Chinese Facial Recognition Database Inadvertently Exposed

Bottom Line Up Front

• A Dutch cybersecurity researcher reported that Chinese company SenseNets exposed millions of people’s facial recognition information.
• China has used facial recognition to target Muslim ethnic minorities in the Xinjiang region.
• Venezuela is also adopting an identification card system similar to the Chinese model to track and collect information about their citizens.
• Personal information collected by states and their corporate partners is valuable to criminals and its exposure could place citizens at greater risk.

Just last month, Dutch cybersecurity researcher Victor Gevers reported that Chinese company SenseNets inadvertently exposed a database of millions of Chinese citizens’ facial recognition information, and personal details including gender, nationality, and ethnicity. The database also contained tracking information from various locations. While SenseNets has since reportedly blocked access to the database, its existence raises troubling questions about the future of state surveillance and the security of the vast amounts of data and information collected by states corporations and others.

The national ID system—mandatory for all Chinese nationals in mainland China—contains a nationals’ personal information, including data on housing, health, finances and travel. This information will also inform China’s new ‘social credit score,’ being tested now, which will allow the state to track residents’ behavior and penalize everything from minor societal taboos to crimes. Human rights advocates have criticized the system, which can affect individuals’ freedom of movement, educational opportunities and career advancement. China is also utilizing facial recognition in the largely Muslim Xinjiang region, where the government has targeted Muslims, interning huge numbers of Uighurs in ‘re-education’ camps. The exposed SenseNets database reportedly contains information about Xinjiang residents’ movements and activities. This is part of a new effort to use collected personal data to predict what the Chinese government considers criminal behavior.

Other countries are also adopting identification card systems similar to the Chinese model. Chinese telecommunications company ZTE Corp has worked with the Venezuelan government to help implement a national identity and mobile payment card system called ‘carnet de la patria,’ or ‘fatherland card. President Donald Trump lifted sanctions on ZTE in July 2018 after the company violated U.S. law by shipping American-made goods to Iran and North Korea, but a bipartisan group of lawmakers recently introduced a bill to reimpose those sanctions. The Venezuelan ‘fatherland card’ database reportedly contains personal information including medical records, political affiliation and voting history and social media activity.

It is unclear how states will protect the data they collect. Hackers and cybercriminals routinely steal, exploit and sell or purchase exposed or hacked personally identifiable information (PII) to target individuals, companies, and nations. As authoritarian governments collect more data about their citizens as a method of consolidating societal control, they also put the population in danger of online exposure and exploitation. While European countries must now abide by the General Data Protection Regulation for ensuring data is safe from theft or illegal use, most states do not mandate similar protections. As the SenseNets data exposure proves, companies cannot always keep vital information secure, which could result in millions of people being targeted not only by their governments but also by cybercriminals and other illicit actors.