Tunnel vision – Time for a broader debate on facial recognition tech

What do we mean by ‘biometric information’?

What characterises information as ‘biometric information’?

Biometric identification uses physiological information about a natural person (known as biometric information, or biometric identifiers) to identify that person. The kinds of biometric information available for collection and use is growing exponentially alongside the development of technical capabilities and the required technological infrastructure to support such use. This might range from facial images, fingerprints and iris patterns to others less discernible to the naked human eye. For example, French and Australian researchers have discovered that individuals may have unique ‘muscle activation signatures’ apparent in their movement, which may be used for identification purposes.

What is unique about biometric information?

Biometric information is both universal and accessible; that is, each individual has unique biometric identifiers, and such information is easily accessible (making this information difficult to change or conceal). Unlike a password or an alias, biometric identifiers are not intentionally created by the individual. The nature of such information also means that the individual does not necessarily need to be informed about, or give consent for, the collection and use of data about them.

Further, although facial images have long been available and attached to government or other identifying documents, these can now be captured with any number of cameras in public or private environments. Similar technologies are an increasing part of the infrastructure around us: some banks are recording the way that individuals scroll, click and move their mouse or fingers while using banking platforms, creating haptic and gestural profiles that have been used to detect fraud. Not only is it easier than ever to capture biometric information; comparisons of biometric templates and correlations within an abundance of available data, in turn, create even more data about an individual.

How might biometric information be collected?

Clearview has reportedly set itself apart from competing biometric identification systems by scraping images from the open web to gather a total three billion photos, forming part of a much larger database than the 640 million photos available to the FBI or the 1.8 million photos in the San Diego police’s recently shuttered mobile facial recognition system. These photos are also more diverse than the mugshots or DMV photos used by most other facial recognition databases, potentially providing images with a variety of angles, points in time, environments and photos of (or including) a person uploaded by another.

The automated collection of large volumes of information via ‘scraping’ (usually from a website) is prohibited by many major platforms including Facebook, Youtube, Instagram and Twitter. However, it is technically difficult to prevent while maintaining the usability of these services on the open web, and has only been actively prevented by digital platforms in recent years. Furthermore, data that has been scraped at one point in time will remain available even where it has been taken down or restricted on the original point of upload.

However, Clearview is not the only organisation scraping online personal photos, nor is scraping the only way in which individuals may fail to give consent to the collection, and subsequent use, of their biometric information. In mid-2019, Microsoft removed public access to its database of 10 million scraped photos of 100,000 public figures. Other methods of re-purposing available information may also bypass consent: in the US, the FBI and ICE can search state databases of driver’s licence photos.

What are the applications of biometric identification technology?

How does biometric identification technology work?

Biometric identification technology can operate on a:

• ‘one-to-many’ basis (such as Clearview’s solution), where a person’s biometric identifier is captured probabilistically compared to biometric information in an existing database to find the closest, but not an exact match; or
• ‘one-to-one’ basis (such as Apple’s Face ID on its mobile devices), which determines whether an individual’s biometrics match with existing information in order to verify that they are who they purport to be.

Artificial intelligence (AI) now enables this matching to be performed by algorithms that are complex and efficient enough to match ‘one-to-many’ identifiers and produce results with minimal delay and input: Clearview was reportedly able to identify a reporter even when their nose and the bottom of their face was covered.

One of the principal appeals of AI is the capacity of the technology to itself learn and apply what is and is not useful in accomplishing a particular task. However, this ability to self-select and weigh data points often means that it is difficult to know what criteria an algorithm is using to reach its result — the creators and users of these systems see inputs and outputs, but not the process for getting from one to the other (also known as the ‘black box’ problem). As a result, biometric identification systems are particularly vulnerable to poor design choices or errors, as well as attacks, that impact upon or introduce bias into the decision-making components of the technology as well as the biometric information collected and stored within it.

The opacity of AI decision-making is likely to increase as systems become both more sophisticated and exposed to (and ‘trained’ upon) more information. In addition, as more biometric identification systems become commercially available, this technology may increasingly be used by laypersons who are unable to discern (or may be less concerned with) how these systems work. At the same time, ‘algorithmic bias’ may lead users to place too much confidence in the results achieved by the technology, regardless of its real-world accuracy or effectiveness.

How is biometric identification technology currently used?

One of the most popular applications of biometric identification technology is for law enforcement purposes. For example, Clearview pitches itself as a tool for law enforcement to identify suspects or perpetrators. However, neither the biometric information collected nor the identification technology employed by Clearview itself limits its potential uses and applications: the current exclusive application of Clearview’s technology to policing and security is a decision made by the business behind it.

In accordance with the general lack of consensus on the use and applications of biometric identification, current use of the technology by both the public and private sector varies widely and is not limited to police and law enforcement. For example:

• In terms of police use, San Diego shut down its mobile facial recognition services after seven years due to California’s short-term ban from the end of 2019, whereas the widespread roll-out of similar services in London was confirmed in early 2020.
• China has introduced a law that requires anyone purchasing a SIM card or registering for new mobile phone services to provide a facial scan.
• Blurring the line between government and private biometric identification, the Department of Home Affairs has submitted that the identification services contemplated under its proposed legislation could be used for age verification to determine access to online wagering and pornography, and be made more broadly available to private sector participants that apply for access.

What are the current regulatory responses and approaches?

In response to the rapid growth of the information and technology available for biometric identification, there is also an increasingly widespread public concern about whether and in what circumstances the use of biometric identification technology is necessary, as well as what happens after an individual is identified.

What concerns are regulators grappling with?

In many contexts, public concern has arisen from the lack of detail and transparency in relation to the technology itself. The broadest criticism of the proposed Australian legislation was that the identification services it contemplated lacked sufficient detail across the board. The Parliamentary Committee noted that the rejected bills did not clearly specify the technology that would be used in the identification services and as a result, Australian citizens could not determine how their rights and responsibilities might be affected, concerned parties had insufficient detail to engage with how information would be shared and used, and the Department of Home Affairs’ unwillingness to reveal technology vendors made it impossible to verify the accuracy of the technology used. In Clearview’s case, until the New York Times publication, there was little awareness among the general public that such technology was being used at all.

This lack of transparency often extends to what the technology could do in future, as well as its current capabilities. For example, the New York Times found that Clearview’s source code contained language that would allow it to be integrated with augmented-reality glasses, allowing identification of every person in the wearer’s field of view. Although the identification technology supported it, and an internal prototype had been developed, Clearview merely clarified that there were no current plans to introduce that service. Similarly, the Department of Home Affairs reported that the proposed ‘identity matching’ services in Australia would not be used for mass surveillance due to the Department’s lack of current capability and resources, rather than any restriction within the proposed laws themselves.

What current regulatory proposals are under discussion?

Governments are facing active challenges to their proposed uses of biometric identification and the legal protections available against corresponding potential harms. The UK and US governments are facing legal challenges from civil rights organisations for information about the facial recognition technology used in visa applications and surveillance by the Justice Department, DEA and FBI respectively. These challenges have extended to calls to impose moratoriums and bans on the use of this technology entirely, including:

• NYU’s AI Now Institute has pushed for a ban of facial recognition in sensitive social and political contexts, by both governments and private actors, until there is sufficient knowledge of and regulations for risks;
• the Australian Human Rights Commission has also suggested a moratorium on potentially harmful uses of facial recognition until the introduction of a legal human rights framework;
• some American jurisdictions are banning or restricting the use of facial recognition by certain actors or in certain applications; and
• in early 2020, it emerged that the EU may be considering a five-year ban on the use of facial recognition by public agencies, until a framework for ethical AI use is formulated.

From an industry perspective, some technology providers have expressed support for proposed legal restrictions on the widespread use of facial recognition technology. Google is supportive of a temporary moratorium on the use of facial recognition, citing concerns about the technology for why it has not been rolled out across their services; Microsoft supports limited bans on private use, but believes that moratoria would impede development of both the technology and strategies to deal with its negative repercussions. Similar discussions are likely to ensue as other forms of biometric identification come to the fore, again in both private and public spheres.