Can Facial Recognition Technology Be Used Ethically?
Facial recognition has been controversial since day one. Concerns escalated dramatically during the Black Lives Matter protests, and were finally officially addressed when AI powerhouse IBM stated this week that it will no longer provide its facial recognition software products for general use. In general, concerns range from whether it's ethical to use it at all, to worries over accuracy and the problems that result from false positives, to the question of who exactly has access to this technology.
Is all facial recognition bad? Does it need to be banned or regulated? Are there situations where it makes sense to use it, and how can it be used in an ethical way?
To answer that, we need to begin with what it is, exactly.
What is Facial Recognition?
The most basic definition of facial recognition is using a “two dimensional or three dimensional image of the visible physical structure of an individual’s face for recognition purposes.”
In a certain sense, it’s essentially the software attempting to answer the question “is this a face?” and assigning a probability score as an answer. In most systems, you can set this score - you can accept “it’s 55% likely to be a face”, or you can set your score all the way up to “It has to be 99% likely to be a face.”
It’s been applied in a myriad of ways, from social media to crowd scanning or boarding your airplane. If you’ve ever used a filter on Instagram or Snapchat, you’ve been using facial recognition software. That auto-tag feature on Facebook? Also facial recognition. There are even video doorbells that can let you know who’s at the door (if you’ve enrolled them into the doorbell system).
Facial authentication is a step up from recognition - it’s not just recognizing that a face is on the screen, it’s checking that the face matches a record on file. Instead of checking all records in a database for a match, it’s checking if the person asking for access really is who they say they are. It’s 1:1, rather than 1:n matching, which I’ll discuss in more detail shortly.
Facial authentication is one of the most convenient ways to implement multifactor authentication where you need to guarantee who is granting or requesting access, particularly to sensitive or highly valuable assets. In addition to being convenient, it’s also the easiest technology to apply high levels of anti-spoofing or liveness detection while the facial image is being captured. It is, quite simply, one of the most developed, studied, and secure biometric technologies available.
If facial recognition used to authenticate is so accurate, and so potentially useful, why is there so much distrust and controversy around the technology?
Why So Many People Distrust Facial Recognition Technology
On one hand, it sounds great to be able to easily prove you are who you say you are for approving bank transfers, entering a secure area of a building, or accessing private health information. Imagine if you didn’t need your debit card anymore! Just walk up to the bank, and the camera recognizes you and you can withdraw or deposit money.
In that example, you can pretty easily extrapolate the downside: what happens if the system falsely identifies someone else as you, and lets them withdraw all your money? Or what if it thinks you’re someone else, and you deposit your money into the wrong account?
Facial recognition can be, and has been, used to scan crowds for different reasons. When used to scan a crowded mall for a lost child, it can seem like a godsend to a worried parent. Identifying the wrong child, walking with a different family, however, can quickly turn the helpful tool into a worst nightmare for that family. A similar scenario happens with using facial recognition to scan crowds for people with warrants out for their arrest. It seems helpful, and efficient - until the algorithm gives a false positive, and someone innocent is identified as someone they’re not.
Concerningly, it is regularly reported that facial recognition algorithms are less accurate on people of color. With the awareness that not only is a false positive possible, but it’s also more likely on people of color or women, facial recognition starts looking downright scary.
This is compounded by a study from NIST, which noted higher false positive rates for non-Caucasians. But in that same article, it also notes: “not all algorithms give this high rate of false positives across demographics in one to many matching, and those that are the most equitable also rank among the most accurate.”
That is where a key differentiator - and path forward - lies.
The algorithms matter.
It may come as a surprise to some, but algorithms vary widely in their accuracy. This variance is what leads to results such as what NIST published.
However, that caveat of accurate and equitable algorithms is the important part. High quality algorithms (such as those from the algorithm providers ImageWare uses) have an accuracy level over 99%. This post about accuracy from one algorithm provider notes that accuracy was highest for black men across all 20 of the top available algorithms. Note that black women were not far behind!
The caveat, of course, is that your biometric solution has to actually be using one of these best-in-class algorithms to make the claim.
Another distinct point: one to many vs. one to one matching
Facial recognition is typically focused on 1:n, or one to many, matching. It’s taking one face (from a controlled photo, a social media post, or a video), and not knowing if it’s present or not, comparing it to all the faces in a given set to see if there’s a match. It’s one to many: checking one thing against many things to see if the one thing has a match.
Facial authentication (or verification), on the other hand, is 1:1, or one to one, matching. It’s checking if the face presented matches what the system has on hand for what that face should be. One to one: checking if the one thing being presented matches the one thing on file of what it should be.
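The difference between the two modes, and the effect of the match threshold, as an added example (not ImageWare's code or any vendor's algorithm). It assumes faces are reduced to embedding vectors compared by cosine similarity; the toy vectors, names and thresholds are constructed, and the last function assumes each comparison is independent with the same false match rate.

```python
import math

def cosine(a, b):
    """Cosine similarity between two face-embedding vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b)

def verify(probe, enrolled, threshold):
    """1:1 authentication: compare the probe only to the claimed identity's template."""
    return cosine(probe, enrolled) >= threshold

def identify(probe, gallery, threshold):
    """1:n recognition: compare the probe to every template on file.
    Returns every ID scoring at or above the threshold, best match first."""
    scores = {pid: cosine(probe, tpl) for pid, tpl in gallery.items()}
    hits = [pid for pid, s in scores.items() if s >= threshold]
    return sorted(hits, key=lambda pid: -scores[pid])

def false_positive_identification_rate(fmr, gallery_size):
    """Chance that someone who is NOT enrolled matches at least one of n templates,
    assuming independent comparisons that each have false match rate `fmr`."""
    return 1.0 - (1.0 - fmr) ** gallery_size

# Constructed toy embeddings (real systems use hundreds of dimensions).
GALLERY = {
    "alice": [0.90, 0.10, 0.40],
    "bob":   [0.20, 0.95, 0.10],
    "carol": [0.85, 0.20, 0.45],  # deliberately close to alice
}
PROBE_ALICE = [0.88, 0.12, 0.42]  # a fresh capture of alice

if __name__ == "__main__":
    # 1:1 asks one question: does the probe match the claimed record?
    print("verify as alice:", verify(PROBE_ALICE, GALLERY["alice"], 0.999))
    print("verify as bob:  ", verify(PROBE_ALICE, GALLERY["bob"], 0.99))
    # 1:n asks n questions; a looser threshold returns a look-alike as well.
    print("identify @0.99: ", identify(PROBE_ALICE, GALLERY, 0.99))
    print("identify @0.999:", identify(PROBE_ALICE, GALLERY, 0.999))
    # The same per-comparison error rate compounds as the gallery grows.
    for n in (1, 1000, 100000):
        rate = false_positive_identification_rate(0.001, n)
        print(f"gallery of {n}: {rate:.3f} chance of a false hit")
```

A per-comparison false match rate that is acceptable for 1:1 authentication becomes a likely false hit once the same probe is searched against a large gallery, which is why thresholds for 1:n use have to be far stricter.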
Using Facial Recognition Ethically
Facial recognition is an enormously helpful tool in very specific circumstances. But, importantly, it’s essential to view it as only a tool, and as one that isn’t perfect.
To use it in a way that is precise and beneficial, there are key things to consider.
Knowing that not all algorithms are created equal, check on what algorithm provider you’re using. Is it one of the top quality ones? You can check if it’s a NIST certified algorithm, particularly one that has recently scored highly on the Face Recognition Vendor Test (FRVT). The security of the algorithm is also essential; look for those that are compliant with the ISO/IEC 30107-3 standard for Presentation Attack Detection. Biointellic, our anti-spoofing facial authentication system, is iBeta certified for this standard.
It’s also essential to not get locked in to a specific algorithm. As new and improved algorithms are developed (which is constant!), your MFA solution should be able to swap existing algorithms for those that are faster, more equitable, or more accurate. The ImageWare Biometric Engine was specifically designed for this purpose, and regularly updates or upgrades the algorithms used for all biometric modalities, not just face.
Controlled Capture Environment
By standardizing the environment that a biometric measurement is taken in, you can nullify many of the potential issues that lead to poor matches. Enrolling with GoVerifyID, for example, guides the person enrolling through the initial face capture, ensuring that they provide a high quality initial image. This guidance ensures the capture device (typically a cell phone) is held at the right angle, a certain distance away, and that they’ve positioned their face appropriately within the screen.
By controlling the way the initial facial image is captured, the later authentication has a high quality, specific measurement to compare against. It’s not trying to match a social media image or a video still, either of which could have significant differences in quality resulting in false results.
Even with lower quality algorithms, a controlled capture environment can significantly reduce the issues that lead to incorrect matching.
Biometric Data Storage & Use
When biometric data is captured for authentication, where is it stored? How secure is it? Not only is this an ethical concern for guarding privacy, it’s now also a legal one. CCPA originally was written to protect consumers, but will soon apply to employee or applicant data as well.
There are several best practices to consider for biometric data:
- Make sure it’s not stored in a “data lake” (single repository of all of your data)
- Encrypt the data in the databases, so even if someone gets in, they can’t make sense of the data
- For internal access, adopt a strict role-based access control (RBAC) policy to limit what access people can have
- Store the biometric data separate from any personally identifiable data (PII)
- Don’t store original enrollment images; require new enrollment as algorithms update or change*
At ImageWare, we consider these as the bare minimum needed for security. The only caveat is the original enrollment image - for some clients and some situations, they prefer to keep the original enrollment on hand so that when new algorithm updates come out, the enrollment can be run through those rather than repeated. This is a significant convenience to the end user, and suitable in some cases. We guard this data zealously, again following all of the above best practices.
Accessibility & Choice
Facial recognition is not the only biometric modality out there for secure multifactor authentication (MFA). Arguably, it shouldn’t be the only biometric modality you allow for MFA.
When all is said and done, facial authentication doesn’t work in every scenario for every use case for every person. For organizations that want to offer everyone the same level of security, it’s essential that they offer a choice of modalities.
Where facial authentication isn’t suitable, voice, palm, or fingerprint might be, and vice versa. By offering end users a choice of modalities, you make secure biometric authentication accessible to everyone, not just those comfortable with using their face.
Knowing more about facial recognition, and facial authentication, should empower you and your organization to make an educated choice regarding what technologies you use for your security needs. While improved cybersecurity is a priority for nearly every organization, how it’s implemented is also a key factor.