"Sweeping face": agree with the risk geometry by default

  Face recognition technology changes life application scenarios are widely spread, while risks coexist. The national standard has begun to solicit opinions from the society. Technical safety supervision is expected to be further regulated.

Citizens "brush their faces" at the supermarket to check out

  On April 9, the much-watched "face recognition first case" finally ushered in the final judgment after more than a year. The defendant Hangzhou Wildlife World was sentenced to delete the photos submitted by the plaintiff Guo Bing when he applied for the annual fingerprint card. In addition to the facial feature information inside, an additional sentence was added to delete the fingerprint identification information submitted by the plaintiff Guo Bing when he applied for the annual fingerprint card.

The "First Face Recognition Case" was finally dropped. In addition, at the previous "3·15" party, many well-known brand stores were "named" for installing facial recognition cameras to capture facial information without the consent of consumers. , Let "brush face" once again aroused the attention of the public.

  How should we manage the life-changing technology of "brushing face"?

How many scenes currently have the phenomenon of abuse of face recognition technology?

How many people recognize the risks?

Faced with the "blooming" face recognition technology, how should the public respond?

Recently, the reporter consulted the Guangzhou Municipal Market Supervision Administration. The other party said that consumers should read the terms clearly when signing contracts involving personal information, and they can make complaints and reports if they encounter disputes.

In response to this topic, the reporter visited different scenes in many places to investigate.

  Text, picture/Guangzhou Daily full media reporter Cheng Yilun, intern Li Yuan

  The reporter visited different places such as communities, shopping malls, campuses, office buildings and government centers where the face recognition system was installed, and found that most office buildings and communities will form a set of internal property management methods when they install the system. Most of them are internal processors, so they will not report; and users are usually "passive" about the collection of facial information. Among them, college students, corporate employees and other groups are seldom asked for personal wishes. In terms of collection, written forms will be used to protect users' right to know; at present, face recognition technology is the most secure in the field of financial payment, but its application and promotion are still relatively slow.

  Regarding the characteristics of face recognition technology, the current issues that the public are most concerned about and need to clarify include the following: Except for the necessary security application places such as roads, airports, banks, etc., whether there are applications in other places such as communities, office buildings, enterprises and institutions The necessity of face recognition technology; whether schools, hotels, parks and other places facing specific or non-specific objects have applied for approval before applying face recognition technology, and obtained the authorization of the personal information subject; who obtained the personal information data Responsible for monitoring, how it will be stored, disseminated, used, destroyed, etc.

  Fortunately, recently, the national standard of "Information Security Technology Face Recognition Data Security Requirements" is open to the public for comments, which also means that face recognition will soon have a clear "boundary".

"Face-brushing machine" enters campus and office buildings

Most people claim to be "accepted by default"

  As more and more universities and communities implement the construction of "smart campus", "smart classroom" and "smart property", technologies such as face recognition and big data collection have been introduced to universities and communities everywhere.

  In fact, the promotion of face recognition technology in colleges and universities has aroused attention a long time ago: Since 2018, Southwest University, Chongqing Jiaotong University, Peking University and other colleges and universities have successively used face recognition technology to achieve "face-swiping" registration, “Swipe face” access control, “swipe face” admission, etc., and colleges and universities have installed face recognition cameras in some pilot classrooms for daily attendance and classroom discipline management, trying to prevent students from playing mobile phones in class, skipping classes, and “signing in for classmates” "And other issues.

  In the education system, face recognition technology has certain advantages, such as eliminating phenomena such as "taking exams" and managing personnel during epidemic prevention and control; but how to use this technology and how to use it has also become a major issue.

Earlier, eight departments including the Ministry of Education issued the "Opinions on Guiding and Regulating the Orderly and Healthy Development of Mobile Internet Applications in Education". The "Opinions" pointed out that users must not be forced to authorize in disguise by default, bundling, or stop installation and use, and they must not be collected. Personal information irrelevant to the provision of services must not violate laws, regulations and user agreements, and must not disclose, illegally sell or illegally provide personal information to others.

When the reporter visited, they found that "default authorization" is more common.

  Take a university as an example. There are 5 facial verification pass machines from the front entrance of the teaching area to the northwest entrance of the dormitory building.

According to the staff, only face recognition can be performed on these machines, and campus cards cannot be swiped. Students in and out of our school use the "face swiping" method.

  Student Li, who majored in psychology at the school, told reporters that the “face-sweeping machine” was installed at the entrance of campus and dormitory buildings during the epidemic last year. In addition to these entrances that need to “sweep their faces”, students enter and exit libraries, dining halls and other places. Still swiping the card.

  Jiang, who majored in electronic information engineering at the school, said: “At that time, the school proposed that the reason for the full implementation of face verification was to facilitate temperature measurement and strengthen the management and control of personnel on campus, so we can understand, but at that time we did not obtain us in advance. He agreed, and did not centrally arrange face collection, but directly used the plane photos of the students at the time of enrollment to archive."

  The situation similar to the students also includes corporate employees. When interviewing a number of commercial office property centers in Zhujiang New City that have set up a face recognition system, the reporter found that few employees have the opportunity to express when faced with corporate requirements for “face-scratching” management. Willingness.

"Generally, faces are adopted on the APP, and there may be a user agreement asking whether you agree to be collected, but as an employee, when the company proposes to update the access control system for safety and epidemic prevention, there is no way to refuse." In an office building Li Mingshu at work told reporters.

  Citizen Lu Jie works in a game company. Since last year, her company has enabled face recognition for access control and attendance.

"At that time, the company was talking about system upgrades. At first, our attendance method was fingerprint punching in. Now we want to switch to face swiping and punching. Every employee is asked to blink, smile, and turn his head at the face collection device. Facial information is collected in the direction." Lu Jie’s company has nearly a thousand people. For the "face swiping" check-in method, the general response is that it is "faster, more convenient and clear at a glance." For the preservation and application of facial information, Security is guaranteed, but everyone has no bottom: "It is equivalent to the company having our fingerprints, faces and other personal information."

No need to report for internal "face brushing" equipment

Community residents' right to know is relatively guaranteed

  Is facial data collection only used for security?

Where is this facial information stored?

If the data is obtained by a third-party company, what responsibilities should the company or school bear?

Will the facial data be retained after students graduate and employees leave?

Whether the data is destroyed under the supervision of a third party... During the reporter's visit, it was discovered that most of the information subjects and the property or managers have "information asymmetry" on these issues.

  In interviews, many college students mentioned, “The equipment was introduced by the school, and the school should have its own set of management methods. Our personal information should be kept safe.” “The application of face recognition is not particularly widespread, even if it is true. If it is leaked, there should be fewer ways to make illegal profits."

Including whether the school will delete their facial information after graduation, the students also don't know.

  In contrast, the right to know about “brushing face” of community residents can be more protected, so they have more choice.

For example, Liede Garden. During the epidemic last year, the community installed a facial recognition card swiping machine. When the reporter visited several areas of the community, it was observed that there were few households using facial recognition. "form.

Ms. Lu, a tenant in District 5 of the community, and Ms. Wang, the owner of District 1, both told reporters that they had not received a notice from the property regarding mandatory facial information registration. Residents can choose to voluntarily go to open face authentication, "but We did not open it, mainly because it was very convenient to swipe the card." The reporter also learned that the reason why the community has not fully implemented face recognition is also due to the complex composition of people in the community, including not only the owners, but also short-term For groups such as tenants and foreign tenants, it is inevitable that there will be differences in cultural cognition during implementation, and information maintenance is also a significant cost.

  When the information about face recognition between the property and the residents in the community is “symmetrical”, it will help guide the residents to accept the face recognition access control.

The Jiayuan community where Mr. Huang lives is near the University Town. This is a residential area with more than one thousand residents. The majority of residents are college teachers.

For ease of management, the community has installed and used a face-swiping card all-in-one machine developed by a certain company since its establishment.

"Currently, about 70% of the households who have activated the face-swiping access control system, and 30% of them have not entered their personal information because they are worried about the leakage of their personal information, so they use the form of swiping their cards." The property staff of the community told reporters.

  According to the property staff, the residents of this community generally have a higher awareness of face recognition: “Although it is very convenient for us to enter information, we only need to provide an ID card and take a photo, but there will be some The owner came to the property center to inquire about our information storage methods and security, etc., we will tell the owner that the information is generally stored in the system and will not be uploaded to other places, let alone commercial. If the owner moves, you can ask us "Delete." Mr. Huang revealed, "This residence is mainly allocated to college teachers through a five-year contract, but in fact, few people remember to delete their facial information when they move out." According to the reporter, the community The nature of it is similar to that of public rental housing.

  Subsequently, the reporter also inquired about the property centers of other office buildings and communities.

Take an office building as an example. The property manager told reporters that for face access control, the property actually had a set of internal management methods.

The current face registration rate in the building’s own area is 97%, while the tenant area’s hiring rate is relatively low; the manager also revealed that because the face-swiping access control is used internally by the enterprise and internal processors are used, it is relatively “very safe”. There is no need to report to the government, only need to bid to install the access control, and the face information of the company's employees will not be uploaded to the outside world.

In addition, according to the property management process, if the staff in the building is going to leave, they can report to the superior department in advance, and then the relevant staff will notify the property to delete the face information of the leaving staff. “But the leaving staff themselves generally do not pay attention to this. We So far, there has been no request from individuals or departments to delete personal facial information.” The manager said.

"Face brushing" technology has instability

The internal network should also be used cautiously

  So, when companies, communities, and campuses use "internal LANs", can they guarantee the security of facial data storage?

Is the level of face recognition technology stable?

The reporter also visited this.

  Student Wang from the psychology department of a university visited by the reporter said that the biggest feeling the face recognition machine brought to her was the problem of "slow response".

She found that after installing a face recognition machine in the school, it was sometimes easy to block the entrance during the peak hours of school.

"On average, it takes three to five seconds for each person to swipe their face, and sometimes they may not get in for more than ten seconds; therefore, at the peak of get out of class, the security will open the side door and let it pass by checking the campus card."

  The property staff of Jiayuan Community revealed that he was most concerned about the problem of "equipment failure".

“Sometimes the card cannot be swiped in, sometimes the face cannot be recognized, and sometimes it is a direct strike. This may be related to the equipment provider, and has nothing to do with the system itself.” The property staff said.

"I believe that from the equipment side to the system provider, no one wants to have technical loopholes, but with so many chains in between, who can guarantee 100% security?" Teacher Huang said.

  In March last year, Professor Dongyan Lao of Tsinghua University Law School also raised objections when she modified the access control system in the community where she lived and asked the owner to scan the code to upload information such as faces: “Face recognition technology itself is unstable. Data protection needs to be continuously upgraded and updated. Does the community property have this motivation and cost to do it?"

  Subsequently, the reporter searched for face recognition access control on Taobao and contacted a famous brand in Zhejiang.

The merchant told reporters that their machine can enter and delete facial information without connecting to the Internet, and it can be used normally; but if you need to obtain personal information such as attendance status, check-in time, etc., it needs to be connected to the Internet. After the Internet is connected, the computer can be accessed from the machine. Export photos and upload them to the cloud.

This also means that although communities, universities, and enterprises use "internal local area networks", the collection of facial biometric data still requires caution.

  A staff member of an intelligent technology company told reporters that the company’s face recognition technology is currently mainly used in banks, public security, airports, customs and other scenarios, and generally cooperates with public security or competent agencies to provide technology and equipment services to Party A as Party B. , And will not directly cooperate with the community.

“We have previously worked with customers to create a new model of smart communities. Residents open the unit doors by brushing their faces. The purpose of brushing faces is to avoid illegal use of public rental housing and to protect the interests of low-income groups. The face-swiping machines used in communities are generally local Installed by the police station, public security bureau, or competent authority for actual population control, and the data will be stored in the local public security network or competent authority."

Market Supervision Administration: In case of dispute, you can call 12345

  Yesterday, the Guangzhou Municipal Market Supervision Administration stated that in accordance with the Consumer Protection Law, shopping malls and sales offices cannot illegally obtain personal information such as consumers' faces without the consent of consumers.

At the same time, it is reminded that consumers should raise their personal awareness and read the terms clearly when signing contracts involving personal information; in addition, in order to facilitate citizens’ complaints, if consumers encounter personal information rights disputes during the consumption process, it is recommended to call the 12345 hotline. Complaints.

Online "brush face":

"Pay with face" is relatively safe

Privacy policy still needs to be improved

  Compared with the large-scale offline application of face recognition technology, its online, especially in the field of financial payment, is somewhat "cold."

  Since 2018, Alipay, WeChat, and UnionPay’s cloud QuickPass apps have launched the "face payment" service. Now three years later, the service has basically blossomed.

The reporter opened Alipay’s “face-swiping settings” to search for stores near Huacheng Square that support “face-swiping payment”. There are 98 stores within 1 km, covering convenience stores, milk tea shops, vending machines, board game shops, beauty salons, Fast food restaurants and so on.

  "But currently, less than 20% of people use facial recognition to pay." When the reporter asked the staff of a number of convenience stores, the other side said.

Even in the vicinity of South China University of Technology and the high-end office buildings in Pazhou, which have a high degree of technological acceptance, "face payment" is still "received."

The reporter saw that even at lunchtime, there were long lines in the manual payment area in the convenience store, but few people were interested in the smart "face-swiping" device on the side.

"Mainly I still feel that the security of face payment is not very high." A 25-year-old IT staff told reporters.

  Subsequently, the reporter and his companions tested the "face-swiping payment" service in the mall. Since the last four digits of the party’s mobile phone were required to be entered at the same time as the "face-swiping", only when the "face-swiping person" matched the mobile phone number. In order to pay successfully.

"Although the facial brushing service is used less, there has been no mistake so far," the staff told reporters.

  However, this does not mean that online face recognition technology is more "stable" than offline.

In February of this year, the AI ​​team of Tsinghua University Artificial Intelligence Research Institute, Ruilai Smart Company, generated "confrontation glasses" (using AI algorithms to generate special patterns, customizing special "glasses" in the adult face triangle), and in less than 15 minutes Time to crack the face recognition system on 19 different models of mobile phones, the average time for each phone to crack is less than 1 minute, and the only one that has not been cracked is an iPhone 11 mobile phone equipped with a 3D face recognition system.

  In addition, the reporter found that many apps did not separately ask for user consent before opening the facial recognition function, and most apps did not highlight the collection of facial recognition and other information in the privacy policy, but combined the facial information with the general Personal information is collected by obfuscation; in addition, many clauses do not mention what kind of special protection measures the APP will take to face information, nor does it clearly indicate the specific information of third-party technology companies that support face recognition technology, including the name And qualifications.

  But there are also some APPs that will launch special agreements for the "face-swiping payment" business, such as Industrial and Commercial Bank of China, Alipay, etc. Among them, Alipay also launched the "face-swiping classroom" video science popularization.

expert:

3D face recognition technology is safer

It is recommended to officially set up a data center

  Ma Zhaoyuan, assistant to the dean of the Shenzhen International Graduate School of Tsinghua University and a physicist, believes that the safety and stability of face recognition technology cannot be generalized. Due to the different technical levels of different companies, the safety and stability of face recognition products will also be improved. difference.

"For example, Alipay's face recognition technology combines multi-factor verification technologies such as eye patterns, and its accuracy can reach 99.99%; but some face recognition access control devices without live detection technology are vulnerable to attacks." Ma Zhaoyuan said.

  However, the face recognition access control machine can only perform relatively simple face recognition algorithms because of the limited computing power of its terminal equipment. Coupled with the change of outdoor light and the complex background, it is easy to cause misidentification.

For example, the main reason for the successful case of brushing face by printing face is that the system's living body detection technology is not ideal.

"Currently, face recognition algorithms mainly identify pictures. The device collects faces through the camera, and loses depth information. It cannot distinguish whether it is a picture or a real face in front of the camera. Therefore, it is necessary to prevent such attacks through live detection technology, such as by requesting Recognize people to make specified actions (blink, shake their head), use a 3D camera to obtain 3D images of human faces, etc." Ma Zhaoyuan explained, and it is worth noting that in the previous test of Ruilai Smart Company, the iPhone 11 mobile phone that failed to be unlocked was unsuccessfully unlocked. It is equipped with 3D face recognition technology, which also means that compared with 2D face recognition technology, 3D face recognition technology is more secure.

  In addition, Ma Zhaoyuan introduced that the speed of the facial recognition system will also be affected by many factors.

For example, the amount of face data in the database will affect the amount of comparison calculations, thereby affecting the overall recognition speed; whether the face database is local will also affect the overall recognition speed, etc. Therefore, many companies will combine real-time and real-time and Ease of use can be adjusted, "No face recognition system can be 100% correct. Therefore, in some application scenarios where the face database is large and the loss caused by incorrect recognition is greater, more people need to be collected. Face information, in order to ensure the accuracy of recognition, the speed of this type of recognition system is relatively slow; and the face database such as enterprise attendance is relatively small, even if the loss caused by incorrect recognition is not large, it is real-time and easy to use. For scenes with high sexual requirements, only partial information such as the eyes can be extracted to achieve satisfactory results, so the recognition speed is also faster. In addition, the face recognition network optimized for specific scenarios such as'wearing a mask and revealing only the eyes', etc., It can also improve the speed of face recognition in this scene." Ma Zhaoyuan said.

  When the reporter interviewed Yuncong Technology Co., Ltd., the other party also revealed that the company's current technical support is mainly to use multi-party secure computing technology, to store data in a distributed manner, and to operate intelligently in an encrypted environment to achieve the effect of interconnection and non-disclosure.

"At the same time, the human-machine collaborative operating system will adapt different algorithm technologies according to the scenarios of different modules. For example, the mobile phone of the bank requires a lightweight model, which requires fast running speed and small model size; while the public safety scenario requires algorithmic requirements. It has strong anti-interference ability against weather, day and night, and dynamic blur. The accuracy requirements usually depend on the customer, and the customer can adjust the recognition accuracy according to different threshold settings."

  How to better develop human face recognition technology specifications?

Cloud from science and technology proposed that the best solution is to set up a shared data center led by the government to form a benign system, led and supervised by the government, with the participation of core enterprises; secondly, the use of technologies such as multi-party secure computing to ensure data security and Desensitize the data; the last is the issue of standards and access efficiency.

It is recommended to establish a system of regional standards, industry standards, national standards, and even international standards, take advantage of Guangzhou's artificial intelligence application advantages, and take advantage of the industrial advantages of pilot zones and pilot zones to allow core enterprises to intervene in standards.

lawyer:

National standards have begun to solicit opinions

Understand the "three principles" when the face is collected

  The security and stability of face recognition remains to be seen, and more attention needs to be paid to whether Party A fully guarantees Party B’s right to know during the process of collecting face recognition information.

  In response, the reporter interviewed lawyer Chen Huai of Jinqiao Law Firm.

Attorney Chen said that face information is a personal core privacy and also personal sensitive information.

Therefore, when a user is collecting facial information, it must be collected only after the right holder's "explicit consent" or based on the needs of the public interest.

Attorney Chen revealed that to determine whether the community or school is collecting public safety, you can see whether there is a similar sign that says "You have entered the public safety recognition area" is posted next to the face recognition machine.

  Lawyer Chen suggested that citizens who want to know whether communities or companies require households or employees to enter facial information comply with the regulations, according to three principles-legal, justifiable, and necessary.

That is, whether the purpose of collecting facial information by the community or enterprise is legal (if there is no report), necessary (is there any other management measures besides facial recognition), and justified (whether to obtain the explicit consent and authorization of the personal information subject, which expressly indicate It includes informing the main body of the purpose of the information/specific content/deleting time, etc.).

  In addition, according to Lawyer Chen, under the influence of the Guo Bing case, Hangzhou has therefore become the first city in the country that explicitly prohibits compulsory face recognition on properties in the property management regulations. Since New Year’s Day this year, Tianjin has also begun to prohibit face collection. To identify information, it is stipulated that enterprises, institutions, industry associations, and chambers of commerce prohibit the collection of biometric information such as faces, fingerprints, and voices; in January this year, the Guangdong Provincial Procuratorate also deployed the provincial procuratorate to carry out personal information protection for the collection and identification system of human biological characteristics In March, the Jianghai District Procuratorate of Jiangmen City held a public hearing on the illegal installation of the "face information recognition" access control system in residential communities in the jurisdiction. Participants believed that the "face information recognition" access control system was installed in the residential communities in the jurisdiction in violation of regulations. The risk of divulging personal information is suspected of infringing upon the legitimate rights and interests of an unspecified number of people.

  What's more gratifying is that on April 23, the draft of the national standard "Information Security Technology Face Recognition Data Security Requirements" began to solicit public opinions from the public.

The formulation of the national standard is mainly to solve the problems of abuse, leakage or loss of face data, as well as excessive storage and use, and is suitable for data controllers to safely carry out face recognition data-related business.

The reporter noticed that there are the following highlights in the draft opinion:

  For application scenarios, the national standard requires that only when the security or convenience of non-face recognition methods is significantly lower than that of face recognition methods (such as airport, railway station, etc.), face verification or human face verification can be carried out. Face recognition; face recognition data should not be used for purposes other than identity recognition, such as evaluating or predicting the data subject’s work performance, economic status, health status, preferences, interests, etc., and should provide other than face recognition The identification method is for the user to choose, and the data subject should not be denied the use of basic business functions because the user does not agree to the collection of face recognition data;

  In response to express consent, the national standard requires that when collecting face recognition data, the data subject should be informed of the collection purpose, data type and quantity, processing method, storage time and other rules, and the data subject's express consent should be obtained;

  In the technical field, the national standard also requires the qualifications of companies or developers that perform face recognition. They need to have corresponding data security protection and personal information protection capabilities to prevent face recognition from being illegal by means of "live photos". Cracked.