Face recognition is a kind of biometric identification technology based on human facial feature information. With the development of artificial intelligence technology, face recognition technology has developed rapidly. In 2020, due to the precise control of people’s entry, exit and visit during the COVID-19 epidemic, face recognition technology has been rapidly extended to various scenarios of social governance; at the same time, personal information such as phone numbers and ID numbers have been widely collected. In order to grasp more accurate user personal information and implement more demanding risk control, more and more app operators put forward the requirements of face recognition in various scenarios. As the most sensitive type of “personal biometric information” in personal information, facial information should be the object of focus and protection. The newly revised GB/T 35273-2020 “Information Security Technology Personal Information Security Specification” issued by the National Information Security Standardization Technical Committee (TC260) also puts forward “enhanced” requirements for the protection of biometric information such as face information.
During the “two sessions” in 2021, a number of delegates submitted proposals around the issue of face recognition, and put forward suggestions such as application approval, legal review, subject voluntary, legal crackdown, special governance, and industry self-discipline. In real life, in order to prevent the face information from being collected by the sales office, some people “wear a helmet” to see the house. More and more communities and buildings use disguised “coercion” methods to implement the phenomenon of brushing the face to open the door. Hot search. The issue of face information collection has aroused strong concern in the whole society, and people have questioned whether face information can be effectively protected. As an important channel for face collection, whether apps have fulfilled the basic principles of legal, legitimate, and necessary personal information collection. A survey of some service apps such as smart access control systems, online shopping, and intra-city services shows that these apps are collecting face information. There are mainly problems in this regard, and at the same time, some apps also provide better implementation solutions in practice, which can be used for reference by peers.
1. App collection methods and scenarios of facial information
During the function operation or registration process of the app, due to business needs and compliance requirements, the following two methods are usually used to request users to collect face information.
(1) Direct collection of face photos
The app registers by directly collecting the user’s face photo and associating the real-name identity of the individual, so as to meet the functional requirements for identification. After the smart access control app confirms that the user is a community resident offline or collects the user’s real estate certificate, the user is required to upload a face photo online, which is used to compare the face when the door is opened. ID card photo, using image recognition technology to extract identity and photo information to verify the user’s identity. The face information collected in this way is closely related to personally identifiable information, and once it is leaked, it is easy to be maliciously used by others.
(2) Face-swiping in vivo verification
Through its embedded face recognition software development kit (SDK) or calling related data interfaces, the app uses motion commands, near-infrared face, 3D face and other live detection methods to verify the authenticity of the user’s identity. When online shopping apps open a store or confirm payment when the order amount reaches a certain amount, intra-city service apps withdraw cash or publish housing information, and financial apps bind bank cards when users withdraw, borrow, transfer, and pay, they will be available in the mall. In scenarios such as the first credit payment, the real identity of the user may be verified by face-swiping biometric verification. The face information collected by this verification method is more comprehensive, and it can verify the authenticity of the user while confirming that it is a real person or a living body.
2. Analysis of collection and use problems
According to the “Approval Method for the Illegal and Illegal Collection and Use of Personal Information by Apps” and the relevant requirements of GB/T 35273-2020 “Information Security Technology Personal Information Security Specification”, it can be found that there are irregularities in the collection and use of face information by the App, and the security risks are relatively high. many. In general, there are six problems.
(1) Trick users to provide face information
Some apps collect user face information on the grounds of real-name authentication, but do not verify the authenticity after the user provides relevant information. The test found that when user A uses his name, enters user B’s ID number, or user C’s face information for real-name authentication, the real-name authentication system shows that the authentication is successful. The reason is that the App needs to pay a certain fee when calling a third-party interface to verify the authenticity of the user’s identity. When the data reaches a certain amount, it is a considerable expense for the operator, because there is no real To meet business needs, a false real identity verification function is proposed to deceive users with real information; second, due to the potential commercial value of data, operators use real names to obtain more personal information for future business expansion needs or to enhance security risk control. Authentication requirements trick users into providing facial information. This practice of “misleading users to agree to the collection of personal information by fraud, deception, etc.” can be identified as the second category in the “Approval Method for Illegal Collection and Use of Personal Information” (hereinafter referred to as the “Determination Method”). Collection and use of personal information without user consent”.
(2) Unsafe transmission and storage of face information
(3) Collection of face information beyond the scope
Article 41 of the “Cyber Security Law” stipulates that “When collecting and using personal information, network operators shall follow the principles of legality, legitimacy, and necessity, disclose the collection and use rules, and expressly state the purpose, method, and scope of the collection and use of information. And with the consent of the person being collected”, the “Recognition Method” also identifies the behavior of “frequently soliciting user consent and interfering with the user’s normal use after the user expressly disagrees” as “collecting and using personal information without the user’s consent”. Some apps force users or use frequent interruptions to induce users to use the face recognition function without the authorization of laws and regulations, or without involving social public interests or major personal interests. For example, when registering, binding a bank card, etc., it is mandatory to enable the face recognition function, or other payment channels are hidden, and the face recognition function is repeatedly reminded every time an order is paid. Using face information as necessary information for binding bank cards and online payment, and forcing users to provide it, is a disguised form of collecting personal information beyond the scope.
(4) The rules for processing face information are unknown
Article 29 of the “Consumer Rights Law” requires that “Business operators who collect and use consumers’ personal information shall disclose their collection and use rules, and shall not collect or use information in violation of laws, regulations and agreements between the parties.” The “Personal Information Protection Law (Draft)”, which was publicly solicited in October 2020, also uses the “notification-consent” rule as a fulcrum, and clarifies the general rules for consent to the processing of personal information, that is, consent must be voluntarily, under the premise of full knowledge. made explicitly. Some apps do not clearly inform the purpose, method and scope of collecting face information in their privacy policies or when reminding users to enable the face recognition function. Since the state’s requirements for the online real-name system do not apply to all business functions in all industries, merely stating “real-name authentication” cannot be a reasonable reason for collecting personal information or even sensitive personal information. When some apps collect face information for real-name authentication, they should clearly state or quote the terms and requirements of national laws and regulations and industry management measures, while most apps generally describe the purpose of real-name authentication as “According to laws, regulations and supervision. Requirements” and “relevant regulations” are suspected of playing a policy borderline and generalizing policies and regulations to require collection of personal information beyond the scope.
(5) Retaining face information over time
Article 43 of the Cybersecurity Law stipulates that network operators shall collect and use their personal information in accordance with the agreement between the two parties. The face information collected on the grounds of real-name authentication is uploaded to the server. It should be used in accordance with the real-name authentication function agreed with the user, and the third-party interface is called to compare the real identity. After the purpose has been achieved, the original image will be deleted. Many apps do not indicate that this information will be deleted after completing the corresponding function during real-name authentication. In practice, most operators will retain this information. When national laws and regulations put forward storage requirements, a full impact assessment should be made on the security of the enterprise’s personal information to ensure that the system information protection mechanism meets the corresponding requirements.
(6) Lack of protection of user rights
The protection of the user’s right to withdraw consent is an important part of personal information protection. Article 47 of the “Personal Information Protection Law (Draft)” stipulates that when an individual withdraws consent, the personal information processor shall delete it voluntarily or at the request of the individual. Personal information. Most apps do not provide users with a mechanism to choose to delete face information. Once users activate face recognition, they cannot withdraw their consent to face information alone. Unless you give up all rights and interests in the account, all personal information including face information can be deleted by canceling the account. Some apps have added unreasonable “overlord clauses” to the service agreement for enabling the face recognition function. For example, “there is no guarantee for the accuracy of the identity of the user who has completed the authentication”, “the user agrees to irrevocably authorize the app operator to retain the information submitted during the authentication”, “the app operator has the right to not share the authentication information with a third party. provided directly by informing the user”, etc.
3. Good practice in the application of face recognition technology
In addition to the above problems found in the trial test, it was also noticed that some apps provided good practices in terms of security and user rights protection when collecting face information.
One is to directly use the face recognition function provided by the mobile terminal device. For example, the face information is encrypted and stored in the hardware of the mobile terminal device. When using functions such as face-swiping payment, the server does not return the face information. The comparison of the face information is completed on the mobile terminal, and the server only receives the terminal. Device verification results.
The second is to provide users with the function of deleting face information individually. For example, when the user chooses to turn off the face-scanning and unlocking service, the access control app is deemed to no longer use the service, and the operator promises to delete the face information collected by the service. If the user applies for the face recognition service again, the face information needs to be collected again.
The third is to use face recognition as an optional method for users to choose freely. For example, in addition to supporting face recognition to open the door, access control apps can also provide various methods such as mobile phone call to open the door, password to open the door, and access control card to open the door, which not only guarantees the convenience of life, but also provides a choice for users whether to give up personal information in exchange for a convenient life. right.
4. Compliance Suggestions on the Collection and Use of Facial Information
The “controversy” of face recognition has always existed from its first appearance to its gradual promotion and application. In fact, this is also the situation that every new technology and new application has to face. With the continuous awakening of netizens’ awareness of personal information protection, the protection of security and privacy has gradually become the primary concern before people decide whether to try new functions. Network operators rely on freshness and convenience alone. attractive. Only by effectively solving the security problems of face recognition can we make the road of face recognition applications go wide, far and steadily.
In addition to the above problems in the collection and use of face information by apps, there are also many problems in real life, such as collecting face information through smart cameras without the user’s consent. The “Face Recognition Application Public Research Report (2020)” shows that more than half of the surveyed netizens gave the judgment that “face recognition technology” has a tendency to be abused. Facial information is extremely sensitive personal information, which is closely related to personal interests. Once leaked, it cannot be changed and needs to be fully paid attention to by all parties.
For regulatory authorities, firstly, it is necessary to improve the compilation of laws, regulations, and standards related to face recognition and real-name authentication as soon as possible, clarify the requirements for collecting face information by application scenario, and provide direction and operation guidelines for operators to comply with the regulations; The second is to establish an approval system for the application of face recognition technology to a certain scale, review its legality, legitimacy and necessity, and crack down on illegal abuse and non-compliant installation and use of face recognition technology in accordance with the law; the third is to strengthen face recognition technology , the detection and certification of the security of related information systems and terminal equipment, promote the continuous improvement of the maturity of face recognition technology, and prevent the forgery, fraudulent use, leakage and loss of face information.
For operators, they should focus on: 1. Clearly evaluate the necessity of using face recognition technology, and do not give priority to using face recognition technology for personal identification if it will not affect major personal interests or social public interests. Accuracy verification; 2. It is not appropriate to set face recognition technology as the only means of identity verification, and users should not be forced or frequently recommended to activate related functions based on face recognition; , and establish strict internal management measures, delete original samples such as face pictures, only store face information abstracts, and store them separately from user identity information to prevent face information from being abused and illegally provided to third parties.