Face Recognition Boundaries: What Level of Information Collection Is Applicable
Author: huifan Time: 2020-01-02
The human face carries important personally identifiable information. The development of technology has made people's faces become "important data" for identifying individuals. In the new generation of mobile phones launched by major mobile phone manufacturers, face unlocking has replaced fingerprint unlocking, and some payment systems have also adopted face recognition technology. At present, face recognition is undoubtedly one of the hottest and widely used technologies in the wave of artificial intelligence, which provides convenience for life travel and social order.
Is it safe to brush your face
"Brush your face" into the door and "rely on your face" to eat ... Today, with the maturity of face recognition technology, these once-imagined imaginations have been infinitely close to reality. According to the forecast of the Foresight Industry Research Institute, the overall face recognition market in China will grow rapidly in the next five years to achieve multi-industry applications. It is expected that the size of the Chinese face recognition market will exceed 5 billion yuan by 2021.
In addition to privacy concerns, public concerns about the other direction of face recognition technology come from the security of the technology itself. Previously, Zhejiang primary school students found that printing photos could replace "brushing their faces" and cheated the news of Fengchao Express in the community, which seemed to be its "unreliable" portrayal.
Compared to concerns over privacy, concerns about the security of the "brushing" technology itself are panic-like. In fact, the courier cabinet can be deceived by photos, mainly because it does not include live detection technology. "Now it is quite rare to use face recognition technology that dared to 'release' even without living detection."
From the perspective of the technology itself, current face recognition is divided into 2D and 3D technical solutions. Take Alipay and WeChat's "brush payment" as examples. Both use 3D face recognition technology, which will be combined by software and hardware. The method performs detection to determine whether the collected human face is a living body, which can effectively prevent impersonation of videos, paper, etc.
Different scenes, different boundaries
Commercialization scenario: In the case of satisfying the "informed consent" of the personal information subject, given that face information contains higher information security risks and potentially broader information content, companies should carefully evaluate whether the use behavior follows "legal, legitimate, "Necessary" principle, to avoid being questioned "kill chicken with a slaughter knife".
Application scenarios based on public interest: Similar to the traditional view of restricting the right to portraits, based on the needs of social public interests, the rights of natural persons to their face information can also be restricted to a certain extent. However, considering the possible threats to racial equality and freedom of speech caused by excessive use of face recognition technology, it is generally believed that when using this technology in public places, it is recommended to pay attention to the principle of authorization, the principle of legal retention, the principle of proportionality, etc.
Compliance issues in the application of face recognition technology
① Identification of the nature of photos containing face images
In the "Information Security Technology Personal Information Security Specification", facial recognition characteristics and personal genes, fingerprints, voice prints, palm prints, auricles, iris, etc. constitute the "personal biometric information" under personal sensitive information, and the degree of protection and related Have higher compliance requirements than general personal information. In June this year, the National Committee for Standardization of Information Security issued the "Requirements for the Protection of Biometric Identification Information Technology Security Technology (Consultation Draft)", in which the definition of biometric data is "biometric samples, biometrics, biometrics" Model, biological properties, biometric characteristics of the original description data, or an aggregation of the above data ", and" face "is listed as one of the physiological characteristics by which individuals can be identified. However, it has not been clarified in our country as to whether photos bearing face images will be identified as personal sensitive information.
Photos containing face images do not of course constitute biometric information / personal sensitive information with a higher degree of protection in nature, but are subject to the fact that they can be identified with personally identifiable properties after being processed by specific technologies Higher compliance requirements.
② Commercial use of face recognition technology
The "Network Security Law" requires network operators to collect and use personal information, and should clearly indicate the purpose, method and scope of collecting and using information, and obtain the consent of the person being collected. The use of facial image and image information collected by monitoring equipment based on security surveillance purposes for further commercialized precision advertising marketing has exceeded consumers' normal expectations for the use of their personal information.
Therefore, the face images and video images obtained by enterprises for security monitoring and other purposes, if they are subsequently used for other business purposes, need to protect the personal information subject's knowledge and consent requirements. In addition, the enterprise shall take reasonable measures to prevent unauthorized access or acquisition of the information, and follow the minimum requirements that are reasonably necessary for the storage period.
③ Restrictions on using face recognition technology in public places
On the one hand, the government based on the construction of smart cities such as installing face recognition devices at public transportation hub sites such as subways or collecting and using face information for administrative law enforcement purposes is a guarantee of public safety and can even facilitate the convenience of public travel. On the other hand, in an increasing number of surveillance scenarios in public places, individuals cannot refuse to obtain face recognition information, and at the same time increase the risk of personal information being abused.
Although the above is a public power use scenario, the trade-offs of benefits reflected in it still have some reference significance for enterprises deploying monitoring equipment in public places. Enterprises should consider the legitimacy and necessity of behaviors when processing face recognition information, and should actively formulate and comply with sensitive information processing policies to explicitly inform the information subject and obtain the proper authorization of the information subject to ensure that the collection and processing of this information should only Its business purpose is necessary, and its impact on personal privacy may be evaluated before the monitoring technology is launched.
④ Discrimination under face recognition technology
With the increasing requirements for the legality and transparency of personal information processing in China, when companies rely entirely on automated algorithms to process face recognition information and make decisions that significantly affect the rights and interests of personal information subjects, in order to avoid possible algorithmic discrimination against natural persons, Impact, it is recommended that:
(1) Fully inform the use of face recognition information;
(2) The working principle of the AI automatic algorithm and what features AI will use to evaluate the data subject;
(3) Obtain the consent of the data subject regarding the collection of face recognition information and subsequent AI processing behavior;
(4) Provide a complaint method to the subject of personal information to protect the right of affected subjects to question the conclusions made by automated decision-making.
Limited by the current state of technological development, the deviation of the original data, and the bias of the algorithm designers themselves, the use of face recognition algorithms through labelled judgment methods increases the risk of making discriminatory decisions, and these risks will be largely tolerated by themselves. Relatively disadvantaged groups bear. In the absence of supervision, effective safeguards, transparency and accountability mechanisms, the use of face recognition algorithms will accelerate existing inequality. What is worrying is that by using sophisticated and obscure algorithms, discrimination often occurs in an imperceptible way.
Chinese law strictly protects facial recognition features
The convenience brought by face recognition cannot be ignored. However, the development of technology has no boundary, but the use of technology must have a boundary, but this boundary is fuzzy. There are no obvious specifications for which scenarios can be applied and which areas can be expanded. Therefore, when it crosses the border, it will naturally cause a lot of controversy.
China's laws and regulations on portrait collection mainly focus on immigration management, identity card processing, criminal investigation, road traffic safety management and other laws and regulations. Public security agencies and other relevant government departments have the power to force the collection of biometric information such as portraits and fingerprints of data subjects. For example, Article 3 of the "Identity Card Law" stipulates that the items for registration of a resident identity card include his own photo and fingerprint information.
In addition to the legal requirements for portrait collection, face recognition is being widely used in railway stations / airports to "face-to-stop", classroom monitoring in schools, and "real-time punch-in" in enterprises and institutions. Management, as well as identity verification of banks and other financial institutions, identity verification of third-party payments such as Alipay, online beauty and P-pictures and other business areas. Whether the above behaviors meet the requirements of the Cyber Security Law and related information protection laws and regulations is worth pondering.
In fact, from the point of view of face recognition technology, in addition to the facial recognition features stored in the database for the first time, the facial features collected in subsequent face recognition can be used only for proofreading without storage. Not collecting or reducing the collection of unnecessary personal sensitive information is also in line with the "necessary" principle of data collection in the Cybersecurity Law, and it can also reduce the security risk of data leakage.
Face information, as important biological information of the human body, has been applied to various areas of life such as payment, entertainment, security, education and the like, driven by technological development. Technology is a double-edged sword. Face recognition is a high-tech. While people experience the convenience it brings to life, they cannot ignore the information security, privacy leakage, and other problems it brings, let alone bring it to them. The legal risks are ignored.
Youtube: Huifan Technology
Linkedin: Huifan Technology
Facebook: Huifan Technology