Like just about anything on the Internet, biometric surveillance systems are eminently hackable as well as prone to human error.
As previously reported on Naked Capitalism, biometric surveillance systems, a common trope in dystopian novels, are being hastily rolled out across the West, with next to no public debate. That, of course, is for an obvious reason: if an open, informed debate on the pros and cons of biometric surveillance systems were actually allowed, the public would overwhelmingly reject it. Which is why these systems are increasingly encroaching into our lives under the radar, with limited public knowledge or understanding.
However, a recent incident in China has underscored the potential vulnerability of biometric data storage systems. As TechCrunch reported on Tuesday, a Hangzhou-based tech company called Xinai Electronics left a huge cache of data containing 800 million records, including millions of faces, vehicle license plates and resident ID numbers, exposed to public view and access for months on end:
The company builds systems for controlling access for people and vehicles to workplaces, schools, construction sites and parking garages across China. Its website touts its use of facial recognition for a range of purposes beyond building access, including personnel management, like payroll, monitoring employee attendance and performance, while its cloud-based vehicle license plate recognition system allows drivers to pay for parking in unattended garages that are managed by staff remotely.
It’s through a vast network of cameras that Xinai has amassed millions of face prints and license plates, which its website claims are “securely stored” on its servers.
But it wasn’t.
Security researcher Anurag Sen found the company’s exposed database on an Alibaba-hosted server in China and asked for TechCrunch’s help in reporting the security lapse to Xinai.
Sen said the database contained an alarming amount of information that was rapidly growing by the day and included hundreds of millions of records and full web addresses of image files hosted on several domains owned by Xinai. But neither the database nor the hosted image files were protected by passwords and could be accessed from the web browser by anyone who knew where to look.
The database included links to high-resolution photos of faces, including construction workers entering building sites and office visitors checking in and other personal information, such as the person’s name, age and sex, along with resident ID numbers, which are China’s answer to national identity cards. The database also had records of vehicle license plates collected by Xinai cameras in parking garages, driveways and other office entry points.
TechCrunch says it contacted the company on numerous occasions to warn it about the exposed database, yet its emails were never returned. The database was publicly accessible for at least several months before finally being taken down in mid-August. But that was only after a data extortionist claimed to have stolen the contents of the database. If true, the implications are dire. Given the innate uniqueness of biometric data, once it is stolen there is no way of undoing the damage. You cannot change or cancel your face, iris, fingerprint, or DNA the way you can change a password or cancel your credit card.
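The failure TechCrunch describes is the most basic one there is: a data store that answers any HTTP request with records, and no credential check in between. The check below is an added example, written for this page and not code from the article, from Xinai or from TechCrunch. The article does not say which database product Xinai ran, so the endpoint paths (/records, /protected), the JSON record shape and the records themselves are constructed assumptions; a small mock server stands in for the exposed host so the probe can run offline. The interesting part is the classifier: a 401 or a WWW-Authenticate challenge means the server is at least asking for credentials, while a 200 that parses into a list of records with no credentials supplied is exactly the condition the researcher found.

```python
"""Check whether a data-store HTTP endpoint answers without credentials.

Added example, not from the article or from Xinai/TechCrunch. The article
does not say which database product Xinai ran, so the endpoint paths
(/records, /protected) and the JSON record shape are assumptions, and the
records below are constructed. The mock server stands in for the exposed
host so the check runs offline.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Constructed records imitating the *kind* of fields TechCrunch described
# (name, age, sex, ID number, link to a face image). All values are made up.
SAMPLE_RECORDS = [
    {"name": "Zhang San", "age": 34, "sex": "M", "id_no": "110101199001011234",
     "face_url": "http://img.example.invalid/faces/0001.jpg"},
    {"name": "Li Si", "age": 27, "sex": "F", "id_no": "310101199501011234",
     "face_url": "http://img.example.invalid/faces/0002.jpg"},
    {"plate": "A12345", "gate": "garage-3",
     "face_url": "http://img.example.invalid/plates/0003.jpg"},
]


def count_records(payload):
    """Count records in a JSON payload: a list of objects, or a dict that
    wraps such a list (e.g. {"hits": [...]}). A bare non-empty object is one."""
    if isinstance(payload, list):
        return sum(1 for item in payload if isinstance(item, dict))
    if isinstance(payload, dict):
        nested = [v for v in payload.values() if isinstance(v, list)]
        if nested:
            return max(count_records(v) for v in nested)
        return 1 if payload else 0
    return 0


def classify_response(status, headers, body):
    """Turn one unauthenticated HTTP response into a verdict.

    exposed  -> 200 with a JSON payload that contains records
    denied   -> the server demanded credentials (401/407, WWW-Authenticate)
                or refused outright (403)
    no_data  -> anything else (404, an HTML login page, a non-JSON body ...)
    """
    if status in (401, 403, 407) or headers.get("WWW-Authenticate"):
        return {"verdict": "denied", "status": status, "records": 0}
    if status != 200:
        return {"verdict": "no_data", "status": status, "records": 0}
    try:
        payload = json.loads(body.decode("utf-8", errors="replace"))
    except ValueError:
        return {"verdict": "no_data", "status": status, "records": 0}
    records = count_records(payload)
    verdict = "exposed" if records else "no_data"
    return {"verdict": verdict, "status": status, "records": records}


def probe(url, timeout=3.0):
    """GET url with no credentials at all and classify the answer."""
    req = Request(url, headers={"User-Agent": "exposure-check/0.1"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.headers, resp.read())
    except HTTPError as err:  # 4xx/5xx answers still carry headers and a body
        return classify_response(err.code, err.headers, err.read())
    except (URLError, OSError):
        return {"verdict": "unreachable", "status": None, "records": 0}


class MockStore(BaseHTTPRequestHandler):
    """Stand-in for the exposed host: one listing with no auth at all, one
    behind an HTTP Basic challenge, everything else 404."""

    def do_GET(self):
        if self.path == "/records":  # the misconfiguration: data, no auth
            self._reply(200, json.dumps(SAMPLE_RECORDS).encode(),
                        {"Content-Type": "application/json"})
        elif self.path == "/protected":
            self._reply(401, b'{"error": "unauthorized"}',
                        {"Content-Type": "application/json",
                         "WWW-Authenticate": 'Basic realm="store"'})
        else:
            self._reply(404, b"not found", {"Content-Type": "text/plain"})

    def _reply(self, status, body, extra):
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_demo():
    """Start the mock store on an ephemeral port, probe three paths, stop it."""
    server = HTTPServer(("127.0.0.1", 0), MockStore)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return {p: probe(base + p) for p in ("/records", "/protected", "/nothing")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, r in run_demo().items():
        print(f"{path:<12} {r['verdict']:<10} status={r['status']} records={r['records']}")
```

Pointed at a real host, the same `probe()` is run against the listing URLs a data store is known to expose; the point of the exercise is that the request carries no cookie, token or Basic header, so a verdict of `exposed` means anyone with the URL gets the same records the researcher saw. The image links inside the records deserve the same treatment, since TechCrunch notes the hosted image files were no better protected than the index that pointed at them.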
The Growth of Biometric Surveillance in the West
Meanwhile, at the opposite end of the Eurasian landmass, the EU is assembling a gargantuan facial recognition system by allowing, for the first time ever, police forces across the EU to link their photo databases. Brussels is also about to launch an automated Entry/Exit System (EES) to register travelers from third countries. The system will record the traveler’s name, type of travel document, biometric data (fingerprints and captured facial images), as well as the date and place of entry and exit.
The UK and the US are also investing heavily in facial recognition technologies, despite fierce opposition from civil liberties groups. As I reported in late July, the US is even preparing to share the biometric data of its citizens with the national governments of select countries, including the UK and the EU — on a quid pro quo basis, of course.
In the almost total absence of public debate about these developments (and in many cases even of public awareness), what little debate does occur is largely informed by surveys and opinion polls commissioned by the very firms that stand to benefit most from the rollout of the new systems.
A case in point: the French military contractor Thales Group, which is helping American Airlines develop its digital ID app and has been instrumental in efforts to roll out national digital identity programs in Africa, recently conducted its own survey of 1,800 residents of seven EU countries. The results of that survey, published in June, showed a significant majority (66%) of the respondents would happily use a digital ID wallet.
This is, of course, good news for Brussels, since it is on the verge of launching an EU-wide ID wallet, which Member States must have ready for public use by 2024. The goal of the ID wallet is to establish a unified digital identification system in Europe and it is meant to simplify — and, of course, digitize — the way people identify themselves in just about every facet of their lives and in any EU country. Use of the wallet will be totally voluntary (at least to begin with).
Also, as luck would have it, Thales Group is one of Europe’s leading providers of digital identity systems. In fact, as you can (and I would suggest, should) see in the slick corporate video below, the company was already showcasing the benefits of its digital ID wallet app almost two years ago, in October 2020. Those benefits included helping the app’s users schedule appointments for mandatory vaccination, which is curious given that at that time there was no mandatory vaccination for COVID-19, since there were no COVID-19 vaccines available.
Another company that recently commissioned a survey on public attitudes toward new digital technologies, in this case biometric payment technologies, is Mastercard, which is piloting a biometric checkout program dubbed, in pure Orwellian fashion, “Smile to Pay”. Seventy percent of the survey’s respondents, from seven Asia Pacific countries (Australia, China, India, Japan, New Zealand, Thailand and Vietnam), said that using fingerprint or facial recognition to authenticate transactions was easier than remembering PINs or passwords (d’uh!), though 72% expressed concerns about which entities would have access to their data. Sixty-nine percent said they found the system more secure.
But is it?
A system like “Smile to Pay” may offer greater security if the biometric is added as an extra factor on top of a PIN or password, but consumers will not have to use two-factor authentication if they don’t want to, and Mastercard largely encourages them not to, since the main selling points of the new technology are speed and convenience. Used on its own, a face or fingerprint is a single factor, and one that, unlike a PIN, cannot be reissued once it has been compromised. What’s more, as the data breach at Xinai Electronics showed, the actual data underpinning such a system may not be secure at all.
Other Data Breaches in China
The breach at Xinai was not the only mass leak of sensitive data that appears to have occurred in China in recent months. In July, a huge trove of data containing information on around one billion Chinese residents was allegedly siphoned from a Shanghai police database stored in Alibaba’s cloud. As TechCrunch noted shortly after the alleged leak, “[w]ithout the (unlikely) confirmation from the Chinese government, it’s difficult to know for sure if the seller’s claims are genuine and the data was obtained from Shanghai’s police department, as is claimed.”
A month later, a hacker claimed to have obtained the personal information of 48.5 million users of a COVID health mobile app run by the city of Shanghai. The data is managed by the city government, and users can reach the app either by downloading it or by opening it inside Alipay (owned by fintech giant and Alibaba affiliate Ant Group) or Tencent Holdings’ WeChat. Ant Group and Tencent are the two largest tech firms in China and are absolute behemoths.
If authentic, these breaches raise serious questions about the Chinese government’s cybersecurity regime, little more than a year after Beijing launched a crackdown on private companies’ collection and collation of facial recognition data. As Sandra Wachter, a data ethics expert at the Oxford Internet Institute, told the Guardian last year, the security systems guarding our biometric data are only state-of-the-art until the day they are breached:
“The idea of a data breach is not a question of if, it is a question of when. Welcome to the Internet: everything is hackable.”
A Deeply Flawed Control System
There are, of course, plenty of other reasons why the creeping use of biometric surveillance systems, not just in China but across Asia, Africa and the West, by autocratic and ostensibly democratic states alike, should creep us out. First of all, these systems offer today’s governments surveillance powers that even the most efficient police states of the past could only have dreamt of — and what’s more, at a time of rising economic insecurity and political instability.
But that does not mean they are infallible. In fact, the systems are notoriously less accurate on women and people with darker skin, and may also misidentify children, whose features are still changing rapidly. Yet despite these flaws police forces around the world are increasingly turning to facial recognition technologies to identify criminals and, in some cases, protesters. For Delhi police, for instance, a similarity score of just 80% is apparently enough to count as a positive match, according to the force’s response to a query from the Internet Freedom Foundation, an Indian civil liberties group. A threshold that low is especially dangerous in one-to-many searches: every face in the gallery is another chance for a false match, so the number of innocent people wrongly flagged grows with the size of the database being searched.
India offers an interesting case study in how biometric surveillance systems can, once the roots are planted, get out of control very quickly. In November 2021, Amnesty International warned that Hyderabad, the capital of Telangana state and an emerging challenger to India’s Silicon Valley, Bengaluru, is “on the brink of becoming a total surveillance city”:
The city in Telangana state – one of the most surveilled cities in the world – has begun construction of an ominous ‘Command and Control Centre’ (CCC), intended to connect the state’s vast facial recognition-capable CCTV infrastructure in real time. In addition, a study by the Internet Freedom Foundation found that Telangana state has the highest number of facial recognition technology (FRT) projects in India.
“Hyderabad is on the brink of becoming a total surveillance city. It is almost impossible to walk down the street without risking exposure to facial recognition,” said Matt Mahmoudi, Amnesty International’s AI and Big Data researcher.
“In addition to CCTV, we are concerned that law enforcement’s practice of using tablets to stop, search and photograph civilians without charge could be used for facial recognition.”
As biometric surveillance technologies advance, their use poses an ever-larger threat to privacy and basic freedoms, as the Electronic Frontier Foundation (EFF) warns:
As face recognition technologies become more effective and cameras are capable of recording greater and greater detail, surreptitious identification and tracking could become the norm.
The problems are multiplied when biometrics databases are “multimodal,” allowing the collection and storage of several different biometrics in one database and combining them with traditional data points like name, address, social security number, gender, race, and date of birth. Further, geolocation tracking technologies built on top of large biometrics collections could enable constant surveillance.
That is a disturbing enough prospect, especially given the minimal benefits — essentially minor gains in convenience and time — citizens actually stand to gain from giving up their most precious data to governments and corporations. But it is even more disturbing if you consider that this data, once relinquished, may not even be safe in the hands of governments or corporations, especially as cyber warfare becomes an increasing part of wider conflict.