Security news that informs and inspires

Regulation of Facial Recognition Not Likely Soon

Although executives at Microsoft and some lawmakers are pushing for federal regulation of facial recognition software--especially as it's used by law enforcement agencies--experts say the chances of that happening any time soon are relatively slim.

Microsoft President Brad Smith last week said in a lengthy essay that the advancement of the technology coupled with more and more deployments of facial recognition have created a need for the government to draw up rules on how and where it should be used.

“It seems especially important to pursue thoughtful government regulation of facial recognition technology, given its broad societal ramifications and potential for abuse. Without a thoughtful approach, public authorities may rely on flawed or biased technological approaches to decide who to track, investigate or even arrest for a crime,” Smith said.

Many people in the privacy and security communities have voiced concerns about the ever-expanding use of facial recognition systems, not just by law enforcement but in retail stores, stadiums, airports, and many other venues. Right now, there’s little in the way of formal guidance or regulation in the United States on how these systems can be deployed and what can be done with the data they collect. Some states have laws that can apply to facial recognition data collection, but Smith and others say there’s a clear need for a federal law, as well.

However, that could be a long time coming.

“It’s not particularly realistic in the U.S. right now. Some members of Congress are interested, but there’s not a critical mass yet,” Cindy Cohn, executive director of the Electronic Frontier Foundation, said.

“I don’t see anything moving in the current Congress. I don’t see any indication the president would sign it even if good legislation was passed.”

"I do think Congress should step in and make sure Americans can walk through society without being tracked.”

One of the issues with facial recognition systems is that when they’re used in serial and in conjunction with other technology such as geolocation, they can create a detailed picture of a person’s movements on a daily basis. Private companies, as well as law enforcement agencies, can compile large databases of information collected from these systems.

“You’re able to be positively identified everywhere you go, as opposed to a situation where you’re asked for your identification,” Cohn said. “It has really troubling implications. Corporations are doing this in order to create profiles and track people and they’re using it for all kinds of things.”

Another concern is how facial recognition data is stored and used. Databases of biometric information are sweet targets for attackers, as the 2015 breach at the Office of Personnel Management showed. In that incident, attackers made off with the fingerprint data of more than five million people, among many other sets of data. Once such data is out in the world, there’s no real way to unwind that.

“We don’t live in a world where data is collected for one purpose and never leaks out in ways that can be really damaging to people. You have to look at the whole chain and by the time you get to the end of that chain it can be pretty terrifying for people,” Cohn said.

“We know that collecting this information can pretty divisive for our society. We don’t have good limits on what happens to this information.”

Cohn said there are basic human rights, as well as Constitutional rights, to be considered in all of this.

“As a human being walking around in the world, you shouldn’t have the burden of parsing through a hundred thousand privacy policies to understand how you’re being tracked,” she said. “This is a good place for the law to come in. We just lose something fundamental to our society and our Constitution. I do think Congress should step in and make sure Americans can walk through society without being tracked.”