Lifting the Veil on the Traffic in Personal Data: Hotel Records for 300 RMB
Southern Metropolis Daily December 12, 2016 – Rao Lidong and Li Ling
Scary! Reporters from the Southern Metropolis Daily bought information on colleagues’ movements, flights, hotel bookings, internet usage etc, buying eleven different types of personal data for 700 RMB.
Southern Metropolis Daily went undercover to investigate the black and grey markets for the provision of personal information. For 600 RMB, you can buy the precise location of a colleague, for 300 RMB a record of every hotel room booked since college entrance exams. You can also buy details of the amount of savings held at all four major Chinese banks.
The Southern Metropolis Daily bought a “Complete ID Track and Trace” (身份证大轨迹) using on a colleague’s ID number, including hotel records, internet records, long term and short term residency etc.
Anyone can track down all of your private information, including hotel records, property in your name, flight records, even internet cafe browsing history, all it needs is willingness to pay. Does this give you the chills? Deposit records at the four main banks, real time mobile phone location, mobile call data, they can track it all, and are open 7 days a week 24 hours a day.
Today reporters from the Southern Metropolis Daily spent only 700 RMB and bought all of the above data on their colleague, even more frightening is that there is already guaranteed third party software offering this kind of service, and the whole business has already become systematised.
Precise location data in 30 minutes Hotel data down to the second
As long as you are willing to spend money, you can find anybody’s hotel records, cars and property, all kinds of official certificates, photocopies of qualifications, even real time location using mobile data. At the other end of the internet are businesses waiting to provide everything, anywhere in the world, 24 hours a day.
On December 8th, we contacted one service provider called “xxTrading” saying we were investigating a relative’s fiancé. The “xxTrading” employee explained that all they needed was the ID number and they could find 11 types of documents including: hotel records, train records, flight details, internet cafe details, (Chinese border) exit data, entry data, criminal history, housing records, rental details, banking details, driver’s licence—a so called “Complete ID Track and Trace” (身份证大轨迹).
This “Full Service” costs 850 RMB. The “xxTrading” employee told us that if we wanted to investigate specific information, then that would cost extra, “checking personal credit scores costs 300 RMB, hotel records 200 RMB.” Moreover, if you check information individually, for example hotel records, then the results come back within the day; for the full ID Track and Trace, you need to wait two days.
Same Day Results And Who Shared the Room
We received permission from a colleague, who provided their full name and ID number. The “xxTrading” employee found all the hotel records in the province where our colleague’s ID was registered for a cost of 200 RMB. Finding hotel records for the whole country cost 300 RMB and the results came out before midnight the same day; however, we had to transfer payment in advance.
On December 9th, at 7pm the company sent a complete list of all the hotel records of our colleague, and in addition sent a page with the full details of the last hotel our colleague stayed at on October 30th.
The document revealed that the first time our colleague checked into a hotel was August 10, 2011 at 9:48 pm, at AnXin Hotel in Xincheng District Xian. Our colleague stayed in room 310 and we could also check who else stayed in that room. We asked how much this would cost and received a reply “individual check on other occupants costs 600.” Our colleague confirmed that after the college entrance exams they went on holiday as a family to Xian in 2011 and stayed in a hotel.
And the last hotel record was a piece of paper with a blue background, on the left was a picture of the ID card, in the middle listed the customer number, ethnicity, date of birth, ID number, address, room number, hotel number, and hotel address. On the right was from top to bottom: full name, sex, type of ID, area, city, province address, date of check in and check out, name of the hotel and zone of address. Every hotel record contained the check in time down to the hours, minutes and seconds.
Anything from home address to flight numbers, bank accounts to internet records—you ask, they have
We also asked the price for telephone records. The reply was phone records were only available for Liantong numbers at a cost of 1,500 RMB, location data was 600 RMB.
The “xxTrading” employee also said they could check bank balances at all four major banks for 600 RMB per search. You just need to provide the ID Number, but the results would only be available after two days.
We decided to try to buy the Complete Track and Trace using another colleague’s data. We haggled and got the price down to 700 RMB. One day after transferring the money, we received two Excel spreadsheets containing nine types of information on our colleague.
The first file called “Dispersed Checks” recorded the colleague’s hotel records from April 2011, locations of permanent residence, temporary residence, and internet records. The other file called, Basic Personal Information for XXX”, contained train records, flight records, banking records, driving records, driving endorsements and penalties, motorbike registration etc.
After verification by our colleague, it was confirmed that both files were completely accurate and basically contained a complete track and trace of their ID for everything over the past few years. Particularly the file containing basic personal data from the whole of China was exactly the same as the government registration data and the photo was the one from their personal ID card. Moreover, our colleague said that the reason the data started again from April 2011 was because that was the date when their ID card was renewed.
30 minutes and precise positioning to 6 digits after the decimal point
We decided to switch to another colleague’s mobile number and see what the positioning data was like. “xxTrading” said they could only do it for Liantong phone numbers, it would take thirty minutes, and cost 600 RMB. We provided the number and transferred the money. After more than thirty minutes, the company sent a photo with information on the position including a map, longitude and latitude (up to six digits after the decimal point), and it was exactly the same as the location of our colleague.
In reality, “xxTrading” is only one link in the wider information industry. We found out that the above personal data wasn’t sourced by “xxTrading”. “xxTrading” are only agents for the real service providers. The “xxTrading” employee stated that they could develop the relationship with us and we would provide “downstream representation”. The agency fee was 500 RMB and then the standard charge for each service varied.
we discovered that on weibo, qq groups, tencent shop, taobao, etc were a large number of people who could find information on other people, some even had their own websites, and provided “professional commercial investigation” or protecting against malicious “human flesh” searching or malicious “human flesh” searching.
systematisation of the traffic in personal data
counterparts discuss offline, pay online; some use fake names and inaccurate trading descriptions to list on major websites
aside from selling personal data, service providers also offer “silent” positioning services where with no information and only money you can find out the current location of anyone.
on qq i searched positioning services and discovered that there were many people who provided this service, and with only a mobile number or qq wechat you could find out locations. according to an explanation there are two types of mobile positioning—one goes via gps and the other via the base stations. for gps you need to provide a connected mobile phone, and accuracy is within 20m, if the phone has reception you could be even more precise, with accuracy to around 10m.
businesses explained that gps was turned on by default when users download apps such as wechat and map. when i raised the issue of mobile positioning, one agent said that after paying 600 rmb it would take only a few minutes to find the location.
surprisingly this type of service already has guaranteed third party platforms. one merchant gave us a web address and account number for “tongxbao”, and said that you just need to send an invoice listing the merchant as the receiver and you could start trading.
we discovered that the set up of these guaranteed third party platforms was extremely simple. the buyer only needs to send an invoice and the seller will process it. the platform stated that after the buyer transfers the money, the amount will be safeguarded by the platform. the seller can’t use the funds until after the buyer confirms, then the money will be unfrozen and transferred to the seller’s account. after the transaction is complete, “tongxbao” takes 20% of the fee from the seller as operating costs.
we tried and sent through an invoice. the invoice listed nine categories: hotel data check, mobile positioning, personal track and trace, residence data etc and each category was further broken down. at the bottom of the invoice, the receiver must fill in their account number, that is to say, the two counterparts must agree on the price before they can go onto the platform and pay.
after the order is placed, the platform states that if there is a dispute between the parties, they can start arbitration, “tongxbao” has specialised employees who will investigate and verify whether the information provided by the seller is correct.
in addition, some service providers use covers and process the transaction on mainstream websites, thereby saying there is a third party “guarantee”. on december 10th, a service provider called a kai told us on qq that he could check hotel records and other types of personal data, and that in order to guarantee the the funds, the transaction would be completed on the business services platform “zhu bajie net”.
a kai explained you just need to post a help wanted note on zhu bajie net, in the name write software developer or clothes designer, definitely don’t write checking personal data or something like that, “our thing is of course illegal, hidden from view, only you need to know.”
after you post on zhu bajie net, i will set up the deal with clients, then after the transaction is completed, collect the money, and this way the funds are kept with zhu bajie net, so if the transaction goes awry, the client can take back the money, and this way “the security of the funds is protected.”
Insiders say that the industry is growing, however the majority of service providers can’t be trusted
In this black and grey data theft industry, the businesses surrounding hacked “Social Work” databases containing personal information has already matured. “Social Work” in the hacking community means the type of hacking that aims to obtain intelligence and data. “Social Work” databases contain large amounts of user data, which has become the main source of data for “human flesh searches” and information peddlers.
The hacked “Social Work Database” industry was popular, but after it was exposed and carefully investigated, social networks, such as QQ, continue to list it as a sensitive search term, meaning signs advertising for “Social Work Databases” quickly disappear.
However, the once famous “Social Work Databases” have not been completely abandoned by people who work in the industry, only the name has changed and other businesses have popped up under new names. We discovered from searching on Baidu and Taobao etc that some information merchants went by the name of “counter-flesh search” and “counter-data breach,” which at the same time as avoiding internet controls were in reality conducting malicious “human flesh” searches.
Because of problems of skills and personal qualifications, a motley group of people are employed in this black and grey industry, with more bad than good; in comparison, the majority of potential customers have a strict set of requirements and want trustworthy and quality service providers to carefully check (other people’s) backgrounds, and often have to change service providers they work with, whether they want to or not.
Due to the short supply of quality service providers, the market outlook was always good. A Kai told us that the vast majority of service providers in the current market were untrustworthy, “Even after finding a real one, the price is too high for the majority of people.” He explained that the market price for only checking phone records with the top three service providers was 1,000-2,000 RMB, and to check hotel records 700-800 RMB.
Aside from the high price, it’s hard to find highly skilled and trustworthy merchants, “In the current market, there are only three or four companies in the market providing data breach services, so it’s not easy to contact them.” A Kai told us that, “For the most part, anyone saying that they can check their own databases for hotel records, phone records, text messages are all conmen.”
In private conversations, A Kai told us that in the black and grey data theft industry he is both a service provider and a consumer, “In Changsha, I was a local loan shark, some people borrowed money and ran, so I had to find a way to flesh search them.” He said that in normal circumstances he would go through local channels for solutions, searching online is the next, next step.
What is remarkable is service providers promise of a “third party transaction guarantee,” some certainly cannot guarantee that funds are safe. On the above “TongxBao” platform, the reporter transferred 600 RMB on this third party payment platform, and provided the name and phone number of another reporter. After ten minutes, the service provider sent three different location maps, with the average being Binjiang Road, Haizhu District, Guangzhou City. However, this time the reporter’s real position was 5km away in Yuexiu District.
The reporter asked about the accuracy of the data, and the company said, “The information comes from base stations and it’s impossible to check again. Another check would require another payment.” This company said that normally positioning was accurate to within 50 meters. As regards problems with positioning he said, “If you know you wouldn’t need me to check, it’s up to you who you believe.”
After which the reporter filed for arbitration; however, to date the platform has done nothing.
Police: We will undertake verification and investigation
We reported the traffic of personal information to government bureaus, but have still not seen any results
On the 11th, we reported the data theft to the police in the area our colleague was registered and sent the perpetrator’s contact details to the police. Following which we phoned Guangzhou public security bureau. After the police had asked for all the details they said that they would ask someone to get in touch. In less than ten minutes, police from the related department contacted us. After listening to the details, the police office said that because the data was not openly available on the internet, there was nothing that could be done about it for now.
“Once it is made public, you can go to the local police station, file a report, and the police will launch an investigation.” As regards the service providers, the police said to report it to the local police station and once the report was submitted it would be given to the police to investigate.
As regards the problem of the existence of many related websites, we called the police in the website’s local place of registration. Chengdu police replied that as regards the problem of “TongxBao,” they would send people to investigate and contact me. They also suggested that a report be made with Guangzhou police. As regards websites such as Zhu Bajie Net registered in Chongqing, we contacted the Chongqing public security bureau, and were told that a report could only be made at our own local police station; Chongqing police could not accept the case.
The corporation behind Jingx Website was Jingx Technology Company, Jieyang City, Jiedong District. The reporter contacted the internet police at the public security bureau in Jieyang, and an officer said we could file a report on the police website, and consecutively conduct verification and investigation, then deal with it according to the situation.
Because the worker at “xxTrading” said they were based in Shenzhen, we telephoned to file a report with the Shenzhen office for internet trust, illegal online activities, and vice. The hotline asked for a message to be left. We reported the above problem and still had not heard anything before the story was filed. The website listed another hotline, and we reported “xxTrading’s” online shop and workers; however, whilst making the report with the WeChat platform, we discovered that there was no category for “participating in illegal trades,” the only option was “this webpage contains misleading information.” Employees from WeChat contacted us and said that Tencent has always fully co-operated with police operations to combat black industries.
The Tencent employee also told us that the traffic of personal data had already become a multi-platform industry, with offline and online trading. For QQ alone, the security team in 2016 centrally investigates QQ groups where there exists a possible threat, and after individually investigating each one, all groups confirmed to be engaged in illegal activity are closed without exception. To present, 4,500 groups have been checked, and 3,400 QQ accounts have been closed.
Moreover, on the afternoon of December 11th, we reported the problem of suspected involvement in illegally obtaining data and trading that data and service guarantees to the Information Ministry. We left contact details including email and telephone, however to date have not be contacted.