Chinese Facial Recognition Leak Exposes 2.5 Million People
Facial recognition and personal data of over 2.5 million Chinese citizens was exposed by an unsecured facial recognition database. The data was being stored by SenseNets, a Chinese company that specializes in artificial intelligence and facial recognition. The exposed data includes ID card number, 24 hours of individual’s location data, gender, nationality, address, pass photo, birthday, and employer.
The data leak was discovered by Dutch cyber security researcher Victor Gevers, an employee the GDI Foundation. Access to over six million records that contains the whereabouts of over 2.5 million people is a treasure trove for hackers. It’s also is a reason to be wary of facial recognition applications.
How Does Facial Recognition Work?
Facial recognition is any system used to recogn human faces using biometrics and other technologies. With facial recognition, facial features are mapped from photographs and videos and stored in a database. When used for identification, the information in the database is compared with real time scans of crowds that are analyzed for facial texture and shape patterns. The goal is to match a known person in a database with someone on the street.
Critics of facial recognition caution that the accuracy of facial recognition systems is lower than the accuracy rates of other biometric systems like iris recognition and fingerprint recognition. However, facial recognition is accepted because it is contactless and considered non-invasive. Still over 400 banks in China are using facial recognition including the Bank of China and China Merchants Bank.
How Hackers Use Facial Recognition Data
Hackers can use the personally identifiable information in the database and especially the location data to establish fake identities. It is possible to combine data from multiple breaches to when you have something in your dataset like national identity card numbers. Hackers can then construct complex identity profiles of victims. Armed with millions of records on real people, they can open up lines of credit, banking relationships, and hack at other login credentials.
What is SenseNets?
SenseNets is a Chinese company based in Shenzhen. SenseNets makes artificial intelligence-based security software systems for face recognition, crowd analysis, and ID verification.
China uses facial recognition for policing citizens, to control certain sects of its population, to track people’s whereabouts, as well as to predict crime. The most worrying loss is the leaked location data. Governments tracks citizens under the guise of keeping its cities and people safe but there are ulterior motives. Of course, if the data falls into the wrong hands, it can be used by government agencies, hackers, spammers, all without people’s knowledge or consent.
Apple, Facebook, and Amazon all have their own facial recognition platforms. but the China leads the way in development and deployment. Chinese firm CloudWalk Technology is a Guangzhou-based developer of facial recognition software with the largest global market share of 12.88% as of 2017. Britain’s Aurora has 4.18% of the facial recognition systems followed by Insigma Group again in China with 3.31% of the market.
Another Chinese facial recognition firm, SenseTime, can detect age, identity, and assigns people an attractiveness score. Their software can be used by police to match automobile tags and drivers’ information.
The Chinese Ministry of Public Security is already working on the implementation of surveillance system that will cover public areas in the country. The Chinese police use facial recognition glasses that check identities against lists of suspects. Some Chinese schools use facial recognition to track attendance and even to monitor who is paying attention in class.
In Shenzhen, facial recognition is deployed at pedestrian crossings to deter jaywalkers. People who jaywalk (cross a street other than at a designated crossing point) are identified with biometrics. The image of the offender is displayed on a nearby video screen and they are also issued a fine.
The United States Uses Facial Recognition Too
The United States has amassed a database of millions of Americans and uses it to match travelers. U.S. Customs and Border Protection (CBP) has it own Biometric Entry-Exit Program and conducted a pilot program at nine US airports. Facial recognition matched 98% of traveler’s identities at airport departure gates. The test was not without issues though. The system experienced challenges and was only able to confirm 85% of all passengers processed due to poor network connections, staffing issues, and compressed boarding times because of flight delays.
Matching people with their identities in real time is one of the largest obstacles for facial recognition systems as the computing power causes time delays. The algorithm capacity of the fastest servers isn’t enough to process data from thousands of cameras capturing hundreds of millions of people at any given time. CBPs facial recognition system also has issues with certain age groups and nationalities.
The Delta Airlines operates the first fully biometric airport terminal at Hartsfield-Jackson Atlanta International Airport. Facial recognition is used to identify international passengers and speed up the security screenings by reducing the number of times passengers must present documents during check-in.
Opponents of the system site privacy concerns and informed consent issues. The CBP claims its policy is to remove airport photos of U.S. citizens from its system once their identities have been confirmed. However, this does not explain how they obtained the photos to match for facial recognition in the first place.
Both the UK and US are starting to use facial recognition to identify criminals despite the lower accuracy rate issues. British police used facial recognition to scan Christmas shoppers in 2016 and 2017. However, Amazon investors are trying to prevent the company from selling its facial recognition technology to government agencies.
China already has a social credit scoring system to determine citizens’’ privileges and status based on behaviors and reporting from acquaintances.
SenseNets has now protected the database by placing it behind a firewall.
Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers