Chinese labourers adjust a surveillance camera at Tiananmen Square (Photo by Guang Niu/Getty Images)
In preparation for the 70th anniversary of the People’s Republic of China, President Xi Jinping has laid down the law: there will be no alcohol, no kites, and no drones at the October 1 parade. And especially no demonstrations of dissent.
If there’s ever been a time Big Brother will be watching, it is now. And everywhere.
We know that China’s total surveillance state has been evolving, if not accelerating, for some time. Recent reports indicate that Chinese spies have been hacking iPhones for years on an industrial scale to monitor the Uighur ethnic group in the country’s Xinjiang region. You heard that right: the very same high-end mobile devices that lured users with promises of security and privacy are now being utilized for surveillance. And this is just the tip of the iceberg. What’s happening in Xinjiang is a sign of things to come. Orwell’s nightmare is being realized before our eyes and no technical quick fix will allow us to escape the Thought Police.
As China’s economy developed, many experts anticipated that democracy would follow. Instead China has turned into a full-bore police state with all the trimmings: a leader for life, censorship factories, sprawling re-education camps. In other words, real civil liberties and privacy do not exist. For example, American intelligence officers stationed in China, who must evade surveillance to do their jobs, have found the country’s digital networks so hazardous that they’ve actually considered falling back on Cold War tradecraft.
This should come as no surprise. Calling China’s internal security apparatus formidable is an understatement. Domestic security spending has exceeded the country’s military budget. There are armies of specialists thousands deep—the kinds of resources capable of DNA profiling an entire region.
Recently at DEFCON 27, the co-founder of the Tor Project, Roger Dingledine, confirmed that his Internet anonymity platform would not be able to safeguard users in a place like Xinjiang. Hence the people who claim that you can enjoy all the amenities of the online world in a high-risk environment with an allegedly “secure” mobile app (Signal, WhatsApp, Telegram, etc.) are highly deluded. The very act of using a mobile device in Xinjiang is tantamount to carrying around a pocket-size telescreen. Residents warn that if you crank up one of those trendy privacy apps, you’ll end up getting an early morning visit from government agents.
All of this leads to a common response: why don’t they just ditch their mobile devices?
If only it were that simple. Because it’s not just the smartphone: it’s everyone else’s too. Forgo a Xinjiang pocket telescreen and you’re still surrounded by technology that can, and will, betray you. Like drones that are disguised as doves. The public record shows that China, with its substantial investment in artificial intelligence, wishes to be at the forefront of this movement, to the point that they’re developing “smart” uniforms for schoolchildren.
Avenues of escape can be found by studying the field-tested countermeasures used by intelligence officers in days gone by—or, as spies refer to it, “going grey.” But that’s not an easy task in a country where automakers forward real-time location data to the Chinese government. Meeting this challenge involves finding ways to eliminate trace evidence in transit, vanishing into larger populations, and evading AI-based collection systems without generating statistical anomalies. It means setting up a nice mind-numbing baseline of harmless behavior to lull watchers to sleep while identifying gaps in coverage that allow operators to maneuver and communicate.
Let’s not forget the ever-handy decoys: baiting security services with dummy equipment and streams of innocuous traffic while brandishing shielded gear and low-power ephemeral channels. Dead drops and short-range agent communication (SRAC) devices are back in fashion.
The idea is to force watchers into a zone where their big budgets and hacking suites don’t offer an edge. To employ tactics that preclude the sort of centralized aggregation, computer automation, and economies of scale that China has learned to depend on. To make observation and tracking as expensive as possible by focusing on autonomy. Taking back ownership and responsibility for data channels means regaining control. It means freedom.
Here are some key questions: can you guess at the kind of resources required to physically tail someone 24/7 for an entire month? One former federal investigator indicates that well over 40 agents would be necessary. How about a year? How does this practice scale? How much does it cost if the quarry doesn’t use existing infrastructure to send and receive sensitive messages? How long will counterintelligence officers monitor an inactive target until other high priority cases demand their attention?
Robert Hanssen once complained that his colleagues at the FBI took weekends off, allowing Soviet spies in New York City to work relatively unencumbered. As one associate lamented, “they didn’t want to work on a Sunday… and the Russians got away.” Thus does history inform us that even heavily funded intelligence agencies like China’s Ministry of State Security have their limits. This, I argue, is the key to gaming, if not escaping, the total surveillance state. Recall that memorable line from the movie THX 1138: “The T-H-X account is six percent over budget. The case is to be terminated.”
Bill Blunden is an independent investigator focusing on information security, anti-forensics, and institutional analysis. He is the author of several books, including The Rootkit Arsenal and Behold a Pale Farce: Cyberwar, Threat Inflation, and the Malware-Industrial Complex. Bill is the lead investigator at Below Gotham Labs.