A middle school’s facial recognition database exposes student data

This article originally appeared on ABACUS China's internet is known for its lax security, so it's surprisingly easy to find all kinds of things there if you know where to look. And one security researcher recently unearthed a disturbing trove of photos, ID and student numbers, GPS locations, and even school grades belonging to teenagers. GDI Foundation security researcher Victor Gevers uncovered an unsecured facial recognition database in China belonging to Ruoergai Middle School in Sichuan province. It was left open to the internet, with no firewall or authentication methods protecting it, according to Gevers. The database contained high-resolution pictures used to train the facial recognition system alongside much more private information of students. “The database had information like ID numbers of the document, student number, nationality, gender, telephone numbers, grades, class, when they passed a certain checkpoint,” Gevers said. This school (若尔盖县中学出校) is using the 校安云盾平台 ("School Security Cloud Shield Platform") has some fancy school uniforms. These are their class photos used to train facial recognition. They store a lot of PII data per student every time they pass a check-in point. pic.twitter.com/t4RRbLcISC — Victor Gevers (@0xDUDE) January 12, 2020 The system, maintained by a platform called Xiaoan Yundun, covered 1.3 million people, including teachers, cleaners and security personnel. A school might seem like an unusual place to have such a large facial recognition system, but it’s becoming more common in China. Surveillance systems are already peeping on city streets, and governments and private companies in China are also pushing facial recognition into subway stations, payment platforms and even toilet paper dispensers. You can’t even buy a SIM card without scanning your face these days. “Skynet”, China’s massive video surveillance network Schools are the next big market. In addition to smart uniforms embedded with ID chips and GPS, lower and higher educational institutions have been introducing facial recognition cameras inside the classrooms and outside. This raises questions about the potential security issues. Four ways China’s schools are keeping tabs on students with new technology China is the biggest place for data leaks, according to Gevers. The country has seen several scandals over the past few years involving people’s IDs, phone numbers, addresses, contacts and other data being sold on the internet. Now biometric data such as facial recognition images are starting to leak, too. Recent research from Comparitech showed that China is the worst in nearly every way at protecting biometric data. This is why Ruoergai might not be the only Chinese school that’s unintentionally giving up their students’ sensitive data. Gevers said his organization detected about 200,000 open databases in China that have problems with security or missing patches. The researcher said that the middle school’s database, which has been online since June, was secured 24 hours after his team sent a request to the company’s internet service provider, Alibaba Cloud. But it’s not clear if the school has taken any additional measures to protect the sensitive data of its students. Calls to the schools went unanswered while Xiaoan Yundun couldn’t be reached. (Abacus is a unit of the South China Morning Post, which is owned by Alibaba.) More recently, facial recognition companies in the country have been facing pushback from legal experts advocating for more stringent rules. China had its first facial recognition lawsuit in November when law professor Guo Bing sued a wildlife park for introducing the technology without consent. Late last year, the Chinese government announced that it plans to "curb and regulate" the use of facial recognition technology and other apps in schools. Purchase the China AI Report 2020 brought to you by SCMP Research and enjoy a 20% discount (original price US$400). This 60-page all new intelligence report gives you first-hand insights and analysis into the latest industry developments and intelligence about China AI. Get exclusive access to our webinars for continuous learning, and interact with China AI executives in live Q&A. Offer valid until 31 March 2020.

A middle school’s facial recognition database exposes student data

The database contains records for 1.3 million people, including students, teachers, cleaners and security personnel