A Chinese government-run health program that tracks potential exposure to the coronavirus has been used to steal users’ personal information, including makeup-free selfies of celebrities unintended for public view.
The mobile app Beijing Jiankangbao records the health status of tens of millions of residents and visitors in the Chinese capital, including their travel history and COVID test results.
But some users have abused a feature that allows them to retrieve other people’s records in order to peep at headshots that celebrities took when they signed up to the service. Chinese media have reported that they were able to bypass verification by facial recognition and look up the stars’ information by entering their names and identification numbers, which can easily be found online.
In the past few days, photos of top-earning actresses like Fan Bingbing, Yang Mi and Liu Shishi have been posted online after they were accessed through the app. Members of the popular idol group TFBoys have also got their photos leaked.
The pressure to rapidly gather and analyze personal information during the pandemic has led to rampant data breaches worldwide, in part because of flaws or weak security in systems designed to control the virus.
The Russian government confirmed this month that spreadsheets containing details of hundreds of thousands of COVID-19 patients from Moscow were published online due to an internal mistake.
Last month, the data of 16 million Brazilian patients, including President Jair Bolsonaro, were found to have been exposed online, the Brazilian newspaper Estadão reported. And Welsh authorities in September said data of 18,105 coronavirus patients were uploaded to a public site by mistake.
Chinese authorities have relied heavily on data and surveillance in contact tracing and tracking down those who have been to regions affected by COVID-19.
Many Chinese cities have adopted similar “health code” systems to the Jiankangbao program in Beijing. Residents can check their health status, based on their travel history and contact with others, by entering their personal ID and having their face scanned on their mobile phones. Only those who can present a green code are allowed into public venues, while those with yellow or red codes need to stay in quarantine.
But system flaws have led to leaks of personal information and even caused harassment of patients.
Beijing Jiankangbao allows users to check others’ health codes by entering their names and 18-digit national ID numbers supposedly only if the person being looked up is verified to be present through facial recognition.
But according to a report by Hongxing Xinwen, some people had been able to get celebrities’ unedited selfies simply by using their ID numbers, which are widely circulated online, and their names.
The photos were then sold online, often to those who run social media accounts that specialize in celebrity gossip, the report said. In one chat group, a collection of the selfies of 70 celebrities obtained from Beijing Jiankangbao were sold at 2 yuan (31 U.S. cents), it said. Some stars have been mocked on social media for looking less attractive in these photos compared to how they look in public.
The government said the feature allowed people to help those who could not use smartphones or forgot to bring their devices get their health status.
On Monday, the Bureau of Economy and Information Technology in Beijing, which is in charge of the health code system, said it was looking into the leaks, according to local newspaper The Beijing News. The apparent bug appeared to have been fixed by Tuesday afternoon.
During the COVID-19 pandemic, personal information of patients and their close contacts is often shared with an army of bureaucrats in charge of disease control. This has been a source of many data leaks over the last year.
Last week, a family member of a COVID patient in the northeastern city of Shenyang complained about getting more than 100 harassing calls and hateful text messages after their phone numbers and travel history, initially provided to local authorities, were posted online. The person wrote on the social platform Jinri Toutiao that they had a “complete mental breakdown.”
The explosive growth in the collection of data, often for commercial purposes, has spurred privacy concerns in the world’s most populous country, prompting the Chinese government to draft a personal privacy law.
Follow Viola Zhou on Twitter.