The speech by US Attorney General William P. Barr hardly seems earth-shattering. But buried within its business-like announcement of the indictment of four Chinese military hackers, there is the following statement, which has huge implications for privacy:

For years, we have witnessed China’s voracious appetite for the personal data of Americans, including the theft of personnel records from the U.S. Office of Personnel Management, the intrusion into Marriott hotels, and Anthem health insurance company, and now the wholesale theft of credit and other information from Equifax.

The first of the intrusions that Barr mentions took place in 2014, but was only revealed in November 2018, when Marriott Hotels admitted that it had discovered there was unauthorized access to its Starwood guest reservation database. The system held details of 500 million guests, and Marriott said that for around 327 million of these guests, the information included some combination of name, mailing address, phone number, email address, passport number, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Four years is plenty of time to exfiltrate all those details.

In February 2015, the second-largest health insurance company in the US, Anthem, said that the account information of as many as 80 million customers had been subject to unauthorized access. Information held on the system included names, birthdays, medical IDs, Social Security numbers, street addresses, email addresses and employment information, including income data, according to USA Today.

In April 2015, the US Office of Personnel Management (OPM) discovered that it, too, had been subject to unauthorized access for at least a year. As a detailed Wired feature on the incident explains:

The hackers had first pillaged a massive trove of background-check data. As part of its human resources mission, OPM processes over 2 million background investigations per year, involving everyone from contractors to federal judges. OPM’s digital archives contain roughly 18 million copies of Standard Form 86, a 127-page questionnaire for federal security clearance that includes probing questions about an applicant’s personal finances, past substance abuse, and psychiatric care. The agency also warehouses the data that is gathered on applicants for some of the government’s most secretive jobs. That data can include everything from lie detector results to notes about whether an applicant engages in risky sexual behavior.

In September 2017, Equifax admitted that sensitive personal information of 147.9 million US citizens had been compromised. According to Equifax, its core credit reporting databases were unaffected, but the following data had been accessed:

Most of the consumer information accessed includes names, Social Security numbers, birth dates, addresses, in some instances, driver’s licenses. In addition, the following information was also accessed:

Credit card numbers for approximately 209,000 consumers; and

Certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed.

On March 1, 2018, we disclosed that the incident also impacted partial driver’s license information for approximately 2.4 million U.S. consumers.

Any one of those losses of important personal data would be serious. Taken together, they are catastrophic. The information they provide is ideal for committing identity fraud, and naturally this was the first thought of the companies involved. For example, Anthem stressed “there is no evidence that any data impacted by the cyber attack has ever been sold or used to commit fraud”, and offered “two years of credit monitoring and identity protection services to all individuals whose data may have been impacted.”

But now that Barr has officially linked the four incidents to the Chinese government it is clear the potential damage is far worse than simply financial losses. Given that a state actor was behind the intrusions, not common criminals, it seems unlikely that the information will be exploited simply to make money. The combined data gives China something much more important: the key details of most adults in the US. Not all of those individuals will be of interest to the Chinese government, although it will be pleased that it now has a database for the whole country. But for those most of interest it has far more highly sensitive information.

The OPM hack gave access to details of 18 million US citizens working in positions of power. In addition to basic personal information, the Chinese government also knows about their personal finances, past substance abuse, psychiatric care – maybe even risky sexual habits. Those are precisely the details that are useful in order to apply pressure or even blackmail people. Even if most resists such threats, the numbers involved are so large that a small percentage acquiescing to China’s demands would be a serious threat to US national security.

Things are even worse than they seem from the above. A post on this blog last month noted how easy it was for Clearview to scrape 3 billion images for facial recognition purposes, and that state actors could easily do the same. This means that China can probably assign a face to most of the personal files it has harvested in the four hacks discussed above. It is also interesting that in December last year the Pentagon warned military personnel against using at-home DNA tests. One reason for doing so is that it is only a matter of time before the companies providing such tests are targeted by foreign powers in order to gain access to the highly-revealing DNA profiles they hold in order to add them to their database of US citizens.

Finally, it is worth noting that the Chinese government has made AI a priority for its researchers and companies. It is easy to imagine the entire database of exfiltrated data on US citizens being fed into powerful AI systems to extract the social graph of everyone in the US: who they are related to, who they have social connections with, who they have travelled with. The patterns that emerge would give the Chinese government unprecedented insights into the workings of US society at the deepest level.

Featured image by prostějovský časosběrač.

About Glyn Moody

Glyn Moody is a freelance journalist who writes and speaks about privacy, surveillance, digital rights, open source, copyright, patents and general policy issues involving digital technology. He started covering the business use of the Internet in 1994, and wrote the first mainstream feature about Linux, which appeared in Wired in August 1997. His book, "Rebel Code," is the first and only detailed history of the rise of open source, while his subsequent work, "The Digital Code of Life," explores bioinformatics - the intersection of computing with genomics.