As facial recognition technology becomes a daily aspect of people’s lives, concerns grow about slack data security and ethical uses of private information.
By ZHOU Yixue
One day in August, WANG Yi, who lives on the outskirts of Beijing, received a text message from the management of his building. To facilitate COVID-19 contact tracing, it said, a new “smart access control system” using facial recognition technology would be installed, allowing residents to enter the building simply by looking into a camera. Wang, like the rest of the more than 500 residents, was asked to go to the management office to take photos, which would then be tied to their other personal information.
Wang works at a technology company. He felt a little uneasy. Granted, he would still be able to get into the building using an app on his phone, but a photo is required to keep the app activated. In other words, he would lose access to his own home without his photo being taken.
Wang researched the system on the internet and found that there had been data breaches associated with the company. Concerned about how his personal information would be stored and used he raised his concerns with the building managers, who said the information would be “properly used under the supervision of the local police.”
LIU Huan had a similar experience at his workplace. In December, when a new entry system was installed in his office building, again for contact tracing purposes, he and his coworkers inquired about its data security. Neither the maker nor seller was able to provide any convincing details.
As facial recognition technology spreads, concerns about data security and questionable use of private information have arisen.
Facial recognition technology is widely used in China, initially for security purposes at public facilities such as airports and train stations, and now for everyday commercial activities like paying for groceries. COVID-19 has given the technology another push with many shopping malls and office buildings equipped with smart cameras that track the comings and goings of visitors.
Questions about this technology have grown louder. Sixty percent of people worry that facial recognition is being “abused,” according to a national survey and many want to opt-out. People are most concerned about the use of their personal data — where and how it is stored and managed, what measures are taken to prevent data breaches, and whether it can be used for purposes they have not consented to. Despite the wide use of the technology, details on these issues are largely undisclosed.
WANG Xinrui, a lawyer who specializes in data security, told Jiemian News that the technology’s risks have been overlooked or glossed over. “If someone asks you for the pin to your bank account, would you give it to him? Of course not,” he said, “but people are simply indifferent if a company or an organization takes their photo. To some extent, your face should be as sensitive as your bank account information. Whoever knows your face has access to your identity.”
There are already cases of data theft leading to financial losses. In 2018, a man in Zhejiang Province got access to more than five hundred people’s bank accounts using illicitly obtained ID photos.
Theoretically, companies could and should “desensitize” photos, effectively anonymizing them. But in reality, many companies don’t bother. Secure data collection and storage is expensive. A person working in tourism told Jiemian News that in most cases, photos taken for contactless tickets are simply stored in a local server that can be easily hacked into.
TANG Jiayu with Real AI believes facial recognition is full of security loopholes. In stress tests with the Ministry of Industry and Information, engineers from his company were able to break into various supposedly safe personal devices with only a photo.
Technical security aside, the ethical boundaries are indistinct at best. Smart surveillance cameras have been installed in classrooms to check if students are paying attention. In some shopping malls, customers’ facial images are collected and analyzed along with their purchase information. Most people deem such practices unacceptable according to the above survey, but there are only the vaguest regulations in place.
This year, a high-profile lawsuit filed against Zhejiang Hangzhou Safari Park became the first legal challenge to the use of facial recognition technology. GUO Bin, a law professor, sued the park when he was informed that his annual membership would be invalidated upon “failure to register facial recognition information before a due date.” A district court ordered it to delete Guo’s facial recognition data and pay token compensation saying it was unfair and unreasonable to make biometric data, fingerprints, or facial recognition data, mandatory to enter a park.
“Local legislators are now aware of the sensitivity of biometric data and the imperative of personal data security,” Guo said.
Laws and regulations are slowly catching up. In October, lawmakers in Hangzhou passed a bill that makes the mandatory collection of biometric data by property management companies illegal. In December, the city of Tianjin banned non-public entities from collecting biometric data.
In October, China issued a draft of the Personal Information Protection Law that set rules on collecting, processing, and maintenance of personal information. According to the draft, those who process sensitive personal information must demonstrate the need for the information as well as acquire individuals’ consent.
The proposed restrictions on sensitive data, including biometric data, are considered “very strict,” which may deter some private entities from relying on such information. Until then, people can only resort to piecemeal solutions via the courts.
(Wang Yi, Liu huan are assumed names to protect the interviewees' privacy.)
