A Chinese facial recognition database leak sparks fears about mass data collection.
After leaving a database unprotected, a company that runs facial recognition systems in China has let the personal information of 2.5 million people slip.
Facial recognition
Face-based biometrics are displayed in a grid with relevant points connected to facial features in a blue interface with a human head. This system is used for identity tracking, privacy protection, and surveillance (Big Brother).
It has come to light that a company that runs facial recognition systems in China exposed the personal data of 2.5 million people by leaving a database unprotected.
Victor Gevers, a Dutch cybersecurity expert who works for the GDI Foundation, a non-profit devoted to reporting security issues, made the discovery. As he tweeted: “There is a business called SenseNets in China. They produce security software based on artificial intelligence for face recognition, crowd analysis, and identity verification. Additionally, anyone can fully access their business IP and millions of records of people tracking data.”
The database included information such as the ID card number, the last 24 hours’ worth of tracking location data, sex, nationality, address, passport photo, birthday, and even employer. In July, Gevers notified SenseNets of the problem for the first time.
SenseNets now secure the database by being placed behind a firewall. The information had already leaked, so the action was too late.
What’s at stake?
The news is alarming, not just for the millions of people affected in China. Chinese surveillance differs significantly from the West’s in using a social credit score system. As seen in the movie, Minority Report uses facial recognition for everything from policing to tracking people’s movements to predict crime.
The UK and the US are also beginning to use facial recognition to identify criminals, though China is an extreme example.
Police forces in the UK are testing the technology even though it was found to have a high error rate. It was utilized to scan the faces of Londoners shopping for Christmas in December of last year and at Notting Hill Carnival in 2016 and 2017.
While on her Reputation tour, Taylor Swift’s security team used facial recognition to find stalkers. Investors in Amazon are urging the company to stop selling facial recognition software to government organizations out of concern that it might be used to violate people’s rights.
Sensitive information
The main issue is that facial recognition data is sensitive and must be protected. To put it another way, organizations that store this data must adequately protect it to avoid paying hefty penalties. The EU’s General Data Protection Regulation Update governs it in the United Kingdom and throughout Europe (GDPR).
According to Patrick Hunter, sales engineering director at One Identity, any company using software that gathers this kind of data is responsible for using it responsibly. He points out that because of GDPR, European businesses cannot take shortcuts with their security. He claims that the loss of the location data in the China case is the most concerning. Companies would never be allowed to keep this data because of GDPR.
Paul Ducklin, a senior technologist at Sophos, notes that the massive amounts of data generated by contemporary surveillance must be protected. “It’s not enough just to trust the government to not draw inappropriate conclusions from the data it’s collecting,” he says. “If your government insists that third parties should routinely and by law collect identification data – as the UK does, for example, when you check into a hotel or try to rent a property.”
Handling Sensitive Data
According to Javvad Malik, security advocate at AlienVault, the incident in China highlights the dangers of keeping sensitive data on hand. It’s worse when it’s something like your face that can’t be altered.
Malik says, “We frequently witness password databases being compromised, but whereas these can be changed fairly easily, changing a face or other form of biometric isn’t quite as straightforward.”
According to him, companies in charge of maintaining such data need to consider integrating security and privacy controls into every stage of the process, “from development to deployment, at the endpoint, the network, and through to the servers.”
Users need to be cautious as governments and businesses continue to collect vast amounts of data, and facial recognition trials are taking place in public places like concerts and the streets. However, it is ultimately the responsibility of those implementing facial recognition programmes, for whatever reason, to guarantee that the organization handling that data is secure. If not, there will be severe repercussions that could be fatal.
