Exporting Chinese surveillance: the security risks of ‘smart cities’
Belgrade’s Republic Square is one of the cultural and social hubs of the Serbian capital, a popular meeting point lined with cafés and the site of the National Museum and the National Theatre.
It is also now at the centre of an international debate about the export of Chinese technology, authoritarian surveillance and cyber security.
The square is under constant observation by equipment made in China. A surveillance camera system installed by Huawei, the Chinese technology group, has the capacity to monitor the behaviour of people in the square and elsewhere in the city, recognise their faces, identify their vehicle number plates and make judgments on whether suspicious activities are afoot.
The cameras in central Belgrade represent the first among some 8,000 that the city plans to install as part of a comprehensive “safe city” partnership with Huawei.
When the project was unveiled in 2019, Nebojsa Stefanovic, Serbia’s former interior minister, boasted that every street and building in the area of the square would be covered by cameras. “We will know from which street [a perpetrator] came, from which car, who was sitting previously in that car,” he said.
But although the Serbian government has a good relationship with Beijing — the pro-China president Aleksandar Vucic last year kissed the Chinese national flag in a video seen over 600m times on Chinese social media — the installation of such surveillance systems is causing controversy.
“Very delicate technology is in question which allows monitoring of the whole society — and enables a dystopian, Orwellian society,” says Zlatko Petrovic, assistant secretary-general to the Serbian Commissioner for Information of Public Importance and Personal Data Protection.
“It can be dangerous in the hands of someone who is not responsible, and it can easily be misused,” adds Petrovic. His independent state agency advocates more debate and transparency about how biometric data should be stored, who can access it, how it will be used and for how long.
The controversy in Serbia is being repeated in different ways across the world as scores of countries — including several western democracies — install surveillance technology as part of “safe city” and “smart city” packages supplied by Chinese companies including Huawei, ZTE Corporation, Hangzhou Hikvision Digital Technology, Zhejiang Dahua Technology, Alibaba and others.
The growing use of these Chinese technologies around the world is one of the issues that will provide a backdrop to Friday’s G7 summit in Cornwall, where the leading democratic nations will swap notes on how best to respond to China’s growing global reach.
“Safe” and “smart” city technologies represent a complex new frontier for China’s projection of power — an indication that Beijing will use its influence not just to defend itself against outside pressure but to actively export its political values to other parts of the world.
Defenders of the Chinese-backed projects argue that they use surveillance systems that are already widely in use in many democratic countries while offering big efficiency gains as city operations are automated. It is unfair to single out Chinese technology, they say, when products made in other countries might pose many of the same risks.
Nevertheless, several intelligence sources, city officials, academic experts and security industry executives interviewed in Europe, the US and Asia told the Financial Times that Chinese “safe” and “smart” city systems carry a plethora of potential security and human rights threats.
Although they offer convenience and cost savings, these systems come with three specific risks, the experts say. The first is that authoritarian governments may use the capacity to monitor individual people on a real-time basis to impose a digital form of totalitarianism. The second is the risk that Chinese vendor companies — and thereafter possibly Chinese state security — could gain access to sensitive data. The third is that, in extremis, a Chinese company could flick a “kill switch”, shutting down a city’s operations. Several cities have already begun to try to extract Chinese-made equipment from their monitoring systems.
“This represents the global expansion of the Chinese system of digital authoritarianism. When I say digital authoritarianism, I mean the ability to control, surveil and coerce societies using this type of safe and smart city technology,” says Xiao Qiang, an expert on China’s state surveillance at the University of California, Berkeley.
The distinction between “safe” and “smart” cities is blurred. “Safe” cities are mainly concerned with automating the policing of society using video cameras and other digital technologies to monitor and diagnose suspicious behaviour. “Smart” city technology often also includes video surveillance but is primarily devoted to automating municipal functions such as traffic control, garbage collection, power distribution and water systems.
New data shown exclusively to the FT reveals that the adoption of China’s safe and smart city technology by countries around the world is accelerating. A study by RWR Advisory, a Washington-based advisory, shows that out of a total of 144 safe and smart city contracts involving Chinese vendors signed outside China since 2009, 49 were scheduled for installation in 2018 or later.
The data also show a clear predominance of illiberal regimes placing orders. The RWR Advisory study shows that out of 64 countries that have signed up to install the safe and smart city technology of Chinese companies, 41 were ranked as “not free” or “partly free” by Freedom House, a US non-governmental organisation. The remaining 23 were classified as “free”.
“Many, but not all, of the countries that are installing safe and smart city packages are illiberal regimes that are deciding to depend on these Chinese companies to run their infrastructure for them,” adds Xiao, who is also founder and editor-in-chief of the China Digital Times, a news website.
Countries in south-east Asia and the Middle East have signed the most contracts, with 20 and 19 respectively since 2009. Both regions have been identified as crucial to the success of the Belt and Road Initiative, Beijing’s signature policy to build infrastructure and win influence around the world.
Late last year, Chinese leader Xi Jinping exhorted south-east Asian countries to help build a “digital silk road”, a scheme that falls under the broad BRI umbrella and is charged with promoting the adoption of Chinese “safe” and “smart” city tech — as well as other digital technologies and services — around the world.
“Chinese surveillance technology companies are gaining a dominant position in this sector globally with the assistance of state support that takes a number of different forms,” says Andrew Davenport, chief operating officer at RWR Advisory.
Indeed, recent research by CSIS, a Washington-based think-tank, revealed that in the narrowly defined areas of cloud infrastructure and e-government services, Huawei was also making rapid inroads, signing 70 deals in 41 countries for these services from 2006 to April this year. Jonathan Hillman, a senior fellow at CSIS, says this means that Huawei’s cloud infrastructure and e-government services are handling sensitive data on citizens’ health, taxes and legal records in these countries.
“Huawei is building a strategic position as a cloud provider to governments in the developing world, where its sales pitch is sweetened by Chinese state financing,” Hillman says. “For its part, the Chinese government stands to shape global standards, gain intelligence and build coercive capabilities as developing countries become digitally dependent on Beijing.”
A spokesperson for Huawei said: “We firmly believe that any future security principles should be based on verifiable facts and technical data rather than ideology or a vendor’s country of origin, and that network security and resilience can best be achieved by diversifying suppliers.”
An executive at another Chinese surveillance company, who requested anonymity, says the country’s surveillance equipment vendors follow relevant regulations on data privacy. Projects were owned by city managers who had control over the devices and the data, the executive adds.
Hikvision, Dahua, ZTE and Alibaba did not respond to requests for comment for this article.
The extraordinary success that Chinese surveillance corporations have had in popularising their digital infrastructure and services internationally suggests that repeated US warnings about the sector in recent years have fallen largely on deaf ears.
The administrations of Donald Trump and current president Joe Biden have alleged that Chinese surveillance companies helped Beijing carry out human rights abuses in detention camps in the Xinjiang region, where some 1m Uyghurs are estimated to be detained. Beijing has denied western allegations of human rights abuses against Uyghurs as “slanderous attacks”.
The Trump administration also put several surveillance companies — including Huawei, Hikvision and Dahua — on to a blacklist that prohibits US-based companies from exporting products to them.
Biden took further steps this month, signing an executive order to prohibit US investments in 59 Chinese defence and surveillance tech companies in an effort to stop US capital from being used by China to undermine national security. The White House said in a statement as it announced the prohibition that the “use of Chinese surveillance technology outside [China], as well as the development or use of Chinese surveillance technology to facilitate repression or serious human rights abuses, constitute unusual and extraordinary threats”.
Evidence is now growing that a backlash towards Chinese surveillance technology is gathering momentum not only in the US but also in Europe and parts of Asia.
The UK presents a prime example of this trend. The FT discovered in May that a deal for “smart place” services supplied by Alibaba to the southern English town of Bournemouth had been aborted at the last minute. Alibaba declined to comment on the Bournemouth deal.
Another English town, Milton Keynes, has cancelled a contract with Huawei for a smart city project that used 5G telecoms equipment and is planning to strip out the Chinese company’s telecoms kit following Downing Street’s decision last year to eradicate Huawei equipment entirely from its network by 2027.
Since then, guidance from UK security officials to councils throughout the country highlights the risk that overseas smart city technology suppliers may come under pressure to “access and exfiltrate data” on behalf of security and intelligence services in their countries of origin.
In May, an official identified only as “Dean” from the National Cyber Security Centre, a branch of the UK’s GCHQ signals intelligence agency, made rare on-the-record comments about the risk of smart city technology being misused.
“I think with any bulk data store, there’s going to be threats of attack and risk of accidents,” Dean told a cyber security conference. “It’s clear from various incidents reported, the extraordinary lengths our adversaries and actors will go to to obtain data of this nature.”
He added: “We need to make sure that these services are resilient, and they are not easily disrupted by cyber attack. If a [smart city] is compromised, there will be a potential impact on local citizens.”
In Taiwan too, concerns over data privacy have led to the eschewal of Chinese-made smart city technology.
“Our direction in Taiwan is try not to use Made in China,” says Lee Chen-yu, director, Taipei Smart City Project Management Office. “We understand that with regard to some small, very tiny components this may be unavoidable sometimes, but we still try to mainly rely on Taiwanese vendors.”
“There are some chips where there is a risk of a backdoor, where data could be transferred out,” Lee adds. “The vendors themselves must not be Chinese, and the requirements with regard to certain products, such as cameras, where there have been issues in the past about data being sent back to China, are particularly strict.”
Jonny Wu, senior director at Ability Enterprise, a Taiwanese smart city vendor, confirmed the change in attitudes towards China-made technology.
“Many companies in Taiwan previously would repackage made-in-China components. Now [they are] all forced to change,” Wu says. “Last year, the Taiwan government started changing public surveillance and IP cam systems and getting rid of all China-made ones.”
Alexi Drew, a specialist in emerging technology and security at King’s College London, says smart city contracts provided Chinese vendors with all-important access points to a potential trove of sensitive information.
“In pure cyber security terms, one of the most difficult parts of any malicious activity is gaining access,” Drew adds. “If we’re providing access to a hostile state actor as part of a smart city contract, then we’re looking at a wide suite of local authority infrastructure which at some point potentially overlaps with national infrastructure.”
Another industry executive, who declines to be identified, says the regular software updates served by safe and smart city vendors provided opportunities to insert “backdoor” routes into the system that are almost impossible to detect. Thus, a safe or smart city system may start off clean but over time become riddled with access points for snooping.
There have been various public allegations related to Chinese-built infrastructure and data vulnerabilities. A 65-page report funded by the Australian government and published last year found that a data centre built by Huawei for Papua New Guinea contained glaring errors that would have made the facility vulnerable to hacks.
Huawei also won a contract to install communications equipment inside the headquarters of the African Union building in Addis Ababa in 2012. African Union officials subsequently accused China of hacking the building’s computer systems every night for five years and downloading confidential data.
A Huawei spokesperson said that while the company supplied equipment for the African Union projects, it has never collected data illegally.
Such privacy concerns have ignited a debate on how best to benefit from the efficiencies of automating certain city functions while observing citizens’ rights and safeguarding security.
Lee says Taipei has developed several approaches and standards. It deploys video cameras, for instance, but does not use facial recognition because “that is individual, private digital information”.
Only the police department is allowed to access footage from the cameras, he adds. “Other government departments, even if I am the transportation department, I cannot access them,” Lee says.
In Belgrade, resistance to safe city technology is also growing. The facial recognition feature on the cameras installed in the centre of the city has not been activated while the government prepares a legal framework governing its use.
Meanwhile, Danilo Krivokapic, director of the Belgrade-based NGO Share Foundation, has been stirring opposition towards the surveillance technology by crowdsourcing photos of the Huawei cameras. Local residents are asked to upload images and geo-tags of new cameras to an ever-growing list.
“We are a post-socialist country and there is a persistent fear of the government watching everyone, especially when you talk about digital surveillance,” says Krivokapic.