Following the news that San Francisco has become the first city to ban the use of facial recognition in local agencies, such as law enforcement, please see a comment below from Matthew Aldridge, Senior Solution Architect at Webroot, who believes that while the technology can work well, the risk of biometric data being stolen is too great a risk for it to be deployed worldwide.
Breaking News: San Francisco became the first major U.S. city to ban the use of facial recognition technology by police and other municipal agencies https://t.co/4G5zypmh2w
— The New York Times (@nytimes) May 14, 2019
Matthew Aldridge, Senior Solution Architect at Webroot:
It is great to see San Francisco leading the way on this debate. We’ll see in time whether this course of action is the best one, but it is important that this discussion is ongoing with all legislators. There are many factors to consider here, ranging from privacy concerns for the many to the detection of the wrongdoings of the few. In this case it seems that the concerns of the many have prevailed.
There are however legitimate applications from law enforcement and other similar agencies where face recognition technology could greatly reduce policing costs and increase the chances of successful prosecutions in certain cases. In these situations it should only be perpetrators of crime who have their biometrics stored in this way. There is a temptation in mass surveillance to build a profile on every unique person detected, track their movements and categorise them into behaviour groups. This type of approach is being taken for example in China, where the state is able to not only do this, but to map the profiles to the identities of the individual citizens concerned, raising questions about how and why this data is being used.
Current facial recognition technology can work well, but is far from perfect. Despite its shortcomings, it demonstrates its value by reducing the workload of investigators, effectively augmenting their role. Facial recognition for personal use – such as tagging photos and authenticating access to your smartphone – is a very different application and should not be confused with mass surveillance at city and state level. There is a real chance of that biometric data being leaked, stolen or hacked and it is the associated privacy and human rights risks of the technology that we must continue to address through ongoing legislation combined with improved technical controls.
Sam Bakken, Senior Product Marketing Manager at OneSpan:
It’s good to see legislators and others taking technological innovations seriously – especially in terms of this one-to-many use case where facial recognition might be used to pick a face out of a crowd.
It’s important to remember though that one-to-one use cases such as that facilitated by Apple Face ID and other technology whereby a user willingly enrolls in the system to allow them to unlock their phone or log-in to other accounts using their face makes it easy and convenient for consumers to add an additional layer of security to their mobile devices and accounts.
John Gunn, CMO at OneSpan:
This is backwards thinking when it comes to public safety and an equally illogical argument could be made against using finger prints and DNA evidence, which are also left behind without intent or permission, but are instrumental in providing leads that solve countless crimes and bring violent criminals to justice. We have a constitutional presumption of innocence that protects us. If facial recognition or finger print matching or DNA testing provides clues to law enforcement agencies, they should not be barred from following up on them.
Michael Magrath, Director, Global Regulations & Standards at OneSpan:
The intent of the law is to ban the use of biometrics for surveillance activities primarily by law enforcement. The ban targets those entities using facial recognition without permission, and is limited to business conducted for the City of San Francisco either by law enforcement or city agencies.
Banks, e-commerce and other entities using biometrics in their interactions with customers are covered by their End User License Agreement (EULA), so this particular legislation won’t impact them by and large, although there could be some BYOD implications, but is certainly interesting in terms of consumer sentiment and in particular, the emotions some groups have surrounding new technologies.
For perspective on the commercial uses of biometrics, remember that banks are losing more than $10B per year to fraud and biometrics are bringing that number down, which benefits all consumers.
David Warburton, Senior Threat Research Evangelist at F5 Networks:
“In recent years we’ve seen improvements in internet security and privacy as technology has continued to evolve and new legislation has been put in place, such as the NIS Directive and GDPR, which ensure organisations treat personal data with the care it deserves. Nevertheless, technology is becoming increasingly pervasive, and many are waking up to the negative and intrusive impact it can have on their lives.
“As a global technology hub, San Francisco’s decision to ban facial recognition may have come as a surprise to many. It is explicit recognition that the technology still has inherent weaknesses, as well as a wide range of privacy implications. A serious and enduring concern with biometrics relates to how data is stored and handled. Many government departments in today’s digital age simply do not have a great cybersecurity track record, and the sheer quantity of data biometric systems collect becomes a hugely attractive cybercriminal target. Interestingly, there are geographic differences when it comes to facial recognition. In China, for example, the technology is widespread and more commonly accepted for everything from identifying jaywalkers to monitoring children’s moods in classrooms. However, this is not the case in other parts of the world where trials are still determining the efficacy and privacy implications of this emerging technology.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.