UK police in Chinese spy technology row

There is a big difference between a Xiaomi phone and a spy balloon.
17 February 2023

Once again, Chinese spy technology has hit the headlines. Amidst spy balloon surveillance reporting, the UK Government has been promoting a paper from the Office of the Biometrics and Surveillance Camera Commissioner (OBSCC) that states police forces in England and Wales are “shot through” with Chinese camera technology.

According to the survey carried out by the OBSCC, out of 39 responding forces, 18 said their external camera systems use equipment manufactured by companies with security or ethical concerns, and 24 said the same about other operational equipment. These concerns are related to products made by Dahua, Hikvision, Honeywell, Huawei, and Nuuo.

The report’s findings are that the English and Welsh police forces use a lot of Chinese-manufactured technology. The paper fails to cite any research or evidence to show that any of this equipment is relaying information to anyone but the police force that uses it for crime-fighting.

The Biometrics and Surveillance Camera Commissioner said, “there has been a lot in the news in recent days about how concerned we should be about Chinese spy balloons 60,000 feet up in the sky. I do not understand why we are not at least as concerned about the Chinese cameras six feet above our heads in the street and elsewhere.”

This is a false equivalence: in one case, Chinese-manufactured cameras are installed by English and Welsh authorities. In the other, what is probably a spy balloon floats over the US, possibly recording images of American daily life for the Chinese government. To make the equivalence, we have to assume that Chinese-manufactured cameras and other equipment similarly capture information for the manufacturers and, therefore, by proxy, the Chinese government.

Chinese-owned Huawei has faced allegations over the years from the US and its allies that its wireless networking equipment might have backdoors that enable data surveillance by the Chinese government. The speed at which Huawei developed 5G-enabled hardware triggered a slew of panic (there were pretty much no alternatives that made economic sense to install at the time), but the presence of hyperbolic headlines begged the question: what could Huawei stand to gain from being years ahead of competitors in releasing a sought-after technology? It seems unrealistic to assume its sole reason was to spy on foreign citizens and governments. That may have been a lucky bonus (see below), but it would be more sensible to consider the realities of global trade. In short, Huawei was making money.

This isn’t to say that Chinese companies aren’t tied to the Chinese government, its corruption, and its patchy ethics. Huawei technology has been implicated as part of the systems supporting the mass detention of Uyghurs in internment camps. The company is also accused of employing forced Uyghur labor in its supply chain.

No evidence of specific spying by China

So what evidence exists that shows Chinese-manufactured equipment captures data for use by unauthorized third parties, like the manufacturer or a sovereign government?

One research paper studied the Chinese version of the Android OS distributions run by Xiaomi, Realme, and OnePlus handsets, tracking the network traffic the handsets generate when in use by a privacy-aware consumer. “We find that these devices come bundled with a number of third-party applications, some of which are granted dangerous runtime permissions by default without user consent, and transmit traffic containing a broad range of geolocation, user-profile, and social relationships PII [personally-identifiable information] to both phone vendors and third-party domains, without notifying the user or offering the choice to opt-out.” One of the study’s findings highlighted the difference between the permissions of firmware and privacy being enforced regionally: “the data shared by the Global version of the firmware is mostly limited to device-specific information.”

Users of stock Android and apps from the Google Play Store on non-Chinese phones can be assured that their geolocation, contacts’ details, social media posts, texts, and emails are constantly harvested by Google and any number of third-party companies. Users of Apple’s iOS and apps from the App Store are similarly “mined,” the sole difference being that Apple is not selling its iOS users’ data on the open market.

Claims regarding China’s propensity to collect data through Chinese-made technological devices are otherwise unsubstantiated. A blog post that’s fairly typical in its take on the issue, for example, asks how secure Chinese smartphones are and states, “Chinese smartphones have been afflicted with a number of privacy and security issues,” including data theft and “backdoors” in hardware. No published research indicates data movements from Chinese devices outside those channels used daily by Western companies.

The bottom line is that, despite a wealth of accusations, we can’t find a case where respected cybersecurity experts have monitored Chinese tech and seen how Chinese authorities (or anyone) retrieve data from said devices or even what data may be being gathered. Surely, such a pressing concern would be examined, peer-reviewed (as happens daily for drugs, medical treatments, electronic testing, safety and security findings), and proven with empirical evidence. If this research has been undertaken and is the basis for important multinational trade policies, we would consider it important enough to want to examine its ramifications in detail. In short, if it exists, we need this research to be published so we can read it. And if no properly-qualified data professionals have put their name to any such research, why are we listening to and building economy-changing decisions on unsubstantiated claims?

It’s not like that would be so hard to do: Shodan Monitoring is a network that allows users to monitor data leaks to the cloud, phishing websites, and compromised databases. Data messaging is a tangible, trackable thing; if there were substantive evidence, it would be published everywhere and, very likely, available for sale.

Instead, fearmongering about Chinese interference in UK policing might be stealing attention from more pressing public concerns around English and Welsh policing (see David Carrick and Wayne Couzens).

Ultimately though, the inherent accusation in the OBSCC findings is political and economic; it is not factual.