China Facial Recognition Database Leak Sparks Fears Over Mass Data Collection


A company that operates facial recognition systems in China has exposed the personal information of 2.5 million people after leaving a database unprotected on the internet, it has emerged.

It was discovered by Dutch cybersecurity researcher Victor Gevers, who works for the GDI Foundation, a non-profit dedicated to reporting security issues. He tweeted: “There is this company in China named SenseNets. They make artificial intelligence-based security software systems for face recognition, crowd analysis, and personal verification. And their business IP and millions of records of people tracking data is fully accessible to anyone.”

The database contained each person's ID card number, location tracking data for the previous 24 hours, sex, nationality, address, passport photo, birthday and even employer. Gevers had apparently first reported the issue to SenseNets in July.

SenseNets has since protected the database by placing it behind a firewall. But the action was too little, too late: the information had already leaked.

Why it matters

The news is a concern – and not just for the millions affected in China. Chinese surveillance isn’t like anything we have seen in the Western World: the country has a social credit score system and it’s using facial recognition for everything from policing to tracking people’s movements to predict crime, as seen in the film Minority Report.

And although China is an extreme example, the UK and US are also starting to use facial recognition to identify criminals.

The technology is being trialled by police forces in the UK, even after it was found to have high error rates. In December last year it was used to scan the faces of Christmas shoppers in London, and it was also used at Notting Hill Carnival in 2016 and 2017.

Meanwhile, Taylor Swift’s security team deployed facial recognition during her Reputation tour to root out stalkers.

At the same time, Amazon investors are urging the company to halt sales of its facial-recognition software to government agencies over fears the technology could be used to violate people's rights.

Sensitive data

Concerns centre around the fact that facial recognition data is sensitive and must be secured accordingly. In the UK and Europe it is covered by the EU's General Data Protection Regulation (GDPR). In other words, companies that store this data must adequately protect it, or they will face huge fines.

There is a duty of care for any organization using software that collects this type of data, says Patrick Hunter, sales engineering director at One Identity. As he points out, in Europe, GDPR means that organizations cannot be lax on their security. In the China case, he says, the most worrying loss is the location data. “Due to GDPR, companies would never be permitted to retain this sort of data.”

As Paul Ducklin, senior technologist at Sophos, points out, modern-day surveillance generates enormous quantities of data – which must be secured. “If your government insists that third parties should routinely and by law collect identification data – as the UK does, for example, when you check into a hotel or try to rent a property – then it's not enough just to trust the government not to draw inappropriate conclusions from the data it's collecting,” he says.

The China incident highlights the risks associated with storing sensitive information, adds Javvad Malik, security advocate at AlienVault. Indeed, this is even worse when it’s something that can’t be changed, like your face.

“We see password databases getting breached on a regular basis, but whereas these can be changed relatively easily, changing a face, or other form of biometric isn't quite as straightforward,” Malik says.

He says companies responsible for storing such data must look at embedding security and privacy controls along every step of the process: “From development, to deployment, at the endpoint, the network and through to the servers.”

As governments and companies continue to collect large amounts of data – and facial recognition trials are happening on the streets and at concerts – users need to be wary. But it’s really down to those implementing facial recognition programmes, for whatever reason, to ensure the company processing that data is secure. If not, the consequences will be far-reaching and potentially devastating.