China changing its stance on facial recognition

• A draft ruling includes directives not to use facial recognition technology to disrupt social order, endanger national security, or infringe on the rights of individuals and organizations.
• CAC also noted that facial recognition tech must be used only when non-biometric measures won’t do.
• The draft ruling is open for comment until September 7.

Over the last decade, we have witnessed the rise of surveillance states worldwide, yet, to date, no country is more surveilled than China. Under President Xi Jinping, the Chinese government has expanded domestic surveillance, putting the Eastern powerhouse at the forefront of global facial recognition technology for years. 

Dubbed the “global capital of surveillance,” China also saw the rise of a new generation of companies that make sophisticated technology at ever-lower prices. What’s worse is that Chinese companies were operating with less scrutiny and regard for corporate social responsibility than similar companies in other countries.

Today, the Chinese facial recognition system logs nearly every citizen, with a vast network of cameras nationwide. Every move in cities around China is being captured digitally. Not only is facial recognition software used to access office buildings, but it has also been used to snare criminals and even shame jaywalkers at busy intersections. 

The scope of the data collected by Chinese authorities became more apparent when the database of SenseNets Technology, a Shenzhen-based biometrics provider, was leaked in 2019, exposing the personal information of millions of people for months.

According to security researcher Victor Gevers, who found the database, SenseNets collected nearly 6.7 million GPS coordinates in one database. Within just 24 hours, SenseNets has data taken from cameras positioned around hotels, parks, tourism spots, and mosques, logging details on people as young as nine days old. 

The location data was matched to names — many of which were Uighur — as well as ID numbers, home addresses, photos, and employers, according to Gevers, who said he also discovered a large number of organizations were connecting to the database, including police stations, hotels, and various companies. Simply put, the database leak showed how pervasive China’s surveillance tools are.

China is finally drawing the line with facial recognition.

To put into context how heavy surveillance is in China, it is essential to know that the country has over 700 million surveillance cameras, according to online data. That means there is one lens for every two citizens. But now, China wants to create some boundaries and limit the use of facial recognition technology, finally.

On August 8, via the Cyberspace Administration of China (CAC), China released draft regulations to govern its facial recognition technology, including prohibitions on its use to analyze race or ethnicity. The purpose is to “regulate the application of face recognition technology, protect people’s rights to personal information and other personal and property rights, and maintain social order and public safety” as outlined by a smattering of data security, personal information, and network laws.

The news may come as a shock for many around the world, because China is notoriously known for its heavy surveillance nationwide. The draft rules, which are open for comments until September 7, include some vague directives not to use face recognition technology to disrupt social order, endanger national security, or infringe on the rights of individuals and organizations.

The internet regulator noted that the “Face Recognition Technology Application Safety Management Regulations (Draft for comment) is drafted according to existing laws and regulations such as the Network Security Law, Data Security Law, and the Personal Information Protection Law.”

The draft of the newest ruling says that “If there are non-biometric verification technologies for achieving a similar purpose or business requirements, those non-biometric verification methods should be preferred” (in Chinese, translated by Tech Wire Asia). Individual consent, however, isn’t required for certain administrative situations. Should facial recognition be used, the proposed rules encourage the use of national systems.

Image collection and personal identification equipment should be installed in public places to maintain public safety, the draft rules said, noting that clear signage is required. The draft also states that building managers will not need to use facial recognition to monitor entries and exits on the property – they must provide alternative measures of verifying a personal identity for those who want it.

It also can’t be leaned into for “major personal interests” such as social assistance and real estate disposal. For that, manual verification of personal identity must be used, with facial recognition used only as an auxiliary means of verifying personal identity. Should there be a collection of images for internal management, it can only be done for a reasonably-sized area, the draft reads.

Businesses like hotels, banks, airports, and more should refrain from deploying facial recognition to verify personal identity. If the individual links their identity to the image, they should be informed verbally or in writing and provide consent. 

Collecting images is also prohibited in private spaces like hotel rooms, public bathrooms, and changing rooms. Lastly, all entities in China currently using the technology in a public space, or those with more than 10,000 facial recognition records stored, must register with their local internet regulator within 30 working days.