Decrypted: As tech giants rally against Hong Kong security law, Apple holds out

It’s not often Silicon Valley gets behind a single cause. Supporting net neutrality was one, reforming government surveillance another. Last week, Big Tech took up its latest: halting any cooperation with Hong Kong police.

Facebook, Google, Microsoft, Twitter, and even China-headquartered TikTok said last week they would no longer respond to demands for user data from Hong Kong law enforcement — read: Chinese authorities — citing the new unilaterally imposed Beijing national security law. Critics say the law, ratified on June 30, effectively kills China’s “one country, two systems” policy allowing Hong Kong to maintain its freedoms and some autonomy after the British handed over control of the city-state back to Beijing in 1997.

Noticeably absent from the list of tech giants pulling cooperation was Apple, which said it was still “assessing the new law.” What’s left to assess remains unclear, given the new powers explicitly allow warrantless searches of data, intercept and restrict internet data, and censor information online, things that Apple has historically opposed if not in so many words.

Facebook, Google and Twitter can live without China. They already do — both Facebook and Twitter are banned on the mainland, and Google pulled out after it accused Beijing of cyberattacks. But Apple cannot. China is at the heart of its iPhone and Mac manufacturing pipeline, and accounts for over 16% of its revenue — some $9 billion last quarter alone. Pulling out of China would be catastrophic for Apple’s finances and market position.

The move by Silicon Valley to cut off Hong Kong authorities from their vast pools of data may be a largely symbolic move, given any overseas data demands are first screened by the Justice Department in a laborious and frequently lengthy legal process. But by holding out, Apple is also sending its own message: Its ardent commitment to human rights — privacy and free speech — stops at the border of Hong Kong.

Here’s what else is in this week’s Decrypted.


THE BIG PICTURE

Police used Twitter-backed Dataminr to snoop on protests

An unsecured database exposed the personal details of 202M job seekers in China

The personal details belonging to more than 202 million job seekers in China, including information like phone numbers, email addresses, driver licenses and salary expectations, were freely available to anyone who knew where to look for as long as three years due to an insecure database.

That’s according to findings published by security researcher Bob Diachenko who located an open and unprotected MongoDB instance in late December which contained 202,730,434 “very detailed” records. The database was indexed in data search engines Binary Edge and Shodan, and was freely visible without a password or login. It was only made private after Diachenko released information about its existence on Twitter.

Diachenko, who is director of cyber risk research at Hacken, wasn’t able to match the database with a specific service, but he did locate a three-year-old GitHub repository for an app that included “identical structural patterns as those used in the exposed resumes.” Again, ownership is not clear at this point although the records do seem to contain data that was scraped from Chinese classifieds, including the Craigslist-like 58.com.

A 58.com spokesperson denied that the records were its creation. They instead claimed that their service had been the victim of scraping from a third-party.

“We have searched all over the database of us and investigated all the other storage, turned out that the sample data is not leaked from us. It seems that the data is leaked from a third party who scrape[d] data from many CV websites,” a spokesperson told Diachenko.

TechCrunch contacted 58.com but we have not yet received a response.

While the database has now been secured, it was potentially vulnerable for up to three years and there’s already evidence that it had been regularly accessed. Although, again, it isn’t clear who by.

“It’s worth noting that MongoDB log showed at least a dozen IPs who might have accessed the data before it was taken offline,” Diachenko wrote.

There’s plenty of mystery here — it isn’t clear whether 58.com was behind the hole, or if it is a rival service or a scraper — but what is more certain is that the vulnerability is one of the largest of its kind to be found in China.