Like just about anything on the Internet, biometric surveillance systems are eminently hackable as well as prone to human error.
As previously reported on Naked Capitalism, biometric surveillance systems, a common trope in dystopian novels, are being hastily rolled out across the West, with next to no public debate. That, of course, is for an obvious reason: if an open, informed debate on the pros and cons of biometric surveillance systems were actually allowed, the public would overwhelmingly reject them. Which is why these systems are increasingly encroaching into our lives under the radar, with limited public knowledge or understanding.
However, a recent incident in China has underscored the potential vulnerability of biometric data storage systems. As TechCrunch reported on Tuesday, a Hangzhou-based tech company called Xinai Electronics left a huge cache of data containing 800 million records, including millions of faces, vehicle license plates and resident ID numbers, exposed to public view and access for months on end:
The company builds systems for controlling access for people and vehicles to workplaces, schools, construction sites and parking garages across China. Its website touts its use of facial recognition for a range of purposes beyond building access, including personnel management, like payroll, monitoring employee attendance and performance, while its cloud-based vehicle license plate recognition system allows drivers to pay for parking in unattended garages that are managed by staff remotely.
It’s through a vast network of cameras that Xinai has amassed millions of face prints and license plates, which its website claims are “securely stored” on its servers.
But it wasn’t.
Security researcher Anurag Sen found the company’s exposed database on an Alibaba-hosted server in China and asked for TechCrunch’s help in reporting the security lapse to Xinai.
Sen said the database contained an alarming amount of information that was rapidly growing by the day and included hundreds of millions of records and full web addresses of image files hosted on several domains owned by Xinai. But neither the database nor the hosted image files were protected by passwords and could be accessed from the web browser by anyone who knew where to look.
The database included links to high-resolution photos of faces, including construction workers entering building sites and office visitors checking in and other personal information, such as the person’s name, age and sex, along with resident ID numbers, which are China’s answer to national identity cards. The database also had records of vehicle license plates collected by Xinai cameras in parking garages, driveways and other office entry points.
TechCrunch says it contacted the company on numerous occasions to warn it about the exposed database, yet its emails were never returned. The database was publicly accessible for at least several months before finally being taken down in mid-August. But that was only after a data extortionist claimed to have stolen the contents of the database. If true, the implications are dire. Given the innate uniqueness of biometric data, if it is hacked, there is no way of undoing the damage. You cannot change or cancel your face, iris, fingerprint, or DNA like you can change a password or cancel your credit card.
The Growth of Biometric Surveillance in the West
Meanwhile, at the opposite end of the Eurasian landmass, the EU is assembling a gargantuan facial recognition system, by allowing, for the first time ever, police forces across the EU to link their photo databases. Brussels is also about to launch an automated Entry/Exit System (EES) to register travelers from third countries. The system will register the traveler’s name, type of travel document, biometric data (fingerprints and captured facial images), as well as the date and place of entry and exit.
The UK and the US are also investing heavily in facial recognition technologies, despite fierce opposition from civil liberties groups…
Read the full article on Naked Capitalism