China Power | Society | East Asia

China’s Ubiquitous Facial Recognition Tech Sparks Privacy Backlash

Privacy concerns remain largely unaddressed in proposed Chinese facial recognition standards.

By Lauren Dudley for
China’s Ubiquitous Facial Recognition Tech Sparks Privacy Backlash

A Chinese flag flies near a Hikvision security camera monitoring a traffic intersection in Beijing, Oct. 8, 2019.

Credit: AP Photo/Mark Schiefelbein

From picking up medication, to taking public transportation, to buying a cellphone, facial recognition has become an unavoidable aspect of everyday life in China. But while Chinese people sometimes are reported as willing to trade their privacy for public security, Chinese consumers have become increasingly loud in their demands to know why their personal information (PI) is being collected and how it is being secured.

Facial recognition and surveillance have quickly spread in China as the Chinese government prioritizes public security, promotes the development of artificial intelligence (AI), and works to prevent the spread of COVID-19. Leading facial recognition and surveillance companies including Hikivison, Dahua, iFlyTek, SenseTime, and most recently Jiadu Technology have been tapped to advance AI technologies with applications advancing facial recognition and surveillance as part of China’s “National AI Team.” These efforts are beginning to come to fruition. Over the past few weeks, facial recognition cameras have been equipped with AI-enabled body temperature detection technology to prevent people who may be infected with COVID-19 from traveling.

As the number of facial recognition cameras in use in China grows from 176 million in 2017 to up to 626 million in 2020, the Chinese government has taken some measures to regulate and ensure the security of sensitive data. Biometric data collected from facial recognition-enabled surveillance systems in China is protected by the Personal Information Security Specifications. This regulation, China’s first major data privacy rule, says that collection of PI should be for “legal, justified, necessary, and specific purposes,” often requires consent, and must be kept secure. But unfortunately, these principles are not reflective of the current reality of the Chinese facial recognition ecosystem, where sensitive biometric data is frequently collected without consent or sufficient data security protections, particularly amid the COVID-19 outbreak.

A Double-Edged Sword

The fast spread of facial recognition technology has led many Chinese people to voice concern over its dizzying pace of adoption. A widely-watched CCTV report last year exposed the Chinese black market for facial recognition data, where a package of ID photos sell for approximately 36 cents. After the report, more than 80 percent of people said they doubted the security capabilities of network operators storing sensitive PI in a survey conducted by the Nandu Personal Information Protection Research Center in Beijing.

Enjoying this article? Click here to subscribe for full access. Just $5 a month.

One of the most public pushbacks against the unnecessary and unsafe collection of biometric data to date was a November 2019 lawsuit against a Hangzhou zoo that required a facial recognition scan for admission. This case, the first facial recognition dispute in China, was raised by a Zhejiang University of Science and Technology law professor who said that the park’s collection of biometric data is not necessary for the zoo’s purposes (falling short of the threshold established is the Personal Information Security Specifications) and poses a risk to customers if the data is not sufficiently protected.

After the publication of this case, some Chinese citizens raised concerns they will suffer from the largely unchecked adoption of facial recognition technology without sufficient, enforced protections for people and their data. These concerns range from fear of organizations’ poor data protection practices, to the consolidation of valuable, sensitive biometric data in the hands of a few companies, to the possibility of nontransparent, discriminatory treatment. Tsinghua Law professor Lao Dongyan even went as far as to pose the possibility that data could be misused by public authorities in a way that could threaten individuals, their families, property, reputation, occupation, freedom, health, or life.

Although fear of the Chinese government’s access to data is not often expressed (at least publicly), fear that Chinese consumers will pay the price for hasty, unregulated technology adoption is widespread. It is also not without historical precedent. Many people are still waiting on Ofo, the nearly bankrupt bike-share company, to refund nearly $170 million in cash deposits in the app. Likewise, Chinese consumers were reportedly robbed of over $13 million in Guangdong province alone from unregulated QR codes embedded with viruses.

Possible Facial Recognition Standards

Chinese regulators have begun to acknowledge the privacy and security concerns that come with the rapid expansion of facial recognition technology. Last month, the National Information Security Standardization Technical Committee, dubbed TC 260, released a proposal on PI and consent. While the draft generally recommends that collectors of PI should inform and obtain the explicit consent from people prior to collecting their PI, it notes that such an approach is impractical for the collection of data in public places, as is typical with facial recognition. In these cases, the standards body recommended that owners of facial recognition technology just identify the nature and purpose of the information collection.

Though this does represent a greater acknowledgement of privacy and security concerns with facial recognition-enabled surveillance, it is unlikely that the proposal will meaningfully protect consumers. First, it is unclear what happens if one does not consent to the collection of biometric data with facial recognition technologies, particularly whether alternative means of security verification should be available. If alternative means of verification are not available, those who do not consent to facial recognition data collection may not be able to access critical public goods, such as transportation and healthcare.

Second, it is unclear if and how the proposed protections will be enforced and whether exemptions to informed consent outlined in the proposal will limit its scope. Of course the usual limits to the protections apply. National security and social stability will continue to trump all other priorities in China, so the Chinese Community Party’s access to data from facial recognition systems for broadly-defined national security purposes will not be meaningfully restricted. By the same token, privacy safeguards will not extend to populations deemed a threat to social stability, such as the Uyghurs. But it is yet to be seen how other exemptions may be used to limited the standards’ impact. For example, the exemption for public health could be used to justify maintaining the body temperature-detecting facial recognition systems in public places even after the threat of COVID-19 subsides.

In the end, it seems that pushback against the unregulated spread of facial recognition technology was successful in bringing privacy concerns to the attention of the TC 260. Contesting the application of widely-hyped technologies in a country where technological advancement is an important source of national pride is not easy, so the Chinese government’s attempt to include greater privacy protections in facial recognition standards represents a small win for Chinese civil society. But given the Chinese government’s focuses on national security, public health, and technological advancement, the development and implementation of facial recognition technology is likely to take priority over the protection of personal information.

Lauren Dudley is a Research Associate in Asia Studies at the Council on Foreign Relations.