Old Version
Cover Story

Trapped in Their Own Web

Improper trade of personal data in the cash loan market has prompted authorities to tighten the reins on personal data infringement, which could lead to a complete reshuffle of the industry

By NewsChina Updated Jan.1

China’s big data industry is on tenterhooks amid a sweeping investigation into firms suspected of improper acquisition and use of personal information.  

Starting September, many data companies or fintech (financial technology) companies in Shanghai, as well as in Hangzhou, East China’s Zhejiang Province and in Shenzhen, Guangdong 
Province, were put under investigation. Not only chief executives of big data companies, but core personnel from several financial companies that once made deals with the former were detained by the police. The storm that swept the whole industry has left it feeling up against a wall.  

The investigation, NewsChina learned, was precipitated after a suicide in an abusive payment collection case related to an online lending platform. The transaction and leak of personal data attracted attention from police. Their focus is on the practice of using web crawlers, sometimes referred to as a spider or spiderbot, which are internet bots used for the systematic scraping of online data. Web crawlers are widely used by data and fintech companies to harvest data from web pages, shopping platforms and social networks.  

As more companies have been enmeshed in the probe, many have chosen to stop data harvesting through spiderbots. Though a neutral tool, in an environment with lax legal regulation, the use of web crawlers is often associated with charges of privacy invasion, as many companies choose to collect, use and sell unauthorized data. This results in shady data deals that cause problems like leaks of personal information, fraud and abusive debt collection.  Before the current investigation, authorities had already launched two campaigns in 2017 and 2018 to crack down on payday loans with extremely high interest rates and telecommunication fraud, which also involved illegally obtaining personal information and private information leaks. Dozens of data companies were investigated. Now, as big data is being applied in unprecedentedly wide scenarios and the country is putting increasing emphasis on data protection, experts said that some of the misconduct related to data and internet finance is likely to spark a stringent industrial cleanup and reshuffle, as well as propelling further legislation aimed at protecting personal data. 

‘Missile’ Loans
The current investigation is believed to be a continuation of the authorities’ crackdown on deceptive and illegal cash loans on online lending platforms. In recent years, small-sum and short-term cash loans which are often issued through mobile apps have become popular. But the rapid growth of cash loans led to problems like fraudulent advertising of interest rates, extremely high interest rates, setting traps for the borrower to borrow more and unregulated payment collection in a market that was loosely regulated and lacked supervision.  

In an infamous “714 missile” loan (loans due in seven or 14 days), for example, a woman’s initial loan of 7,000 yuan (US$998) ballooned to 500,000 yuan (US$71,262) in three months due to high interest rates and overdue charges, particularly after she was lured into more loans to pay off the old ones, China Central Television (CCTV) reported in March.  

The huge success of these micro-lending platforms, whether legal or illegal, involved improper collection and use of personal information which was assisted by data companies in their efforts to locate customers and control risks, including in repayment collection. Many data providers and fintech companies that have come under the beady eye of the authorities were discovered to have abetted unregulated online lenders.  

In the case that triggered this investigation, NewsChina learned from multiple sources that the debt collector was outsourced by an online lender, and obtained the address of the borrower from a data provider. The debt collector is suspected of putting the borrower under pressure, which allegedly led to the victim’s suicide. The police have linked the tragedy to the actions of the data company which provided the victim’s personal information to the debt collector.  Following the investigation into the online debt lender, a personal financial service provider called 51 Credit Card, Hangzhou police posted on their Sina Weibo account on October 21 that the company was involved in using means such as intimidation and harassment in its outsourced payment collection.  

Without proper risk management mechanisms, many lending platforms are haunted by high levels of bad debts, which in turn boost the debt collection business. Debt collectors obtain personal information from banks and financial institutions to recover the loans. It is common for borrowers and their friends and families to be harassed by calls or messages.  

“The recent investigation was probably not aimed at personal data protection from the beginning, but eventually it led them to the issue of data security, as police wanted to hold accountable the supplier of data behind the payment collection,” said Li Ning, vice president of Vcredit Holdings Limited, a consumer finance service provider. 

The investigation into data companies once again has highlighted the chronic problem of data leaks and abusive use of personal information as it has become a valuable commodity in the digital economy.  

Harassing marketing calls and messages and telephone scams are the most common forms, in which the caller might already know the consumer’s name, age, home address and workplace. It is no surprise that just after one buys a property, a home decorating agent shows up, and everyone has become used to seeing pop-up windows advertising flights, hotels or products right after browsing for vacations or other items. Apps usually demand permission to access private information and share it when one tries to download and use them. Lending apps, in particular, demand that users give authorization to read their private data, like contact lists and call records. Online shopping, mobile payments, online lending, social networks and apps that cover every aspect of life are rendering people into a state of “transparency” where their information is vulnerable to being exposed and collected.  

A report on China’s legalization of big data released by the China University of Political Science and Law in December 2018 found that 47 percent of those surveyed received three to five spam messages every day on average. About 34 percent suffered from direct economic loss. Among the more than 70 percent that had experienced electronic account theft, most believed the theft was caused by personal information leakage. 

Previously, personal information leaks were largely attributed to the public’s weak awareness of data protection, or to hackers. It was not until 2016 when the police cracked down on a series of telecommunication frauds that involved personal information deals that people began to realize that private data was being sold on the black market. The data derived from fields ranging from banking and express delivery to securities and e-commerce. The joining of data companies probably only makes the situation more sophisticated.  

“Now as big data is applied to more and more scenarios, enhancing the proper use of data and protection of personal data is becoming urgent,” Chen Xinhe, vice secretary of Zhongguancun Big Data Industry Alliance, told NewsChina. 

In Fear of Arrest
On September 12, more than 10 employees of Geo, a tech company based in Beijing, were taken away by police, including the staff in charge of web crawling. In late September, several people in charge of a web crawling business from Tongdun Technology, a data service provider in Hangzhou, were also detained. One of Tongdun’s core products engages in data collection, involving crawling for online data to support credit assessment.  

On October 22, Beijing financial authorities demanded that local big data companies be screened for illegal web crawling operations. Those who are engaged in the business are required to make adjustments and report to authorities, and those who are not must make a commitment that they will not engage in the business in the future.  

Following the arrest of a number of senior officers of tech companies, many big data companies have stopped any business related to web crawling. “Now the web crawling business is basically suspended. Many companies that previously provided the service are cleaning their databases to avoid the checks,” one employee who works in the industry and asked for anonymity told NewsChina.  

Experts agree that a spiderbot itself as a tool is neutral. “It’s like a knife. The key is who is using it and for what purpose. It’s not right to ban all knives just because one is used in a murder,” said Chen Xinhe, adding that the problem lies in improper collection and use of data. 

There is no lack of regulation in the Chinese mainland. The Cyber Security Law that came into use in June 2017 stipulates that the collection of personal information should be lawful and with proper cause, based on the acknowledgement of the people involved. No personal information should be provided to others without consent from the people involved. This June, the National Information Security Standardization Technical Committee released a draft regulation on personal information security for public opinion, stipulating that the personal information controller should obtain consent from individuals before collecting sensitive information. They should ensure that consent is made clearly and voluntarily based on their complete acknowledgment. 

“Consumers should be clear that they have authorized use of their data [beforehand]. That’s the key to get personal data,” said Meng Qingfeng, vice president of CredEx Fintech, an online lender based in Shenzhen.  

Besides, “in normal cases, the data, even authorized data, should vanish after the data was obtained and no longer needed,” Chen Xinhe told NewsChina. For example, Chen said, if you apply for a bank loan, you need to authorize the bank to check your personal data, just like for insurance coverage and airline trips. The bank might ask a data provider to crawl for the data it needs and they agree that the use of the data stops there without being preserved or sold to a third party. ��

“But it is undeniable that [in reality] there is much improper practice, particularly 
scraping unauthorized data,” Meng said.  

Many data service providers obtain unauthorized data or keep data that should be destroyed after use. As competition grew fierce, data theft, misuse and transaction fraud are prevalent, which helps foment a gray zone of trading data on the edge of the law. Those whose information is leaked in the process can be exposed to harassing advertisements, scams or lured into online lending.  

A data provider’s quotations that NewsChina gained from an insider, show that the regular data service is classified into identity authentication, contacts and location, which includes not only information such as ID card numbers and cellphone numbers but also the person’s entire contact list and location information. The service is charged by time, each inquiry costing between 0.38 yuan (US$0.05) and 0.98 yuan (US$0.14). Every single message is priced accurately, with discounts for a yearly package.  

Some insiders who demanded anonymity told NewsChina that many data companies both provide inquiry services and sell data in packages. Besides personal information, the quotations that internet banking companies get also cover important private data such as personal social insurance information, the payment codes of online banks, transaction records on e-commerce platforms like Taobao and JD.com and messages on social media platforms.  

“Many data companies avoid talking about their [data] sources and only stress the value of data. It is hard to say how they get their data or to verify the source,” said the insiders.  

Zhang Xinbo, co-founder of Tongxun Technology, noted that currently there are different opinions about the ownership of data. There is no legal provision to define, for example, if user data on Alibaba’s e-commerce platform Taobao belongs to the user or the e-commerce giant. Nor is there a law to define if personal data is a kind of property. “If it is property, then how should we divide the profits generated from the data? It’s a tough question,” Zhang said.   

Cleaning up Industry 
Now the whole industry is feeling the chill. Xiao Sha, a partner at Beijing Dentons Law Offices, told NewsChina that he receives calls and visits from people in the big data industry every day, and what concerns them most is “under what circumstances could they be taken away by the police?” 

“They are most concerned about the compliance issue, particularly criminal compliance, because once it involves a crime, they could be jailed,” Xiao said. He added that in the past, personal information leakage was not so closely associated with the data industry, so lured by profits, many chose to continue their business, in spite of the risks. But now it seems like there could be real danger, panic is setting in. 

After Chinese regulators launched the two previous campaigns, more than 30 data companies were investigated in 2017. Following the Cyber Security Law that became law in June 2017, many companies that obtained data via illegal means were held accountable.  

In 2017, Datatang, a data company founded in 2011 in Beijing, was one of the first data companies to be charged for scraping and selling personal private information through web crawling. Two of its senior executives were sentenced to three years in jail. Police found that the company transmitted 130 billion pieces of personal information daily on average in eight months, mostly gained through web crawling.  

The environment is expected to be harsher for data companies as the authorities are further cleaning up the internet finance market, where demand for big data is considerable, as well as reinforcing regulation in the data industry and of personal information protection.  

Since the start of 2019, there have been signs that new laws will soon be enacted that focus on personal data protection. By October, the Cyberspace Administration of China, together with other related departments, had drafted a series of regulations targeting data security, cyberspace security, the protection of children’s personal information (which came into effect in October), and illegal data collection in apps, to solicit public opinion.  

In October, the People’s Bank of China issued a regulation targeting the protection of personal financial information and personal information that financial institutions accumulated in their daily business, and is seeking opinion from all banking institutions. The draft stipulates that financial institutions should not gain personal financial information from third parties engaged in illegal personal credit investigations.  

The tightening environment is already pushing many data companies to find other ways out. A top-ranked data company told the financial channel of Tencent-owned web portal qq.com that many companies are turning to traditional financial institutions like banks as supervision of internet finance strengthens. Some are also updating their products by integrating big data with AI technology instead of only relying on raw data services.  

“If this vigilance keeps strong until next year, there will be a thorough reshuffle. Substandard companies will retreat and only companies with official authorization will survive in the data industry,” Meng said.

Police from Wenling, Zhejiang Province, detain more than 200 people suspected of being involved in a large-scale illegal cash loan ring in Fujian Province, June 2018