How businesses should protect privacy when using face recognition
Source: Eifeh Strom, Freelancer
has been entrenched in controversy lately. The city of San Francisco recently made headlines by becoming the first US city to ban the use of face recognition technology by law enforcement and government agencies; however, businesses are not included in this ban.
Built-in face recognition in smartphones has helped eased the general population’s feelings on using biometrics by making it a norm. However, many civil liberties groups and consumers are still just as concerned about how enterprises are using and storing face recognition data.
The determination of privacy
is often dependent on the use case. In some instances, privacy is determined by the governing entity. For example, the Global Entry program, administered by the US Department of Homeland Security, uses face recognition to verify that the person in front of the camera is the same as the one in the passport photo. “Not only is consent and privacy in this instance ‘implied,’ but also legally mandatory,” said Doug Aley, CEO of Ever AI
On the other hand, consumer expectations of privacy and consent are often contingent on the application. “We typically find implied consent in situations where consumers are expecting it (e.g., consumers expect that bad actors are not allowed entry into the country, and so the concept of face recognition to identify them is acceptable),” Aley explained.
However, there is a delicate balance that will come down to the difference between mission-critical applications (e.g., where the government doesn’t need permission to use an individual’s face) versus general purpose face recognition
for casual, entertainment-focused applications, he added.
In terms of legislation, laws regarding privacy are rapidly evolving around the world. In the U.S., states such as Illinois, Texas and Washington have specific biometric privacy laws governing the use, collection and storage of biometric data. In Europe the General Data Protection Regulation (GDPR) also has specific clauses mandating how biometric data can be collected, used and stored. For example, the GDPR states that EU residents must give explicit consent before their data can be collected, and that they have the right to withdraw consent at any given time — this is known as “the right to be forgotten.”
Dan Grimm, VP of Computer Vision and GM of SAFR at RealNetworks
believes regulations are needed at a national level in the United States, not just by jurisdiction. This would help to provide a baseline for how facial recognition can be deployed in ways that take into account the “important missions of our customers and the interest of the general public.”
While making sure all facial recognition deployments abide by privacy regulations is a given, whether in the cloud or on premises, businesses can further maintain privacy by doing their part. This should include ensuring that all data is encrypted in transit and at rest; systems are built with stringent cyber protections; providing the ability for individuals to be deleted from a system; and offering an opt-in/opt-out structure that encourages users to provide consent around the use of facial recognition.
“For SAFR from RealNetworks, we find this particularly important and not only include these features out of the box, but also provide our customers with best practices for implementing facial recognition,” Grimm added.
From a consumer’s perspective, concerns surrounding face recognition rests more in the hows (e.g., how it is being used, how it is being transmitted and how it is being stored) rather than the actual use of the technology, according to Shawn Mather, Director of Sales for the U.S. at Intelligent Security Systems (ISS)
. For this reason, he explained that privacy is much more an issue of application.
In the future, we can expect that governments worldwide will continue to develop policies to regulate the use of biometrics technologies, as well as define the rights of opting out of being tracked digitally. We may even see more cities opt to follow in the footsteps of San Francisco and ban certain applications of face recognition technology all together.