How to protect our "face" in the era of face scanning

  A person has only 10 fingerprints, two irises, two palm prints, one set of voiceprints, and one face.

Biometric authentication is irrevocable. Once its information is leaked, there is no remedy.

  To some extent, scanning your face without security is no different from handing over your ID card and bank card password to others.

  Guo Bing, a distinguished associate professor of Zhejiang Sci-tech University and a doctor of law at Zhejiang University, sued Hangzhou Wildlife World because he did not agree to have his face scanned to enter the zoo.

This case became the "first face recognition case" in which a domestic consumer sued a merchant.

  On December 29, 2020, the second-instance hearing of the case was held at the Hangzhou Intermediate Court. Guo Bing asked the court to declare invalid the relevant standard-form clauses on fingerprint recognition and face recognition.

  Not long ago, a video of someone "wearing a helmet to view a house" circulated widely, because some sales office staff use facial recognition to determine the identity of the buyer and then decide whether to give a house purchase discount.

  In the Internet era, while the development and application of new technologies such as face scanning bring convenience, they also bring new challenges to personal information protection.

In recent years, controversy surrounding face recognition has continued.

These controversies reflect, to a certain extent, the widespread use of face recognition and the public concern it has caused.

  How to ensure the security of personal information in the Internet age?

What are the weaknesses of biometric authentication technology?

Are there relevant regulations and oversight for the application scenarios and technologies of biometric authentication, including facial recognition?

A reporter from Science and Technology Daily interviewed relevant experts.

  Biometrics is our other ID card

  Verifying your identity at the airport or high-speed railway station: scan your face. Checking in at a hotel: scan your face. Opening a bank account remotely: scan your face. Paying online or passing door access control: scan your face...

  In recent years, artificial intelligence technology with deep learning at its core has developed rapidly. Visual recognition technology in particular is widely applied, and face recognition has gradually moved from a few security scenarios into people's daily life.

Since the beginning of this year, the COVID-19 epidemic has created demand for contactless scenarios, which has accelerated this process.

  Face recognition is a type of biometric authentication. Other types include fingerprint recognition, iris recognition, and voice recognition.

The defining feature of biometric authentication is uniqueness: each person has a unique face, fingerprint, and iris.

  Therefore, biometrics can also be regarded as our other ID card.

"Biometric authentication identifies personal characteristics. For example, checking facial features is the same as checking an ID number: it can refer to my personal identity," said Li Qianmu, member of the Party Group and vice chairman of the Jiangsu Association for Science and Technology and director of the Information Department of Nanjing University of Science and Technology.

  Consider that an ID card, when not in use, is either kept in a wallet or locked in a safe.

If one day your biometric ID is stored by property companies, zoos, banks, hotels, and others on a computer hard drive that you know nothing about, would you still think it is safe to scan your face for authentication?

  Pan Zhuting, chief strategy officer of Beijing Yongxin Zhicheng Technology Co., Ltd., told reporters that a password can be changed, and changed regularly.

But a person has only 10 fingerprints, two irises, two palm prints, one set of voiceprints, and one face.

Biometric authentication is irrevocable. Once its information is leaked, there is no remedy.

  To some extent, scanning your face without security is no different from handing over your ID card and bank card password to others.

  "The promotion and application of such a technology should fully demonstrate its possible benefit-to-risk ratio. But in the case of Hangzhou Wildlife World, we did not see the necessity and irreplaceability of the use of face recognition technology. I can't see the user's full consideration of and preparation for risks. Such actions to promote technology require vigilance and reflection," said Associate Professor Cheng Guobin of Southeast University.

  Why face recognition is repeatedly broken by hackers

  As early as March 15, 2017, security vulnerabilities in face-scan login were revealed: using a selfie of an audience member, the face authentication system of a mobile phone could be cracked by "changing" the face.

  Since then, there have been face data leakage incidents, some because the database storing the photos was hacked, and some because the staff sold copies of the data for profit.

  Li Qianmu told reporters that the current weaknesses of biometric authentication lie mainly in two aspects. First, biometric authentication mainly relies on images or videos for feature verification, and images and videos can be forged to a certain extent. "There is now a method called AI forgery, which is to 'create' a non-existent face through an AI algorithm, or adaptively generate other faces. This algorithm is called GAN, also known as an adversarial neural network, which, through training on a large number of samples, can generate non-existent faces, that is, fake samples."

  Second, biometric authentication is essentially a character mapping. In the computer, facial features are described by numbers such as 0 and 1, so even if the face does not exist in the system, these numeric features can be entered by hacking, and face recognition may pass.

  In October 2020, a survey of more than 20,000 people, the "Face Recognition Application Public Survey Report (2020)", showed that more than 90% of respondents had used face recognition, 60% of respondents believed that face recognition technology tends to be abused, and 30% of respondents said that they had suffered privacy or property losses due to the leakage and abuse of face information.

  Compared with the leakage of personal information such as ID card numbers and mobile phone numbers, there are not many face data leakage incidents that have been exposed to the public.

However, there have been media reports that some cybercriminals have used e-commerce platforms to sell illegally obtained personal faces and other identity information, as well as "photo activation" online tools and tutorials.

  A positive change is that the public's awareness of privacy protection has increased.

The report shows that up to 80% of the respondents expressed concern about whether the original face information will be retained by the collector and how it will be processed.

Regarding the rules for processing facial information, respondents most want to know "what kind of technical and management measures are taken by the collector to ensure the security of the collected facial information", "whether the facial recognition technology is provided by a third party and, if so, who the third party is", and "which scenarios the face information is currently used in, and whether the purpose of use has been changed".

  Industry self-discipline and legal supervision are indispensable

  Most of the interviewed experts said that they are happy to see the application and development of new technologies such as artificial intelligence, but it is also urgent to strengthen the protection of personal information.

  Li Qianmu believes that, to address the abuse of face recognition technology, the first step is to establish strong supervision to deter illegal behavior; the second is technical prevention, using artificial intelligence methods to identify and counter artificial intelligence, and establishing a corresponding authentication database or a third-party certification center to verify biometric authentication; the third is to speed up legislation and increase penalties for violations.

  Looking at the world, some developed countries have already taken the lead in legislation.

In 2015, the United States issued the report "Facial Recognition Technology: Commercial Use, Privacy Issues and Applicable Federal Laws", restricting the use of facial recognition technology by commercial entities to identify or track individuals.

In 2018, the "EU General Data Protection Regulation" (GDPR) came into effect, clearly stipulating that personal data is a data asset owned by the individual; it is known as the "most stringent" data protection law in history.

  China's legislation on the protection of personal information has also accelerated.

For example, the "Civil Code" lists the biometric information of natural persons as personal information; the "Personal Information Protection Law (Draft)" intends to impose penalties such as confiscation of illegal income and fines for violations of the rights and interests of personal information.

  It is undeniable that technology has strong tool attributes, and anyone can use it. Some people use steel to build tens of millions of buildings, and some use guns to slaughter thousands of people.

Therefore, Cheng Guobin believes that addressing the abuse of face recognition technology requires, in addition to industry self-discipline and legal supervision, deep ethical reflection and ethical governance.

  "When developing a new technology, human beings always have a certain value tendency or value pursuit. Considering the relationship between this specific initial value and the overall value that technology should promote social development and human happiness is important work for the ethics of technology," Cheng Guobin said.

  In July 2019, the ninth meeting of the Central Comprehensive Deepening Reform Committee reviewed and approved the "National Science and Technology Ethics Committee Formation Plan."

The implementation of scientific and technological ethics review is to delineate the necessary ethical channel and value bottom line for scientific and technological innovation, to clarify the ethical boundary of "doing something, not doing something" in scientific and technological activities, and to prevent the "Pandora's Box" from being opened at will.

  "But as far as I know, the current ethical review mechanism in our country is only relatively complete in the medical field, and it is basically blank in scientific research in universities and institutions. Compared with some developed countries in Europe and the United States, there is still much room for improvement in the coverage of our country's scientific and technological ethics review and in the completeness of the system." Cheng Guobin said that the establishment of an organization is only the beginning, and a complete set of mechanisms, policies, legal systems, and subtle scientific ethics need to be cultivated quickly.

  Our reporter Zhang Ye