Researchers find biometric, biographical and location data of thousands of China’s school children unprotected online
A database of Chinese school children’s faces and their locations on Alibaba Group Holding Ltd. servers has been found online unprotected.
According to a Wall Street Journal article, the database of thousands of students collected by Safe School Shield, a surveillance system, involved 23 schools in Sichuan province. A Netherlands-based nonprofit, GDI Foundation, which seeks Internet vulnerabilities so they can be fixed, made the discovery.
An unnamed third-party cloud service hosted on Alibaba servers had the files. Along with facial biometrics and location information, the database holds student names as well as the names and mobile telephone numbers of students’ parents.
The article says that the cache — 1.3 million bits of information — has since been secured by Alibaba, however, a criminal could have created an administrative account to retain access after it was secured.
In fact, the data had been gathered over 10 days, and the database was available via search engines used by cybersecurity developers and researchers for about a month.
Chinese residents largely favor the use of facial recognition by the government, saying it makes them safer. A surveillance state has been created in the Xinjiang region, home to 14 million Muslims, a minority in China that government officials would like to see stripped of its cultural independence.
But the Journal quoted a survey by the Nandu Personal Information Protection Research Center that shows 40 percent of respondents feel the potential for leaks was a concern.
That is a relatively mild reaction out of China, which is known for numerous domestic cybercrimes involving the theft and sale of personal information. This might be changing, however.
The article recounts the local social-media unrest raised after it was revealed that a Nanjing school had used face-scanning systems to monitor which students were paying attention.
And last spring, Chinese police put 32 people in jail — after detaining more than 50 — as part of a three-year investigation into the stealing and trading of 39 million bits of personal data.
Those jailed allegedly were part of a nationwide gang trafficking in stolen information, according to the South China Morning Post. Data was gotten from hacking personal computers as well as local government offices.
Measures are being taken in China to better protect private information stored online. In June 2017, the nation enacted the Cyber Security Law, China’s first attempt at comprehensive regulation of data.
It is a complex statute full of standards, guidance and rules, and it is still being interpreted and changed through drafts of various sections. The question is, can a government that so enthusiastically deploys surveillance systems against its own population effectively regulate its semi-private business sector?