Who’s Really Responsible for Digital Privacy in China?

While the United States is reeling from the revelation that political consultancy Cambridge Analytica harvested data from over 87 million Facebook accounts, China’s biggest tech companies and regulators are confronting a wave of their own customers’ concerns about digital privacy. Boundaries between the public and private sector are dissolving as Chinese tech platforms are increasingly required to march in lockstep with government imperatives, and as the state grows more reliant on tech companies to monitor and restrict citizens’ behavior on- and offline. Chinese tech users who believe that state regulators will rein in tech companies’ invasive data collection practices overlook how intertwined state and corporate interests are. Chinese citizens and consumers may be disappointed if they think the minor regulatory measures taken against tech companies are going to protect their privacy in the near future.

One flashpoint in the evolving conversation about data protection in China is the firm Ant Financial, an affiliate of e-commerce giant Alibaba that bundles the market-dominating mobile payment service Alipay with the commercial credit rating product Sesame Credit. Three years of simmering criticism of Ant Financial’s data collection practices boiled over in January after the company made a major misstep with customers’ information. Although some Chinese citizens have voiced the hope that regulators will rein in Ant’s data collection practices and require the company to reveal which third parties it gives data to, the company’s relationship with the state suggests it is unlikely to change its data-collecting and -sharing models anytime soon.

Ant Financial’s Sesame Credit is often mischaracterized as being one and the same as the Chinese government-run social credit system, yet commercial credit platforms are ultimately a small part of that wider state project. In a society where interpersonal social trust frayed over decades of political upheaval, since 2014 China’s State Council and National Development and Reform Commission (NDRC) have led the government’s promotion of the social credit system, which Chinese legal scholar Rogier Creemers describes as “a set of mechanisms providing rewards or punishments as feedback to actors, based not just on the lawfulness, but also the morality of their actions, covering economic, social and political conduct.” Social credit is thus construed as a means to repair connections between Chinese individuals, businesses, and legal institutions, and between Chinese citizens and the government itself. So far, however, the government’s social credit system has been guided by policies tested only at the provincial level, and may face steep hurdles to implementation and public acceptance if they are to go national. Unlike traditional financial credit scores, state-issued social credit evaluations are based on citizens’ information (e.g. demographics, tax fraud, social insurance payments, court orders), long collected by various branches of government. The novel element of the system is that this formerly siloed information will now be shared across government bureaus in order to assess the state’s need to impose far-reaching punishments. One example that Jeremy Daum of China Law Translate highlights is that if someone loses a lawsuit and fails to perform on the court judgment made against them (such as failing to pay a court-mandated fine), that person can now be blacklisted across multiple government ministries and face restrictions on consumption of air and train tickets, as well as lose the privilege to send their children to private schools.

In some province-level pilot tests, ratings based on the information gathered are made accessible to Chinese citizens through local smartphone applications such as Honest Shanghai or credit websites tied to individual Chinese provinces. In Shanghai, third parties such as micro-loan services, bike-sharing companies, and libraries provide rewards including deposit-free or premium services to people with positive ratings, though the ratings themselves are not government-issued and appear to have no official legal status.

Although Sesame Credit scores and social credit pilot test ratings are measured with different yardsticks, state media and Ant Financial itself nonetheless frame Sesame Credit as an important step toward establishing a social credit system nationwide. The crux of Sesame Credit’s role in the state-run social credit system rests on a “Memorandum of Cooperation” (MOC) between Ant Financial and the NDRC. The document is not publicly available, but the NDRC website’s article about the August 2016 signing of the MOC on “Implementing Joint Rewards and Punishments” declared that:

“Ant Financial Group’s CEO Jing Xiandong stated that Sesame Credit Management Co. Ltd., under the banner of Ant Financial, will share information collected on trustworthiness [守信] and untrustworthiness [失信] with the State Credit Information-Sharing Platform in a timely manner and in accordance with the relevant laws, regulations, and supervisory requirements. Ant Financial will rely on its own rich scenarios [场景] to promote joint encouragements for trustworthiness and joint punishments for untrustworthiness, and will use its cloud computing and big data capabilities to actively cooperate with the NDRC’s promotion and development of big data technology, monitoring developments in municipalities’ credit statuses. Ant Financial will become a benchmark of Internet firms using credit information to enact joint reward and punishment mechanisms, and will contribute some of its power to the construction of an honest society.”

Notably, Ant Financial is one of several private companies to sign similar memoranda on joint rewards and punishments as well as sharing “credit data” (broadly construed) with the NDRC’s State Credit Information-Sharing Platform, which claimed to have 37 “market institutions” (市场机构) participating as of September 2017. Other signatories include group discount and delivery service Meituan-Dianping and the ride-sharing company Didi Chuxing. Well before signing the memorandum, in 2015, Sesame Credit began to lower the scores of users who it discovered were on the national blacklist of debtors and judgment defaulters kept by the Supreme People’s Court. In its 2016 Corporate Sustainability Report, Ant notes that as a result of this cooperation, Sesame Credit users’ scores dropped and users were restricted when seeking services from e-commerce platforms including Alipay, Taobao, and Tmall, as well as affiliated microlending, car rental, and dating services. “They were punished both online and offline. In addition, they were not allowed to take planes, soft sleepers on trains or buy luxury products,” the Ant report said. Chinese Communist Party-backed newswire Xinhua lauded Ant Financial for spurring debtors to pay up so as to raise their Sesame Credit scores.

Yet it may be a while before Ant Financial gets more praise from state media.

In the first week of January 2018, Ant Financial made headlines with a serious blunder that shined an unexpected spotlight on digital privacy concerns in China. Offering Alipay users online access to a summary of their 2017 spending habits, the company automatically checked a box in the contract granting Alipay the users’ consent to a Sesame Credit evaluation. Rather than asking customers to opt in, the checked box had to be un-checked by the consumer if the consumer wanted to opt out. Left checked, the box gave Alipay permission to access users’ personal financial data for credit-scoring purposes. Chinese citizens flocked to social media to upbraid the company for burying the consent in the fine print, essentially luring users into turning over their data. Ant Financial apologized on the social media platform Weibo and the company was called in by the Cyberspace Administration of China for an official reprimand. Although several news stories described this incident as a wake-up call to the importance of privacy violations in China, in fact, a small number of Sesame Credit users have been critical of the system since 2015.

In a December 2017 report on the implementation of China’s social credit system, we exposed some of the critiques of Sesame Credit and other private companies’ commercial credit scoring products. We analyzed debates on Chinese blogs and question-and-answer forums such as Sina, Tianya, and Zhihu from June 2016 to June 2017. A search of posts that included one or more of the keywords “social credit system” (社会信用体系), “Sesame Credit” (芝麻信用), “honesty system” (诚信体系), “credit system” (征信体系), or “Credit China” (信用中国) revealed that virtually all critical comments related to social credit were directed at private companies’ opaque, invasive collection of personal information and avoided knocking the state-run pilot programs. A cross-check of Free Weibo, Weiboscope, and other sources that collect censored social media posts yielded no meaningful results. We were unable to explain why online critics went after the commercial companies and not the state-run data collectors that share data with these companies to restrict users’ actions (such as the above examples of Alipay blocking blacklisted people from making certain purchases). While we have yet to grasp the long-term implications of the government-run social credit system in citizens’ daily lives, the impact, both positive and negative, of Sesame Credit and other commercial credit trackers is palpable. For instance, Ant Financial’s partnerships with a host of third-party vendors—including bike- and car-rental companies, hotels, foreign consulates, and hospitals—waive deposits for Alipay users who have high Sesame Credit scores or reward them with free expedited services. By the same token, Alipay users with low scores are barred from access to such services.

A shadowy side of China’s commercial credit rating products is becoming clearer: In December 2017, Wired magazine reported that car rental company Shenzhou Zuche waives deposits on the cars it rents to Sesame Credit users with scores above 650—and then tells Ant Financial if the customer crashes the car. While this type of data exchange with a credit company is far from novel in the West, privacy concerns arise in China because Sesame Credit’s user agreement does not indicate if users are notified when the third party sends data back to Ant Financial. The policy does state, however, that third parties that can provide information directly to the company include telecommunications operators, private companies, and government credit platforms, among others. One thread on Zhihu from 2015 to 2017 opens with the question “Does Alipay’s Sesame Credit Endanger Personal Privacy?” Reading Ant Financial’s terms of service, one commenter complained: “The companies that cooperate with [Alipay’s Sesame Credit] can limitlessly consult anyone’s credit [information] within the span of a month. . . Openly selling users’ information! Is this really a business model?”

Similarly, critics are troubled by the public shaming mechanism Ant Financial exercises when users fail to repay loans. One commenter on bulletin board service (BBS) Rong360 recounts the story of a friend who failed to repay a small loan using an Alipay feature called Huabei. The distressed debtor was mortified to discover that Ant Financial called people in his address book to notify them about the money he owed. In another Zhihu thread tellingly headed “Does Huabei’s Practice of Phoning My Friends to Tell Them That I Owe Money Violate Citizens’ Privacy Rights?” one person called the user agreements employed by Huabei and Sesame Credit “roguish” (流氓). Others noted that phone shaming resembles a legal method employed by certain local governments.

Sesame Credit’s opaque data collection and assessment methods have sparked further disquieting allegations. In a long post on BBS site Tianya, someone who purported to be a bank employee claimed that a Sesame Credit software tester showed the person and their coworkers what should have been confidential Excel spreadsheets full of sensitive user data. The employee said further that Sesame Credit looked at IP addresses to calculate the strength of relationships between users and their friends, on the theory that people who access the web via the same networks are assumed to have closer ties. What’s more, friends’ Sesame Credit scores affect one another, meaning one’s own score can be dragged down simply by being associated with someone else who has a low score. The bank employee writing on Tianya found the process “shocking, horrific,” and compared Ant Financial’s staff to “secret agents in the movies.”

Another typical complaint that reflects both the unease with current data abuses by giant tech companies and the apparent trust the public puts in regulators to fix the problem is the call for a national law to protect personal data—legislation that could shield citizens from the resale and misuse of their data: “The fact that China has yet to pass an effective Personal Data Protection Law leads to excessive information collection, leaks, and resale, and makes it hard to ensure the veracity and accuracy of data.”

For a long time, progressive—and anonymous or pseudonymous—voices of China’s legal and tech communities have offered “constructive criticism” of the government, calling for such a law—a draft of which has been in the pipeline since 2003. Interspersed with social media posts critical of the tech companies are recurring suggestions that Chinese should have faith in the state to crack down on their unchecked data collection, evaluation, and exchange.

What incentives do Chinese regulators have to rein in tech firms’ privacy abuses given their potential dependence on private firms’ cooperation with new initiatives like the NDRC’s State Credit Information Center? Foreign observers argue that recently published Chinese standards for data privacy will bring China closer to resembling the European Union’s General Data Protection Regulation, though it remains to be seen how effectively these new standards will be implemented when it comes to limiting invasive data collection practices. Breaking laws carries a more severe penalty than does flouting standards. A September 2017 Cyberspace Administration of China review of privacy protections built into some of China’s most widely used smartphone apps—including Alipay—was incapable of preventing Ant Financial from later trying to gather user data without clear consent. Ant Financial’s recent disregard of its users’ data privacy may be the tip of the iceberg of evidence that Ant and similar companies are employing lax user protections in a thriving, highly competitive, data-driven industry.

A recent development suggests one way citizens might push back against Chinese tech companies’ privacy invasions: When search giant Baidu was found to be collecting user information—including messages and call logs—without clearly notifying users, the Jiangsu Consumer Council filed a lawsuit against the company. The lawsuit against Baidu was withdrawn in March, by which time the company claimed to have “removed improper functions.”

As more citizens feel the tech giants have violated their privacy, it will be harder for Beijing to turn a blind eye to these complaints, especially if tech companies’ far-reaching data access helps determine user punishments and rewards. On the one hand, the government is trying to engineer trust in data-intensive rating systems, and scandals surrounding privately collected data raise the risk of a public backlash against data mining writ large. On the other hand, a growing lack of trust in profit-obsessed technology companies coupled with both low awareness of and transparency around how private companies’ data is shared with and used by government platforms could bolster the government’s ability to crack down on private data miners. Ultimately, the ubiquitous tools these companies create are becoming a form of infrastructure that functions as regulation: the design of these products determines what users can and cannot do. As one Zhihu critic wryly noted in response to the question, “Can Sesame Credit Be Obstructed by Government Policies?”: “If these scores are able to tell the government which people are political activists, I don’t think the government wouldn’t support them.”