July 5, 2022
While giving full play to the many advantages of high-efficiency, fast and intelligent face recognition, it also fills in the shortcomings of "security".
On April 22, the draft of the national standard "Information Security Technology Face Recognition Data Security Requirements" was formally open to the public for comments. The national standard to be promulgated this time also reflects and refines the provisions related to face recognition in the draft "Personal Information Protection Law".
The national standard requires that the data subject's explicit consent should be obtained when collecting face recognition data, and the face recognition data must not be used to evaluate or predict the work performance, economic status, health status, preferences, interests, etc. of the data subject.
At the same time, other identification methods other than face recognition should be provided for users to choose. In addition, technical qualification thresholds have been put forward for developers who perform face recognition, requiring them to have corresponding data security protection and personal information protection capabilities to prevent face recognition from being illegally cracked by "live photos".
In response to the chaos of face recognition abuse in the current market, the introduction of this national standard is expected to intervene in targeted supervision from the collection, storage, and use of face recognition data. At the same time, it will also provide attention to face recognition technology providers and users. The scope of responsibility is also planned, which can further regulate the application of face recognition technology.
Three main scenarios of face recognition technology application
In order to better guide data controllers (that is, organizations or individuals capable of determining the purpose and method of face recognition data processing) to collect and use face recognition data in a standardized manner, the draft opinion document summarizes the three aspects related to face image processing. Class scenes, including:
a) Face verification: Compare the collected face recognition data with the stored face recognition data of a specific natural person (1:1 comparison) to confirm whether the specific natural person is its declared identity. Typical applications include ID comparison at airports and railway stations, face unlocking of mobile smart terminals, etc.
b) Face recognition: Compare the collected face recognition data with the stored face recognition data in the specified range (1:N comparison) to identify a specific natural person. Typical applications include park entry, residential area access control, etc.
c) Face analysis: It does not carry out face verification or face recognition, and only performs statistics, detection or feature analysis on the collected face images. Typical applications include traffic statistics in public places, body temperature detection, picture beautification, etc.
In the application scenarios of these three types of face recognition, face verification is mainly based on the application of human proof verification, so the consent and authorization of the person being collected are basically obtained in an explicit way. At the same time, face verification is mainly used in the field of public security and law and first-level public places such as airports and stations. The security level of related face recognition equipment and platform systems is relatively highest.
Face recognition is mainly aimed at the face application scenarios of 1:N comparison, and is widely used in public places such as parks, parks, scenic spots, communities, and office buildings. However, due to the mix of purchased equipment and system platform brands, and the lack of targeted data security supervision, the security risks of face recognition systems in these scenarios are more worthy of attention.
The defendant in the first case of facial recognition in China is conveniently the scenic spot (zoo), and after the lawsuit on the face recognition system of the scenic spot, Hangzhou, Sichuan and other places have successively revised the property management regulations, clarifying that the property service person shall not force the owner to pass the fingerprint , Face recognition and other biological information methods use shared facilities and equipment. This also means that scenic spots and communities have started a tightening trend in the application of face recognition systems.
Judging from the content of the draft document, the standard emphasizes that the face recognition application of 1:N comparison should follow the basic security requirements, security processing requirements and security management requirements of the face recognition data proposed in the document.
For example, when carrying out face recognition, it should be carried out in a non-face recognition method that is significantly less safe or convenient than a face recognition method, and the face recognition data should not be used for purposes other than identity recognition. This regulation will effectively crack down on businesses similar to those exposed on March 15 this year that use facial recognition to classify customers. With the proposed promulgation of the above-mentioned national standards, the 1:N face comparison application may usher in the most stringent supervision.
Face recognition has been "popular" for many years, and more and more online applications, access control in public places, and barriers have been unknowingly replaced by face verification and face access methods. The general public as the collected party is also Invisibly involved in this "sense of science and technology" lifestyle.
Today, as consumers, owners, and customers, personal subjects are gradually awakening their security awareness about face privacy. The introduction of relevant standards for face recognition information security is expected to further enhance the general public’s ability to say “no” to face recognition. courage. And its more important significance is to better help various application fields to safely carry out face recognition data-related business, while giving full play to the many advantages of face recognition in terms of efficiency, speed, and intelligence, it also complements the shortcomings of "security". board.
