Biometric security has become extremely common in China, where facial recognition is already ubiquitous in everyday life. But how well does China protect all this data it’s collecting on its citizens? Not very well, according to a new report.

Research from Comparitech shows China performing the worst in nearly every way at protecting biometric data. The report examines how 50 countries collect, use and store biometric data. China scored 24 out of 25, with higher scores indicating “extensive and invasive use of biometrics and/or surveillance.”

To score each country, the report looks at how countries use biometrics in identification documents and banks and whether they have laws to protect biometric data. It also looks at how big a country’s biometric database is, how widely it deploys facial recognition-enabled surveillance cameras, whether people are required to submit biometric information when they enter the country and if biometrics are collected in the workplace.

Facial-recognition technology being demonstrated at the World Artificial Intelligence Conference (WAIC) in Shanghai in August 2019. (Picture: Bloomberg)

China scores the highest in all categories except one: Voting. China has a zero in this category because its tightly controlled voting system doesn’t require biometric data.

Both the Chinese government and companies have been aggressively deploying facial recognition across the country. Mobile payment companies encourage users to pay with their faces. Dating apps encourage users to verify their accounts with a face scan to get more exposure. Subway stations set up facial recognition payment systems at turnstiles for commuters who prefer not to reach for their metro cards. Some cities even use facial recognition on toilet paper dispensers to prevent people from taking too much.

People worried about how their facial data is collected and used can try to avoid some services, but in many cases they can’t opt out. 

Some universities are installing facial recognition cameras in classrooms to monitor students’ attendance and behavior. Starting this month, buying a new SIM card in China requires people to have their face scanned, which authorities say is to prevent identity theft and online fraud. Chinese police are also collecting DNA for what is now the world’s largest DNA database, according to the Wall Street Journal

With little protection in place, companies can easily gain access to large troves of personal biometric data, and data leaks are rampant. 

Chinese media reported in September that nearly 170,000 items of facial data involving more than 2,000 faces were being sold online. The vendor said the data was either scraped from search engines or directly from an overseas software company’s database. This week, a state broadcaster also reported that more than 5,000 pictures of faces were being sold for less than US$2 online in China.

There are signs that both the tech industry and Chinese authorities recognize that measures need to be taken to prevent the abuse of biometric data. Some companies’ research labs are studying ways to fool facial recognition systems. Some of China’s biggest tech companies have also joined an organization to develop industry standards aimed at ensuring the safety and accuracy of facial recognition.

China’s legislators are reportedly drafting a new law to protect people’s biometric data, but it’s not clear when the law might be adopted.

While China's rank on this list might not surprise many, other places among Comparitech’s top five worst offenders might not immediately spring to mind. India, Indonesia, the Philippines and Taiwan are all tied for fifth. Malaysia and Pakistan come in second and third. The only one of the listed "worst countries" outside Asia is the US, which scored 20 out of 25 because of practices like biometrics in passports and no laws to protect biometric data.