A Chinese facial recognition company left its database exposed online, revealing information on millions of people, a security researcher discovered.
SenseNets, a company based in Shenzhen, China, offers facial recognition technology and crowd analysis, which the company boasted in a promotional video[1] could track people across cities and pick them out in large groups.
The company left its database exposed online without a password, Victor Gevers, a Dutch security researcher with the GDI Foundation, discovered on Wednesday morning. The database contained more than 2.5 million records on people, including their ID card number, their address, birthday, and locations where SenseNets’ facial recognition has spotted them.
In the last 24 hours, more than 6.8 million locations were logged, Gevers said. Anyone would be able to look at these records and track a person’s movements based on SenseNets’ real-time facial recognition.
“Knowing when someone is not in the office or at home can be useful for simple burglar crimes, but also social engineering attacks to get into buildings,” Gevers said in a message.
He said that GDI Foundation reached out to the company to warn them about their open database — which has been available since last July. SenseNets did not respond to a request for comment.
The database was available online for anyone to find, and it allowed full access, meaning a malicious actor could add or delete records from the database, Gevers said. While it was available, the security researcher saw that someone had tried to hold the database for ransom in the past.
Along with the location records, potential thieves could have also stolen sensitive information like people’s addresses and ID numbers.
Facial recognition is pervasive in China, where it is used to monitor citizens across the country. By 2020, China plans to give each citizen a social credit score, tracked through facial recognition[2] logging behaviors like jaywalking and shopping frequency. There are about 200 million surveillance cameras in China[3], and plans to more than triple that number by 2020[4].
The technology has often been criticized as an invasion of privacy, as it allows government agencies to track citizens in real time without their consent. The Orlando police department experimented with facial recognition[5], tracking individuals using Amazon’s Rekognition.
SenseNets’ exposed database logged each time a person was recognized by facial recognition from one of the trackers spread around the city. Each camera has an individual name and an IP address tied to a location, Gevers said.