Respecting Patron Privacy When Using Facial Recognition
Facial recognition technology has become increasingly popular in recent years, with various organizations implementing it for security and surveillance purposes. However, the use of facial recognition in security screening has raised concerns about privacy violations.
So called “1-to-N matching” facial recognition technology works by capturing an individual's facial features through a camera and matching them against a database of known faces. While this technology may seem beneficial for finding potential security threats, it comes with significant privacy concerns.
Facial recognition technology uses the principle of biometric identification, which means that it captures unique physiological or behavioral characteristics that can identify an individual. In other words, facial recognition technology collects and stores personal data, such as facial images, without the individual's consent. This collection and storage of biometric data without explicit consent can be considered a violation of privacy.
Facial recognition technology is prone to errors, which can lead to false positives or negatives. A false positive occurs when the technology incorrectly flags a person as a security threat, leading to unnecessary screening and potential harm to the individual's privacy. A false negative, on the other hand, occurs when the technology fails to identify a genuine security threat, leading to a potential security breach.
Facial recognition technology can also be used for mass surveillance, tracking individuals' movements and behaviors without their knowledge or consent. This level of surveillance raises significant concerns about the potential abuse of power and infringement of civil liberties.
Facial recognition technology relies on databases of known faces to match against the faces captured by a camera. These databases can be local or remote, and each has different implications for privacy.
A local facial recognition database refers to a database that is created and maintained by the organization using the technology. In this case, the organization captures and stores the biometric data of individuals, such as facial images, on its own servers or computers. Local databases are typically used for security screening purposes within a specific location, such as an airport, bank, or government building.
One significant concern with local facial recognition databases is the potential for misuse or abuse of the data. For example, an organization may use the data for purposes other than security screening, such as marketing or tracking individuals' movements within the building. Additionally, the data can be vulnerable to cyberattacks or unauthorized access, leading to breaches of individuals' privacy.
In contrast, remote facial recognition databases refer to databases maintained by third-party organizations or government agencies. These databases are typically much larger than local databases and can include millions of facial images collected from various sources, such as social media, public records, and surveillance cameras.
One significant concern with remote facial recognition databases is the lack of transparency and control over the data. Individuals may not be aware that their facial images are being collected and stored, and they have limited control over who can access their data. Additionally, remote databases are prone to errors, as the data may be outdated or incomplete, leading to false positives or negatives. It is, therefore, crucial to implement measures that protect individuals' privacy when using facial recognition technology. Here are some ways in which privacy can be protected when using facial recognition technology:
Obtain consent: This is the first principle of privacy, the “opt-in” model espoused by GPDR, Facebook/Meta’s current policy since 2021, and others. [1] [2] Organizations must obtain explicit consent from individuals before collecting, storing, and using their facial biometric data. Individuals must be informed of the purpose of data collection, how the data will be used, and who will have access to it. Unfortunately, in security screening applications it is very difficult to obtain prior consent of the patron, and if a specific patron disagrees with the policy, it is hard to make a procedural exception in screening.
Implement strong security measures: Organizations must implement strong security measures to protect the facial recognition database from unauthorized access or cyber-attacks. This includes using encryption techniques, firewalls, and access controls to secure the data.
Limit data retention: Organizations must limit the retention period of biometric data to the minimum necessary for the intended purpose. After the retention period expires, the data should be securely deleted.
Transparency: Organizations must be transparent about their use of facial recognition technology. Individuals must be informed about the type of technology used, the purpose, and the scope of data collection and use.
Accuracy: Organizations must ensure that the facial recognition technology used is accurate and does not result in false positives or negatives. This includes regular testing and calibration of the technology to ensure it operates correctly.
Right to access and deletion: Individuals must have the right to access their biometric data and request its deletion if they no longer consent to its collection or use.
Government regulations: Governments often establish regulations and guidelines to ensure the responsible use of facial recognition technology and protect individuals' privacy rights, for example the GPDR has some clauses for dealing with facial recognition [2] . This includes regulating the collection, storage, and use of biometric data and providing oversight to ensure compliance.
Organizations should consider obtain explicit consent, implement strong security measures, limit data retention, be transparent about their use of the technology, ensure accuracy, provide individuals with the right to access and deletion, and governments must establish regulations to protect privacy rights. By implementing these measures, organizations can use facial recognition technology while protecting individuals' privacy.
Facial recognition technology in security screening is a sensitive topic when it comes to individual privacy versus collective safety, as it collects and stores personal biometric data without explicit consent and is prone to errors that can harm individuals' privacy. Organizations must consider these privacy concerns before implementing facial recognition technology and should prioritize the protection of individual privacy rights. Both local and remote facial recognition databases can pose significant privacy concerns. Organizations must be transparent about the collection and use of biometric data, implement strong security measures to protect the data from unauthorized access, and prioritize the protection of individuals' privacy rights. Any organization involved must establish policies, regulations, and guidelines to ensure the responsible use of facial recognition technology and protect patron’s privacy.
[1] https://about.fb.com/news/2021/11/update-on-use-of-face-recognition/
[2] https://www.europeanbusinessreview.com/facial-recognition-and-gdpr-how-to-stay-compliant/
MIS Security LLC is a technology solutions provider, not a physical security consultant. The content of the website and MIS Security Insights blog should not be taken as professional security advice, and are subject to the Terms of Use found at https://www.missecurity.com/s/MIS-Security-Website-Terms-of-Use.pdf . MIS Security®, RONIN® and the respective logos are trademark property of MIS Security, LLC Tallahassee FL. Copyright © MIS Security 2023, all rights reserved.