Choi Woo-hyuk, director general for Information Security Network Policy at the Ministry of Science and ICT, gives a briefing on measures to prevent illicit use of mobile phones on the 30th at Government Complex Seoul in Jongno-gu, Seoul. / Courtesy of News1

Despite a controversy over personal data violations, the government will formally introduce a "facial authentication" system for identity verification when activating mobile phones starting on the 6th of next month. The aim is to block burner phones and voice phishing crimes. However, the public's anxiety over providing biometric information has not been resolved. In addition, because mobile phone activations under foreign nationals' names are excluded from the facial authentication rollout, questions are being raised about the plan's effectiveness.

Earlier recommendations from the Personal Information Protection Commission and the National Human Rights Commission to establish a legal basis for using facial data as an identity verification method also remain unaddressed. Aware of this, the Ministry of Science and ICT said, "We will phase in the introduction of facial authentication until October, when the amendment to the Enforcement Decree of the Telecommunications Business Act is completed."

On the 30th at Government Complex Seoul in Jongno District, Seoul, the Ministry of Science and ICT announced a "comprehensive plan to prevent illegal use of mobile phones" that includes phasing in facial authentication when opening a new mobile line or switching numbers. Choi Woo-hyuk, head of the Information Protection Network Policy Office, said, "Starting July 6, facial authentication will become one option across all channels."

Asked why the ministry is pushing the policy while allowing alternatives despite strong backlash to facial authentication, Deputy Minister Choi said, "There may be various identity verification methods, but facial authentication is the most robust in practice, and we expect it will greatly reduce the possibility of illegal activation, including burner phones."

Facial recognition use scenarios. / Courtesy of the Ministry of Science and ICT

◇ Personal Information Protection Commission (PIPC) and National Human Rights Commission recommend establishing a legal basis

When news broke on Dec. 23 last year that the government would pilot a facial authentication system in the mobile phone activation process, the public filed a petition opposing it, citing concerns about personal data violations. Tens of thousands agreed. Government oversight bodies then stepped in. On the 28th of last month, the Personal Information Protection Commission recommended improving the system, noting that facial data is sensitive information managed more strictly than personal data, yet the legal basis, data protection measures, user choice guarantees, and plans for system operation were insufficient. The National Human Rights Commission also warned on Mar. 13 that mandating facial authentication could infringe basic rights such as the right to informational self-determination, and advised disclosing safety information, creating a legal basis, and preparing alternative verification methods for the digitally vulnerable.

Reflecting the recommendations from the Personal Information Protection Commission (PIPC) and the National Human Rights Commission to guarantee user choice, the Ministry of Science and ICT said alternative methods will continue to be provided. Existing mobile phone holders can verify through the Ministry of the Interior and Safety (MOIS) mobile ID app, and users without an existing phone can use a resident registration abstract issued the same day as an alternative. During the phased rollout, a user who selects facial authentication and attempts it at least once (up to three times) can proceed to the next step; even if the attempts fail, activation will be allowed when identity is verified through other methods, under certain conditions that include logging the processing.

The identity verification framework will be expanded in stages. In August, the ministry will review enhancing multi-factor authentication such as OTP and account verification, and in September it will, in consultation with MOIS and others, automatically link checks for forgery or alteration of the resident registration abstract into the identity verification process. Starting in November, a subscription restriction service that previously required a user request will be provided by default at the time of contract.

However, because users making a simple device change within the same carrier have already undergone verification once, facial authentication will be applied first to new activations and number transfers.

The Ministry of Science and ICT stressed, "During the pilot, we also checked security, including hacking vulnerabilities, through the Korea Internet & Security Agency (KISA). We found no vulnerabilities related to leaks of facial data." Still, public concerns and the recommendations from the Personal Information Protection Commission (PIPC) and the National Human Rights Commission have yet to be implemented. In particular, mobile phone activations under foreign nationals' names were excluded from this facial authentication rollout. Given that voice phishing rings have often exploited phones under foreign nationals' names and burner phones recently, critics say this could create blind spots in the system.

Shin Cheol-won, policy team leader at the Consumer Sovereignty Citizens' Meeting, said, "We agree with the aim of eradicating burner phones, but it seems too rushed to implement when public fears and the recommendations from the Personal Information Protection Commission (PIPC) and the National Human Rights Commission have not been fully addressed," adding, "Excluding activations under foreign nationals' names limits the plan's effectiveness, so piloting in high-risk areas first to pre-verify side effects would best minimize concerns over a hasty rollout."

◇ Ministry of Science and ICT: "No storage of biometric data"… Civic groups: "It makes sense to accept public sentiment"

The Ministry of Science and ICT emphasized that biometric data is not stored during facial authentication. Deputy Minister Choi Woo-hyuk said, "Even when facial authentication is performed, there is a temporary storage state of about 0.04 seconds, but even that is encrypted, so there is no storage of biometric data."

Bang Hyo-chang, chairperson of the Citizens' Committee for the Restoration of Digital Sovereignty, said, "Although the Ministry of Science and ICT emphasizes that it does not retain data permanently, it must consider the possibility of hacking that artificially stores such information," adding, "Given past hacking incidents, the ministry appears to be taking them too lightly and should proceed with caution." He added, "Rather than pushing ahead by only fixing issues pointed out by the Personal Information Protection Commission (PIPC) and the National Human Rights Commission (NHRC) and merely setting a legal basis, the Ministry of Science and ICT should fundamentally accept public sentiment."

Abroad, there are also concerns about mandating facial recognition for mobile phone activations. China has required facial recognition for mobile phone activation since December 2019. At the time, state-run CCTV warned of side effects, noting that many apps were collecting and conducting transactions with facial data without consent.

Regarding overseas cases of introducing facial authentication for smartphone activations, the Ministry of Science and ICT said, "We have confirmed adoption in places such as Vietnam and the Middle East, and we ask you to consider that, as an IT powerhouse where banking and verification are easily done via smartphone, Korea also faces a high incidence of related crimes."
