How to balance privacy concerns around facial recognition technology
There has been global uproar regarding facial recognition technology and whether and when it’s ethically sound to use it. Its use without citizens’ consent could have potential safety benefits but is undoubtedly a violation of privacy.
Unfortunately, the recent news about facial recognition comes at a confusing time. Facial recognition is also being used in airports, banks and healthcare establishments to accurately determine whether a person is who they say they are. Because of this, it’s become a tricky balancing act between using facial recognition for account security, watchlist screening or nefarious purposes.
While newer regulations like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are steps in the right direction to protect consumer privacy, there is a need for tighter regulation for facial recognition technology.
Facial recognition vs. facial authentication
To help draw a clearer line in the sand when it comes to facial recognition and necessary regulation, there needs to be a better sense of what the technology can and cannot be used for. The best way to help draw this distinction is by putting facial recognition and facial authentication in two different buckets.
Facial recognition without an individual’s consent has been at the center of controversy in recent news. It’s often associated with widespread surveillance and a breach of civilian privacy. Its use should be distinguished as a technology that removes control from the person whose likeness is being captured without consent — in some cases to catch bad actors or known terrorists, but in other cases, the intent is more malicious.
For example, American billionaire John Catsimatidis was recently criticized for using the Clearview AI app to profile his daughter’s date. Catsimatidis simply captured a photo of the individual and uploaded it to the app to conduct a full-fledged background check. While his intent is seemingly innocent, the use of the technology is a clear breach of the suitor’s privacy, as it was used without the individual’s consent or awareness. This use case can and should be considered an abuse of the technology, and that position needs to be reinforced by regulatory bodies.
Facial authentication, on the other hand, gives the individual full control by offering a choice as to whether they would like to allow the technology to identify them. Facial authentication is performed to protect logins and is permission-based. It offers a superior level of account protection compared to usernames and passwords, knowledge-based authentication or even SMS-based two-factor authentication.
Because traditional authentication methods are no longer sophisticated enough to keep up with today’s advanced fraud landscape, high-risk industries like banking and finance are turning to face-based identity authentication and verification instead. These emerging technologies compare the photo on a government-issued ID (e.g., a driver’s license) to a real-time “selfie” at the time of onboarding.
After the user has been verified, the user’s face (i.e., the selfie) can be used for downstream account authentication. Instead of asking the user for the make/model of their first car or mother’s maiden name, a user’s selfie can be used as a second factor. The comparison incorporates sophisticated algorithms that can pick up on the slightest abnormalities and either grant or reject access to the user. When it comes to an individual’s finances, this type of due diligence can offer the highest degree of confidence for the user, especially for high-risk transactions like wire transfers and password resets.
The point of differentiation is the distinct control that is given to the user before any face-based identity verification or account authentication is conducted. In this way, we can say that facial authentication verifies an individual’s identity, whereas facial recognition often exposes it.
It’s also important to note that there are, in fact, edge cases that should be debated on a case-by-case basis. For example, India is known for having high volumes of missing children (just under 250,000 in the past five years alone). Because of this, the Indian government created a database with photos of missing children and used facial recognition technology to identify thousands of them.
How do the technologies differ from a technical POV?
One of the most concerning aspects of facial recognition technology is whether its results are 100% accurate. We see this concern when we look at use cases like surveillance during riots or strikes.
For example, if facial recognition is being used to identify any given individual off the streets during a riot and is then used in an arrest, there will be questions as to whether those results are reliable or even just. The issue with this use case is that facial recognition technology often uses a large database of photos in order to make some sort of match. Because of this, the accuracy is often skewed.
Facial authentication, on the other hand, uses one original photo from a passport or driver’s license in order to make a clear determination that it is in fact the individual in question. Because the algorithm has the original photo on which to base its decision, there is much higher confidence in its level of accuracy.
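The gallery-size effect described above, as an added example that is not part of the original article: it compares one 1:1 check against a single reference photo with a 1:N search over a database, and generalizes to any gallery size. The score distribution, the threshold and all function names are constructed assumptions, not measured data from any real system.

```python
import random
from statistics import NormalDist

# Constructed score model (assumption): the similarity between two DIFFERENT
# people is drawn from N(0.30, 0.10); a match is declared at score >= 0.60.
IMPOSTOR = NormalDist(mu=0.30, sigma=0.10)
THRESHOLD = 0.60

def per_comparison_fmr(threshold=THRESHOLD):
    """False-match rate of one 1:1 comparison (the facial authentication case)."""
    return 1.0 - IMPOSTOR.cdf(threshold)

def analytic_false_hit_rate(gallery_size, threshold=THRESHOLD):
    """Chance that a person NOT in the gallery still matches at least one entry."""
    return 1.0 - (1.0 - per_comparison_fmr(threshold)) ** gallery_size

def simulated_false_hit_rate(gallery_size, trials=2000, seed=1):
    """Monte Carlo check: probe an unenrolled face against the whole gallery."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        best = max(rng.gauss(IMPOSTOR.mean, IMPOSTOR.stdev)
                   for _ in range(gallery_size))
        hits += best >= THRESHOLD  # the top-ranked candidate is a wrong person
    return hits / trials

def threshold_for_target(gallery_size, target_rate):
    """Threshold a 1:N search needs to hold its false-hit rate at target_rate."""
    per_cmp = 1.0 - (1.0 - target_rate) ** (1.0 / gallery_size)
    return IMPOSTOR.inv_cdf(1.0 - per_cmp)

if __name__ == "__main__":
    print("gallery  analytic  simulated")
    for n in (1, 100, 1000):
        print(f"{n:7d}  {analytic_false_hit_rate(n):8.4f}  "
              f"{simulated_false_hit_rate(n, trials=500):9.4f}")
    # Same per-comparison quality, very different outcome at database scale.
    print("10000-entry gallery:", round(analytic_false_hit_rate(10000), 4))
    print("threshold needed at N=10000:",
          round(threshold_for_target(10000, per_comparison_fmr()), 3))
```

Under this model, a matcher that is wrong about once in 740 single comparisons returns a false candidate for most unenrolled faces once the gallery reaches a thousand entries, unless the threshold is raised, which in turn rejects more genuine matches.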
Recent debate around the use of facial recognition brings to light an urgent need for regulatory measures and a clear distinction regarding the appropriate use of the technology. By educating regulators and society at large, we can create a system that enables the utmost confidence in the use of face-based identity verification and mitigates its use for dubious purposes.