Why Chinese tech giants want rules on facial recognition
By Yu Jing, Wang Yan

Over 20 tech companies in China kick-started the development of the first national standard for facial recognition technology on Wednesday, signaling the country's resolve to regulate the increasingly widespread use of the technology across industries.

Led by Chinese artificial intelligence company SenseTime, the group working on a draft standard includes Chinese tech giants Tencent and Ant Financial. In an announcement, SenseTime said the wide application of facial recognition technology "has led to a series of problems including identity theft and security risks due to a lack of regulation in the collection, storage and processing of facial data."

Facial recognition has been used widely across China, powering the technology to unlock iPhones, go through security checks at airports, and purchase goods with a "smile to pay" at the store. At its core, it is a biometric software application capable of verifying or identifying a person by comparing and analyzing patterns on facial images.

Contrary to conventional belief that Chinese consumers are not sensitive to the protection of privacy, public awareness on the issue seems to be on the rise. A recent lawsuit filed by a law professor in eastern China's Zhejiang province, dubbed China's first lawsuit against the application of facial recognition technology, sparked national debate. The professor sued a wildlife park for requiring the collection of facial data without asking for permission from customers. 

Machines at a supermarket in China that allow consumers to pay by scanning their faces. /VCG Photo

Machines at a supermarket in China that allow consumers to pay by scanning their faces. /VCG Photo

"Physical characteristics including facial features and fingerprints, are some of the most important identifiers for individuals. Unlike our ID which can be modified, our biometric information stays permanent for life," said Zhang Xin, associate professor and assistant dean at the School of Law of the University of International Business and Economics, in an interview with CGTN.

Since the security risk associated with a breach of biometric information is very high, a legal framework that regulates the collection, use, storage and transmission of biometric information is much needed, she added.

At the core of the legal controversies surrounding facial recognition is the issue of consent. Though China does not have regulations specifically on facial recognition, the China Cyber Security Law, which came into effect in 2017, requires that personal information can only be collected when individuals are informed and agree to the aims and scope of the collection.

While it is easy to design the consent mechanism for unlocking an iPhone, it is hard to send notices and obtain consent from consumers in situations where facial data needs to be captured from potentially large numbers of people in the public sphere, Shen Weiwei, associate professor of China University of Political Science and Law, told CGTN.

A display shows a vehicle and person recognition system for law enforcement in Washington, DC. /VCG Photo

A display shows a vehicle and person recognition system for law enforcement in Washington, DC. /VCG Photo

Given the wide availability of facial recognition, consent should be a context-specific requirement since "customers have the awareness that they trade some part of their privacy for greater convenience," he said. For example, in photo-enhancing applications, or smart license plate recognition systems, it is obvious that our images are captured in order to access the service.

Though the issue of consent is at the core of the debate, experts say the bigger problem lies in the regulation over data collectors. 

"The consent mechanism is an essential part of consumer protection, but it cannot be the only basis for protection," said Lao Dongyan, an associate law professor at Tsinghua University, at a recent panel discussion hosted by the Hongfan Institute of Legal and Economic Studies. The responsibility to ensure data security should be shifted to the data collector, instead of relying on the vigilance from customers.

There is usually an agreement on data-sharing between traditional companies using the facial recognition technology, e.g. retailers, and AI companies, said Alice Xiang, a research scientist at the Partnership on AI, an NGO committed to researching best practices in AI based in San Francisco. With a big collection of data as training tools, the facial recognition algorithm can be trained to better recognize patterns or traits.

Facial recognition is used as part of the school entrance system at Peking University. /VCG Photo

Facial recognition is used as part of the school entrance system at Peking University. /VCG Photo

AI companies might directly use the data traditional companies collected from customers to train their algorithm, but they may also turn to professional data source companies. Megvii, the AI company known for its core facial recognition product Face++, said the company primarily purchases data from third-party professional data sources for the purpose of training algorithms.

For customers and end-users that buy solutions from Megvii, all data is stored at clients' local servers, and Megvii does not have access to, and does not seek to access to, any personally identifiable information, Megvii added.

Tech giants in the field like SenseTime are using their financial leverage to raise the awareness of data privacy. SenseTime told CGTN in a written response that they have an ethics board committed to ensuring it operates ethically, affirming that it only works with camera companies that can demonstrate they are applying their solution ethically and in line with its values. 

Chinese companies are now leading the field of facial recognition globally. In an annual facial recognition accuracy competition run by the U.S. National Institute of Standards and Technology, Chinese companies consistently rank among the top performers. In one of the main tests where algorithms are asked to detect when two photos show the same face, three Chinese AI companies performed among the top ten – Yitu Technology, SenseTime and Megvii.

Facial recognition is used to identify jaywalkers at this intersection. /VCG Photo

Facial recognition is used to identify jaywalkers at this intersection. /VCG Photo

Tech companies are now addressing security risks with more advanced technology like federated learning that can train the algorithm without directly accessing the data the company collects. There are also discussions in the U.S. about enabling "biometric blockchain" where personal identifiable information is turned into a unique and random string of numbers.

"To use more advanced technology to prevent security breach is more in line with the trend of technological development," said Shen Weiwei, associate professor of China University of Political Science and Law. "Since legislation usually takes a long time, industry-wide regulations are more likely to play a major role." 

But in the longer term, given that there is a large power and information asymmetry between customers and companies, it is also necessary to have audit and accountability policies and procedures that ensure companies stay accountable, in addition to self-regulation in the industry, Zhang Xin from the University of International Business and Economics emphasized. 

The establishment of the national-level working group to set the standard for facial recognition in China is a first step forward.