China's internet is known for its lax security, so it's surprisingly easy to find all kinds of things there if you know where to look. And one security researcher recently unearthed a disturbing trove of photos, ID and student numbers, GPS locations, and even school grades belonging to teenagers.

GDI Foundation security researcher Victor Gevers uncovered an unsecured facial recognition database in China belonging to Ruoergai Middle School in Sichuan province. It was left open to the internet, with no firewall or authentication methods protecting it, according to Gevers.

A camera seen on top of a blackboard in a Chinese classroom. (Picture: Zhejiang Hangzhou No.11 High School)

The database contained high-resolution pictures used to train the facial recognition system alongside much more private information of students.

“The database had information like ID numbers of the document, student number, nationality, gender, telephone numbers, grades, class, when they passed a certain checkpoint,” Gevers said.

The system, maintained by a platform called Xiaoan Yundun, covered 1.3 million people, including teachers, cleaners and security personnel.

A school might seem like an unusual place to have such a large facial recognition system, but it’s becoming more common in China. Surveillance systems are already peeping on city streets, and governments and private companies in China are also pushing facial recognition into subway stations, payment platforms and even toilet paper dispensers. You can’t even buy a SIM card without scanning your face these days.

Schools are the next big market. In addition to smart uniforms embedded with ID chips and GPS, lower and higher educational institutions have been introducing facial recognition cameras inside the classrooms and outside. This raises questions about the potential security issues.

China is the biggest place for data leaks, according to Gevers. The country has seen several scandals over the past few years involving people’s IDs, phone numbers, addresses, contacts and other data being sold on the internet.

Now biometric data such as facial recognition images are starting to leak, too. Recent research from Comparitech showed that China is the worst in nearly every way at protecting biometric data.

This is why Ruoergai might not be the only Chinese school that’s unintentionally giving up their students’ sensitive data. Gevers said his organization detected about 200,000 open databases in China that have problems with security or missing patches.

The researcher said that the middle school’s database, which has been online since June, was secured 24 hours after his team sent a request to the company’s internet service provider, Alibaba Cloud. But it’s not clear if the school has taken any additional measures to protect the sensitive data of its students. Calls to the schools went unanswered while Xiaoan Yundun couldn’t be reached.

(Abacus is a unit of the South China Morning Post, which is owned by Alibaba.)

More recently, facial recognition companies in the country have been facing pushback from legal experts advocating for more stringent rules. China had its first facial recognition lawsuit in November when law professor Guo Bing sued a wildlife park for introducing the technology without consent.

Late last year, the Chinese government announced that it plans to "curb and regulate" the use of facial recognition technology and other apps in schools.