Hundreds of thousands of surveillance cameras throughout China have been hoovering up facial recognition data without notifying the people attached to the faces. Now, the companies behind the tech are finally under the microscope after a blistering recent exposé — one carried by a major mouthpiece for Beijing, the same government known for its own untrammeled intrusions into private life.
On March 15, China Central Television broadcast its annual consumer rights gala, a long-running annual special that has uncovered many high-level consumer frauds. One segment revealed that facial recognition security cameras located at chain stores nationwide have been picking up shoppers' personal information without their knowledge or consent. The revelations ignited a furious backlash against the companies. "Two characters," went one popular online comment about the findings: "wu chi (无耻)," meaning "shameless." It's another instance of grassroots pushback against surveillance tech in China, a global leader in surveillance research as well as in deployment.
The central irony went unremarked: that Beijing has become both the critic and perpetrator of mass surveillance.
Caught in the act
In the 10-minute investigative segment, undercover reporters talked to surveillance camera providers who proudly exhibited the power of their facial recognition systems. Within seconds of encountering a shopper, cameras installed in retail stores could recognize and document that person's, age, ethnicity and even emotional state. The cameras also successfully identified return customers, allowing sellers to call up purchase histories in real time.
Such technologies have been branded "VIP customer identification," promising to use facial recognition to help retailers identify their frequent clients in order to serve them better. In fact, the cameras collect and store information from everyone who's ever stepped in a store, regardless of status.
The website of Ovopark, one of the firms exposed for selling surveillance cameras and software, once proudly noted that this technology had been sold to retailers including international brands Kohler and MaxMara, both of which have operations in China. (That assertion was no longer posted as of Monday, the day the CCTV take-down aired.) In a blog post published in November 2020, Ovopark, a Suzhou-based startup founded in 2014 that raised $12 million in its series B round last May, said its cameras work covertly in situations where customers wouldn't want their biometric data to be collected. It gave the example of a real estate sales office. "Customers there will never agree to have their facial recognition data collected, so [we offer] Facial Recognition Technology for Non-Cooperative Individuals at a Distance, designed for commercial environments," the blog post reads. Ovopark has since published a vague statement on its website saying the company is investigating the issues the investigation raised.
Kohler also released a statement saying it has ordered the immediate removal of all surveillance cameras from its stores in China. Kohler and retailer MaxMara separately claimed they used the cameras only to count customer traffic.
It's an open question how much CCTV's latest exposé will change corporate behavior. The surveillance industry is thriving in China, which combines abundant engineering talent with a relatively lax environment for deployment. According to data analytics firm Qichacha, over 7,000 companies in China provide services or equipment related to facial recognition.
Some of China's AI unicorns are getting in on the action. CloudWalk, one of China's "four AI dragons," currently seeking approval for a domestic IPO, said in a Sep. 2018 press release that it was helping equip several prominent shopping malls with tech that performed functions similar to Ovopark's. Cloudwalk boasted of an innovative way of obtaining facial recognition data: by prompting customers to participate in "face swaps" and "celebrity look-alike" games to capture their faces, then asking for their phone numbers in exchange for cash incentives.
Big brother Beijing
Private companies haven't vaulted China to its leading status in facial recognition tech by themselves. National tech policies and standards have encouraged its research and commercial implementation since 2015. In a 2017 blueprint to "facilitate the development of next-generation AI industry," China's Ministry of Industry and Information Technology said that by 2020 it aimed to support recognition that would work on "people from different regions" and achieve recall rates of 97% and recognition rates of 90% "under complex/dynamic conditions."
Crucially, China's state surveillance projects have also offered industrial applications for technologies once only used in labs. "Sharp Eyes," a controversial nationwide program that aimed to cover all of China's public spaces with public safety cameras by 2020, has been a boon for the surveillance tech industry. "'Sharp Eyes' facilitated the exponential growth of the video surveillance market as part of the larger security industry," Beijing-based think tank EqualOcean wrote in a market analysis. "It has significantly stimulated demand for high-resolution cameras, facial recognition cameras and other video surveillance equipment."
While such projects are often officially for public safety purposes, they're frequently abused to infringe on individual privacy. For example, surveillance cameras have become ubiquitous in the western region of Xinjiang to monitor and suppress ethnic minorities, including Uyghurs and Kazakhs.
Hints of a movement
Given the consequences for political dissent, it's risky for Chinese people to speak out against state-sponsored or state-imposed surveillance projects. But pro-privacy sentiment is still gathering steam. In a 2019 public survey conducted by a Chinese think tank, over 70% of respondents said they worried about their facial recognition data being leaked. Over 40% said the use of these technologies should be limited in certain situations.
Most ire at privacy violations is directed towards private companies. In 2019, a law professor in the tech-friendly city of Hangzhou sued a local zoo for forcing him to submit facial recognition data to gain access. He later won the case, widely regarded as the first facial recognition lawsuit in China. There are regular conversations on social media about the ubiquitousness and invasiveness of surveillance cameras.
CCTV's exposé shows the state is well aware of these societal concerns. Beijing genuinely concerned with privacy abuses and happy to crack down on them — when the private sector is the perpetrator. In 2020, China's Ministry of Industry and Information Technology tested 520,000 mobile apps for their privacy protection practices, according to the minister. Many popular apps owned by China's Big Tech, including Tencent and JD, were ordered to make changes.
But the state has been quiet about how it uses the surveillance tech the private sector has developed for its own purposes. CCTV didn't say whether facial recognition cameras or similar equipment were being deployed by government actors.
Regulation is here to help, sometimes
A new law likely to be passed in 2021 will help government further regulate the commercial uses of facial recognition. Article 27 of the draft Personal Information Protection Law states that "image collection or personal identity recognition equipment" shall only be installed in public venues "as required to safeguard public security and observe relevant State regulations," adding that "clear indicating signs shall be installed."
A major question for now is what constitutes a "public venue."
"Even though [shopping malls] may be privately owned, you've got the general public running in and out. It's not like it's a private club or a person's house," Jamie Horsley, a visiting lecturer at Yale Law School and an expert on Chinese administrative law, told Protocol. She pointed to 2016 regulation that includes "malls (shops), bookstores" and many more retail spaces to the definition of "public venues."
The draft law, Horsley said, primarily regulates private companies, not governments. Under the new rules, facial recognition can still be deployed for public security purposes and when required by "relevant regulations." That allows authorities to keep their police surveillance projects.
There is a provision in the law that restricts government use of facial recognition as well. But actually enforcing it will be difficult. Chinese courts lack judicial independence and rarely accept cases brought against the state.
Regardless, the forthcoming rules, which adopt provisions from existing privacy laws around the world, could be the beginning to the end of China's facial recognition free-for-all. "The government is very interested in social stability, and so they recognize that how they handle personal data ... is now an issue at the forefront of people's minds," Horsley said. "[Even] if you are a powerful government agency."
Clarification: This article has been updated to clarify comments made by Yale Law School lecturer Jamie Horsley.
