Many collecting entities, weak security, and an urgent need for strong legislation: who will protect our biometric information?
Hangzhou, 6 Nov (Xinhua)
Xinhua News Agency reporters Wu Shuai and Zhang Xuan
Recently, Hangzhou Wildlife Park's rule that not registering face information would affect normal use of the park card has drawn public concern.
At present, are citizens' fingerprints, facial features and other biometric information at risk of being overcollected? Which subjects are obtaining our biometric information? In what aspects does the relevant information protection need to be strengthened? Xinhua News Agency reporters launched an investigation in this regard.
Public biometric information has been overcollected
The reporter learned from Professor Xue Jun, vice president of the School of Law of Peking University, that personal biometric information such as faces and fingerprints has become, alongside ID card numbers, mobile phone numbers and the like, a new "hardest-hit area" in cases of excessive collection of citizens' information.
At the same time, because of the increasingly close relationship between biometric information and personal property and personality rights and interests, once the information is lost or out of control, it will cause huge and irreparable losses to the information owner.
This is not an unfounded concern. In February 2019, a face recognition company in Shenzhen was confirmed to have suffered a data leak, with the core data of more than 2.5 million people accessible and 6.8 million records leaked, including ID card information, face recognition images and GPS location records.
A video recognition security expert at a well-known domestic Internet company told reporters that a large number of lawbreakers and black- and gray-market data operators currently need matching face information to pass real-person identity verification, so that they can register false accounts or directly take over other people's accounts. This demand has even given rise to a "face industry" of a certain scale in China.
Reporters searched the Internet and found that there are a large number of "over-face" technical solutions for e-commerce platforms and specific devices, and even complete "over-face" technical tutorials, including software selection, script settings, and so on. Some websites also have "face software" code links, which can be downloaded at will.
Where does our biometric information flow? Is it safe?
So in daily life, who is keen to record and store our biometric information? Pei Zhiyong, director of the Qianxin Network Security Research Center, told reporters that there are roughly three types of subjects at present.
The first is operators of video surveillance, which collect information through video equipment in public places such as shopping malls, hotels and conference venues.
The second is certain public authorities, large Internet enterprises, commercial organizations and the like, which collect data including users' personal biometric characteristics with user authorization.
The third is scientific research institutions, which collect and use such information for research purposes, for example storing samples of a certain scale for artificial intelligence learning and training.
Li Xi, a professor at the Institute of Artificial Intelligence at the School of Computer Science of Zhejiang University, said that the main entities currently collecting and storing citizens' biometric information vary in their ability to provide information security protection, and that disclosure and transparency are insufficient, which can easily expose massive amounts of information to security risks.
At the same time, industry insiders have revealed that, in order to reduce their own costs, a large number of businesses currently "force" the public, who are in a weak position, to give up biometric information through standard-form terms or unilateral notification, and even hide self-exemption clauses in their contracts. None of this is conducive to the protection of the relevant information.
"In the future, we will not rule out the possibility of reconstructing personal biometric features based on the collected data, such as using 3D printing technology to 're-engrave' human faces. By then, the risk we face is not just that the virtual world will be invaded, but that we will be impersonated in real life," Qianxin Group Vice President Zuo Yingnan said.
The technical forces of good and evil are still locked in struggle, and the legal gap needs to be filled
Network security experts interviewed believe that, because biometric information such as faces, fingerprints, irises and even genes is personal and unique, the trend toward its ever wider use in finance, shopping, security and other everyday scenarios is irreversible. However, its replicability also means that the "struggle between good and evil" around information security technology will continue for a long time.
The reporter learned that, at present, the potential risks of "face swapping" can be dealt with at the technical level mainly through "liveness detection + face comparison recognition." Auxiliary technologies such as recapture detection, 3D structured light and multi-dimensional biometric information can also increase the security of related technologies to a certain extent.
Some experts are of the view that the current gaps at the level of relevant legal norms also need to be filled.
According to lawyer Jiang Haibin, senior partner of Zhejiang Zhejiang and Hangzhou Law Firm, China's Cybersecurity Law establishes the principle of "who collects is responsible" and stipulates that the collection of personal information, including personal biometric information, must be consented to by the person whose information is collected. However, no mandatory legal norms have yet been formulated on key issues such as what degree of protection the entities collecting such information must provide, how that protection is to be evaluated and disclosed, the level of protection for citizens' sensitive personal information, and the specific protection measures.
In May 2018, the National Technical Committee for Information Security Standardization promulgated and implemented the "Information Security Technology Personal Information Security Standard" as a recommended national standard. In it, biometric information is clearly classified as "personal sensitive information that may endanger personal and property safety if leaked, illegally provided or abused, and can easily lead to damage to personal reputation, physical and mental health, or discriminatory treatment".
Long Weiqiu, dean of the School of Law of Beijing University of Aeronautics and Astronautics, believes that the standard sets out requirements for the collection, preservation, use and entrusted processing of personal information, puts the Cybersecurity Law's provisions of principle into practice, fills the gap in practical standards for domestic personal information protection, and provides specific guidance for enterprises carrying out personal information protection compliance.
At present, China is speeding up the legislative process for a personal information protection law. In this regard, Xue Jun also suggested that it is necessary to distinguish between ordinary personal information and sensitive personal information at the legislative level. "For personal sensitive information, a licensing system may be established, that is, without the authorization of laws and regulations, general businesses, private institutions, etc., shall not collect sensitive information containing personal biometric characteristics, even with the consent of individual citizens."