Ethics combined with the rule of law
In order to effectively maintain the face of face recognition technology
This is an era of looking at faces. You need to brush your face when taking a plane or high-speed train, you need to brush your face when staying in a hotel or hotel, you need to brush your face when entering a unit or community, you need to brush your face when watching performances and events, you need to brush your face when handling various businesses, and even you need to brush your face when using the bathroom during the epidemic. I brush my face, therefore I am.
These perceptible face brushing every day is only the tip of the iceberg of the application scenario of face recognition technology. In public spaces such as airports, stations, docks, subways, streets, shopping malls, hotels, restaurants, classrooms, etc., there are countless non-inductive image acquisition probes, which open their tireless "eyes" and silently but meticulously watch your and my every move.
The digitization of face image information, supplemented by artificial intelligence data comparison, so as to identify natural persons, is the underlying logic of face recognition technology. With the all-round penetration of digital and artificial intelligence technology into social life, the application scenarios of face recognition technology continue to expand. The epidemic prevention and control in the past few years has provided the necessity and legitimacy of this technology application.
The all-round penetration of digital technology represented by face recognition into the field of national and social governance is in line with the logic of "goal-means". There is a high degree of coupling between digital technology and the risk management objectives of contemporary public management. In the modern risk society, the goal of governance has gradually shifted from the traditional maintenance and repair of order to risk prevention and regulation. The government needs to take precautionary measures against various uncertain economic and social risks to maintain social security and order efficiently and accurately.
Accurate and large-scale identification and monitoring of individual identities is the data basis for the management and control of various social risks. Based on big data, combined with algorithms, automated decision-making and other technologies, it can greatly expand the population and geographical scope covered by national and social governance, and solve a series of governance problems. Therefore, once a new technology emerges, its potential utility and scale effect to achieve governance goals are naturally favored. This is also the underlying driving force for the application of face recognition technology to bloom everywhere.
However, we must be wary that the "empowerment" of countries and organizations by digital technology is not a free lunch for technology. Digital empowerment is not without risk and can give a "modern" technical rationality veneer to various abuses of power. In the process of digital transformation of national and social governance, we need to fully understand and regulate the risks of technology.
Taking face recognition technology as an example, whether it is 1:1 or 1:N face data comparison, it is necessary to collect face information, and it is necessary to build face information databases of different scales. In the final analysis, it is about treating people as digital objects and governance tools. Face information is biological information of natural persons, which is legally "sensitive personal information", involving various personality rights and interests such as personal dignity and privacy. If this information is improperly collected, processed, and used, it will bring a huge risk of infringement to the personality, privacy, property and other rights and interests of individuals. For example, face recognition applications without thresholds will lead to excessive or even illegal collection of facial information, constituting infringement of personality rights and personal information rights and interests, and will also bring huge data security risks.
The irregular application of face recognition technology has caused a series of social problems, such as reselling facial information, illegally viewing or even buying and selling image surveillance information, and using facial information for deep synthesis to carry out fraud, extortion and other criminal activities; Some criminals use illegal means to crack the face recognition verification program and commit crimes such as stealing property. It can be said that if the misuse and abuse of face recognition technology are not effectively regulated, face recognition will be faceless.
From a realistic point of view, the risks of facial recognition technology are becoming obvious and imminent dangers. According to the "Public Survey Report on Face Recognition Application" released by the National Information Security Standardization Technical Committee and other institutions, among more than 20,000 respondents, 94.07% said they had used face recognition technology, 64.39% believed that face recognition technology had a tendency to be abused, and 30.86% reported that they had suffered losses or privacy violations due to face information leakage and abuse. Cases of "being loaned" and "being defrauded" due to facial information leakage and infringement of privacy and personality rights are increasing.
Although the mainland criminal law, civil code, network security law, data security law, personal information protection law and other laws and regulations all provide for personal information protection and data security, in view of the practical problems of face recognition, it is necessary and urgent to formulate special technical application security specifications to clarify the threshold and conditions for the application of face recognition technology, protect personal information rights and interests and data security, and curb the abuse of face recognition technology.
In this context, the Cyberspace Administration of China recently released the Provisions on the Security Management of the Application of Facial Recognition Technology (Draft for Comments) (hereinafter referred to as the Provisions) and opened it to the public for comments, which is timely. The Provisions make targeted provisions on the threshold for the application of facial recognition technology, the specifications for equipment installation to image acquisition, the rules for processing, storing, providing and deleting data, the accuracy of technical application, the accuracy to confidence threshold, and the responsibilities and obligations of technology users or service providers, in an effort to achieve full-factor supervision and whole-process standardization of the application of facial recognition technology.
The core of the management and regulation of face recognition technology is the risk management of technology application, which requires targeted rule design on the basis of fully recognizing all elements of technology application and the whole process risk source, and the key lies in reasonably setting the red line, bottom line, control line and security line of face recognition technology application.
First of all, it is necessary to draw the "red line" of the application of face recognition technology. A prominent chaos is that face recognition and surveillance probes are ubiquitous and rampant. To draw a red line is to determine the minimum amount of privacy. The wind can enter, the rain can enter, and the probe cannot enter. The red line is a "forbidden area", within which face recognition and surveillance are prohibited. In response to the prominent problem of the proliferation of face recognition, the Provisions make it clear that image collection and personal identification equipment must not be installed in public baths, toilets, hotel rooms, locker rooms, and other places involving personal privacy. This provision may seem self-explanatory, but drawing clear and untouchable "red lines" helps to foster a sense of "private space" in society and has a positive impact on the individual's personality and psychological safety. In addition, the Provisions stipulate that in hotels, banks, stations, airports, stadiums, museums, libraries and other business premises, unless expressly provided by laws and administrative regulations, individuals must not be forced to accept facial recognition to verify their identity on the grounds of handling business or improving service quality. This actually sets a high threshold for these business establishments to use face recognition technology to confirm identity, and also helps to curb the impulse of face recognition technology. The Provisions also specifically specify that building managers such as property service enterprises are not allowed to use facial recognition technology to verify personal identity as the only way to enter and exit the property management area. It can be said that if these "red lines" can be implemented, it will have a curbing effect on the abuse of face recognition at the source, and the helpless dilemma we encounter of brushing faces everywhere will be alleviated to a certain extent.
Second, it is necessary to delineate the "bottom line" of the application of face recognition technology. Even in areas where facial recognition technology can be applied outside the red line, the bottom line requirements must be met. This bottom line requires the principles of "clarity of purpose" and "sufficiency and necessity". The processing of face information must indicate a specific and specific purpose; It must be proved that face recognition is necessary and irreplaceable for achieving the purpose. On the basis of the principles of reasonable purpose and minimum necessity stipulated in the PIPL, the Provisions further stipulate that "facial recognition technology may only be used to process facial information when there is a specific purpose and sufficient necessity and strict protective measures are taken". Moreover, both "specific purpose" and "sufficient necessity" are indispensable. In other words, even if it has a specific purpose, if other non-face recognition technologies are used to achieve the purpose, facial recognition must not be used to process personal information.
Third, set the "control line" for the application of face recognition technology. Facial information is sensitive personal information, and the individual's autonomy and control must be respected and guaranteed. In the face of face recognition, individuals should have the right to say "no", which is the individual's right to refuse technology. The Provisions make it clear that the use of facial recognition technology to process facial information must obtain the individual's "separate consent" or "written consent" unless laws and administrative regulations provide otherwise. Separate consent means that the "package" clause is prohibited, and the individual's consent must be obtained separately for the processing of an individual's facial information. In particular, individual consent should be given on a fully informed basis. Entities using facial recognition must inform individuals of the purpose, use, and necessity of processing facial information in clear and understandable language. This "inform-consent" rule constitutes a control line for facial recognition technology to a certain extent.
Finally, it is necessary to set the "security line" for the application of facial recognition technology. Whether it is face comparison or monitoring in public places, sensitive personal information is processed, and the amount is huge. This data is easy to target for illegal and criminal activities, and it faces huge security risks at all times. From an individual point of view, without data security, there is no sense of security, and you may be trapped in anxiety and restlessness at all times. From the perspective of social governance, without data security, the public has no trust in face recognition technology and will resist it in various forms. In reality, sensitive information such as face recognition and monitoring in public places is regularly accessed, copied, disclosed and disseminated in violation of regulations, and data security is worrying. Therefore, "safety first" cannot just be a slogan, but must be put into practice. The Provisions highlight the core of safety responsibility protection obligations, and set safety management standards around equipment safety, installation safety, operation safety, database security, management personnel safety and other elements. Standardize the whole process of data processing from data collection, storage, processing, transfer, use, destruction and other links, which can provide guidance for the corresponding various technical standards and operation specifications.
With the iterative development of technology, the combination of technical power and traditional power has become increasingly close, and the breadth and depth of application have been continuously expanded. While empowering public administration, digital technologies are also shaping increasingly large digital technology systems. Face recognition is a typical technology for today's digital governance. In the macro perspective of national governance, technologies such as facial recognition and public surveillance may be used as tools for social management and discipline. However, "panorama and open" social governance, on the surface, seems to help regulate social risks, but it may also be a risk in itself. Ultimately, the application of technical means must serve the value dependence. Good governance should be people-centred; Effective governance techniques require respect for people.
Therefore, whether from the perspective of value rationality or instrumental rationality, the regulation of face recognition technology must pursue technological empowerment while holding the direction of technology for good, otherwise there will be a tragedy of subject-object alienation. To achieve technology for good, it is necessary to advocate technology ethics, but it mainly depends on legal regulation. The combination of ethics and the rule of law can effectively maintain the face of face recognition technology.
(The author is a professor at Peking University Law School)
Author: Wang Xizin
Source: China Newsweek