Facial Recognition: Security & Privacy Implications
In partnership with Breezeline
Author Candace Moix
Although most of your interactions with facial recognition may enable simple conveniences, allowing you to easily unlock your phone or auto-sort your photos, have you considered the potential security and privacy concerns? CSNP (Cybersecurity Non Profit) is here to help answer your questions!
What is facial recognition?
The Center for Strategic and International Studies defines facial recognition as:
…A way of using software to determine the similarity between two face images in order to evaluate a claim. The technology is used for a variety of purposes, from signing a user into their phone to searching for a particular person in a database of photos.
Facial Recognition technology uses computer software to identify key features and geometry unique to your face. It then transforms these markers into numerical expressions that can be easily compared. If the similarity score for two images is high, the photos are considered a match, which indicates they depict the same individual. Facial recognition can be used for many purposes, but most fall within the category of biometrics security - using physical or behavioral characteristics for identity verification.
Where is facial recognition used?
There are a multitude of use cases for facial recognition. According to Norton, the facial recognition market is expected to reach $7.7 billion this year, representing nearly double the market share it constituted five years prior.
Academia may use facial recognition to take attendance or verify identities, especially prior to online testing. Businesses and retailers may employ the technology for security measures to flag unauthorized access. The health industry may monitor medication compliance and detect diseases using facial recognition. And the finance sector is increasingly leveraging facial recognition to meet ‘know your customer’ requirements.
The most two notable use cases for facial recognition, however, are by big tech and law enforcement. Private companies like Google, Apple, Facebook, Amazon, and Microsoft are all competing to develop new capabilities for a variety of purposes ranging from platform enhancement to marketing. Security and law enforcement may also use facial recognition to identify individuals, though with the purpose of tracking criminals, finding missing people, and aiding in investigations.
Are there safety concerns regarding facial recognition?
Although many of these applications have the potential to improve security, accessibility, and convenience, there are some things you should be aware of.
Whether unintentionally by way of insufficient training datasets, poor similarity matching, or limited human oversight, facial recognition technology can yield inaccurate results. Inaccurate results may disproportionally effect minorities, resulting in discriminatory practices like racial and gender profiling. In several cases, black men have been wrongfully arrested due to failed facial recognition technology. Gender misidentification also has potentially serious outcomes in situations with a security nexus, like if gender mismatches at the airport result in more invasive searches for non-cisgender people.
Similarly, facial recognition’s reliability has been called into question. Depending on how advanced the facial recognition software is, something as commonplace as masks may inhibit its ability to effectively verify identities. Intentional attempts to circumvent this technology are also well-documented; spoofing techniques may be able to beat facial recognition using images or videos instead of a live person’s face. Further, research from universities like Carnegie Mellon have demonstrated the efficacy of anti-facial recognition glasses, capable of spoofing even advanced facial recognition technologies. Some options like Reflectacles are already available on the commercial market.
Facial recognition also presents serious privacy concerns. Unsafe collection, storage, usage, sale, and retention of sensitive biometrics leaves this data vulnerable. Without strong data policies on the collection of facial recognition data, these biometrics could be used mishandled, sold to third parties or too easily accessed by a bad actor in a data breach or hack.
Concerns about accuracy, reliability, and privacy all culminate in concerns about misuse. Technology often makes harmless mistakes that we overlook, but the implications of mistakes from a technology so heavily relied upon in security, specifically for tracking individuals, are significant. Discriminatory practices could occur systematically with little oversight, unauthorized access to biometrics could result in stalking, impersonation, or identity theft, and widespread surveillance could be implemented with little transparency.
What’s being done?
Around the world, legislation is being pursued to limit or ban the use of facial recognition technology. In the US, legislation is lacking, however, multiple cities across the US have passed local regulations limiting its usage. Alongside the push for federal regulation, a strong public response to facial recognition technologies has encouraged greater transparency. Last year, Facebook announced its plans to limit the usage of facial recognition software on its platform, following a whistleblower’s leak and increased scrutiny over company ethics. This year a class action lawsuit was filed against Google for its usage of Face Grouping to sort images in Google Photos.
What can you do?
Although increased federal regulation is the best way to safeguard individuals from facial recognition concerns, there are some measures you can take to protect yourself.
Know what you’re consenting to with new software or hardware that may use facial recognition.
Consider if all permissions are really required for different applications to work and how your biometrics could be used.
Know where you’ve opted into, if you decide to share biometric data for facial recognition.
Consider how a company plans to use your data and how they plan to secure it. Consider what the privacy implications may be if you choose to use certain platforms or technologies.
Know what your rights are regarding biometrics and privacy.
Consider what data you’ve consented to sharing, how that data is being used, and what the privacy laws in your area are.
About the Author: Candace Moix is a security analyst, currently working for Recorded Future in threat intelligence. She also lectures for the University of Maryland’s START program, is a member of the Trust & Safety Professional Association, and volunteers with Girl Security. She serves as Director of CyberSafety Initiative for CSNP.