Turning on his mobile phone, Chen Kuan, a Shanghai citizen, found that there are too many apps that need face recognition every day.
"From mobile banking apps to shopping software, from makeup apps to game anti-addiction... After a day, your face will be scanned more than a dozen times."
In this regard, Chen Kuan is quite worried: "Although some apps use face recognition for usage needs and security considerations, they do not give us the right to refuse to use it. Is this an abuse of face recognition technology? The application of face recognition technology is becoming more and more widespread, will it lead to the leakage of personal information?"
Chen Kuan's worries were not without reason.
The "Rule of Law Daily" reporter learned that face information is immutable and unique biometric information, which is easily stolen, used or synthesized by criminals to crack the face recognition verification program and infringe on privacy, reputation and property. The cases that have been triggered are not uncommon.
So, why do many mobile apps use face recognition technology?
How to prevent the technology from being abused during use?
Recently, the reporter conducted an interview.
Face recognition is widely used
Personal information is at risk
If you want to know the details of this month’s bills, you must first verify your identity by swiping your face; when you enter the subway station, you don’t need to scan the code or buy a ticket, you can enter the station and take the train; It was found that traces of face recognition can be found in many types of apps, from finance, e-commerce to travel, and Meitu entertainment.
In February 2022, some media conducted a survey on issues related to face recognition technology. Judging from the frequency of use, more than 90% of the participants in the survey will use face recognition technology in their lives and work.
Among them, 44.95% of the participants in the survey often use it, and 48.88% of the participants in the survey use it occasionally.
The survey also mentioned that since the implementation of the Personal Information Protection Law, nearly 40% of the respondents believe that the abuse of face recognition technology has improved.
However, the reporter found that among the apps that support the face recognition function, there are still some apps that do not have a clear face recognition usage agreement, and the user's consent has not been obtained for the face recognition function.
In the user's personal privacy policy, although the collection of information such as face recognition is included, some apps do not highlight it in form, so that users clearly realize that biometric information such as face information is collected, but "face information" Confusing with general personal information such as name.
The reporter selected 10 popular consumer finance apps for personal information protection compliance testing, and found that many financial consumer apps provide separate authorization pages and set up proprietary rules for face recognition functions, but some apps also use face recognition A separate consent is set to the same authorization as the camera function.
In addition, some apps use the method of "no service provided if you don't click to agree to face recognition" to forcibly collect users' personal information.
The "Face Recognition Application Scenario Compliance Report (2021)" (hereinafter referred to as the "Report") released by the Narada Artificial Intelligence Ethics Research Group shows that it has evaluated and analyzed the compliance status of 20 mobile face recognition applications, of which Sixty percent of the apps with face recognition functions do not have separate face recognition rules. Many App face recognition rules do not inform the storage time limit or location, and only 6 apps mention the storage of face information.
The "Report" also shows that among the 20 apps, 16 have implemented information encryption and transmission encryption for personal information, and another 4 entertainment special effects apps have problems.
For example, the "AI face-changing" function of an app can generate a face-changing video by uploading photos by users, and then selecting a video template.
But without encryption, links to users' face-swapping videos are publicly accessible.
This means that the face-changing video may be obtained by anyone, and there is a risk of personal information leakage.
"The emergence and application of face recognition technology has greatly improved the efficiency and accuracy of user authentication, thus gradually replacing traditional passwords, verification codes and other authentication methods, and has been widely used in financial payment, transportation, access control and attendance and other fields. It has been widely used.” Li Dongfang, a lecturer at the Law School of Inner Mongolia University, told reporters that currently there are no special prohibitive provisions in laws and regulations for the use of face recognition technology in apps, but it cannot violate the relevant provisions of current laws and regulations.
Li Dongfang said that the storage, transmission, analysis, transfer, and deletion of such sensitive personal information should also meet more stringent requirements. For example, the National Information Security Standardization Technical Committee issued the "Information Security Technology Face Recognition Data Security Requirements, etc., to effectively protect the security of personal information.
According to Hu Peng, a partner of Shanghai Yingdong Law Firm and a consultant of the Swiss-China Law Association, face recognition is sensitive personal information. Personal information processors can only process sensitive personal information under the circumstances of measures.
Both the Civil Code and the Cyber Security Law also stipulate the "minimum necessary principle" for collecting and processing personal information.
Once face information is leaked
Vulnerable to personal rights
"In daily life, face recognition technology does have unique advantages. However, once face information, which is sensitive personal information, is leaked or used illegally, it may easily lead to the infringement of the personal dignity of natural persons or the harm of personal and property safety. It is worthy of vigilance." Li Dongfang said.
On December 7 last year, the Supreme People's Procuratorate released five typical cases of legally punishing citizens' personal information infringement crimes, one of which was Li's use of the "face value detection" software to infringe on citizens' personal information.
It is understood that Li is a software developer of a certain Internet Technology Co., Ltd. He published the "face value detection" software he made on a certain forum for free download and installation by netizens. In this way, he stole 1,751 photos from the installer's mobile phone album. Contains more than 100 pieces of citizen personal information such as face information, name, ID number, contact information, and home address.
So, how can we prevent the abuse of face recognition technology?
In July 2021, the relevant person in charge of the Supreme Law answered reporters' questions about the judicial interpretation on the trial of civil cases related to the use of face recognition technology to process personal information. made.
In particular, the processing of face information cannot contain any compulsive factors.
Relevant judicial interpretations stipulate that the behavior of information processors to process users' face information by means of not individually seeking user consent, forcing face scanning, etc., will be deemed to be an act of infringing on the personal rights and interests of natural persons in relevant civil litigation cases.
"The above regulations protect the rights and interests of users in the application of face recognition technology to a large extent. But the reality is that in many scenarios where face recognition technology is abused, users are often forced to accept it, and most of them will not bring it up. Litigation, to protect their legitimate rights and interests." Li Dongfang believes that how to further refine the relevant regulations requires more thinking by legal researchers and legislators.
Zhu Wei, deputy director of the Communication Law Research Center of China University of Political Science and Law, said that face recognition is not only related to a person's appearance, but also related to personal property information, financial information and family member-related information.
In the user privacy agreement, it should not simply state in one sentence that personal information should be protected, but should also specify the circumstances under which personal information is collected, how to collect it, how to use it, and how to delete it.
In this regard, Hu Peng suggested to take a series of related measures, such as separate pop-up windows for matters such as face recognition and face image processing to obtain separate consent, and the app clearly states the purpose, method and Scope, the subject of personal information has the right to withdraw authorization, and not to pop up frequently to obtain personal consent, etc.
According to the experts interviewed by the reporter, relevant information such as face recognition or face images involves not only personal privacy, but also biological characteristics. If criminals obtain relevant face images, they may impersonate others to engage in illegal activities.
Strengthen supervision and law enforcement
Improve industry self-discipline mechanism
How can we use face recognition technology more safely and make it bring more convenience to life?
During the two sessions of Guangdong Province this year, the collective proposal "Suggestions on Strengthening the Supervision of Facial Recognition in Guangdong Province" submitted by the Guangdong Provincial Committee of the Kuomintang to the conference proposed to improve the industry's self-discipline supervision mechanism.
It pointed out that the face recognition technology industry is a high-tech industry, which develops with the development of the era of Internet big data, but the companies in the related industries are mixed. It is recommended that the regulatory agencies conduct capital and technical checks on companies that want to enter the face recognition industry. , reduce the entry of low-quality enterprises, and better protect the information security of the public.
At the same time, establish relevant industry associations, establish industry standards for face recognition technology, and reduce infringements on face information through internal industry supervision.
On January 16, the "Face Protection Project 2022 Annual Results Conference" was jointly sponsored by the Institute of Cloud Computing and Big Data of the China Academy of Information and Communications Technology, the Trusted Face Application Guardian Program (hereinafter referred to as the Face Protection Program), and the China Communications Standards Association TC602. "Held in the cloud, in the latest round of evaluation results of the face protection plan, many companies and products have passed the "special evaluation of face recognition security", "evaluation of financial app face recognition security capabilities", "face recognition system to protect face information Special Evaluation", etc.
The face protection plan was initiated by the Institute of Cloud Computing and Big Data of the China Academy of Information and Communications Technology in April 2021. It unites companies, financial institutions, legal institutions and academic groups to jointly promote face recognition ecological security and compliance co-governance.
By the end of 2022, there will be 148 member units of the face protection plan.
In his speech, Bi Maning, director of the Expert Committee of the "Face Protection Program" and former deputy director of the Information Security Level Protection Evaluation Center of the Ministry of Public Security, pointed out in his speech that face recognition is currently the focus of conflicts between privacy protection and artificial intelligence technology applications, and industrial development faces three aspects Risks are inadequate technology, unreasonable application and inadequate management.
"Face recognition has only been widely used and developed in recent years, and my country's relevant legislation is also in the process of continuous improvement." Hu Peng said that at present, my country's relevant legislation is still relatively scattered, and the connection between various laws and regulations needs to be further improved. clear.
The provisions of some higher-level laws are relatively general. For example, the Personal Information Protection Law stipulates that the national network information department will coordinate and coordinate relevant departments to promote the personal information protection of face recognition technology, and formulate special personal information protection rules related to face recognition technology. , standards, while the more specific operational guidelines stipulate that among the non-mandatory national standards, how to determine the effectiveness of these non-mandatory national standards still needs to be further clarified in judicial practice.
In Li Dongfang's view, the current wanton collection and use of face information by some App manufacturers is obviously against the existing laws and regulations. In-process supervision in application scenarios, to detect illegal activities as early as possible and deal with them according to law.
In terms of post-event relief, it is also necessary to give full play to the role of procuratorial organs in personal information protection public interest litigation, and give full play to the guiding role of laws in the application of industries and related technologies.
"In general, in the process of formulating laws and regulations, it is necessary to promote the use of face recognition technology to benefit users in application scenarios and ensure continuous innovation and progress of technology. It is also necessary to put the security of face information in an important position, and prevent the technology from causing harm. The potential risks are minimized." Li Dongfang said.
Rule of Law Daily reporter Zhang Shoukun