On December 1st, a Chinese regulation took effect requiring each person to have a facial scan when signing up for a new mobile phone. If you were not aware of this regulation, your initial reaction, like mine, could be that this is an infringement of privacy rights. After all, why does any government need to capture my face in relation to my desire to have a mobile phone?
According to a BBC News article, the Chinese government has stated that it wants to “protect the legitimate rights and interests of citizens in cyberspace”. When you combine the tracking of a person’s location through a mobile device with facial scanning and recognition, privacy advocates may have a point.
But let’s step back for a moment. The world is making an assumption that the data gained from the facial scan will be used in an inappropriate way, and maybe they are right. However, we should remember that it’s not technology that causes privacy issues – it’s the way technology gets used that can give cause for concern.
What issues would face scanning/recognition attached to a mobile device resolve in my world as a consumer, and would it make the incursion into my privacy acceptable if used correctly?
Phones as authenticators
Smartphones have morphed into identity authenticators. Think for a moment about all the applications and services where you receive a code through SMS or via an app to validate that you are the person you claim to be. Step into a bank and ask for an increased ATM limit and they will send a code to your mobile at the counter to validate that you are the person you claim to be. This raises the question of whether strong authentication is needed when subscribing to a mobile phone service, in order to ensure that the authenticator belongs to the real person.
At the initial subscription of the service the issue may not be that apparent, but what about maintenance or changes to the subscription? Or, more importantly, what happens when someone attempts to take control of your phone service through a SIM swap and can then control your identity, at least in part?
The FBI have recently issued two separate alerts regarding SIM swapping, one related to cryptocurrency theft and the other an industry alert. In basic terms, cybercriminals will walk into a phone shop with a fake ID (or simply call the carrier) and get the customer service representative to activate a new SIM card for the mobile number they need to control. They may even do it without an ID and use social engineering by knowing the home address and some other basic information about the subscriber that is freely accessible on social media or other public websites.
Once the new SIM is issued and activated, the criminal is able to receive authentication texts or to load apps and start impersonating the victim. Virtually all services – email, banking, social media and many others – use the phone as a password reset authentication device, making the options for the criminal endless.
Meanwhile, the victims are wondering why their phones stopped working, and the crucial hours they waste hoping the phones will come to life again give the criminal the time needed to monetize the crime.
I recently tested the ability to get a replacement SIM and walked into a local branch store of my carrier’s phone network and asked for a new SIM due to a lost phone. I produced my ID, which stayed in my wallet and was in part covered up, and all the assistant really saw was my name, date of birth and my license number – this could easily have been a fake due to the lack of inspection or removal from the wallet. I got my new SIM within a few minutes, shockingly simple! Had my intention been malicious, I would have been in control of the very device used to validate the identity of the subscriber.
Now, let’s circle back to the Chinese face scanning regulation. If the technology is used to protect against SIM swap and identity theft by ensuring that the smartphone or, as discussed above, the identity authenticator, is only ever in the ownership of the true subscriber, then it would seem to be a very positive use of technology to protect the consumer. Would I subscribe and allow this level of protection, provided also that the collected data are used in an appropriate manner? Yes.