Source: The Guardian (7/2/19)
Chinese border guards put secret surveillance app on tourists’ phones
Software extracts emails, texts and contacts and could be used to track movements
By Hilary Osborne and Sam Cutler
Chinese border police are secretly installing surveillance apps on the phones of visitors and downloading personal information as part of the government’s intensive scrutiny of the remote Xinjiang region, the Guardian can reveal.
The Chinese government has curbed freedoms in the province for the local Muslim population, installing facial recognition cameras on streets and in mosques and reportedly forcing residents to download software that searches their phones.
An investigation by the Guardian and international partners has found that travellers are being targeted when they attempt to enter the region from neighbouring Kyrgyzstan.
Border guards are taking their phones and secretly installing an app that extracts emails, texts and contacts, as well as information about the handset itself.
Tourists say they have not been warned by authorities in advance or told about what the software is looking for, or that their information is being taken.
The investigation, with partners including Süddeutsche Zeitung and the New York Times, has found that people using the remote Irkeshtam border crossing into the country are routinely having their phones screened by guards.
Edin Omanović, of the campaign group Privacy International, described the findings as “highly alarming in a country where downloading the wrong app or news article could land you in a detention camp”.
Analysis by the Guardian, academics and cybersecurity experts suggests the app, designed by a Chinese company, searches Android phones against a huge list of content that the authorities view as problematic.
This includes a variety of terms associated with Islamist extremism, including Inspire, the English-language magazine produced by al-Qaida in the Arabian Peninsula, and various weapons operation manuals.
However, the surveillance app also searches for information on a range of other material – from fasting during Ramadan to literature by the Dalai Lama, and music by a Japanese metal band called Unholy Grave.
About 100 million people visit the Xinjiang region every year, according to Chinese authorities. These include domestic and foreign tourists, and most enter from elsewhere in the country.
The Irkeshtam crossing is China’s most westerly border and is used by traders and tourists, some following the historic Silk Road.
There are several stages to crossing, and at one travellers are made to unlock and hand over their phones and other devices such as cameras. The devices are then taken away to a separate room and returned some time later.
The iPhones are plugged into a reader that scans them, while Android phones have the app installed to do the same job.
It seems that in most cases the app is uninstalled before the phone is returned, but some travellers have found it still on their phone.
It is unclear where all extracted information goes and for how long it is stored.
While there is no evidence that the data is used to track people later in their journeys, the information it collects would allow the authorities to locate someone if used together with details of the phone’s location.
It appears with the default Android icon and the words 蜂采 (Fēng cǎi); the term has no direct English translation, but relates to bees collecting honey.
The Guardian spoke to a traveller who had crossed the border to Xinjiang this year with an Android phone and was disturbed to see the app installed on his phone.
He said he had been asked to hand over his phone at the checkpoint, and it had been taken into a separate room. He and all the other travellers at that checkpoint had also been asked to hand their pin numbers to the officials, and had waited about an hour to have their phones returned.
At no point were they told what was being done to the phones.
He had been told by an international travel agent and by tourist information in Kyrgyzstan that something would happen with his phone at the border.
“We thought it was a GPS tracker,” he said. “[The travel company] was pretty sure we were going to have this thing put in.”
He checked his phone when it was handed back and found the app immediately.
“There was another checkpoint about two hours away and I was thinking that maybe they had downloaded things and they would have all of their analysts going through it all while we were travelling, and then maybe they [would] send people back when they got to the next place.”
The traveller said he had not been asked to hand over the phone at any other point during his visit, nor when he departed from China. He said he had not been concerned about carrying the phone with him, as there was so much overt surveillance in the region. He added: “I don’t like it. If they were doing it in my home country I would be aghast, but when you are travelling to China you know it might be like this.”
All of the installations confirmed by the Guardian and its partners were on Android phones, but travellers report that iPhones were also taken by officers.
Omanovic said: “This is yet another example of why the surveillance regime in Xinjiang is one of the most unlawful, pervasive and draconian in the world.
“Modern extraction systems take advantage of this to build a detailed but flawed picture into people’s lives. Modern apps, platforms and devices generate huge amounts of data which people likely aren’t even aware of or believe they have deleted, but which can still be found on the device.”
Maya Wang, China senior researcher at Human Rights Watch, said: “We already know that Xinjiang residents, particularly Turkic Muslims–, are subjected to round-the-clock and multidimensional surveillance in the region.
“What you have found goes beyond that. It suggests that even foreigners are subjected to such mass and unlawful surveillance.”
The use of the app came to light after travellers took their phone to reporters in Germany.
Analysis of that software by the Guardian, Süddeutsche Zeitung, Ruhr-University Bochum and the German cybersecurity firm Cure53 suggested it was designed to upload information such as emails on to a server at the border office.
The Chinese authorities were contacted for comment but there was no reply by the time of publication.
Previously the Chinese government has defended its hi-tech surveillance of citizens in Xinjiang, saying it has improved security in the region.
• The Guardian worked with Süddeutsche Zeitung, NDR, the New York Times and Motherboard (part of Vice)