Facial recognition technology has evolved greatly in recent years and, as Infosecurity explores, so too have the privacy and security fears that surround its use.

While some government agencies want people to wear masks during the COVID-19 pandemic, it makes others nervous. A May 2020 memo from the Department of Homeland Security, uncovered as part of the BlueLeaks breach, frets that “face recognition systems used to support security operations in public spaces will be less effective” as masks are used.

It’s one example of growing tensions over facial recognition technology, which has exploded in use over the last few years. Privacy advocates are pushing back as both the private and public sectors roll out the technology, citing concerns about its effect on human rights.

Facial recognition isn’t a new technology, but the barriers to its use have been dropping over the last 10 years. More powerful computers have enabled people to train deep learning algorithms more easily and improve algorithmic accuracy. Systems that match faces against a single record for verification purposes – like the detection systems on Apple’s Face ID or Microsoft’s Windows Hello – aren’t what’s drawing concern. It’s the one-to-many matching systems, which claim to pluck a face from millions of faces, that worry activists.

Facial Recognition for Good

There have been some positive uses for this technology. Child protection charity Thorn worked with Amazon’s Rekognition system to create Spotlight, a tool that uses facial recognition and text analysis to help track down trafficked children. Investigators have used the tool to match images of missing children on Facebook to online sex ads, recovering children that have been sold online.

In other cases, authorities have identified fraudulent behavior using facial recognition. In one example, Kansas officials found the ringleader of a forced labor trafficking ring that had brought dozens of immigrants into the country illegally under false pretenses.

Despite these successes, privacy groups worry about the potential effects of facial recognition on human rights. “Like biological or nuclear weapons, facial recognition poses such a profound threat to the future of humanity and our basic rights that any potential benefits are far outweighed by the inevitable harms,” argues Caitlin Seeley George, campaign director at privacy advocacy group Fight for the Future.

Concerns span several categories. One of the biggest involves privacy. “For facial recognition to work, people need to hand over their biometric information which puts everyone in the system in danger of potential abuse and security breaches,” Seeley George says.

Danger of Over-Reach

The privacy concerns focus on situations of over-reach, where facial recognition systems are used without the subject’s consent. Clearview.ai has drawn attention from privacy regulators after it reportedly scraped billions of facial images from social media sites without permission and folded them into its facial recognition database. A breach of its client list in February 2020 revealed that it had sold access to a large number of organizations, often to individuals without proper oversight. The Georgetown Law Center on Privacy & Technology also found that the FBI and ICE had been mining driver’s license photos for facial recognition searches, allegedly without the license holders’ consent.

Government over-reach is bad enough, but the private sector presents more worries. “The federal government is actually bound by regulations that make it slightly more transparent,” says Brenda Leong, senior counsel at the Future of Privacy Forum (FPF). However, the use of the technology in the private sector is more opaque, which can make people nervous. “I think people have that feeling just about the technology in general because it’s also moving very quickly in commercial applications,” she says.

Statistics bear this out. In a survey of nearly 500 consumers, software recommendation company GetApp found that only 32% were comfortable having their face scanned by a private company.

The security breaches that worry Seeley George are already happening. In August 2019, the owner of biometrics system BioStar 2 exposed over 27.8 million records, including over one million fingerprint records and facial recognition images, in a misconfigured Elasticsearch database.

Reliability Issues

Another worry for facial recognition skeptics is the accuracy of the technology. False positive rates (matching the wrong person) and false negative rates (failing to spot the right people) both have potentially disastrous outcomes. Opponents of the technology point to a study by the National Institute of Standards and Technology (NIST), which found false positive rates up to 100 times greater for Asian and African American faces than for Caucasian faces.

This doesn’t impress Jake Parker, senior director of government relations for the Security Industry Association (SIA), an industry group representing electronic and physical security companies. “The lowest performing [algorithms] received a lot of media attention, but as far as US government programs that use the technology, we’re actually already using the highest performing algorithms that have literally no difference across demographics,” he says. “Many of the lower-performing algorithms are experimental in nature and so not all these products are available in products that are sold.”

Nevertheless, other studies have also uncovered problems with commercial products. MIT computer scientist Joy Adowaa Buolamwini discovered gender bias in facial recognition systems from IBM, Microsoft and Amazon. Error rates soared from less than 1% for lighter-skinned men to 35% for darker-skinned women, she found.

Best Practices

These concerns have created a strong reaction against facial recognition among both regulators and activist groups, along with debates around what constitutes responsible use of the technology. The Electronic Frontier Foundation (EFF) has called for a moratorium on any use of face surveillance using federal funds.

In 2018, the EFF released a set of seven principles for facial recognition technology in consumer applications. These were: consent, the respect for context when using the technology, transparency over what the data is used for, proper data security, privacy by design, proper access to the data and accountability. These closely reflect the privacy principles we’ve seen in other broader-ranging laws like the GDPR and the California Consumer Privacy Act.

The technology industry has also addressed concerns over the technology by suspending or moderating its use. Microsoft said in June that it will not sell the technology to police departments until there is a federal law to regulate it, following similar moves by Amazon (which committed in June to not selling its Rekognition system to police for a year) and IBM, which pulled out of facial recognition research altogether in a letter to Congress a few days later.

