Some Chinese citizens are starting to push back against the widespread use of facial recognition, according to a South China Morning Post report. They are worried that the technology is being deployed improperly, without the safeguards needed to protect people’s personal information.
Those lax standards have led to several high-profile data breaches in the past few years. Security experts have found databases left entirely unprotected, with no encryption to prevent cybercriminals or even curious bystanders from gaining access. Those databases link someone’s face to their national ID number, and often contain other sensitive information such as phone numbers, student numbers, and addresses, in addition to GPS locations.
In other cases, the malfeasance was more deliberate, but still took advantage of a vulnerable security environment. For example, some apps installed malware that activated the smartphone camera to take (and steal) an illicit photo of the user. Facial data in China is currently being sold for as little as 0.5 yuan (7 US cents) per face, and fraudsters are pairing that with tools to animate that data in an effort to get past face-based security systems.
There have also been examples of simple negligence, with developers leaving passwords and other credentials on the open internet.
“This happens when an engineer has to deploy something quickly but does not have the knowledge or the time to do it in a correct and secure way,” said GDI Foundation security researcher Victor Gevers.
The problem, according to critics, is that China is more interested in supporting technology developers than it is in protecting the privacy of its citizens. While the country does have data protection laws, they contain little in the way of specifics, and do not create a strong legal framework for the resolution of privacy violations. As it stands, the penalties are extremely weak, and do little to deter the steady march of the surveillance state. For instance, Xiaohongshu was fined a mere 50,000 yuan (against revenue of 1.5 billion yuan) for failing to protect the information of those using its social e-commerce app in 2018.
The government also happens to be one of the biggest customers for facial recognition tech. Many businesses that have installed facial recognition claimed that the police ordered them to do so. China is in the process of drafting a data protection law, but critics remain skeptical about the enforcement of that law due to the country’s priorities and staffing limitations.
“In general, legislative development in China has followed a pragmatic ‘learn from doing’ approach,” said Michael Tan, who is a partner at the Shanghai law firm Taylor Wessing. “The Chinese approach could be understood as cultivating a more liberal business environment aiming at promoting the implementation of new technologies as well as better securing the whole economy’s global competitiveness.”
That approach is at odds with the Three Laws of Biometrics recently published by the Biometrics Institute. Critics noted that the country has taken advantage of the COVID-19 pandemic to expand its surveillance apparatus.
October 9, 2020 – by Eric Weiss