Registering facial recognition data with a biometric authentication application is all the rage in China, but it comes with major privacy concerns.
BEIJING — A friend of mine recently made a business trip to China's southeastern city of Shenzhen. Arriving at an office building, he was not allowed into the elevator until he had registered his facial recognition data with a biometric authentication application. This action is called "face swiping" in China.
After some hesitation, he finally yielded to the request in order to get to his appointment on time. However, the more he thought about this afterwards, the more he regretted that he didn't stick to his principles — even if that meant he would have been letting down his company. He was worried that his biological information could be abused and misappropriated.
Face swiping is increasingly used in security inspection in China. Not only has it become normalized for use as an ID card verification process in airports and railway stations, but more and more places are following suit, including social media platforms and mobile payments among others.
It is most commonly used in office buildings and residential blocks. What is different from airports and stations is that, in order to pass the security check at an office building or a residence, one is obliged to first go through a registration and verification process. This extra step creates the risk of privacy infringement, and personal biological data could be violated and misappropriated with all kinds of consequences.
It is worth noting that, according to a recent survey in China, embezzlement of personal information by using AI face-swapping technology is far too commonplace. A CCTV report pointed out that one can purchase as many as 1,000 strangers' photos online for a mere 2 RMB (30 US cents). Chinese media have reported that criminals have used artificial intelligence technologies to alter illegally obtained photos of people and turn them into deepfakes for criminal purposes.
Battling against unscrupulous criminals, the eastern city of Hangzhou submitted a revised draft of the city's Property Management Regulations to the standing committee of the National People's Congress of Hangzhou for deliberation in October. The aim of this draft is to prohibit estate management bodies from forcing property owners to provide biometric information such as fingerprints and face recognition to enter their community. This is the first time that discussion about the importance of "privacy and data security in relation to convenience" has entered the lexicon of local legislation.
The fact that a local legislature is seriously examining the application of face recognition is a big step forward. Many are hoping that debates about the collection of personal biological information might now be taken up at a higher level in China, with appropriate legislation applied.
Facial recognition payment in Tongxiang, China — Photo: Xinhua/ZUMA
The first step would be to regulate who is authorized to collect biometric data, such as faces and fingerprints. The purpose of collection should be defined clearly while the method of storage and security has to be guaranteed.
Not only should one be allowed an "opt out" choice, but an alternative method for verifying their identity has to be provided for people who are not willing to share this data.
Even if the collection of facial biometric information is permitted, it must be conditional on further clarification and transparency about how this data is used, so as to avoid misappropriation. Under current circumstances of imperfect supervision, loopholes and the existence of an illegal photo trading market, legally collected facial data is being misused.
Is your face an account or a password?
An effective check-and-balance system needs to be implemented by tech companies driven by their interest in developing an increasing number of facial recognition applications. One of the reasons China is advancing rapidly in artificial intelligence is that it collects far more data than Europe and the United States.
Facial recognition is one of the few areas where artificial intelligence finds a wide range of real application scenarios that can be successfully commercialized. But it's precisely because of this potential that we need to be more vigilant about such "progress."
Neither office buildings nor private residences have the ability to develop a face-swiping system themselves. They are being driven by high-tech companies trying to promote widespread usage of their applications. Therefore, just banning the use of face swiping in offices and residences, without allowing system providers to participate in the rulemaking, will reduce the legislation to a cat-and-mouse game.
There's no doubt that improving technologies aid many people. The critical question is, as some experts put it: Is your face an account or a password?
The difference between these is clear: an account doesn't get changed regularly, whereas a password can be altered at will, and should be changed frequently for security's sake. Everybody has only one face, unless you squander a fortune on plastic surgery in South Korea. Using your face as an unchanging password for authenticating numerous services is at your own peril.