Facial recognition takes off in China, leaving regulators to play catch-up
18 November 2019, by Xu Yuan
From entertainment to payment services, facial recognition technology is gaining popularity in China and has been adopted by both state law-enforcement agencies and commercial practices. Yet regulation of the technology’s serious security implications has been slow to catch up.
It’s a reality that has been brought to public attention through a recent lawsuit, filed by a university professor against a local zoo in the Chinese city of Hangzhou.
The court action, believed to be the first in China to consider the use of facial recognition, is examining the use of the technology at the park entrance. The lawsuit has sparked discussion on how far the use of facial recognition should go and what legal liabilities should be associated with it.
The case has revealed how, in contrast with other cybersecurity issues such as data protection and network security, the regulation of facial recognition, in terms of both formulating regulations and enforcement action, has lagged since China’s Cybersecurity Law came into effect in June 2017.
But that could be about to change, with indications that regulators are now preparing to take on the challenge posed by the use of facial recognition.
Earlier this year, a Chinese app called Zao became instantly popular on social media for swapping celebrities’ faces in famous movie clips with the user’s own. But it was Zao’s wide-ranging data collection and usage terms that triggered a public outcry.
The company that owns the app — Momo — was soon reprimanded by authorities and ordered to modify its practices.
At the annual World Internet Conference in October, a group of more than 60 Chinese banks and financial institutions together launched a facial-recognition-based payment tool. Before this, it had already been possible to pay by scanning one’s face on payment apps developed by Alibaba and Tencent.
But the technology wasn’t limited to commercial use and has since been widely adopted by Chinese security agencies for governance purposes.
In fact, the Chinese state now appears to be encouraging private enterprise to use facial recognition. Most recently, the Ministry of Industry and Information Technology, China’s communications regulator, issued a notice requiring telecom companies to use the technology to verify mobile users’ identity for new Internet-access registration, starting from December.
Policy and consent
This rapid development has generated some concerns. Officials from the People’s Bank of China, the country’s central bank, have warned that facial recognition shouldn’t be the only means of verification for payment because facial features amount to extremely sensitive personal information.
In what is seen as a first step on the part of regulators, the central bank has been urged to come up with regulation and technical standards on the use of biometric information for payment.
Concerns over the security of how information about one’s facial features is gathered and stored appear to be closely associated with this nascent regulatory push.
Existing regulations have covered the protection of facial features. For example, there’s the Personal Information Security Specification, a set of widely-applied regulations on collection and processing of personal data.
Under this regulation, biometric information, including facial features, is categorized as personal sensitive information, so the collection and processing of such data requires a higher level of security action.
However, collection and processing of personal information are not subject to consent rules for the purpose of national and social security, public interest or the investigation of criminal cases.
There are no independent regulations on the adoption of facial recognition, targeting general use or practices in a specific industry. There are also no restrictions on what scenarios allow the use of facial recognition.
As public awareness increases, both regulators and technology companies are stepping up efforts to guarantee security when adopting facial recognition.
According to a white paper recently published by a Chinese think tank associated with the communications regulator, the National Information Security Standardization Technical Committee, a standard-setting body known as TC260, is now working on security requirements for online verification systems using facial recognition.
The China Communications Standards Association is also working on regulations for the use of facial recognition in mobile smart devices, the white paper says.
Major Chinese technology companies, including Baidu, Alibaba and Huawei, are already implementing a higher level of security measures for sensitive data including biometric information, with tools such as encryption, according to the report.
For example, a Huawei security expert has publicly said the company has reduced the risk of biometric data being leaked by not uploading such data onto cloud computing platforms.