In the age of technology, surveillance cameras, and facial recognition technologies, it is easy to be anxious about being watched by different forces – may it be the governments, the police, or corporations. The rise of facial recognition technology has opened discussion relating to someone’s right to privacy and how the technology can be used against private citizens by people or organizations with abusive intents.
Nonetheless, as the world focuses on government-chartered facial recognition efforts, there is a private company in China that has been running a facial recognition system that tracks people in the streets, and it appears to be unregulated, and some argue that it is illegal.
The facial recognition system was built by a company named北京图铭视界科技有限公司 (Beijing Photo Ming Vision Technology Co., Ltd) and had been operating in Beijing and the province of Henan. The system was discovered by a tech researcher named Victor Gevers from GDI Foundation and found out that the company has been hosting the data in unsecured databases all over the internet.
Gevers, who has been responsible for disclosing numerous unprotected databases that he has found online, said in a tweet that the system is named as 图铭人像大数据平台 (Figure Portrait of the Big Data Platform). The tech experts discovered the questionable facial recognition system after researching unprotected databases from China.
According to Victor Gevers, the facial recognition platform “uses an unsecured Elasticsearch, MongoDB & Tiandy network cameras with default credentials connected to the internet.” He also added that the system had been connected to the internet since December 2018. This could mean that the facial recognition data generated by the facial recognition system that the company has built was open to the public for the last six months.
“Behind one IP address, multiple services were running from different vendors,” Gevers noted suggesting that all the data from the three database hosting platforms were connected to one single entity that the researcher was later able to identify as the 北京图铭视界科技有限公司 (Beijing Photo Ming Vision Technology Co., Ltd). The tech expert warns that the system was able to detect faces of people even if they are wearing something that covers their facial features like hats.
“It detects if people are wearing hats, beards, and [sun]glasses,” he added.
Another interesting discovery in the facial recognition system is that it was able to detect vital information of people including their ethnicities. In the database, one particular ethnicity was listed called 维族 (Uyghur). While the researcher was able to provide proof of his discovery, one specific Twitter user in the comments questioned why Gevers was only disclosing that the system is explicitly targeting the Uyghurs and not other ethnicity.
Nonetheless, the tech expert said that the identity of who is responsible for the implementation of the facial recognition system but all the databases he found to point to a single one IP address. No information of who this IP address belongs to. While he disclosed the company that developed the system, he clarified that it is possible that the one implementing the system now could be a different company altogether.
In the past, Gevers was also responsible for disclosing other Chinese databases that could potentially put citizens’ privacy in harm’s way. A few months ago, he revealed that a database exists in China through a MongoDB that includes the private and identifiable information of Chinese women including their names, phone numbers, addresses, and “breed ready” status. Following an investigation by his team, they were able to confirm that the database was owned by a university that only accidentally uploaded the database only due to ISP problems.
Gevers also previously disclosed a database that included the transaction information of millions of Alipay’s, a financial service company based in China, users. The disclosure opened the conversation on whether financial institutions and service providers are selling their users’ transaction data to third parties. The allegation was later denied by Alipay to Z6Mag saying that they are not selling the data to anyone, and one possible reason that a third party holds a copy of their users’ transaction information is that those data were personally given up by the users themselves as a requirement for an online loan service that they are applying for. /apr