New Concerns About Uses of Facial Recognition

2020-09-01

Facial recognition and other biometric technologies have great potential to assist in catching criminals, finding missing people, and in other law enforcement activities. I wrote here earlier about facial recognition and some of the associated caveats. Gizmodo recently had an article about 95%+ failure rate of facial recognition technology in Detroit. Not only is Boston banning the technology (per the article), but other cities are doing so, too.

facial recognition being used on woman's face

Bruce Schneier had an opinion piece in the New York Times about the use of facial recognition and other technologies to identify individuals for marketing and other uses. His points are - as usual - important and worth reading. He expresses valid concerns about tracking individuals and issues of privacy.

I'd like to address a related but somewhat different aspect: identifying specific individuals. This could be to find missing persons or for identifying specific individuals for authentication in enterprise environments. The contrast boils down to "who are the people in this picture" vs. "is this X in this picture". Each is important and the former is arguably valuable to law enforcement and marketers and represents a potential privacy issue as Schneier points out.

Singling Out Individuals

Consider the authentication issue. The user appears in front of a camera, software then decides whether or not the image matches either a) a particular user or b) a user from a known set of potential users. In the first case, an individual makes a claim to be a specific user. That claim may include a username and other verification factors such as a password or PIN. In this case, the image acts as an additional authentication factor.

When the goal is to select an individual from a known set of potential users, a confirmation in the form of a PIN or password may be required forming two-factor authentication.

In neither case is the image the only authentication factor. (Yes, some individuals use a face scan as the sole authentication for a phone or computer, but that is also an issue for some.) That's good.

Finding a particular individual (or one in a small set) in a crowd is a bit different. It is also different from looking at each face in a crowd and searching for each of them in databases of wanted individuals. But there can still be significant issues. False positives and false negatives are not uncommon when databases are searched, for example, to identify a suspect appearing in a photo or on a video. Poor accuracy for faces of non-whites compounds the issue.

Using facial recognition as part of multi-factor authentication (e.g. with a pin or password) is valid and valuable. Using facial recognition to search crowds or databases for individuals may be more problematic with current technologies. There is no doubt, however, that such technology will improve rapidly. Concerns of accuracy and privacy are significant and cannot be ignored.

Written by John McDermott

John McDermott, CPTD, started his work in computer security in 1981 when he caught an intruder in a system he was managing. In recent years his consulting has included security consulting for small businesses. He is Security+ and CCP certified. In his 30 years with Learning Tree John has written and taught courses in programming, networking and computer security. He is the co-author of Learning Tree’s course System and Network Security: A Comprehensive Introduction. John is currently a learning and development consultant in northern New Mexico. He lives in a house made of earth with his wife, who is an artist.