Police in the Xinjiang region of China rely on a master list of 50,000 multimedia files they deem "violent and terrorist" to flag Uyghur and other Turkic Muslim residents for interrogation, Human Rights Watch said today.
A Human Rights Watch forensic investigation into the metadata of this list found that during 9 months from 2017 to 2018, police conducted nearly 11 million searches of a total of 1.2 million mobile phones in Urumqi, Xinjiang's capital city of 3.5 million residents. Xinjiang's automated police mass surveillance systems enabled this phone search.
"The Chinese government's abusive use of surveillance technology in Xinjiang means that Uyghurs who simply store the Quran on their phone may trigger a police interrogation," said Maya Wang, acting China director at Human Rights Watch. "Concerned governments should identify the technology companies involved in this mass surveillance and social control industry and take appropriate action to end their involvement."
Human Rights Watch has repeatedly raised concerns about China's approach to countering acts it calls "terrorism" and "extremism." China's counterterrorism law defines "terrorism" and "extremism" in an overly broad and vague manner that facilitates prosecutions, deprivation of liberty, and other restrictions for acts that do not intend to cause death or serious physical harm for political, religious, or ideological aims.
The Human Rights Watch searches found a total over 1,000 unique files on about 1,400 Urumqi residents' phones that matched those on the police master list. The analysis of these matched files revealed that over half of them - 57 percent - appear to be common Islamic religious materials, including readings of every surah (chapter) of the Quran, the central religious text of Islam.
The list is part of a large database (52GB) of over 1,600 data tables from the Xinjiang Uyghur Autonomous Region leaked to the United States media organization the Intercept in 2019. The Intercept reported that Urumqi police conducted surveillance and arrests from 2015 to 2019 based on texts of police reports that were part of this database.
The master list of multimedia files that Human Rights Watch examined is located in a different part of the same database and has not been previously reported on or analyzed. Some of the numbers in this reporting have been rounded up so that the authorities cannot identify the source of the leak.
The analysis of the metadata of this master list reveals photo, audio, and video files that contain violent content, but also other material that has no evident connection to violence. The media files contain materials that:
- Are violent or gruesome, including content depicting beheadings or forms of torture that appear to have been carried out by armed groups such as Mexican and other drug cartels, Chechen fighters, or the Islamic State (ISIS);
- Involve foreign organizations, including the East Turkistan Independence Movement, which the Chinese government labels a separatist group; the World Uyghur Congress, a group run by Uyghur exiles; and a Uyghur-language broadcasts by Radio Free Asia, a US government-funded media outlet;
- Contain pro-democracy audiovisual content such as the "Gate of Heavenly Peace," a documentary about the Chinese government's Tiananmen Square massacre of student-led protests in 1989;
- Mention the names of cities in Syria, including documentaries about Syrian history and two 2015 episodes of a popular Chinese-language travel show, "On the Road" (侣行), that include references to the Syrian conflict;
- Contain common Islamic religious content, including Quran readings and wedding songs.
Human Rights Watch also found another related list in the database that has the same MD5 hashes - the unique signature of these files. This list apparently contains the search result of the Jingwang Weishi app, a surveillance application. The search results spanned 9 months between 2017 and 2018. This data shows the app surreptitiously conducted nearly 11 million searches involving a total of 1.2 million phones and found a cumulative total of 11,000 matches of over 1,000 different files on 1,400 phones.
The Human Rights Watch analysis of the file names and the police's own labeling, or coding, of the approximately 1,000 files found that:
- 57 percent of the 1,000 files are common religious materials, including readings of every chapter (surah) of the Quran.
- Nearly 9 percent of the matched files include violent content, including crimes committed by members of the Islamic State (ISIS);
- 4 percent of the matched files include calls for violence, for example by urging "jihad;"
- 28 percent of the matched files cannot be identified based on the available information alone (for example, the file name and police labels).
Human Rights Watch further analyzed those 1,400 phones that were flagged by police:
- Nearly 42 percent of phones contained violent or gruesome material;
- 12 percent of phones contained common Islamic religious material;
- 6 percent of phones contained files that are overtly political, such as an anthem to "East Turkistan" - the name some Turkic Muslims use to refer to the region that the Chinese government calls "Xinjiang" - videos about the Syrian war, and pro-democracy protests in Hong Kong;
- 4 percent of phones contained files that call for violence, such as "jihad;"
- 48 percent of phones contained files that Human Rights Watch could not identify.
International law obligates governments to define criminal offenses precisely and to respect the rights to freedom of expression and thought, including holding views considered offensive. Criminalizing mere possession of material deemed extremist even if the accused has no intent to use it to cause harm to others is a particularly severe threat to freedom of belief, privacy, and expression. These rights are guaranteed under the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, which China has signed but not ratified.
The United Nations Human Rights Council should urgently establish an independent, international investigation into grave rights violations and the suppression of fundamental freedoms in Xinjiang by the Chinese government against Uyghurs and other Turkic Muslims, Human Rights Watch said. An unprecedented number of UN independent human rights experts and hundreds of nongovernmental organizations from around the world have recommended such action.
"The Chinese government outrageously yet dangerously conflates Islam with violent extremism to justify its abhorrent abuses against Turkic Muslims in Xinjiang," Wang said. "The UN Human Rights Council should take long overdue action by investigating Chinese government abuses in Xinjiang and beyond."
For additional details about the situation and findings, please see below.
Abuses in Xinjiang and the Role of Mass Surveillance
The Chinese government's Counterterrorism Law does not comport with international human rights standards and has been frequently abused.
In May 2014, the Chinese government began the "Strike Hard Campaign against Violent Terrorism" (严厉打击暴力恐怖活动专项行动) in the Xinjiang Uyghur Autonomous Region against Uyghurs and other Turkic Muslims. Since 2017, this abusive campaign, which conflates the peaceful religious and cultural expressions of Uyghurs and other Turkic Muslims with terrorism, has significantly escalated.
During this period, Human Rights Watch has documented mass arbitrary detention, pervasive surveillance, and attempts at cultural and religious erasure that amount to crimes against humanity across the region. A groundbreaking 2022 report by the UN human rights office similarly found that these crimes "may constitute … crimes against humanity."
What is central to these crimes is the use of new technologies, including the mass collection of biometric data from Turkic Muslims, artificial intelligence, policing apps, and big-data systems to monitor the entire population. These systems flag people as potentially "untrustworthy" using broad and arbitrary criteria, such as using too much electricity, and send their names to the police. The police then interrogate and often detain them in so-called political education camps or sentence them to prison terms following perfunctory, closed trials without access to lawyers. As of September 2022, an estimated half-million people remained in prison following the crackdown.
Since 2017, Human Rights Watch and other organizations have uncovered many of these systems, but the precise relationships among them remain unclear. This database is part of a police surveillance system named iTap, built for the Urumqi Police Department by the Chinese surveillance tech company Landasoft (蓝灯), according to the Intercept. Landasoft's chief executive officer claimed that the company wanted to be the "Chinese version of Palantir," the US company that is providing profiling and analytic capabilities to law enforcement and intelligence agencies globally.
With massive amounts of information on each individual, and the integration of their contacts, location, vehicle information, financial accounts and internet accounts - all without their consent - the software allows the police to monitor every resident of Urumqi, including uncovering people's hidden relationships through network analysis.
This research has shown for the first time that iTap is receiving data from the Jingwang Weishi and Fengcai apps. Human Rights Watch wrote to Landasoft on April 4 about this database but has not received a response.
Various media have increasingly reported that police are conducting abusive checks on people's phones throughout China, such as to find out who carried out the December 2022 "white paper" protests - where individuals used blank signs to signal opposition to the government's strict Covid-19 measures or the Chinese Communist Party's authoritarian rule. The government has also conducted such checks in Tibetan areas to pursue the government's aggressive assimilationist policies. In these cases, though, it appears that the police are conducting manual checks, swiping through people's phones.
The Chinese government has also increasingly required people throughout China to install various government and Communist Party apps purportedly for fighting online fraud, controlling the Covid pandemic, and spreading its ideology. Many of these apps collect copious amounts of personal data, including location information, health data, and other identifying information such as national ID numbers, with little transparency on how the data is used and stored.
At the same time, Chinese authorities have also made app stores remove apps they dislike, such as censorship circumvention apps, encryption apps, and religious apps, including a prominent Quran app used by millions of people around the world.
Methodology: Authenticating the Leaked Database
The master list that Human Rights Watch found in the leaked database contains a list of about 50,000 rows as of March 2018, with each entry containing metadata such as filename, size, filename extension (such as mp3) and the file's MD5 hash - a unique signature of the file the police use to identify files on residents' phones.
Human Rights Watch has found that the MD5 hashes in this list match those in lists previously reported by two other organizations, which separately conducted investigations into two of Xinjiang's policing apps that the authorities used during crackdowns:
- In February 2018, the US-based organization Open Technology Fund (OTF) reverse engineered Jingwang Weishi (净网卫士), an app that Urumqi police forced local residents to install. The Open Technology Fund found that in addition to extracting the phone's various identifying information such as its brand and model, IMEI (International Mobile Equipment Identity), IMSI (International Mobile Subscriber Identity), and MAC (Media Access Control) address and phone number, the app also searches the target's phone against a list of MD5 hashes and automatically reports any files deemed "dangerous" to the authorities.
- In July 2019, the New York Times reverse engineering efforts revealed another list of MD5 hashes extracted from another app named Fengcai, which the Xinjiang police routinely installed on travelers' phones at border crossings. This list contained 73,314 unique MD5 hashes. The vast majority of the hashes that Human Rights Watch examined can also be found in this list, which suggests that in the span of one year, between 2018 and 2019, Xinjiang police had added over 21,000 items to the list of "violent and terrorist" multimedia files. Only 29 files in the Human Rights Watch list were not in the list that the New York Times analyzed.
The fact that this same list of 50,000 files is included in two distinct Xinjiang-specific policing apps, as well as in this leaked database, suggests that the Xinjiang authorities use this same list as a master list to determine whether a resident has what they deemed to be "violent and terrorist files" on their device.
In regards to the related list in the leaked database that has the same MD5 hashes as the master list, Human Rights Watch determined that it contains the search results of the Jingwang Weishi app based on the fact that its format perfectly matched the output format described in Open Tech Fund's reverse engineering of that app. The search results contain the unique identifying information- IMEI, IMSI, MAC addresses - of every phone searched and, if found, a record of the name, size and file type of the "violent and terrorist" file.
Punishing the Possession of 'Extremist' Material
Many of the people arbitrarily detained and imprisoned in Xinjiang were rounded up for possessing "violent" or "terrorist" multimedia materials, according to information in leaked official lists of such individual and previous Human Rights Watch interviews with family members and former detainees.
A leaked list of over 2,000 detainees held in a political education camp from Aksu prefecture that Human Rights Watch obtained in 2018 showed that about 10 percent (over 200) of the people on the list were being held for "terrorism" or "extremism" because they had downloaded or shared such "violent and terrorist" multimedia content, or for being related to someone who had downloaded or shared such content.
In 2018, a Uyghur interviewee told Human Rights Watch that one of his fellow detainees held in a police detention center cell during the crackdowns was a 60-year-old man who had sent an audio of an Islamic religious teaching to his daughter, who passed it to a friend. The father and daughter received six-year and three-year prison sentences, respectively, and alleged that detainees in these facilities were tortured.