You’ll have to answer questions like. who gets access? And, how will you store data?
by Jared Shelly
Imagine picking up your daughter from school where you’re met with a facial recognition scan making sure you’re on the list of approved visitors. Then you go to the mall, where a facial scanner compares you to a list of known shoplifters. Later that night, you go to synagogue where your face is scanned once again to ensure you’re not a known member of a hate group.
While such scenarios may feel futuristic, they’re actually happening right now. In fact, facial recognition technology is being used everywhere from airports to cruise ships to ATM machines. Taylor Swift’s security team even deployed the technology during her recent tour, cross-referencing images of concert-goers with a database of the star’s known stalkers.
Facial recognition uses biometrics to map someone’s facial features. It analyzes the shape of eyes, cheekbones, jaw, nose, and mouth — and how far apart they are from one another. The technology then produces a “faceprint,” a mathematical formula that’s compared with others in a particular database. That database might contain of millions of travelers, thousands of employees, or hundreds of pop-star stalkers.
There’s a serious debate about whether organizations should consider implementing facial recognition technology into their security strategies. Some, like Adam Schwartz, senior staff attorney at the Electronic Frontier Foundation, say it’s a slippery slope.
“We fear, frankly, an Orwellian menace where everywhere a person goes, their face is getting captured by cameras and everybody with the tap of mouse can see everywhere they’ve been, everything they’ve been doing and everyone they’ve been with,” said Schwartz.
Others, like Brad Smith, President and Chief Legal Officer of Microsoft, say the technology brings exciting societal benefits when part of a holistic security plan. But, he argues, it needs government regulation to prevent abuse like discriminatory practices, intrusion of privacy, and mass surveillance by governments.
“The facial recognition genie, so to speak, is just emerging from the bottle,” Smith wrote recently in a widely circulated blog post. “Unless we act, we risk waking up five years from now to find that facial recognition services have spread in ways that exacerbate societal issues. By that time, these challenges will be much more difficult to bottle back up.”
One approach being explored by weapons detection company Patriot One Technologies is threat detection first, facial recognition second. “Our system looks for evidence of a weapon before it we attempt to identify anyone using facial recognition,” said CEO Martin Cronin. Patriot One’s computer vision technology attempts to identify guns, rifles, and other weapons via live video. “Unless we have reason to think someone is a threat, there’s no reason to encroach on their privacy.”
Implementing Facial Recognition
Implementing facial recognition comes with basic questions: Are you scanning to find potential bad actors or confirming people on your security list? If a face matches, is your team prepared to contact police or remove an unwanted person from the premises?
After answering those questions, build in some basic policies and procedures. Make sure only a limited number of employees have access to the data you’re collecting and be sure they’re only using it for security purposes. Determine which data to keep and for how long — then have a data destruction plan in place. From a cybersecurity perspective, ensure someone is trained to look for patches and updates that will keep the information safe and secure as the technology evolves.
For public-sector institutions, Schwartz recommends implementing a privacy officer who understands the technology and can negotiate with the vendors from a position of equality. He also recommends holding a public dialogue about whether or not to implement the technology.
“That’s a question that shouldn’t be made in a back room by the assistant police chief or vice principal. That’s a question that should be discussed by entire community,” he said.
Finding the right tech vendor is also a challenge, so look for one with a long history of positive reviews and case studies from businesses like your own. Before engaging with the vendor, understand what you want the technology to achieve and “have a realistic expectation of the system’s capabilities,” said Jason Porter, vice president at Pinkerton. For example cameras have to be positioned to see a face straight on, rather than at an angle. Also, cameras need to be high quality with good resolution.
Storage is currency in the digital world, so how much storage are you willing to allocate to facial recognition? Do you need a dedicated server or will the tech vendor handle that? If you’re working in Europe, all that data has to comply with General Data Protection Regulation (GDPR) rules too.
“You’re not only storing information about what faces you’re seeing, you’re storing visual data of those faces or a digital map of those faces — and that can take up quite a bit of bandwidth,” said Porter. “You’ve got to determine whether you’re going to store that offsite or via the cloud.”
In the end, it’s important to remember that facial recognition will not solve all your security problems, it’s just another tool in your arsenal.
“You have to look at your security and risk management posture from a holistic standpoint,” said Porter. “One system is not the magic pill that cures all diseases.”