Is Microsoft AI Helping To Deliver China's 'Shameful' Xinjiang Surveillance State?

This article is more than 5 years old.

When an ethical hacker exposed the SenseNets data breach, shining a light on the technologies including facial recognition being used to track Xinjiang Muslims in real time, there followed an online debate as to whether Microsoft 'partnered' with SenseNets, and whether they were aware of the inclusion of their technology in the dystopian surveillance program that has drawn international condemnation for the subjugation of the Muslim Uighur population of Xinjiang Province.

The breach by the Shenzhen-based facial recognition company exposed a database of more than 2.5 million records: names and addresses; ID card numbers; dates of birth; passport photographs; employer details; and, most alarmingly, 6.5 million records relating to the GPS locations passed by those individuals in the prior 24 hours.

Information shared online appears to show the use of Microsoft technology (GitHub and Azure) within the SenseNets program, although Microsoft denies any partnership or commercial relationship with either SenseNets or its parent company. If the information that has been shared publicly is correct, and Azure Cognitive Services are being used, then this has been procured either through a different source or even personally by one or more of the developers themselves. If the technology was there, then it is quite likely to have been (or still be) a fundamental part of the program.

Microsoft has its own complicated relationship with facial recognition. At the World Economic Forum in Davos this year, CEO Satya Nadella said that “one of the things that I feel today is, in the marketplace, there’s competition; there’s no discrimination between the right use and the wrong use of facial recognition.”

And nowhere is that lack of discrimination between right and wrong more of an issue than in Xinjiang.

Victor Gevers, the hacker responsible for publishing the breach and sharing the Microsoft-related information, tweeted at the time of the SenseNets breach that, "the company 微软 also known as Microsoft has been a precious partner who has turned more than once a blind eye to the (technical) / (mal)practices of the engineers of SenseNets. From pirated versions of Windows servers to offering Azure Cognitive services for Face (recognition)."

A complicated relationship?

SenseNets has for some time openly listed Microsoft as a partner on their website, and yesterday the New Statesman's NSTech website revisited the claims linking Microsoft and SenseNets, initially saying "the US software giant declined the opportunity to deny the existence of an alleged partnership with SenseNets, in light of claims made on the Shenzhen-based firm’s website, before NS Tech published this story."

This was later revised to include a denial: "A Microsoft spokesperson has since said that it is not involved in a partnership with the company and that SenseNets used the company’s logo on its website without its permission. 'We have asked for it to be removed,' the spokesperson added."

But, putting the alleged partnership to one side, the more pointed online debate related to the SenseNets developers' use of Microsoft-owned GitHub and the alleged use of Azure Cognitive Services, and in particular to the removal of an API key for Azure Cognitive Services from within the GitHub repository.

Gevers explained on Twitter that "after SenseNets became news the API key for cognitive services suddenly disappeared from GitHub. But other sensitive materials were still leaked by the developers through their personal repositories like e-mail, database, SSH and Gitlab credentials, where the lost API key was found... At this moment it is not clear if the Microsoft Azure Cognitive services are still being used. The developers of SenseNets did not learn much from the previous incident and keep pushing new code and credentials to GitHub for their new 'Face device management system'."

When I asked Microsoft about the alleged SenseNets partnership, the use of Azure Cognitive Services by SenseNets or the removal of the API from GitHub, they confirmed to me that they are not "involved in a partnership with SenseNets," adding that, "we’ve done a search of all our partnerships over the past five years and don’t have any evidence of Microsoft having a partnership with SenseNets. We’ve done a thorough examination. SenseNets and its parent company are not customers of our Azure services including those related to facial recognition, and we have no evidence they’ve purchased our products or services in the past five years."

Consequently, the apparent use of Azure and its Cognitive Services by the SenseNets program remains unexplained.

Right from wrong

I interviewed Victor Gevers this week, following the news of a further headline data breach in China. He sees SenseNets as a game-changer for exposing the information gathered within China's surveillance state, and that has given him a personal dilemma. "We don’t want to be whistle-blowers - we want to fix stuff, not embarrass people," he told me. "In the last month, we have found a lot of databases that show the implementation of mass surveillance, using extensive technology that is purely designed for monitoring."

As far as SenseNets goes, he explained that "we reported the system, we found it very remarkable, not knowing exactly what the use was. I posted a tweet, saying this is the system we found, it's mass surveillance, it's bad, it's out there. Then after a while, some journalists asked if we ever checked the GPS locations in the database because this could be a very bad thing... I reached out and I asked, 'can you help me with this'. And a journalist verified the information and said this is bad, this can’t stay covered, you need to list this publicly. So that's how the ball started rolling."

A focus on ethics

The questionable ethics around China's surveillance state, especially where Xinjiang is concerned, are becoming better understood as more data abuses hit the headlines. This week, a U.S. State Department spokesman called Xinjiang a "great shame for humanity", and said that "we are committed to promoting accountability for those who are committing these violations."

More broadly, there is a complicated relationship between leading Western technology companies and the vast Chinese market - including the decline in smartphone sales this year, the debate on whether or not search engines should be tailored, and the tolerance of pirated software. There is also now the backdrop of the ongoing trade negotiations with the U.S. and the extent to which China's surveillance ethics, a key driver of prohibitions on the likes of Hikvision and Huawei, will come into play.

But where the ethics are concerned, perhaps this should be clear cut. "If we find stuff that is not good or has questionable ethics," Gevers told me, "then we’re experimenting to see if we can share that on social media." Ultimately, where China's surveillance state is now concerned, it is likely that few Western companies will want any public associations to come to light. And so maybe this becomes a good news social media story to balance all the bad.

[The headline of this article was changed after it was first published.]
