XU YUYU was a poor 18-year-old student from the coastal province of Shandong when, on the eve of going to university in 2016, she was defrauded of the savings that her family had painstakingly accumulated for her. She died of a heart attack that was caused, a court said, by the fraud. Ms Xu’s fate sparked an impassioned debate in China about data privacy because the scammer, Chen Wenhui, had paid a hacker for stealing her personal details. He was sentenced to life in jail for theft of private information.

China has a reputation for lax controls over the gathering, storage and use of digital data about individuals. But sensitivities about such matters are growing, and not just when information is stolen.

This month a court in the eastern city of Nanjing agreed to hear a case brought by a government-controlled consumers’ group against Baidu, China’s largest search engine. The group claims that a Baidu app illegally monitors users’ phone calls without telling them. At the same time, Ant Financial, the financial arm of Alibaba, the country’s largest e-commerce group, apologised for a default setting on its mobile-money app that automatically enrolled customers in a credit-scoring scheme, called Sesame Credit, without users’ consent. The third of China’s big three internet firms, Tencent, also dealt with a storm of criticism after the head of one of China’s largest car firms said Pony Ma, Tencent’s founder, “must be watching” all messages on WeChat, the firm’s popular social-media app, “every single day”.

Consumers in China have good cause to worry. Data collected through one medium can often end up in another. A man who talked on his mobile phone one day about picking strawberries said that when he used his phone the next day to open Toutiao, a news aggregator driven by artificial intelligence (AI), his news was all about strawberries. His post on the experience went viral in January. Toutiao denied it was snooping but conceded, blandly, that the story revealed a growing public “awareness of privacy”.

Cultural evolution

Anxiety about it is indeed growing, but from a low base. The Chinese word for privacy, yinsi, has a negative connotation of secrecy. Things that in the West are taboo in conversation between strangers—for example, asking about the other person’s salary—are often discussed in China.

Such traditions inform behaviour in the digital world. The Boston Consulting Group says that in a dozen countries it surveyed in 2013, three-quarters of respondents outside China stated that caution was necessary when sharing personal information online. But only half of those polled in China agreed. In 2015 Harvard Business Review, a journal, tried to estimate what value people in different countries attached to personal data. It found that Chinese would pay less to protect data from their government-issued identification cards and credit cards than people from America, Britain and Germany. More than 60% of respondents in a large survey conducted by China Youth Daily, a state-owned newspaper, said that the default settings in their mobile apps allowed their personal information to be shared with third parties. Chinese law did not define what counts as personal information until a cyber-security bill took effect last year.

Two things are helping to change public attitudes. One is rising concern about online fraud, a huge problem in China. A survey in 2016 by the Internet Society of China found that no less than 84% of respondents said they had suffered from some form of data theft. The number of cases seems to be rising. In 2017, according to Legal Daily, a newspaper, the police investigated 4,900 cases of theft of personal information, resulting in the arrests of over 15,000 people. That is twice the number of cases and four times as many suspects as in the previous year. Worries about data theft are not the same as concerns about privacy. But the two sentiments often overlap.

The other big change is the surprising emergence of China’s internet companies as lobbyists for better data protection, even though their motives are mixed. On the one hand, the data they are scooping up from consumers are becoming an ever more prized commodity. The companies want to use the data in pursuit of global dominance in the business of AI. So they have an incentive to collect as much data as possible and support lax data-protection laws. On the other hand, consumers in China are demanding tighter protection, while their counterparts in the West, where the Chinese companies are trying to expand their business, have even greater privacy concerns.

For the past year, companies have been debating how to strike the right balance. Now, it seems, consumer pressure may be winning out. Frank Fan, a data-security expert, argues that recent events will prove a turning point. “In the future,” he says, “data-protection policies will determine whether a company will succeed or not.” Nie Zhengjun, Ant Financial’s chief privacy officer (yes, they have one) claims that Chinese consumers are “no longer content with preventing information from being used for fraudulent purposes…Now they want control in protecting their privacy.”

The question is how these shifts in consumer attitudes and company behaviour will affect the government, which is gathering vast quantities of personal information without the public’s consent. This includes DNA data taken from millions of people, including all inhabitants of the western province of Xinjiang. The government’s aim is to use the data to help it to strengthen social control.

In 2017 the government launched an inspection campaign examining the privacy policies of ten internet firms. At least five were found to have improved data protection by making it easier for users to delete personal information. This enabled the government to boast about the security of China’s data-protection laws and claim that it was making personal information safe from criminals.

At the same time, however, the cyber-security law required that copies of all personal data gathered by operators of “critical information infrastructure” in mainland China must be stored there. This has fuelled suspicions that the government wants to be able to gain access to them, either covertly or by putting pressure on data-storage companies. At the end of February, Apple will comply with the new law by handing management of the data of iCloud customers in China to a state-owned company. (The American firm insists that “no back doors will be created into any of our systems” and that it will ensure “strong data privacy”.)

In the long run, the public’s growing concerns about privacy must be at odds with the government’s efforts to create a new form of surveillance state. But the Communist Party shows no sign of concern: it seems to be able to have its cake and eat it. It is tightening data-protection rules for companies, while making it easier for itself to grab more private information.