On December 1st, China’s regulation
requiring people to have their face scanned when subscribing for a new mobile
phone took effect. If you were not aware of this regulation, your initial
reaction, like mine, could be that this is an infringement of privacy rights.
After all, why does any government need to capture my face in relation to my
desire to have a mobile phone?
According to a BBC News article, the Chinese government has stated that it wants to “protect the
legitimate rights and interests of citizens in cyberspace”. When you combine
the tracking of a person’s location achieved through a mobile device and now
the facial scanning and recognition, then privacy advocates may have a point.
But let’s step back for a moment. The world is
making an assumption that the data gained from the facial scan will be used in
an inappropriate way, and maybe they are right. However, we should remember
that it’s not technology that causes privacy issues – it’s the way technology
gets used that can give cause for concern.
What issues would face scanning/recognition
attached to a mobile device resolve in my world as a consumer and would it make
the incursion into my privacy acceptable if used correctly?
Phones as authenticators
Smartphones have morphed into an identity
authenticator. Think for a moment about all the applications and services where
you receive a code through SMS or via an app to validate that you are the
person you claim to be. Step into a bank and ask for an increased ATM limit and
they will send a code to your mobile at the counter to validate you are the
real person you are claiming to be. This raises the question of whether
strong authentication is needed when subscribing to a mobile phone service, to ensure that
the authenticator belongs to the real person.
At the initial subscription of the service the
issue may not be that apparent, but what about maintenance or changes to the
subscription? Or, more importantly, what happens when someone attempts to take
control of your phone service through a SIM swap and can then control your
identity, at least in part?
The FBI have recently issued two separate alerts
regarding SIM swapping, one related to cryptocurrency
theft and the other an industry
alert. In basic terms, a cybercriminal will walk into a
phone shop with a fake ID (or simply call the carrier) and get the customer
service representative to activate a new SIM card for the mobile number they
need to control. They may even do it without an ID and use social engineering
by knowing the home address and some other basic information about the
subscriber that is freely accessible on social media or other public websites.
Once the new SIM is issued and activated, the
criminal is able to receive authentication texts or to load apps and start
impersonating the victim. Virtually all services – email, banking, social media
and many others – use the phone as a password reset authentication device,
making the options for the criminal endless.
Meanwhile, the victim is wondering why their phone
stopped working, and those crucial hours that they waste hoping it will come to
life again give the criminal the time they need to monetize their crime.
I recently tested the ability to get a replacement
SIM and walked into a local branch store of my carrier’s phone network and asked
for a new SIM due to a lost phone. I produced my ID, which stayed in my wallet
and was in part covered up, and all the assistant really saw was my name, date
of birth and my license number – this could easily have been a fake due to the
lack of inspection or removal from the wallet. I got my new SIM within a few minutes,
shockingly simple! Had my intention been malicious, I would have been in
control of the very device used to validate the identity of the subscriber.
Now, let’s circle back to the Chinese face scanning
regulation. If the technology is used to protect against SIM swap and identity
theft by ensuring that the smartphone or, as discussed above, the identity
authenticator, is only ever in the ownership of the true subscriber, then it
would seem to be a very positive use of technology to protect the consumer.
Would I subscribe and allow this level of protection? Yes.
Tony Anscombe, 5 Dec 2019 - 11:30AM