How a Chinese Surveillance Broker Became Oracle’s “Partner of the Year”

Banners printed for the occasion read, “Build a new type of strategic partnership.” Artfully made cutouts of the two companies’ logos adorned the stage. And the frosting on the massive sheet cake curled into a red “20,” to celebrate two decades of cooperation between Oracle and one of its most important Chinese resellers.

This was the backdrop in 2018, when Oracle executives gathered with management from Digital China, a Beijing-based broker used by foreign tech companies to access the Chinese market. Roger Li, Oracle senior vice president and managing director for China, delivered a speech extolling the deep and sustained cooperation between the two firms, according to an account published on Digital China’s website. His team posed for numerous photos with Digital China representatives, including a carefully staged shot in which they together placed their hands on a cake knife.

The event showed a deepening relationship between Oracle, an Austin-based multinational best known for its databases, and its longtime partner. Soon after, Oracle named Digital China a global “partner of the year.” At a 2019 Oracle software developer conference in Shenzhen, a keynote speaking slot went to Digital China’s chief technology officer. And Digital China’s board includes a former Oracle China vice president.

But Oracle’s relationship with the Chinese broker is deeply problematic. Oracle has pledged to “uphold and respect human rights for all people” and stated that its partners should “have the same mission and vision” as Oracle itself. Co-founder Larry Ellison once criticized a competitor, Google, for going “into China and facilitat[ing] the Chinese government surveilling their people.” And yet Digital China and its network of subsidiaries are critical purveyors of technology used to build China’s surveillance state. Among the company’s offerings are services for Chinese police and defense entities — as advertised on Oracle’s own website.

In February, The Intercept revealed that Oracle employees had marketed the company’s analytics software for use by police and military-linked clients in China, as well as by police and paramilitary forces in Brazil, Mexico, Pakistan, and the United Arab Emirates. Documents found on Oracle’s site indicated that at least two Chinese provincial police departments have used the software to crunch surveillance data. At the time, Oracle spokesperson Jessica Moore said that Oracle had “no known implementations” with Chinese police. She described the presentations, which bear the company’s logo, as hypothetical “pitch decks.”

But a former Oracle senior director contradicted that account. At the 2017 Oracle OpenWorld conference in San Francisco, he presented on a surveillance project by an unnamed provincial police department in China. He told The Intercept that the department had used Oracle software.

And even Moore left open the possibility that brokers might have sold analytics software built with Oracle technology to police departments. “Third parties or systems integrators could develop products on top of our technology,” she said, though she claimed that it was unlikely.

Now, The Intercept has unraveled that network of resellers — and found deep and long-standing relationships between Oracle and brokers that sell surveillance technology to the Chinese government.

In addition to Digital China, Oracle’s website names as a partner a subsidiary of CEC, a state-owned conglomerate that was listed last year by the Defense Department for its military ties. The website of that subsidiary, Great Wall Computer Software and Systems, describes extensive work with the Ministry of Public Security and provincial public security departments. The broker has helped with “anti-terrorism” work (a term generally used to connote the crackdown against Muslim minorities in Xinjiang), its site says. Great Wall has also worked on a border control and surveillance system that involves the use of Oracle databases, according to Chinese state news agency Xinhua.

Another Chinese reseller, Sinobest, advertises on Oracle’s Cloud Marketplace a “police integrated information system” that runs on the U.S. corporation’s technology. Sinobest describes the app as suitable for “strike, prevent, manage, control” public security, a form of heavy-handed and data-driven policing. “That means that the technology is used to cast a very wide net that covers not only the criminal activity but also every other behavior or condition that is conducive to the crime,” said Daniel Sprick, a legal scholar at the University of Cologne who studies policing in China.

Still another partner, Kingbase, is described on a featured page on Oracle’s site as having products that are used in the “national defense war industry.” And a fifth, Xinjiang Hui Wen Network Information Technology, works extensively with the Xinjiang Production and Construction Corps, the entity that runs many internment camps used in the systematic persecution of Muslim Uyghurs and other minorities. Oracle previously told The Intercept that it sold technology to the Xinjiang Public Security Bureau, which oversees policing in the region, until 2019. That was the year the agency was listed by the U.S. Commerce Department.

Moore told The Intercept that Kingbase and Sinobest are not current Oracle partners, despite their pages on Oracle’s website. She said that Oracle does work with Great Wall, the CEC subsidiary, but that the relationship is permitted under the terms of the Defense Department listing. She added that Oracle has no record of police or military transactions involving Great Wall but that the broker has represented Oracle in business with China’s State Administration of Taxation.

Moore said Xinjiang Hui Wen was a partner until earlier this month, when its membership expired, and Oracle is now reviewing the broker’s partner eligibility.

Digital China did not respond to emailed questions, and no one answered when The Intercept called on multiple occasions. Great Wall, Kingbase, and Sinobest did not respond to questions sent through email and submitted through Sinobest’s website. A person who answered the phone at Xinjiang Hui Wen claimed that the reseller did not have an employee who answers media queries. The broker described Oracle as a partner in a June 2020 job listing.

Oracle is not alone among U.S. tech companies in its reliance on resellers in China. For decades, the tech giants have used brokers to provide needed connections to Chinese businesses and government officials.

Over the past eight years, third-party outfits have become even more important. In 2013, revelations from National Security Agency whistleblower Edward Snowden that U.S. tech companies assisted the agency’s spying set off alarm bells within the Chinese government, sparking a scramble to purge Chinese government supply chains of foreign technology — or at least technology under direct foreign control. To cling to market access, Western companies moved closer to brokers. Oracle, for its part, allowed a Digital China subsidiary to “localize” its powerful server hardware, which is tailored to Oracle databases, resulting in a  machine manufactured by the subsidiary. The server was recently sold to Beijing police as part of a cloud-based surveillance project.

Oracle’s work with brokers illustrates the role that Western companies play in driving surveillance in China, even as they scale back their presence there. “The West has a long history of selling arms and surveillance systems to other countries,” said Maya Wang, a senior researcher on China at Human Rights Watch. “There is this pretense that this is a story of good versus evil, with the U.S. being on the good side. But the evidence is not supportive of that narrative.”

Brokers like Digital China often work with multiple foreign companies. Digital China’s partners also include Amazon Web Services, IBM, and Microsoft. (In a preliminary search, The Intercept could not find policing-related solutions listed by Digital China on other foreign companies’ websites.)

Ken Glueck, an Oracle vice president, argued that Oracle’s practices in China and elsewhere adhere to the law. “We go beyond what one might anticipate from export control regulations,” he said in a telephone interview with The Intercept. “We vet partners, and we have a track record globally of ending partner relationships where there has been some violation in our view.”

But export control law has notable holes, especially when it comes to emerging surveillance technologies. Human rights advocates concerned about the use of U.S. technology by police in China and elsewhere have called for overhauling the U.S. export control regime.

Moore, meanwhile, downplayed Oracle’s ability to influence partners. “We have no doubt that all Chinese partners conduct objectionable business,” she said in March, adding that Oracle can only control transactions involving its work. In another email she wrote: “These are arms-length relationships that are almost always far more limited in practice, and by contract, than they may be represented on a public marketing website.”

But at Oracle China’s anniversary event with Digital China, Li, the managing director, reportedly described not an arm’s-length relationship but “mov[ing] forward hand in hand” — a comment underscored by the overlapping hands on the cake knife.

The Rise of Resellers

Foreign technology companies operating in China have long faced a dilemma: In order to obtain market access, they have to give something up. In some cases, that something is their technology, which leaks out through the establishment of joint ventures with Chinese companies and local research and development centers. In other cases, it is their stated values. And often, it is both.

Oracle entered China early, in 1986, and by 2008 it had four R&D centers in the country, according to a presentation found on its website. Ellison, the Oracle co-founder, reportedly selected the location in Beijing himself. The company established a fifth center in 2013 and closed its Beijing center in 2019. Oracle would not say how many of the other centers remain open.

By the early 2000s, Oracle had made significant inroads in the country. The Chinese government was pushing for local control over key technologies, but at the time there was no quality Chinese-made alternative to Oracle’s pioneering database software. Meanwhile, local officials building up data infrastructure were dazzled by brand names, and Oracle was the gold standard in the relational databases used to process large amounts of information. As a result, the Chinese government put Oracle’s technology to use even in sensitive areas. According to a presentation on Oracle’s website, its technology helped power the internet surveillance project Golden Shield, along with the pilot for China’s grid management system, a network of neighborhood-level social control. Golden Shield “was instrumental in helping Public Security Bureaus to identify Uyghurs without proper registration and force them to return to Xinjiang, where many were detained,” said Darren Byler, an anthropologist at Simon Fraser University who studies policing in Xinjiang.

A later Oracle document claims that Oracle servers have been used by the People’s Armed Police, a Chinese paramilitary force focused on domestic security. When asked about Oracle documents claiming business with military entities, Moore said, “We deny transactions for any unlawful or unauthorized military work, consistent with the export laws and regulations at the time of the original transaction, and applicable to any ongoing provision of product support.”

In 2012, company President Mark Hurd told investors on an earnings call that Oracle was “ramping up” its business in Asia. Then the Snowden documents threw Oracle’s China work into limbo. From a hotel in Hong Kong, Snowden helped reveal that the NSA had obtained access to the systems of Apple, Facebook, Google, and other companies. The news spooked Chinese government officials, who worried that a reliance on U.S. technology made China vulnerable to American spying.

Although it was not named in the documents that Snowden leaked on PRISM, the NSA project, Oracle came under scrutiny because its databases were so widely used by government ministries. “Sometimes in the United States we forget how much the Snowden incident influenced Beijing’s thinking about cybersecurity and policy,” said Elsa Kania, an adjunct senior fellow at the Center for a New American Security and an expert on Chinese military strategy. “In the wake of ‘Prism-gate,’ as PRC state media calls it, there was increased pressure on and suspicion of foreign companies like Oracle.”

Ellison did not help the situation. At a moment when other U.S. tech companies were trying to distance themselves from the NSA, he defended the agency to then-CBS News host Charlie Rose. “It’s great,” Ellison said in the August 2013 interview on NSA surveillance. “It’s essential.” He also asked, “Who’s ever heard of this information being misused by the government?” even though Americans were reeling from a decade of overzealous post-9/11 investigations.

A few days after the interview aired, China’s Ministry of Public Security moved to investigate Oracle, along with IBM and computing company EMC. What ensued was a campaign to “de-IOE” Chinese supply chains, which meant removing IBM, Oracle, and EMC technology — or at least laundering them through Chinese resellers.

As U.S. companies struggled to hold on to market access in China, they made further compromises. Microsoft opened a “transparency center” in Beijing that allowed source code review for its products. IBM partnered up with the Beijing-based broker Teamsun to develop a local database, handing over access to the source code for its Informix software as part of the deal. And Oracle partnered with Digital China to adapt its hardware to the Chinese market. Working with another Chinese company, Neusoft, Oracle also tried to break into the “smart city” business in China, a move reflected in documents found on its site that detail data-driven surveillance as part of a smart city model.

For companies counting on China for growth, the “de-IOE” campaign was far from ideal. But the resellers empowered by it offered one advantage: They helped shroud sales of controversial technologies, warding off scrutiny from both the U.S. government and human rights activists concerned about the ways that Western technology was being used to perpetrate techno-authoritarianism in China. “We’ve seen brokers crop up and become more important as a way to keep things underground,” said Emily Weinstein, a research analyst at Georgetown’s Center for Security and Emerging Technology who has written about problematic work by U.S. tech companies in China.

Brokered transactions are not totally underground, however. The Chinese government publishes detailed procurement notices outlining the technology that various ministries and departments purchase. Along with police reports, these say that police in Guangdong, Jiangsu, and Yunnan provinces have recently purchased Oracle databases. So has China’s Ministry of Public Security, which oversees police throughout the country. An online marketplace set up by China’s State Council notes, “Oracle databases are used in various fields in China, such as e-government systems at all levels of government.” Among other areas, it cites public security.

Procurement records show that Digital China or its offshoots have licensed Oracle databases, applications, and middleware to several government clients, including the State Administration of Radio, Film, and Television, the former name of one of the entities responsible for censorship in China. Some of these deals have been lucrative. A 2018 project to provide Oracle database software to the central government’s State Sports General Administration, for example, brought in close to 19.8 million RMB ($2.9 million) for Digital China. It is unknown what portion of that went to Oracle.

Digital China also brought in money for Oracle through another source: the localized Oracle database server, or Dengyun All-in-One.

Oracle Servers, Made in China

The origin of the Dengyun All-in-One is detailed in a presentation hosted on Oracle’s website, which says that the tech giant and Digital China signed an agreement covering the transfer of Oracle hardware in September 2016. Under the deal, Oracle agreed to assist a Digital China subsidiary, Yunke China, with rolling out the server, a towering machine designed to run Oracle’s relational databases. Oracle was to provide marketing, project management, and some technical support, according to an account published on Digital China’s site. Oracle marketing documents tout the server as suitable for handling sensitive data and cloud-ready. (The “yun” in Dengyun means “cloud.”)

Moore downplayed the extent of the collaboration. “The Digital China Dengyun offering is simply a rebranding of older versions of Oracle’s hardware,” she said. “It involves no joint development or intellectual property transfer of any kind.” Oracle said that Dengyun was made of “parts” from Oracle’s Exadata Database Machine, a server that it markets to businesses and government clients in the United States and elsewhere as “the best platform to run the Oracle Database.” The specifications given by Yunke China for the most recent Dengyun All-in-One are identical to those that Oracle lists for the Exadata X8-2.

Within four months of Oracle signing the Dengyun agreement, assembly lines in a factory in Guangdong province were churning out the machines, according to the Oracle presentation and to Yunke China’s site. That same month, provincial government social security departments in Hebei and Shaanxi provinces received the first Dengyun servers, the presentation says.

The following year, Yunke China displayed one of the servers at an Oracle conference, according to the broker’s website.

It is unclear exactly how Dengyun All-in-One intersects with Oracle’s efforts to market its data analytics software for use by Chinese police, but the product helped position Oracle and its partners to upsell customers on advanced software that works with its database. A source close to the broker industry said that companies like Oracle frequently pitch additional products to existing database clients.

What is clear is that for Oracle, the Dengyun deal meant its databases would remain ubiquitous and necessary at a moment when its China business was in danger. The tech giant appears to have continued to assist Digital China and other brokers with sales. Dengyun is mentioned in nearly a dozen Oracle marketing documents downloaded from the tech giant’s website.

Dengyun’s local connection became part of the sell. A 2016 Oracle document depicts the company’s collaboration with Digital China on a timeline, mentioning the “domestically manufactured” Dengyun at the end of the trajectory. A later sales document pitching Oracle’s technology to Chinese government cloud clients touts Dengyun as “autonomous and controllable,” a term widely used in China to mean Chinese-made products that have no direct oversight by foreign entities and no backdoors. (The Intercept downloaded the second presentation before it disappeared from Oracle’s website.)

By the time of the Dengyun deal, Digital China was enmeshed in surveillance work. In a post dated August 2018, shortly before it and Oracle celebrated 20 years of teamwork, Digital China announced on its website a geospatial effort called Deeplan. The project uses mobile phone data, apparently culled from telecommunications giant China Mobile, to generate heat maps showing potential crowds. The goal is to “monitor the activities of people in real time” in order to “improve the efficiency of police officers,” according to the site. An apparent image from the interface shows individuals’ blurred-out names, along with their phone numbers, precise locations, and cities of origin. The page says police can use the heat map to divide people into groups from inside and outside a province, a feature that might be used to track aspiring protesters or government petitioners. The Digital China subsidiary that oversees the project, Howso Technology, currently lists a job opening on its website for a software development engineer specializing in geographic information systems, or GIS. Among the requirements is familiarity with Oracle databases.

The Dengyun effort was soon linked to oppressive entities in China as well. In 2018, the server was sold to the National Geomatics Center of China, which oversees geospatial work that is crucial for police efforts.

Most glaringly, on March 9 the Beijing city government announced that it would pay 2.7 million RMB ($414,900) for a Dengyun machine as part of a “smart policing project.” Although ostensibly focused on transportation, the project is part of China’s “Police Cloud,” an effort to collect and centralize information that has been criticized by Human Rights Watch. (The Intercept previously reported that Oracle employees promoted the company’s technology for Police Cloud.)

A procurement document for the project describes features of interest to police trying to prevent protests or large gatherings, including automated license plate recognition, the identification of cars that are entering the city for the first time, and facial recognition on drivers inside their vehicles. It also describes the server as a necessary part of the policing project and notes that the project requires the purchase of certified Oracle databases, as well as “at least one Oracle-certified engineer.”

Glueck, the Oracle vice president, claimed that the Dengyun server is too basic to be of use in any kind of ambitious surveillance project. “This product is not the kind of appliance that you could even run a surveillance system on,” he said. “That’s not to say that we obviously don’t have different hardware capabilities, but this is a very limited, small-scale kind of appliance.”

But Oracle’s own marketing materials boast that Dengyun can be used for big data and high-performance computing. The Yunke China flyer separately says that the server offers 3.0 petabytes of disk capacity per rack — enough to store years’ worth of continuous high-definition video or billions of social media images.

Oracle’s relationships with resellers are a cautionary tale. In its effort to distance itself from the U.S. government in China, the company may have gone too far in the opposite direction.

Enabling Data-Driven Policing

For many Western companies operating in China, brokers offer a sort of plausible deniability, allowing them to claim that they simply provide neutral tools and don’t bear responsibility when those tools are used to surveil the Chinese population. But it is hard for Oracle to make that claim with Digital China: The broker markets policing-oriented products configured for Oracle technology on the tech giant’s own site.

One such offering on Digital China’s Oracle.com partner page is called “Government Industry Information Security Solution 2.0.”

A Chinese-language posting about the “solution” says that Digital China can provide IT maintenance and management for Chinese police, military, and other entities that conduct surveillance. This includes work for China’s 1203 Project, an effort to link up security data infrastructure from across China. The partner page also describes work for the feared chengguan, uniformed city management officers who are known for their violence toward street vendors. And it boasts that Digital China can help authorities maintain an “integrated policing platform,” a term used to describe data-driven policing software. The page notes that the solution is built to run on Oracle databases, operating systems, and virtual machines.

“It clearly shows that Oracle did not shy away from providing crucial technological infrastructure to the Chinese party-state,” said Sprick, the China legal scholar, after reviewing the page.

Digital China is an Oracle managed service provider, a coveted certification that the tech giant says requires annual third-party audits. In a February email, Moore said that the company separately audits or investigates any partners suspected of misusing its technologies. Oracle declined to comment on what its audits in China entail. Glueck claimed that Oracle has ended partnerships in the country based on audit results but would not give details.

Byler, the anthropologist, said companies like Oracle need to do better. “It does take some time to suss out your networks and figure out who is doing what,” he said. “But due diligence and the human rights record of China demands that you do that kind of work.”

When asked about the police assistance described on Digital China’s partner page, Moore equivocated. Rather than disavow the project, she said, essentially, that it wasn’t that bad. She noted that the solution includes other, nonpolicing government work. “An examination of the full text shows the offering you cite is almost entirely ‘optimizing’ other solutions, nearly all of which are completely benign,” she said, adding, “If you object to ‘video conference optimization,’ we really don’t know how to respond.” She neglected to note that the solution describes video conference optimization work for Chinese military clients — for an unspecified “army office” in the “national defense industry.”

“We all have different definitions of what surveillance might be,” Glueck told The Intercept. But when pressed for Oracle’s definition, he diverted the conversation. Instead of answering, he suggested looking into the tech giant’s rivals.