A Chinese facial-recognition database with information on thousands of children was stored without protection on the internet, a researcher discovered, raising questions about school surveillance and cybersecurity in China.
The cache was connected to a surveillance system labeled “Safe School Shield” and contained facial-identification and location data, according to Victor Gevers, a researcher at the Dutch nonprofit GDI Foundation, which scans the internet for vulnerabilities and flags them to owners for fixing.
In China, where personal data from leaks is often sold on the black market, such neglect could put minors in danger.
Mr. Gevers said the data covered 23 schools and companies in southwestern Sichuan province and neighboring Gansu province. Out of the 20 schools, about half were in areas with large populations of Tibetans and other minority groups. The Sichuan Education Ministry didn’t reply to a request for comment.
“The database was open and publicly searchable, making it a prime target for criminal groups,” said Mr. Gevers, who based in the Netherlands.
Mr. Gevers said he sent a warning email to Alibaba Group Holding Ltd. about the database, which was hosted on a cloud service run by the company, and reported his discovery on social media. The platform’s unidentified administrator then secured the information, he said.
The 1.3 million pieces of information in the database appeared to have been gathered over a period of 10 days, Mr. Gevers said. The platform had been visible on search engines popular among cybersecurity researchers and developers since mid-December, he said. A cyber attacker could have created an administrative account that would give it access to the system even after it was secured, he added.
Mr. Gevers said he wasn’t able to discover the administrator in charge of the database, which is hosted on Alibaba’s servers by a third-party, according to a person familiar with the matter. While government surveillance is broadly accepted, the use of facial recognition and other types of tracking technologies in schools has proven a flashpoint for the country’s nascent privacy movement.
In September, news of a school in the eastern China city of Nanjing that employed face-scanning technology to make sure students were paying attention in class sparked a flurry of criticism on social media. That same month, the Ministry of Education’s top official in charge of technology took aim at the use by schools of third-party apps that collect sensitive information on students.
“The collection of data should be limited to the minimum amount necessary,” the official, Lei Chaozi, said. “We strictly forbid any collection of biometric data.”
Mr. Gevers and his team said they have uncovered several unsecured surveillance databases located in China. In March 2019, they found one that contained detailed information on the identities and movements of 2.5 million people in the far-Western Chinese region of Xinjiang, where China’s ruling Communist Party has built a sprawling surveillance state to track and control the area’s 14 million Muslims.
Digital surveillance in China falls particularly hard on Tibetans and Xinjiang’s Muslim Uighurs, two minority groups that are subject to intense police scrutiny, according to Maya Wong, a senior researcher at Human Rights Watch in Hong Kong. The Communist Party has long been threatened by Independence movements in both Tibet and Xinjiang.
“The two groups are defined as ‘people of interest’ along with major criminals, those involved with drugs and terrorism and people on the wanted list,” she added.
Of the roughly two dozen entities connected to the most recent database GDI uncovered, 20 were schools located in southwestern China’s Sichuan province, and the rest were companies in Sichuan and neighboring Gansu province, according to Wall Street Journal research. Slightly less than half of the schools were located in areas dominated by Tibetans or other minority groups.
One collection in the database was made up of high-resolution passport-style photos of students dressed in uniforms, standing against a green backdrop and holding cards in front of them bearing their names, according to screenshots Mr. Gevers shared with the Journal. The platform also collected student location information, as well as the names and mobile phone numbers of parents, the researcher said.
As the government and companies adopt facial-recognition technology for use in everything from airport security to mobile payments, citizen concern about its proliferation around China is growing. In a survey of more than 6,000 Chinese people conducted by the Nandu Personal Information Protection Research Center in December, a majority said they felt facial recognition made society safer but more than 40% said they worried about the potential for data leaks.
In Hangzhou, a university professor sued a wildlife park for requiring members to register their faces as part of a new membership identification system. Chinese lawmakers are pushing for better regulation to protect personal data but for now the rules lack enough bite to be effective, said He Yuan, an associate professor at Shanghai Jiaotong University’s law school.
“With data security, the risks are particularly high with small-sized enterprises who may take risks but are reluctant to bear compliance costs or invest in the hardware and software needed to secure their systems,” Mr. He said.