2 yuan for a bundle of 70 bare-faced photos of popular celebrities: face data leakage goes far beyond what you imagine

A few days ago, 2 yuan was enough to buy 70 registration photos of popular celebrities. You read that right: just 2 yuan, the price of a bottle of mineral water.

Where did the photos come from?

Someone found that in the "Healthcare" applet, entering a name and ID number was enough to retrieve the designated person's Healthbao photo, with no face recognition step required.

▲ Face photos of celebrities are packaged for sale. Picture from: Red Star News

According to the official introduction, the "Healthcare" applet is a digital information service tool launched by the Beijing Big Data Center based on Beijing's epidemic prevention data and the relevant functions of the national government service platform.

Over the past year, the discussion about whether face recognition is safe has shifted: people have moved from asking "Is face recognition technology safe?" to asking "Is the storage and use of face recognition data safe?"

The popularity of face recognition is beyond imagination

Face recognition technology has penetrated into all aspects of our lives, and its popularity is beyond imagination.

In April of this year, the community's security guard stopped me at the gate and said apologetically: "There are regulations in the community that you can only enter by face recognition. Please record the facial data on the spot."

I thought it was unreasonable, so I refused. More and more people refused as I did, and gradually the gate of the community was blocked. Amid everyone's protests, security finally let the residents into the community.

When I returned home and turned on my mobile phone, I found that the community's owners' group chat had exploded. Many people were complaining about the property company.

Talking about safety management is basically an excuse. Face recognition is just a way to collect data. The door is opened by swiping a person's face. Those who want to enter the community still enter the community. What is the difference from an access card?!

The response from the property staff in the group was: "(This is for) the prevention and control of the epidemic. You can identify who is entering and leaving the community by swiping your face, and it is also for the good of everyone."

However, during the epidemic, everyone was wearing masks. A crowd of people taking off their masks for face recognition and bunching up at the gate in close contact: doesn't this increase the risk?

Faced with the pointed questions everyone posted in the group, the staff never responded.

▲ A security guard in a community in Wuhan is demonstrating the face recognition access control function. Picture from: Chutian Metropolis Daily

Aifaner found that as early as September 2019 there were news reports of residents in the Qingshan District of Wuhan City questioning facial recognition access control, and the residents said that the system had started operating 3 months earlier. Clearly, the claim that the switch to face recognition access control was made for the prevention and control of the epidemic is untenable.

Beyond community access control, face recognition has long been "blooming everywhere". It appears in health code applets, facial payment, banking, the sale of commercial housing, and other areas closely tied to daily life.

How much is your face worth? It may be several hundred thousand yuan.

It has become an open secret that people wear helmets when going to a sales center to view a home. Many sales centers have installed cameras with facial recognition functions to record the facial data of each visiting customer. A customer who has visited many times is taken to be a high-intention customer: "a suite can be sold to them for hundreds of thousands of dollars."

Everyone jokes about how surreal the helmets are, but one thing gets forgotten: where does the collected facial data go? Has it already been shared among various real estate developers?

Is facial recognition data safe?

The public discussion changed from "whether face recognition technology is safe" to "whether the storage and use of face recognition data is safe" because face data leaks have occurred more than once.

A few days ago, 2 yuan was enough to buy 70 self-portrait face photos of popular celebrities. Yet from the incident itself to the response of the company involved, almost no one asked whether the photos of ordinary people, the vast majority, had been leaked as well.

What is worrying is that some portrait photos taken by the front camera of a mobile phone have 3D depth information. As long as you get the original image, you can view the depth information with a normal app.

▲ This selfie not only has the depth information of my face, but also the precise positioning information

Three months ago, a vulnerability in the Sichuan Renshe app was exposed. If a user's mobile phone is lost, criminals can take out its SIM card and use the Sichuan Renshe app to obtain the ID card information, the face credential photo, and the bank card in the social security financial card of the person tied to that mobile phone number. They can then use this information to apply for various small loans or top up virtual cards, and disappear after cashing out.

▲ Vulnerability diagram made by netizens on V2EX. Picture from: V2EX

In January 2019, a popular app called Twinning appeared in the United States. Users only need to upload a face photo to find the celebrity with the most similar appearance through face recognition.

Someone found the cloud server address directly in the code of Twinning's official website. After connecting to it, they could see the stream of face photos uploaded by users in real time. After the leak occurred, many people's face photos could be found directly on Google.

Cracking face recognition is not difficult

In fact, professional hackers can crack facial recognition in as little as 150 seconds, and even elementary school students can do it.

In the 2017 Superb Carnival Competition, tyy, a post-90s female hacker who graduated from the Department of Computer Science of Zhejiang University, cracked an access control system that used face recognition within 150 seconds by exploiting a device vulnerability.

In October 2019, a group of elementary school students discovered that they could easily open a Fengchao express cabinet just by holding up a printed face photo. Afterwards, Fengchao immediately stated that the feature would not be launched again until the technology was perfected.

However, Wang Jinqiao, a researcher at the Institute of Automation of the Chinese Academy of Sciences, said that the cost of finding a suitable person, understanding his account information, and modeling attacks is very high.

For example, to open a Fengchao express cabinet with a face photo, the attacker needs to obtain a photo of a person, figure out when that person made an online purchase, know the delivery time, and know which express cabinet the parcel was placed in. The illicit gain is nothing more than stealing a parcel worth tens of yuan.

Compared with the targeted cracking of a single individual, we should pay more attention to the large-scale leakage of face recognition data during collection, storage, and use. The companies behind it can work out your living habits, browsing preferences, economic level, and social relationships clearly, and combined with large-scale facial data, this may be put to shady use. This is where supervision currently needs to be strengthened.

It’s not hard to crack, but it’s hard to defend rights

It only takes 150 seconds to crack, but the road to rights protection is difficult.

According to a report in "People", in March 2020 Lao Dongyan, a professor at Tsinghua University Law School, after discovering that the community had enabled face recognition access control, wrote a detailed legal opinion pointing out that the community's collection behavior was contrary to the current legal framework, and sent it to the property management and the neighborhood committee.

▲ Hangzhou residents wear masks and scan their faces to enter the community. The system can accurately identify the residents even when they are wearing masks. Image from: People (public account)

After a lengthy mediation, the street office finally gave three alternatives: swiping the access card, ID card registration, and using the mobile app.

Lao Dongyan said that if the biometric information is obtained by others, they may use your face combined with your ID card information to log in to your bank account, transfer the money in the account, enter the workplace, community, or residential compound that you are meant to enter, or, to disgust you, swap your face into an obscene video. These risks are most relevant to the daily lives of residents. Moreover, once biological information such as human faces and fingerprints is leaked, it cannot be changed and no relief can be obtained. You may be exposed to such risks forever.

Lao Dongyan believes that "human face" rights protection is very special, because the information on the Internet is endless.

Even if the public security organ catches the criminal, it just keeps him in jail. If your information is leaked, it is leaked. It has been sold on to the next buyer, and that buyer may sell it on to yet another. It is out of control and you cannot restore it to the original state… Data is not the same as property, and data is shared. It is exclusive. On the issue of data, collection without notice is of course harmful, but even with the consent of the party as the data subject, is it possible to use his corresponding personal data at will? Certainly not.

Where is the source of the face data breach?

When I was at another company a few years ago, I was involved in some bidding work. I represented the company in negotiations with the relevant departments to build some products for the locality that required facial recognition.

During the negotiations, the other party was more concerned about the cost structure, when the product would go online, whether it could go online before a certain date to fit in with the publicity work, and what the annual operation and maintenance price would be later on. No one ever asked how the face data would be stored after it was collected, or whether it would leak.

▲ Most livelihood service projects need to verify the face, and most of these livelihood service projects are undertaken by Internet companies for technical development and later operation and maintenance.

This is not to blame them for their ignorance of data. As the saying goes, they do not understand big data, just as we do not understand their work.

If there is a leakage of face data, based on my limited experience, there is a greater chance of errors in the "outsourcing" link.

The project went online smoothly, and the publicity work was in place. It works fine for everyone who uses it. No one cares about whether the facial data will be leaked. Some sensitive and private data is in a state of "streaking": people with a little bit of technical knowledge can crawl it. After a year of operation, I don't know how many times it has been saved, and it is put on the dark web and sold as a package. —— a project leader

What's more, some companies don't hesitate to lose money or even pay out of pocket to win projects. The purpose is not to make money on the project, but to take the opportunity to collect extremely sensitive big data, such as face and fingerprint data.

Therefore, strong supervision of companies that collect and store big data is the key to preventing citizens' private data from leaking.

Big data regulation is imminent

In recent years, various localities have issued regulations on the management of big data, the National Cyberspace Administration of China has released the "Data Security Management Measures (Draft for Comment)" for public comment, and the state has also issued the "Personal Information Protection Law (Draft)". We are very pleased to see that citizen data is getting more and more attention.

The relevant regulations clearly stipulate how citizens' big data is to be collected, sorted, preserved, and used, which is very significant progress.

At the same time, I also have some concerns. At present, the collection, storage, and use of big data depend mainly on the self-discipline of the companies involved. With no top-level national technical team supervising the specific collection methods, storage locations, and usage rights, and no controlled "big database" serving as a checkpoint (for example, collection, storage, and use would need to apply for permission from this database, and the scope of use would be strictly limited, etc.), there may be some loopholes that can be exploited.

Facial data is not as simple as some people say, "I'm an ordinary person, I just use it." When large-scale facial data is illegally used, whoever controls the big data can even fabricate on the Internet a group of non-existent but "living" people, which will bring more dangerous challenges to the real world.

As Lao Dongyan, a professor at Tsinghua University School of Law, said in an interview with People:

Whether personal information is worth protecting does not depend on whether this information involves privacy, but on whether you can be identified through this information. If a specific natural person can be identified through certain information or in combination with other information, such information is protected by law. This time the "Civil Code" also stipulates the rights of personal information in addition to the right to privacy. Anonymity is the foundation of modern society. You don't want all your actions to be permanently recorded without omission and exposed to everyone. Otherwise, you may find that anywhere, there may be one eye always staring at you. You lose your freedom because of this, and you don't necessarily feel safe.

Remarks: The views of Professor Lao Dongyan, Tsinghua University Law School, are quoted from the "People" public account article "Stuck in Face Recognition".

Ai Faner