Articles
Bench & Bar of Minnesota is the official publication of the Minnesota State Bar Association.

Facial recognition technology brings security & privacy concerns

In recent years, facial recognition technology has had some great successes. They include recognizing the faces involved in terroristic attacks, scanning faces at the airport for identification instead of using a passport, and—now—becoming a feature of our digital devices. It’s clear that new applications of this technology are being utilized to streamline and simplify.

Facial recognition is a biometric identifier, but it has very different implications from using our fingerprints, or more traditionally, our passcodes. While some point to their similarities, it is very important to recognize that biometrical markers are not necessarily interchangeable, depending on their application.

FRT as biometrical authentication

Not all human characteristics are created equal when it comes to being used as biometrical markers. Eye scans, fingerprints, and facial recognition are probably the most prevalent, though all have weaknesses, strengths, and associated risks. Even among this group, each has different applications that vary widely depending on the environment in which they are being used. Some are more expensive than others, more difficult to use, or come with varying degrees of accuracy. While eye scans are typically very expensive and require a lengthy enrollment process, and fingerprints cannot be used for surveillance purposes, facial recognition technology theoretically enables identification from a distance and doesn’t require as much work getting individuals enrolled.

Some key variables surrounding biometrical markers involve the kind and degree of protection these identifiers are afforded in court. Recent cases include a verdict allowing an individual to be forced to give her fingerprint to unlock a phone. This situation sparked a debate over what an individual “has” (their fingerprint) vs. what he or she “knows” (their passcode) and whether there’s a difference when both serve the same purpose. Since smartphones are essentially snitches we carry around in our pockets and typically contain huge amounts of information, it is not surprising that “what” is being unlocked with a biometrical marker is a very important consideration.

It was ultimately determined that a fingerprint is different in kind from a passcode, because it’s classified as something that someone has. But what will the ruling be when it’s someone’s face and they may or may not be aware that it’s being used to unlock a device or to surveil them without their knowledge? Clearly, issues of privacy and security will be at the forefront, as people attempt to determine a balance between convenience, privacy, and security.

Surveillance, privacy, and security

Facial recognition technology poses a number of interesting problems because it implies a degree of surveillance of which the average person may not be aware. Should people have to consent? How will this information be stored once collected? Will the uses of this information be transparent? When using a biometrical marker that is—unlike a fingerprint—readily perceptible, it is important to consider how people will be informed of how this identifier is to be used, and what the benefits are on a wider scale.

Clearly, privacy is also at stake when using facial recognition technology. Compared to using a fingerprint as the go-to method of opening your phone, using your face may be even more problematic. The September 12 Apple Keynote described the newest iPhone, iPhone X, and one of its most amazing features: Face ID. By using the improved camera, Face ID serves as the new authentication for opening an iPhone. While the security aspects seem strong—there is a purported 1 in 1,000,000 chance that a stranger will be able to open your phone with his or her face—it’s important to remember the implications of biometrical authentication for law enforcement. Since your face is something you have, not something you know, it’s also important to recognize that this biometric marker is most likely not going to have the same protections as a passcode in court. Given that this feature is always “on” and can be used in almost any condition, night or day, it’s clear that it would be fairly easy for law enforcement to obtain access to someone’s phone.

Using your face as your digital identifier also comes with security risks. If someone gets your biometric information, there is seemingly little that can be done, especially since facial information is more or less unchangeable. And unfortunately, many experts agree that facial recognition technology is currently not as accurate as fingerprint technology, meaning it may be easier to access a phone with a faulty scan. Or a photo stolen from a social media account. Keeping a passcode safe is one thing, but especially today, many people post a number of photos of themselves that may be the key to anything using facial recognition technology. While Apple assured its customers that Face ID is secure, it should be acknowledged that what may be secure today will not necessarily be secure tomorrow.

In sum, facial recognition technology poses the same kind of problem as many other technologies that make our lives easier. Where convenience is gained, privacy and security are often diminished. While we may be assured today by security efforts, that may change:  Cybercriminals tend to adapt quickly to new technologies and new vulnerabilities. And while facial recognition technology may be easier to use than a passcode, it comes with the same privacy caveats as any other biometrical identifier in court.

 

MARK LANTERMAN is the chief technology officer of Computer Forensic Services. A former member of the U. S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security and forensic experience and has testified in over 2,000 cases.

www.compforensics.com

Leave a Reply

Articles by Issue

Articles by Subject