Privacy on display

By Liu Dong Source: Global Times Published: 2013-12-29 20:18:01

Privacy leakage. Photo: IC

In October, a database containing the personal information of 20 million people, including names, ID numbers, birthdays, cell phone numbers and even home addresses, was leaked on the Internet, causing widespread public panic.

What was worse, many websites based on this database were designed for public searches, so that anyone could find out the information on these 20 million people by simply typing in a name.

Out of occupational habit, information security engineers Zhang Wei and Wang Jinglong from Shanghai tried their names on the website, and were surprised to find that they were among the victims of this major personal information leak. All their travel and housing information over the past few years was on the list. Now, they finally understood why they had been the targets of spam messages and telephone calls every day.

"If even people like us can't protect our personal information, what is the meaning of our work?" Zhang said.

Zhang and Wang decided to act. "We realized it was not caused by a lack of individual precautions, but by a failure of management of those who kept the information."

They organized an online group bringing together victims from all over the country who, like them, were trying to protect their rights through legal means. After two months of preparations and waiting, they submitted a civil lawsuit to a Shanghai court in a rare case of citizens in China trying to legally protect themselves against personal information leaks online.

Lax management

This incident can be traced back to as early as August, when a flaw in a hotel wireless system was exposed on a well-known bug report website named http://www.wooyun.org/ by a technician who had been a guest there.

"He just wanted to know if his personal information was safe after he found this bug, and then he found hotel guests' personal information could be stolen through this loophole," Meng Zhuo, the founder of http://www.wooyun.org/, told the Beijing Youth Daily.

After two months of testing, Meng's website reported the loophole and said that the wifi management software system, developed by Hangzhou-based IT company Cnwisdom and used by a large number of hotels, put guests' information at risk of being leaked.

Home Inns Group, one of the biggest chain budget hotels in China, admitted in an open letter on October 11 to the existence of the problem, and claimed that it had been fixed.

But just one week later, the 20 million hotel guests' information was leaked on the Internet. Although there is no proof confirming a connection between the two incidents, it is certain that the hotel's management system had loopholes which could lead to people's personal information being leaked.

According to Wang, the database is now being downloaded some 40,000 times a day and spreading at great speed, bringing huge potential risks for the 20 million victims. 

"We analyzed the data and found it was very specific and accurate. We thought the information was leaked even earlier but the negative impact has just begun," Wang said.

The National Computer Network Emergency Response Technical Team Coordination Center of China (CNCERT) launched an investigation on October 22 after receiving reports of websites that can search people's personal information through the hotel database.

In an official response to the Global Times last Thursday, CNCERT said it had shut down a website whose server was based in the US after coordinating with the United States Computer Emergency Readiness Team (US-CERT) on November 21.

However, CNCERT said it had later received reports about seven similar websites, four of which are still in operation.

Individuals affected

Like many other victims, Zhang and Wang have received several junk messages and phone calls each day over the past few months, varying in content from selling houses, gold and insurance to cigarettes and satellite television offering adult programs.

But this is not the worst of it. One person who joined the online discussion group said he split up with his girlfriend after she found his hotel record showed he had previously been there with another girl, no matter how hard he tried to explain that she was his ex-girlfriend. 

"The impact is much bigger than most people can imagine. One out of every 75 Chinese citizens has had his personal information completely exposed on the Internet," Zhang said.

To prove this point, Zhang helped the Global Times reporter type his name in one of the websites, and all his business travel information since 2011, including personal information, was visible.

Zhang and Wang filed a lawsuit against the responsible hotels last month. "We think the hotel should take responsibility if a guest's personal information is leaked due to their lax management, and guests should have the right to claim for compensation," Zhang said.

But Zhang stressed that they are not against any specific enterprise or person.

In Zhang and Wang's opinion, the point is to call for people to be fully aware and for related parties to have a proper sense of responsibility on the issue.

Wang said they also want help from the government to promote personal information protection legislation and let people know exactly how much their personal information is worth.

"Most victims today are the silent majority and do not realize the value of personal information," Wang said.

Targeted crime

Leaks of personal information are usually caused by two major factors: people's habits and management failures at institutions or enterprises.

In fact, personal information leaks in China have existed for a while. According to Zhang, there is already an underground market containing a complete industry chain which involves collecting personal information and using it for specific commercial purposes.

Some people use their access to personal information to sell it on the online data exchange platform for profit, and many companies pretend to be consulting agencies while actually engaging in the personal information trade.

As a specialist who has worked in the field for more than 10 years, Zhang said information is used by some groups to conduct targeted marketing or commit crimes against individuals.

"All kinds of businessmen and interested groups will send large amounts of junk messages to you day and night to promote their products, forcing you to spend quite a lot of time to clean it up and, more importantly, affecting your normal life," Zhang said.

It's much worse if your information falls into the hands of someone who intends to commit illegal activities. "The information is so accurate that they can do almost anything they want, like steal your money from the bank, make fake ID cards, cheat your friends by pretending to be you or rob your home," Zhang said.

Unfortunately, even when they realize their information has been leaked, most people choose to do nothing until they suffer a loss, by which time it is already too late.

"On the one hand people don't know how their information was leaked and on the other they don't know how to protect themselves," Zhang said.

Protection awareness 

It is no coincidence that similar incidents happen repeatedly. Just two weeks ago, another report published by wooyun.org showed that a database containing information on some 70 million users of QQ, Tencent's instant messaging software, had been leaked.

In 2011, several major Chinese websites were found to have leaked millions of their users' detailed personal information. 

Shang Jiangang, a lawyer representing Zhang and Wang, told the Global Times that as the first case of its kind in China, they encountered many difficulties in their attempt to protect citizens' rights.

"It is not easy for us to obtain evidence to prove the relevance of who should be held responsible, and even if we can prove it, it is difficult to value the losses incurred by most victims under most circumstances, which also makes compensation requests difficult," Shang said.

In China, there is no law to support civilians seeking to protect their personal information rights. Although the amendment of the Criminal Law, which came into effect in 2009, mentioned that anyone who obtains citizens' personal information through illegal means could face jail sentences of up to three years, it is difficult to enforce in reality, due to the lack of clear regulations clarifying which government organ should undertake this responsibility. 

The court had not yet decided whether it would accept Zhang's and Wang's case by press time.

"Even if we fail, we believe someone else will continue. The most important thing is to raise public awareness on the personal information security issue as well as warn those enterprises who have been ignoring the issue for a long time to take responsibility," Zhang said.


