China uses app to spy on visitors, collect data
BEIJING — China has turned its western region of Xinjiang into a police state with few modern parallels, employing a combination of hightech surveillance and enormous manpower to monitor and subdue the area’s predominantly Muslim ethnic minorities.
Now, the digital dragnet is expanding beyond Xinjiang’s residents, ensnaring tourists, traders and other visitors — and digging deep into their smartphones.
Journalists from the New York Times and other publications examined a policing app used in the region, getting a rare look inside the intrusive technologies that China is using in the name of quelling Islamic radicalism and strengthening Communist Party rule in its far west. The use of the app has not been previously reported.
China’s border authorities routinely install the app on smartphones belonging to travelers who enter Xinjiang by land from Central Asia, according to several people who crossed the border recently and requested anonymity to avoid government retaliation. Chinese officials also installed the app on the phone of one of the journalists during a recent border crossing. Visitors were required to turn over their devices to be allowed into Xinjiang.
The app gathers personal data from phones, including text messages and contacts. It also checks whether devices are carrying pictures, videos, documents and audio files that match any of more than 73,000 items included on a list stored within the app’s code.
Those items include Islamic State publications, recordings of jihadi anthems and images of executions. But they also include material without any connection to Islamic terrorism, an
The Chinese government has blamed Islamic extremism and Uighur separatism for deadly attacks.
indication of China’s heavyhanded approach to stopping extremist violence.
“The Chinese government, both in law and practice, often conflates peaceful religious activities with terrorism,” Maya Wang, a China researcher for Human Rights Watch, said. “You can see in Xinjiang, privacy is a gateway right: Once you lose your right to privacy, you’re going to be afraid of practicing your religion, speaking what’s on your mind or even thinking your thoughts.”
The United States has condemned Beijing for the crackdown in Xinjiang, which Chinese officials defend as a nonlethal way of fighting terrorism. The region is home to many of the country’s Uighurs, a Turkic ethnic group, and the Chinese government has blamed Islamic extremism and Uighur separatism for deadly attacks on Chinese targets.
In the past few years, China has placed hundreds of thousands of Uighurs and other Muslims in reeducation camps in Xinjiang. For the region’s residents, police checkpoints and surveillance cameras equipped with facial recognition technology have imbued life with a corrosive fear of acting out of turn.
With the scanning of phones at the border, the Chinese government is applying similarly invasive monitoring techniques to people who do not even live in Xinjiang or China. Beijing has said that terrorist groups use Central Asian countries as staging grounds for attacks in China.
Three people who crossed the Xinjiang land border from Kyrgyzstan in the past year said that as part of a lengthy inspection, Chinese border officials had demanded that visitors unlock and hand over their handsets and computers. On Android devices, officers installed an app called Fengcai (pronounced “FUNGtsai”), a name that evokes bees collecting pollen.
A copy of Fengcai was examined by journalists from the New York Times; German newspaper Süddeutsche Zeitung; German broadcaster NDR; the Guardian; and Motherboard, the Vice Media technology site.
One of the journalists undertook the border crossing. Holders of Chinese passports, including members of the majority Han ethnic group, had their phones checked as well, the journalist said.
Apple devices were not spared scrutiny. Visitors’ iPhones were unlocked and connected via a USB cable to a handheld device, the journalist said. What the device did could not be determined.
The journalists also asked researchers at the RuhrUniversity Bochum in Germany and the Open Technology Fund, an initiative funded by the U.S. government under Radio Free Asia, to analyze the code of Fengcai. The Open Technology Fund then requested and funded an assessment of the app by Cure53, a cybersecurity company in Berlin.
The app’s simple design makes the inspection process easy for border officers to carry out. After Fengcai is installed on a phone, the researchers found, it gathers all stored text messages, call records, contacts and calendar entries, as well as information about the device itself. The app also checks the files on the phone against the list of more than 73,000 items.
This list contains only the size of each file and a code that serves as a unique signature. It does not include the files’ names or other information that would indicate what they are.
But at the journalists’ request, researchers at the Citizen Lab, an internet watchdog group at the University of Toronto, obtained information about roughly 1,400 of the files by comparing their signatures with ones stored by Virus-Total, a malwarescanning service owned by Google sibling company Chronicle. Additional files were identified by Vinny Troia, founder of cybersecurity firm Night-Lion Security; and York Yannikos of the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany.
Most of the files that the journalists could identify were related to Islamic terrorism: Islamic State recruitment materials in several languages, books written by jihadi figures, information about how to derail trains and build homemade weapons.
Many of the files were more benign. There were audio recordings of Quran verses recited by wellknown clerics, the sort of material that many practicing Muslims might have on their phones. There were books about Arabic language and grammar, and a copy of “The Syrian Jihad,” a book about the country’s civil war by researcher Charles Lister.
Lister said he did not know why the Chinese authorities might consider him or his book suspicious. He speculated that it might only be because the word “jihad” was in the title.