Facial Recognition – Through the Privacy Prism
The decade gone by has seen a lot of discussions around data privacy and necessitated the formulation of Global Data Protection Regulation (GDPR) around the world.
The decade gone by has seen a lot of discussions around data privacy and necessitated the formulation of Global Data Protection Regulation (GDPR) around the world. The debate is set to become more heated in the coming years. Disruptive technologies such as Machine Learning, Artificial Intelligence, Big Data, and Cloud Computing are being leveraged to develop numerous use cases for making life easier.
Facial recognition is one such area that is changing almost every industry. Scientists and engineers have been working since 1960s to train a computer to recognize faces and make decisions just like humans would. Now we have the associated technologies that has made facial recognition of practical use.
In this series, we focus on the positives of the face recognition technology, its use cases across industries, and the stuff you need to careful about – data protection.
How Does Face Recognition Work?
If you use the face unlock feature of your smartphone, you’re already using facial recognition technology. Companies like Google are already using facial recognition technology to group all your photographs together.
Simple as it sounds, there are many complex activities going on in the background that make facial recognition possible. We break it down into four steps for the sake of simplicity and understanding:
- Capture: Your picture is taken from a video or a photograph. Whether you feature alone in it or are walking in a crowd, high definition CCTV cameras are smart enough to determine different faces in a scene and capture them separately.
- Facial Analysis: This is where things get really technical. Different features of your face – the distance between your eyes, shape of cheekbones, dimensions of forehead, distance between forehead and chin, distinguishing facial landmarks, etc. are all analyzed and stored. There are up to 80 nodal points in a human face, that can be combined to identify it uniquely.
- Face Printing: All the analysis points are converted into mathematical formula by assigning them numbers. The resultant data is unique to a particular face and is called facial signature or a face print. This can be thought of as a digital signature or a biometric of your face. This is stored in a database. American police have about 117 million such faces already stored in their databases, which comes handy during investigations.
- Matching: Now that the faces have been codified and millions of face prints are stored in inter-connected databases, it becomes easy to match a new face against these. The subject’s face has to be digitized, its face print generated and matched against millions of records sitting in the databases. The FBI has ready access to over 641 million digitized faces!
Given the advancements in mobile devices and high-speed wireless connectivity, this entire process is often completed within seconds. As technology is becoming more reliable and affordable, facial recognition is getting plenty of traction across industries – more on that later.
What’s the catch with Facial Recognition Technology?
The biggest concern with facial recognition is that your facial data is often being captured without your permission. Our cities are full of Close-Circuit Television (CCTV) cameras – parks, shopping malls, highway toll plazas, airports, residential societies, streets – they are everywhere! As we now know, all it takes is a single image or a video footage to extract facial data, process it and store it in the form of a unique faceprint. It can be used for malicious reasons such as gaining unauthorized access to systems, wrongfully authorizing financial transactions and much more.
Sometimes, you yourself share your facial signature without realizing it. Think of the countless selfies and other photographs you’ve uploaded on social media websites – are you really sure their use is restricted to the intended purpose? Facebook has already been ordered by German and Irish data regulators to delete all the facial recognition user data it had gathered for suggesting tags, as users were not giving their consent.
How can Facial Recognition Technology (FRT) and GDPR go together?
GDPR defines biometric data as:
[Biometric data] means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
Facial data clearly falls under this.
Given the manifold benefits of FRT, it would be unwise to ignore it because of privacy concerns. Instead, you can have the best of both worlds – use cutting edge Facial Recognition Technology while being on the right side of the law. Despite its limitations, GDPR has provisioned clauses under which FRT (and any other technology that uses biometrics) can be used after taking user consent.
These are the use cases where FRT can be applied fairly easily:
- Employment or social security related verification
- Protect an individual’s interests at a time when he/she is incapable of giving consent
- Covering legal issues
- Public health emergency
- Include FRT specific Data Protection Impact Assessment (DPIA) policy
- Anonymize/pseudonymize the data so it becomes impossible to associate with a person for outsiders
We will explore FRT’s legal and implementation aspects further in the next articles of this series.