Chinese company leaves Muslim-tracking facial recognition database exposed online

Researcher finds one of the databases used to track Uyghur Muslim population in Xinjiang.

SenseNets

One of the facial recognition databases that the Chinese government is using to track the Uyghur Muslim population in the Xinjiang region has been left open on the internet for months, a Dutch security researcher told ZDNet.

The database belongs to a Chinese company named SenseNets, which according to its website provides video-based crowd analysis and facial recognition technology.

Yesterday, Victor Gevers, a well-known security researcher that made a name for himself in the past few years by finding leaky MongoDB databases did what he does best and found one of SenseNets' MongoDB databases that had been left exposed online without authentication.

Gevers told ZDNet that the database contained information on 2,565724 users, along with a stream of GPS coordinates that came in at a rapid pace.

The user data wasn't just benign usernames, but highly detailed and highly sensitive information that someone would usually find on an ID card, Gevers said. The researcher saw user profiles with information such as names, ID card numbers, ID card issue date, ID card expiration date, sex, nationality, home addresses, dates of birth, photos, and employer.

For each user, there was also a list of GPS coordinates, locations where that user had been seen.

The database also contained a list of "trackers" and associated GPS coordinates. Based on the company's website, these trackers appear to be the locations of public cameras from where video had been captured and was being analyzed.

Some of the descriptive names associated with the "trackers" contained terms such as "mosque," "hotel," "police station," "internet cafe," "restaurant," and other places where public cameras would normally be found.

Gevers tracker locations

The location of some of the SenseNets trackers

Image: Victor Gevers

Gevers told ZDNet that these coordinates were all located in China's Xinjiang province, the home of China's Uyghur Muslim minority population.

There are numerous reports of human rights abuses carried out by Chinese authorities in Xinjiang, such as forcing the Uyghur Muslim population to install spyware on their phones, or forcing some Uyghur Muslims into "re-education" camps that Uyghur Muslims living abroad have described as forced labor camps.

The database that Gevers found wasn't just some dead servers with old data. The researcher said that during the past 24 hours a stream of nearly 6.7 million GPS coordinates were recorded, meaning the database was actively tracking Uyghur Muslims as they moved around.

Keriya GPS coordinates

Location of one of the GPS coordinates found in the exposed database

Image:Victor Gevers

Not knowing what he found at the time, Gevers reported the exposed database to its owner, the Chinese company, which secured it earlier today, blocking access from non-Chinese IP addresses using a firewall rule.

The company did not respond to a request for comment before this article's publication.

The most common conclusion is that SenseNets is a government contractor, helping authorities track the Muslim minority, rather than a private company selling its product to another private entity. Otherwise, it would be hard to explain how SenseNets has access to ID card information and camera feeds from police stations and other government buildings.

Gevers said he now regrets helping the company secure its oppression tool.

Article updated on February 17 with a map of the trackers' locations.

More data breach coverage: