Zhenhua Data Information, a Shenzen-based technology company that has links with the Chinese government and the Chinese Communist Party, is monitoring more than 10,000 Indian individuals and organisations, among them top politicians, an investigation byThe Indian Express has revealed.
Amid concerns of surveillance and the involvement of a Chinese company that has got alarm bells ringing, several key questions have arisen.
Primary among those questions is, does this pose an actual security concern? To understand this, we need to ask a few questions.
A Look Into What Happened
A Chinese company called Zhenhua Data Information Technology Co was aggregating data that is publicly available with the intent of selling it to interested third parties. This was information on politicians, military officers, diplomats, academics, civil servants, business executives, engineers, journalists, lawyers and accountants of different countries.
According to ABC News Australia- “Information collected includes dates of birth, addresses, marital status, along with photographs, political associations, relatives and social media IDs.”
Why Are They Tracking Only High-Profile Individuals?
For the uninitiated, there is a term for such high-profile people known as “politically exposed persons” (PEP). A politically exposed person (PEP) is defined by the Financial Action Task Force as an individual who is or has been entrusted with a prominent public function.
Due to their position and influence, it is recognised that many PEPs are in positions that potentially can be abused to commit money laundering offences and related predicate offences, including corruption and bribery, as well as conducting activity related to terrorist financing.
So, when a PEP wants to open a bank account or do investing, there is a separate process which is stricter than an average person’s. Similarly, the accounts of family and relatives of a PEP are also monitored.
In addition, there are various sanction lists issued by different countries against some individuals. So, financial institutions need to be careful when dealing with such individuals and adhere to the guidelines set by regulatory bodies like RBI in India.
Is Zhenhua The Only Company Doing This?
A simple Google search for PEP databases will lead to many websites like namescan.io, and RDC which provide similar data as Zhenhua.
As you can see, Rdc.com has 1.7 million PEP profiles whereas Zhenhua has 2.4 million profiles.
According to indiaforensic.com, a Pune-based company called Riskpro Management Consulting Pvt Ltd has more than 100,000 curated records.
There is a massive ecosystem of companies in India who provide similar services. But they mostly collect and maintain data on Indian PEPs only.
How Are Companies Getting Access to Such Data?
Almost all of the data that was alleged to be sensitive is merely collated public information. These companies are scraping publicly-available information from several sources and correlating them to build an extended profile of sensitive individuals.
In general, every time you post something on Facebook, you have some privacy options to make it a public post - meaning any person on the internet can view it, unlike in the case of a friends-only post, which only your friends can view.
Similarly, when you are posting on Instagram, you have an option to have a private or public account. This is the same with Twitter and other social media sites.
Every time you make a public post or upload a picture while keeping the privacy settings as “public,” it is likely that it will be scrapped at one point or another.
In this case of Zhenhua, they merely collated Twitter, Facebook, LinkedIn, Instagram and TikTok accounts, combined them with news stories, criminal records and corporate misdemeanours in order to “build” a database of “sensitive” information.
I Am Not a PEP. Is My Data Safe?
If you are posting on social media sites or the internet in general, you need to assume that your data is eventually going to get scraped by marketing agencies or some other third-party.
Marketing agencies can see the pages you liked and the groups you are members of in Facebook, for example, you can append /members to any public Facebook group link and see all the people in it.
You can also append /likes and /groups to your Facebook profile link and see what pages you like and what groups you are in. This information can be used to enrich already-existing customer databases for targeted marketing and running campaigns.
What About Indian Companies?
While Zhenhua got a lot of attention for being a Chinese company, Indian companies that are following some shady tactics to get access to build credit profiles, etc. also need to be scrutinised.
A highly successful fintech company that rated people’s creditworthiness collected data from people using music players and religious apps.
Know What You’re Making Public
The point to note here is that Zhenhua didn’t try to hide the data like other similar companies mentioned earlier did. Scraping social media is nothing revolutionary. It has been done for many years. This news was hyped because the company involved is Chinese, and a lot of conclusions have been drawn from it.
Privacy law should make it hard for anyone to collect information about any person without their knowledge and permission. Personal data protection law doesn’t give individuals ownership over their data and this will allow companies to sell individuals’ data.
Zhenhua couldn’t even protect its data for that matter. They left an insecure elastic search database instance running, which resulted in this data becoming accidentally public.
Ultimately, as an individual, if you want to safeguard your data, don’t make public posts on social media and take note of how many accounts of yours are public, as well as what information about you is available for companies to scrape.
(The author is founder, Hackrew a cybersecurity startup based out of Hyderabad. Kothapalli is an alumnus of IIT Guwahati where he studied Computer Science and Engineering. This is an opinion piece and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for the same.)
Liked this story? We'll send you more. Subscribe to The Quint's newsletter and get selected stories delivered to your inbox every day. Click to get started.
The Quint is available on Telegram & WhatsApp too, click to join.
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)