Facial Recognition Technology Presents New Data Privacy Concerns

Facial recognition’s roots are more than 50 years old, but advances have made it a fresh frontier in the debate surrounding privacy and technology.

Privacy advocates must understand how facial recognition works and address how advertisers, social media companies, and government agencies deploy this technology.

What is a Facial Recognition System?

Facial recognition systems are a form of biometric identifier. They “recognize” a person from a digital image, relying on distinguishing landmarks and features called “nodal points.” Nodal points include details such as:

    • Distance between the eyes
    • Width of the nose
    • Depth of the eye sockets
    • The shape of the cheekbones
    • The length of the jawline

In its most basic form, a combination of these measurements creates a numerical code known as a faceprint, which is then stored in a database.
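A simplified illustration of the faceprint idea described above, added here as an example and not taken from any real recognition product. The landmark names, coordinates, choice of ratios and the 0.05 match threshold are all constructed assumptions. It shows why a faceprint behaves as a persistent identifier: the same face photographed at a different size or position reduces to the same numbers.

```python
import math

# Constructed 2D landmark coordinates (pixels); illustrative, not real data.
ALICE_ENROLLED = {
    "left_eye": (120, 150), "right_eye": (200, 150),
    "nose_left": (145, 200), "nose_right": (175, 200),
    "cheek_left": (95, 210), "cheek_right": (225, 210),
    "jaw_left": (100, 250), "chin": (160, 310), "jaw_right": (220, 250),
}
BOB_ENROLLED = {
    "left_eye": (110, 150), "right_eye": (210, 150),
    "nose_left": (140, 205), "nose_right": (180, 205),
    "cheek_left": (90, 215), "cheek_right": (230, 215),
    "jaw_left": (98, 245), "chin": (160, 290), "jaw_right": (222, 245),
}

def _dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def faceprint(lm):
    """Reduce landmarks to a numeric code: measurements divided by eye distance,
    so the result does not depend on image size or where the face sits."""
    eye = _dist(lm["left_eye"], lm["right_eye"])
    nose = _dist(lm["nose_left"], lm["nose_right"])
    cheeks = _dist(lm["cheek_left"], lm["cheek_right"])
    jaw = _dist(lm["jaw_left"], lm["chin"]) + _dist(lm["chin"], lm["jaw_right"])
    return (nose / eye, cheeks / eye, jaw / eye)

def identify(probe, database, threshold=0.05):
    """Return the enrolled name nearest to the probe, or None if none is close."""
    name, stored = min(database.items(), key=lambda kv: math.dist(probe, kv[1]))
    return name if math.dist(probe, stored) <= threshold else None

def rescale(lm, factor, shift=0.0):
    """Simulate the same face captured at another image size and position."""
    return {k: (x * factor + shift, y * factor + shift) for k, (x, y) in lm.items()}

# The stored database holds only the numeric codes, not the images.
DATABASE = {"alice": faceprint(ALICE_ENROLLED), "bob": faceprint(BOB_ENROLLED)}

if __name__ == "__main__":
    later_photo = rescale(ALICE_ENROLLED, factor=2.5, shift=40)
    print(identify(faceprint(later_photo), DATABASE))  # matches the enrolled record
```

Because only the ratios are stored, a new photo taken by any camera can be linked back to the same database record, which is what makes the code a biometric identifier rather than just a description of one image.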

While early systems required a relatively clear 2D portrait image to extract meaningful data, more sophisticated systems can now use 3D cameras and perform surface texture analysis. Developers are even working on systems that perform facial recognition in the dark.

Why Facial Recognition Technology is Hot

The private sector is leading the way in facial recognition technology, and the reason is economic: Faceprints are big business. As reported in a recent VICE Magazine article, “the global facial recognition market at $1.3 billion in 2014. It could double by 2022.”

Because facial recognition technology is passive, cameras are ubiquitous, and there are almost no meaningful regulations regarding the use of or disclosure about the technology, a true wild west situation exists.

Facebook and Google already analyze and gather enormous quantities of faceprint data, and Apple recently filed a patent to use facial recognition technology for photo-sharing.

What are the Privacy Concerns?

Facial recognition systems prompt us to ask complex questions about the boundaries between what’s public and private. Many issues are open for debate, including:

    • Is the makeup of a person’s face personal data?
    • Is facial recognition technology more intrusive because it’s based on a person’s body rather than data such as an email address or mobile device’s MAC address?
    • Should this data only be collected and used with a user’s permission?
    • How can individuals opt out?

These questions are hardly restricted to the physical world, as social media companies have made use of facial recognition technology for some time.

According to a recent article, Facebook remembers your face when you are identified in a photo so it may be tagged in other photos.

One of the largest concerns about this approach to facial recognition is how social media companies also aggregate massive amounts of personal information such as biographical data, location data and networks of friends.

Much of the heat surrounding facial recognition technology hinges on the ability of companies to gather and use this information without explicit consent.

Retailers believe facial recognition technology may be used to provide vastly improved customer service experiences.

Advertisers imagine a world where they can leverage faceprints to target ads. Both seem unfazed by the idea that individuals should be aware of and be able to opt out of these applications.

There’s also substantial debate on whether or not facial recognition, or biometrics in general, can be trusted as a form of improved security.

It remains to be seen if the majority of users feel comfortable sharing biometric information with banks and other large institutions if it turns out the security improvements are marginal.

Facial Recognition And The Law

So where does the law stand with regard to facial recognition technology? The answer seems to be “largely on the sidelines,” according to a report from the U.S. Government Accountability Office (GAO) on facial recognition technology.

Despite a lack of regulation, the technology has found its way into law enforcement.

The San Diego Police Department has been using the technology in the field, and the FBI is actively developing a $1 billion Next Generation Identification program that relies on biometric information.

The FBI plans to make the program available to local, state and federal law enforcement.

At present, only two states regulate commercial use of facial recognition technology. Texas and Illinois have privacy laws addressing biometric identification, including facial recognition technology.

Texas and Illinois laws:

    • Require that before collecting a biometric identifier of an individual, a private entity must obtain that individual’s consent;
    • Prohibit an entity in possession of a biometric identifier from sharing that person’s biometric identifier with a third party, unless the disclosure meets an exception, such as for law enforcement or to complete a financial transaction that the individual requested or authorized; and
    • Govern the retention of biometric records, including requirements for protecting biometric information and destroying such information after a certain period of time.

Recent class action lawsuits against Facebook and Shutterfly are the first tests of Illinois’ Biometric Information Privacy Act. Other states may look to Illinois as a model for their own laws.

There may be unforeseen and hugely beneficial innovations based on facial recognition technology, but privacy and security professionals must be a part of the conversation.