Cybersecurity is increasingly a problem that troubles you and me.
Data breaches, hacked cameras, email/telephone scams… Worrying news hit the headlines every now and then.
In this data-driven world, companies are so craving to know who you are, with industries from finance to healthcare and from advertising to e-commerce thirsting for data more than any time before.
We hope for a better world where technologies are so advanced to eliminate illness and bring about endless prosperity, but be prudent before we get there. Driven by the huge demand, data breaches are happening every now and then. The outside world may have already known everything about you.
This is the Part 3 of a 5 Part-Series. Link to the Part 1, Part 2, Part 4 and Part 5.
Demand for more data
The pervasiveness of data breach points to strong demand.
He Chong runs a company that leverages AI to provide targeted marketing services. Once in a while, clients would come to his company for data. As far as He is concerned, data purchase has become common practice for companies in the field of mobile marketing as more and more advertisers seek out information about their users. Clients increasingly expect advertising agencies to not only provide marketing algorithms, but also help them enhance user personas.
Companies in the fields of precision marketing and AI are major data buyers. Baidu purchases 10 to 20 million hours of voice data a year from Datatang, a Chinese big data company, alone, while an AI startup buys on average 300,000 to 2 million hours. This is in sharp contrast with a decade or so ago, noted Qi Hongwei, founder of Datatang, when the total amount of data traded in the market was no more than 100 to 200 hours a year.
It may be hard to identify the link between profit and data in the AI industry, but for fintech companies, data almost equals to money. This has turned fintech companies into the most enthusiastic buyers of personal data, which explains why He Chong’s company receives the highest offer—100 yuan for the personal information of each individual—from fintech firms.
Chinese loan firms acquire data mainly through three channels: third-party data service providers, precision marketing companies and state-backed organizations including the Credit Reference Center of the People’s Bank of China, the credit reporting agency Guo Zheng Tong (backed by the Ministry of Public Security), and China Higher Education Student Information and Career Center (which offers student verification services).
State-approved data providers are already seeing a sharp increase in demand. The National Citizen ID Information System, backed by the public security authority, received altogether 2.6 billion queries for identify information that comes with photos in 2016, as opposed to fewer than 1 billion in 2012, Caixin reported. The growth mainly stemmed from the consumer finance sector.
However, data provided by state-backed channels are limited after all. The vast majority of financial institutions still rely heavily on the other two channels for data, He Chong told KrASIA. Take the Credit Reference Center for instance. As of the second half of 2016, the center held the credit information of 880 million Chinese citizens, but had zero information about the rest 500 million people who had yet to generate any credit records at banks.
They consist primarily of blue-collar workers, college students and young people who have just started working and happen to constitute the target market for the now flourishing small loan providers, consumer finance companies, and traditional banks.
The risk management model of small loan companies is actually rather representative in the big data era. Unlike traditional lenders, who conduct offline credit investigations to determine whether an applicant is creditworthy, small loan providers operate risk management models capable of automatically generating credit reports online, based on user information and behavior data collected from smartphones, among others.
Since small loan companies deal mainly with high-risk borrowers, it’s important that they assess the creditworthiness of applicants before extending a loan to make sure that the debts can be paid. This requires an effective risk management model that allows companies to weigh the potential gains against the estimated cost of defaults. And such a model in turn entails massive data to function.
All sorts of data are wanted when it comes to risk control, be it ID cards, educational background, bank card numbers, device fingerprints, shopping history, LBS data, or phone usage data. Even account balances and bank statements are collected. The more data available, the fewer bad loans a company will have and the higher profitability it will enjoy.
He Chong sees the selling of data as “dirty work” and therefore refrains from engaging in the business.
Companies that do peddle data are data service providers and consulting firms, whose upstream suppliers are individuals or organizations that acquire data through legitimate or illegitimate means. These include hackers, utility software providers that grab data by embedding SDKs in apps, and e-commerce platforms sitting on large amounts of online shopping data. Even some phone makers, with access to users’ phones, are profiting from the sales of user data.
A company named Union Mobile Financial Technology (UMF) offers dreadfully detailed information, Caixin noted, including the number of bank cards one has, the time one’s bank accounts and credit cards have been in use, the total number and value of bank account transactions and card payment volume (including online payments) for the latest three to 12 months, current balances, the number of years one’s phone number is in use, and whether the number is registered with real name. Another company called 100Credit offers monthly bank statements too.
UMF’s affiliate cooperates with telecom operators to provide group text messaging services to more than 100,000 clients, including government agencies, internet firms, trading companies, insurance companies, banks, and logistics service providers. This allows it to collect data in the process and, after processing, “sells the information associated with finance, such as the transaction text messages banks send to clients, to financial service providers that need the data for risk management and debt collection agencies”, a source who has dealings with UMF revealed.
Low costs are another reason people turn to black and grey markets for data. “Since the selling of data involves little more than file replication, their prices can be very low in the grey market,” Zhang Jianliang, CEO of Rongzhijia, a P2P lending platform, told KrASIA. “While one query at the state-backed Guo Zheng Tong costs five yuan, many internet firms that hold massive user data offer prices as low as 0.2 yuan (approx. USD 0.03) or even less than 0.1 yuan (approx. USD 0.01) per query.”
As per interpretation by the Supreme People’s Court and the Supreme People’s Procuratorate, obtaining, selling or providing more than 50 entries of information on people’s whereabouts, communication content, credit history, and property, etc. through illegal means is considered as grave and could incur sentences.
At the 2017 China Cyber Security Conference, Wei Cong was somewhat surprised to find that one of the speakers was a hacker working for the public security authorities, who gave a speech on the legal consequences of different kinds of data theft.
In September 2017, a real estate agent addressed by the surname Yang was sentenced to three years in prison, plus a penalty of 4,000 yuan (approx. USD 635), for sending via WeChat the personal information of 113 property owners to her superior, including names, phone numbers, sizes and exact locations of houses, and the name of the real estate project, which her company had intended to use for marketing.
The verdict is seen as an attempt by the authorities to make examples to deter crime.
Houses for sale are one of the big three subjects of spam calls in China. The other two are loans and tutoring schools for kids. As a result, the trading of personal data has become almost a staple for the real estate brokerage sector, where people have dedicated chat groups on QQ for the exchange and trading of homebuyers’ information. The series of moves by the government have sent a chilling effect on the real estate industry. The dozen or so real estate agents KrASIA approached for comment all declined to comment, citing sensitivity of the matter. “The atmosphere is really intense now. We had colleagues who got arrested the other day,” one of them told KrASIA.
In the face of mounting regulations, Tongdun Technology, a company specializing in risk control and anti-fraud services in the financial sector, closed a service that provides banks with people’s contact information.
“We did offer the service in the past, but only to banks with authorization from users,” Gu Wei, the company’s vice president, explained to KrASIA. “The intention of the service is to assist banks in the collection of unpaid debts, but it has never been the main source of profit for us.”
He also predicted that “at least 80% of the data companies that offer credit reporting and anti-fraud services through illegitimate methods would be shut down.”