It isn’t easy to live in China without giving away one’s facial data to commercial entities — from mobile payment platforms to government health code programs on the ubiquitous messaging app WeChat and even some gaming sites, numerous apps and platforms require real name logins and photos of any prospective user. Yet as Chinese journalists have found, commercial facial recognition data is not as secure as you would expect it to be — not secure at all.
According to a Xinhua report, bundles of personal identity data are sold for as little as 0.5RMB (0.07USD) apiece on the Chinese black market. “20,000 sets in total. No bargains,” one vendor was quoted as offering. The information typically includes photos of individuals holding their national ID cards (shenfenzheng) — which internet companies in China often request from users to verify their identities.
Such sales are often advertised not on the Dark Web, however, but openly on ecommerce marketplaces such as Taobao and Xianyu. While most major platforms filter keywords that refer to illicit sales and insist they are making regular efforts to stamp such sales out, buyers have traditionally managed to find workarounds using homonyms and acronyms. Actual sales are also often conducted away from these marketplaces to avoid attention, for example on instant messaging apps such as WeChat or QQ.
Nowadays, fewer internet companies rely on shenfenzheng mugshots for authentication purposes because they are vulnerable to hacking. Instead, apps now tend to ask users to record themselves performing certain actions — such as nodding or blinking — which are more difficult to replicate. Yet the report also found black market vendors selling emulators which, in their words, “animate” two-dimensional photographs, turning visuals into videos that fool authentication protocols. Such a package, which is 20 gigabytes in size, costs as little as 35RMB and comes with a tutorial, according to the report.
Faces aren’t private per se, but the information that comes with them — phone numbers, bank accounts, or ID cards — is. Vendors have told Xinhua reporters that with these tools, one can hack into frozen WeChat and Alipay accounts as well as profiles on dating sites.
A group in eastern China’s Zhejiang province was recently found guilty of fraud after it was discovered they had illegally obtained more than 2,000 pieces of data to create 547 Alipay accounts since 2018, all of which were verified with face recognition to collect the payment platform’s sign-up bonuses.
The issue has been something of a hot topic in China recently. After Guo Bing, a law professor in Hangzhou, purchased an annual pass to his local wildlife park, it installed a face recognition system that scans visitors’ faces upon entry. Guo argued that this had been done without his consent and when he was refused a refund, he sued. His case — the first in the country pertaining to the privacy of face recognition data — was heard in June, although the court has yet to provide a final ruling.
Such stories have caused outrage online, with many voicing concern over how such data is being used and stored.
China’s new civil code, which will go into effect next year, outlines the protection of biometric information, including fingerprints, voiceprints, iris, and facial recognition features. Yet written laws are only the first step, as implementation and enforcement will prove much more difficult.