
Used Across China, Health Codes Pose Major Privacy Loopholes

Rebbeca Ren

Posted on April 7, 2020 5:52 pm. Editor: Chen Du

Holding a green health code on his smartphone, Ji Wei, a 30-year-old man who had been stranded in Hubei province for more than two months, finally went through the security checkpoint and boarded the train back to Beijing, the city where he has lived for seven years.

After a two-month lockdown, Hubei Province, the epicenter of China's Covid-19 outbreak, gradually lifted outbound travel restrictions late last month. Starting from March 25, people in Hubei, except for those in the capital city Wuhan, will be allowed to leave, but with a caveat: only when they have a green health code on their phones.

As the country's aggressive measures have effectively slowed the spread of the coronavirus, governments across China are now actively encouraging people to return to work. A bold and large-scale experiment is being staged—by requiring citizens to use health codes on their smartphones and tracking their data—to determine whether they should be allowed to use public transportation, enter malls or office buildings, and resume work, or be subject to prolonged quarantine.

Generally, a green code means that the holder has not traveled recently, does not pose a risk to others, and will be allowed to enter establishments or travel relatively freely. A yellow code indicates that the holder is advised to stay in as a precaution, because they may have been in contact with infected or suspected cases. A red code means that the holder poses a significant public health risk, often a confirmed Covid-19 patient or a known close contact of a confirmed case, and should be in isolation.

However, the massive adoption of health codes is posing a serious privacy risk to the potential hundreds of millions of users across China, as they will be quasi-forced to use them while their personal data is at risk of being exposed.

Running as standalone smartphone apps or mini programs inside popular apps such as WeChat and Alipay, health codes are digital IDs developed by China's central and local governments that bind to individual citizens in the age of heightened security amid the Covid-19 pandemic. The codes have different colors that indicate users' general risk of having been infected, aggregated from their travel and contact history, current health conditions, personal information and more. 

But a number of health codes used across China have been found to lack user agreements or data privacy policies, and sometimes both. As what are essentially tech products, they are required by relevant laws and regulations, such as China's Cybersecurity Law, to present these agreements, which users can choose to accept or decline when signing up. This is known as informed consent.

Some of these health codes also require more data than they need. For example, the "Anti-Virus Code", which was developed by the central government and can be found in WeChat's payment tab, claims that it collects data about other apps installed on users' phones, which can be seen as a violation of the Cybersecurity Law.

Health codes involve a large amount of personal information such as name, ID number, contact information, location, itinerary, health status, etc.

Outside of the paperwork, the health codes also pose significant privacy risks during usage. One example is that when users pass through security checkpoints, their health codes and information are collected, and security guards may gain access to that information without users' consent. This is not laid out in the user agreements and privacy policies of many health codes, if there are any to begin with.

Besides that, the many health codes across China are often incompatible. Ji told PingWest that his green Hubei health code wasn't recognized in Beijing, and he was subject to another 14-day mandatory quarantine.

According to the government, a person's health code is determined by three factors: travel history, duration of time spent in an outbreak-stricken area, and relationships to potential carriers of the virus. This information is scraped from government-accessible databases, including travel websites, as well as public health authorities.

Some 900 million people use health codes on WeChat, according to local newspaper Beijing Youth Daily and other outlets.

"But if we are forced to continue to use this tracking service after the pandemic is over, it will drive me crazy. I care about my privacy very much, and as far as I can tell, the law on the protection of personal information is far from perfect in China," Ji told PingWest.

The man believed that his personal information was already exposed, through health codes or by other means. During his stay in Hubei, a police station outside Chaoyang District called him and asked when he planned to return to the city.

As central and local governments endeavor to collect and analyze massive amounts of data to help contain the spread of disease, concerns about privacy and data security have been mounting.

"Information security matters. If the health code is no longer needed after the pandemic prevention and control work is over, the personal data should be deleted in time," said Zhu Wei, deputy director of the Communication Law Research Center of China University of Political Science and Law.