A screen demonstrates facial-recognition technology at the World Artificial Intelligence Conference (WAIC) in Shanghai on August 29, 2019. Photo: Bloomberg

Facial recognition data leaks are rampant in China as Covid-19 pushes wider use of the technology

  • Residential neighbourhoods across China are adopting facial recognition, but people have few means of fighting back
  • Incorrectly configured databases remain a widespread security problem in China owing to overworked and undereducated tech workers

When Lao Dongyan’s residential neighbourhood in Beijing decided to install facial recognition, she made an uncommon choice: She decided to fight it.

Lao had concerns about the data security for such systems, so she raised her objections in a group chat with other residents. As a law professor at Beijing’s prestigious Tsinghua University, Lao had knowledge and resources that most people do not have. Lao sent out legal letters to the property management and neighbourhood committee.

“When property management companies, schools and other organisations collect such information, you do not know how much they collected, how they store it or how they use it,” Lao said during a seminar held on September 23 at the China University of Political Science and Law, where participants discussed the misuse of facial recognition.

Lao said that the neighbourhood eventually decided to allow residents to continue to use their access cards to enter the community, but the facial recognition system was still installed. Not everyone in China gets that option, though, as facial recognition systems become more common in similar neighbourhoods around the country. And not all those neighbourhoods have a legal professional like Lao to advocate against the technology.

Privacy concerns about facial recognition are not new in China.

As the use of facial recognition has exploded across China in recent years, the country has been hit with numerous data leaks related to the technology. But people without any legal expertise might not know how to fight back, especially when the installation of such systems is being pushed by local police.

Facial recognition started becoming a more common way of controlling access to local communities last year, and law enforcement might be aiding the technology’s spread. Lao said the head of her neighbourhood committee told her that the local police demanded the installation of the system. And Chinese media reported that police in Shanghai have advocated for the same thing.

A man in Shenzhen has his temperature measured on March 6 at the entrance to an office building by an AI computer called “Smart AI Epidemic Prevention”, made by the Chinese artificial intelligence company SenseTime. Photo: EPA-EFE

Companies and officials have their own reasons for promoting the use of facial recognition.

One company that said it had installed its systems in more than 100 neighbourhoods in Chengdu last year told Xinhua last November that it was “answering the country’s call for building smart cities”. The company also said it raised the “class” and security of the neighbourhoods.

Many neighbourhoods are now giving another reason for installing these systems: the Covid-19 pandemic.

Since facial recognition is contactless, the neighbourhoods say this helps prevent disease. Media reports show that many neighbourhoods are already combining facial recognition systems with temperature checks.

The Cyberspace Administration of China (CAC) also said these systems are a more efficient way to screen non-residents and help to reduce the workload of community staff.

But the touted benefits of facial recognition are not necessarily winning people over.

Many complaints can be found on social media from residents who say they had no options when their neighbourhoods decided to add facial recognition systems. Opponents argue that it is unnecessary and that they have no control over their facial data.

Their concerns are not groundless. Personal data leaks related to facial recognition are common, and China is one of the worst countries at protecting biometric data, according to some research. Images of faces, national ID numbers and phone numbers have repeatedly been found for sale online at alarmingly low prices.

Xinhua reported in July that some online vendors were selling facial data for just 0.5 yuan (7 US cents) per face. State broadcaster CCTV also reported last December that a bundle of 5,000 images of people showing various facial expressions was being sold for 10 yuan. Even images of people wearing masks were traded online after systems were updated this year to account for the new reality under the pandemic.

One reason this data is so accessible is poor security practices. In January, GDI Foundation security researcher Victor Gevers found a middle school database in China full of photos of students’ faces, ID and student numbers, and GPS locations. It was left open to the internet without any encryption or other protection.

Students and staff use facial recognition to enter the Peking University campus through the southwest gate in Beijing in June 2018. Photo: Simon Song

A similar case was reported just last week, when a state-run investigation found a “smart community” app that left information unencrypted for anyone to see online. The app collects facial images, national ID numbers and apartment numbers for an access control system. The name of the app was not made public.


These kinds of leaks are so common because of a rapidly evolving business that emphasises “time to market”, Gevers said. The result is that tech workers are not given the time or education they need to build a viable system and avoid sloppy mistakes.

“This happens when an engineer has to deploy something quickly but does not have the knowledge or the time to do it in a correct and secure way,” Gevers said. He added that China has the second-most incorrectly configured databases in the world, with data often exposed through these misconfigurations.

A screen displays Face++, a facial recognition system from Chinese artificial intelligence company Megvii, at the Light of Internet show in Jiaxing, Zhejiang province, in November 2018. Photo: Simon Song

But this is not the only reason for data leaks. In some cases, it is deliberately stolen.

Chinese cybersecurity company Qihoo 360 found in July that some loan apps were discreetly accessing users’ smartphone cameras, taking pictures of them and then uploading them to remote servers.

By exploiting this kind of data, bad actors can steal identities to get access to loans or carry out scams. Some online vendors were found offering ways to animate still images of faces so that they could be used to fool some in-app facial recognition systems.

Leaked facial data can also be used to manipulate critical security systems used by the government, Gevers said.

In February 2019, Gevers found an online database of 2.5 million people in the western region of Xinjiang. The database was said to contain names, ID numbers and location data, showing how the government had been closely tracking the movements of members of the region’s Uygur Muslim minority.

The database was left open by Shenzhen-based facial recognition firm SenseNets, said Gevers at the time. He also found that some developers from the company kept database passwords and other credentials on the open-source code repository GitHub, making them readable to anyone in the world.

Legal protections for personal data are limited in China. The country has several laws that mention personal data protection, including its cybersecurity and criminal laws, but it does not have a unified legal framework or a clear definition of personal information.

The punishments that do exist for data-related offences are also not much of a deterrent, Deheng Law Offices said in a blog post. Companies might wind up with just administrative penalties over data leaks, which could include fines, being ordered to rectify the issue themselves, or being removed from app stores, Xinhua reported in July.

In 2018, the social e-commerce app Xiaohongshu was fined just 50,000 yuan for failing to protect user privacy. Its revenue was nearly 1.5 billion yuan that year.

“In general, legislative development in China relating to facial recognition technology has followed a very pragmatic ‘learn from doing’ approach,” said Michael Tan, a partner at the law firm Taylor Wessing in Shanghai, in an article on his firm’s website. “The Chinese approach could be understood as cultivating a more liberal business environment aiming at promoting the implementation of new technologies as well as better securing the whole economy’s global competitiveness.”

Gevers said that it is virtually impossible for people to protect their facial data in China because facial recognition is used in many practical services. Tech giants have been pushing facial recognition payments, for example, and the government now requires people to have their faces scanned when buying a new SIM card.

But as the public becomes increasingly concerned about the issue, China could be starting to take facial data leaks more seriously.

State-run media outlets started publishing opinion pieces about problems related to facial recognition last year. This appears different from how censors used to treat Lao’s articles about the topic. She said during the seminar that her articles kept getting removed online.

China is also in the process of drafting a law to protect personal information, with a public draft reportedly coming later this month.

“I think there is growing awareness of and pushback against the risks of facial data leaks,” said Jeffrey Ding, a researcher who tracks China’s AI strategy at the University of Oxford’s Centre for the Governance of AI.

Ding said the September seminar that Lao spoke at makes him optimistic that the upcoming data protection law will address risks associated with facial data collection, both in residential neighbourhoods and public places like subway stations.

A recently installed facial recognition system at a subway station in Harbin can recognise people with face masks on. Photo: Handout

Even with the new law on the horizon, some think enforcement will remain an issue for some time after it goes into effect.

“I’m not as optimistic about the enforcement of this law given that regulatory bodies lack the technical capacity and talent to check against abuses,” Ding said.

Gevers maintains that addressing China’s data security problem will require solving the issue of long hours for tech workers and improving education. This is essential to limit sloppy implementations of facial recognition, he said.

But the other issue in China is that the government is the biggest customer of facial recognition technology. That is why Gevers said he thinks the government needs to weigh the costs and benefits of mass surveillance. The US has already targeted China over its surveillance practices in Xinjiang and is in the process of trying to ban WeChat, in part because of how Tencent monitors and censors information in the app.

This could ultimately be the real challenge for data privacy in China.

“Data is the new oil, and the Chinese government needs it to govern,” Gevers said.

This article appeared in the South China Morning Post print edition as: Concerns grow over facial recognition data leaks