue that even very capable security services like the NSA or GCHQ, despite being technically more proficient, often don’t have the sweeping system-wide abilities that Chinese operators have.
An (almost) closed system: From the earliest moments when the internet made its way into China, the government understood both the dangers and the value of such a massive information exchange platform. Some form of institutional state control was baked into the proliferation of online services in China early on. That gave rise to the “Golden Shield”, mainly the Great Firewall of China. Apart from that, there was always strong regulation of foreign companies coming in to take over aspects of the quickly growing online services world. It was of course not only a question of security but also economically prudent thinking: not to completely surrender to mostly US-based companies, but instead to keep an eye on the growth of national technology, which would be mutually beneficial for the economy and for the Chinese security services. The combination of all these factors made it much more difficult to introduce technology and services to the Chinese masses that the government considered “problematic”. In the past that led a plethora of western companies, like Google, to eventually not proceed with entering the Chinese market, as the demands of the Chinese government were something the company could not accept (these days, it might have turned out differently).
No anonymity: Staying truly anonymous on the internet in China is almost impossible these days. Most services require some form of real-name registration, even if it is just done via your mobile phone number (which is your quasi ID number). So whatever you do, you will leave a trace in one way or another. The system is designed this way.
Always hold the keys: As secure communication started to become more standard with the spread of SSL and similar certificate-driven encryption, the Chinese government got into the game early and made clear that all certificates issued to Chinese entities need to be stored in-country and be accessible to Chinese security services. It even happened that some Chinese certificate authorities were removed from international trust lists, like Mozilla’s, as their certs were no longer considered “safe”. Some western companies, Apple for example, built a completely different ecosystem for Chinese users to fulfill this requirement of full data transparency to the government. It is slightly ironic that a company that constantly prides itself on having its users’ online and data security in mind would roll over like this, but Apple always says they do “just follow national laws”. In their eyes that gets them off the hook I guess.
Dominate the software “playing field”: Apart from forcing western providers who want to operate in China to hand over their encryption keys, store data locally or take down certain apps from their app stores, the simplest way to achieve a good mass surveillance capacity is to have the majority of Chinese people use homegrown software. In the case of WeChat, Alipay, Douyin etc. this has all come true. Getting in early and exploiting the fact that many Chinese don’t speak English well and that most western companies did not focus on the Chinese market and its special necessities, companies like Tencent or Alibaba were able to provide useful tools to the masses. Sure, they got covering fire from the government to push out the few international competitors, but their tools delivered exactly what Chinese society wanted and needed at the time of massive internet growth. On top of that, the security agencies got very short access routes to raw data, device positioning, live chat surveillance etc. Most Chinese citizens live exclusively in the moated world of WeChat and its micro-apps and sub-services. The amount of confidential conversation by oblivious citizens taking place over WeChat is pretty astonishing. It is almost as if they lack a different point of reference. Because even if they want to break out, it is very difficult for an average user to get other services like Signal or WhatsApp. Plus, none of their friends will be on them, and those services lack the functions that are useful in everyday life in China. An almost perfect bubble. There now seem to be plans to follow up this success with their own operating systems (Kylin and HarmonyOS) for workstations and mobile. That means the digital surveillance units will in future be able to make requests directly to the manufacturer for whatever they need to fulfill their tasks.
Sit on top of the pyramid: One big strength of the Chinese state is its ability to control most of its most important infrastructure. All the ISPs in China are state-owned companies. Having the Great Firewall plugged into this infrastructure gives state-backed operatives sweeping options for data collection, system fingerprinting and tracking users across services. It also gives you options to attack in-country targets that go beyond more common hacking operations, like extracting data via a DNS “bouncing” method, which is very hard to pull off if you are not in charge of all national DNS resolvers. Further, you can look into and control all the non-encrypted traffic. Attempts by state operatives to get into people’s private messenger services, even WhatsApp and Signal, simply by being able to copy a “confirmation” SMS are very widespread. Just a few weeks ago there was another incident with a journalist from the Associated Press based in China. They do control the system and they will use it. Every other private operator, be it Tencent, Baidu, ByteDance etc., needs to operate on lower layers of this pyramid.
No repercussions: Even if security operatives get caught breaking into people’s systems, there is not much danger of repercussions. Traces can be erased quickly, accountability doesn’t need to be provided, and the perpetrators can vanish into the obscurity of the Chinese internet, where they know the government has their backs (to an extent). Even in bigger state-backed hacking operations outside of China, catching Chinese APTs and calling out the operators by name and identity often has little effect. The government and the individuals will deny it, and no legal prosecution or other measures will follow.
Hands-on approach: In times of “social unrest” the police will force people to install surveillance tools on their phones. I have seen this myself on the streets in Beijing during ZERO-COVID. It is a measure that is of course not conducted on a regular basis, as the government still needs to weigh necessity against the optics of openly breaching citizens’ privacy, but it does happen that policemen will force people on the streets to hand over their phone, plug it into a device and most likely install a surveillance app like “EagleMsgSpy” on it. For a citizen, and even for a foreigner, it will be hard to refuse this request.
Accuracy and volume: The Chinese internet creates a lot of data, far more than can practically and efficiently be analyzed by the security services at this point in time, but they can also rely on a deeply entrenched system of old-school surveillance methods. Combined with mass video surveillance, face recognition via “SkyNet” and mobile data, they can pinpoint individuals rather quickly. Not every province, city or region has access to all the tools or to people who are trained well enough, but when it comes together, it works rather well. I experienced cases where we were able to shake off our physical surveillance teams, just for them to find us on the other side of town an hour later.
None of the techniques and circumstances I am writing about above should come as a massive surprise to people who deal with China and its cyber capabilities. But if you grew up in a society that is far less into “people control”, some of those elements do not come to mind immediately. Talking to new arrivals in China, it often strikes me how little they connect the dots, even if they are generally not unaware of surveillance, online tracking and the like.
Systems that are so intertwined and interconnected are rare in the world outside of China. That doesn’t mean that nothing slips past the attention of the censors or the surveillance machine in general. Despite their best efforts, the Chinese security bodies often drop the ball on rather mundane incidents (and they are trying hard to rectify those shortcomings). But the ability to track down targets, plus the dominance that comes from controlling the infrastructure, gives the Chinese government players a lot of options to zero in on potential targets.