China installs app onto phones of visitors to Xinjiang, sifting through their data

Police officers patrolling in Kashgar in China's western Xinjiang region, on June 4, 2019.
Police officers patrolling in Kashgar in China's western Xinjiang region, on June 4, 2019.PHOTO: AFP

BEIJING (NYTIMES) - China has turned its western region of Xinjiang into a police state with few modern parallels, employing a combination of high-tech surveillance and enormous manpower to monitor and subdue the area's predominantly Muslim ethnic minority.

Now, the digital dragnet is expanding beyond Xinjiang's residents, ensnaring tourists, traders and other visitors - and digging deep into their smartphones.

A team of journalists from The New York Times and other publications examined a policing app used in the region, getting a rare look inside the intrusive technologies that China is deploying in the name of quelling Islamist radicalism and strengthening Communist Party rule in its far west. The use of the app has not been previously reported.

China's border authorities routinely install the app on smartphones belonging to travellers who enter Xinjiang by land from Central Asia, according to several people interviewed by the journalists who crossed the border recently and requested anonymity to avoid government retaliation. Chinese officials also installed the app on the phone of one of the journalists during a recent border crossing. Visitors were required to turn over their devices to be allowed into Xinjiang.

The app gathers personal data from phones, including text messages and contacts. It also checks whether devices are carrying pictures, videos, documents and audio files that match any of more than 73,000 items included on a list stored within the app's code.

Those items include publications by the Islamic State in Iraq and Syria terror group, recordings of extremist anthems and images of executions.

But they also include material without any connection to Islamist terrorism, an indication of China's heavy-handed approach to stopping extremist violence. There are scanned pages from an Arabic dictionary, recorded recitations of Quran verses, a photo of the Dalai Lama and even a song by a Japanese band of the earsplitting heavy-metal style known as grindcore.

 
 

"The Chinese government, both in law and practice, often conflates peaceful religious activities with terrorism," Ms Maya Wang, a China researcher for Human Rights Watch, said. "You can see in Xinjiang, privacy is a gateway right: Once you lose your right to privacy, you're going to be afraid of practising your religion, speaking what's on your mind or even thinking your thoughts."

The United States has condemned Beijing for the crackdown in Xinjiang, which Chinese officials defend as a non-lethal way of fighting terrorism. The region is home to many of the country's Uighurs, a Turkic ethnic group, and the Chinese government has blamed Islamist extremism and Uighur separatism for deadly attacks on Chinese targets.

In the past few years, China has placed hundreds of thousands of Uighurs and other Muslims in re-education camps in Xinjiang. For the region's residents, police checkpoints and surveillance cameras equipped with facial recognition technology have imbued life with a corrosive fear of acting out of turn.

With the scanning of phones at the border, the Chinese government is applying similarly invasive monitoring techniques to people who do not even live in Xinjiang or China. Beijing has said that terrorist groups use Central Asian countries as staging grounds for attacks in China.

Three people who crossed the Xinjiang land border from Kyrgyzstan in the past year said that as part of a lengthy inspection, Chinese border officials had demanded that visitors unlock and hand over their handsets and computers. On Android devices, officers installed an app called Fengcai, a name that evokes bees collecting pollen.

A copy of Fengcai was examined by journalists from The New York Times, German newspaper Suddeutsche Zeitung, German broadcaster NDR, The Guardian, and Vice Media technology site Motherboard.

One of the journalists undertook the border crossing in recent months. Holders of Chinese passports, including members of the majority Han ethnic group, had their phones checked as well, the journalist said.

Apple devices were not spared scrutiny. Visitors' iPhones were unlocked and connected via a USB cable to a hand-held device, the journalist said. What the device did could not be determined.

The journalists also asked researchers at the Ruhr-University Bochum in Germany and the Open Technology Fund, an initiative funded by the US government under Radio Free Asia, to analyse the code of the Android app, Fengcai. The Open Technology Fund then requested and funded an assessment of the app by Cure53, a cyber-security company in Berlin.

The app's simple design makes the inspection process easy for border officers to carry out. After Fengcai is installed on a phone, the researchers found, it gathers all stored text messages, call records, contacts and calendar entries, as well as information about the device itself. The app also checks the files on the phone against the list of more than 73,000 items.

 
 

This list contains only the size of each file and a code that serves as a unique signature. It does not include the files' names or other information that would indicate what they are.

But at the journalists' request, researchers at the Citizen Lab, an Internet watchdog group based at the University of Toronto, obtained information about roughly 1,400 of the files by comparing their signatures with ones stored by VirusTotal, a malware-scanning service owned by Google sibling company Chronicle. Additional files were identified by Mr Vinny Troia, founder of cyber-security firm NightLion Security; and Mr York Yannikos of the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany.

Most of the files that the journalists could identify were related to Islamist terrorism: ISIS recruitment materials in several languages, books written by extremist figures, information about how to derail trains and build homemade weapons.

Many of the files were more benign. There were audio recordings of Quran verses recited by well-known clerics, the sort of material that many practising Muslims might have on their phones. There were books about Arabic language and grammar, and a copy of The Syrian Jihad, a book about the country's civil war by researcher Charles R. Lister.

Lister said he did not know why the Chinese authorities might consider him or his book suspicious. He speculated that it might only be because the word "jihad" was in the title.

Other files the app scans for have no link to Islam or Islamist extremism. There are writings by the Dalai Lama, whom China considers a dangerous separatist, and a photograph of him. There is a summary of The 33 Strategies Of War, a book by author Robert Greene on applying strategic thinking to everyday life.

"It's a bit of a mystery to me," Greene said, when told that his book had been flagged.

There is also, puzzlingly, an audio file of a metal song "Cause and Effect" by Japanese band Unholy Grave. The reason for the song's inclusion was not clear, and an e-mail sent to an address on Unholy Grave's website was not answered.

After Fengcai scans a phone, the app generates a report containing all contacts, text messages and call records, as well as lists of calendar entries and of other apps installed on the device. It sends this information to a server.

 
 

Two of the people who recently crossed the Xinjiang border said that before officials returned phones to their owners, they took photos of each owner's passport next to his or her device, making sure that the app was visible on the screen.

This suggests that authorities have been told to be thorough in scanning visitors' phones, although it was not clear how they were using the information they acquired as a result. It also could not be determined whether anyone had been detained or monitored because of information generated by the app. If Fengcai remains on a person's phone after it is installed, it does not continue scanning the device in the background, the app's code indicates.

Officials in Xinjiang are now gathering oceans of personal information, including DNA and data about people's movements. It would not be surprising for the Chinese authorities to want this harvesting of data to begin at the region's borders.

China's Ministry of Public Security and the Xinjiang regional government did not respond to faxed requests for comment.

Names that appear in Fengcai's source code suggest that the app was made by a unit of FiberHome, a producer of optical cable and telecoms equipment that is partly owned by the Chinese state. The unit, Nanjing FiberHome StarrySky Communication Development, says on its website that it offers products to help police collect and analyse data and that it has signed agreements with security authorities across China.

FiberHome and StarrySky did not respond to requests for comment.

According to StarrySky's website, the company offers "cellphone forensic equipment", which it says can extract, analyse and recover data from mobile phones. On another page, StarrySky says the purpose of its smart policing products is "to let there be not a bad guy in the world who is hard to catch".