Facial Recognition: Pre-deployment considerations
Writing for ASIS International’s Security Technology magazine, Reese Huebsch suggests that improper use of facial recognition technology may increase an organisation’s liability or damage its brand.
The use of facial recognition technology as a surveillance tool by the public and private sector is becoming more widespread. Organisations can benefit from reductions in investigation costs, improved incident management, and real time situational awareness.
These benefits can mean a reduction in risk to their people, information, and assets. But with the good comes the bad; potential privacy concerns and the perception by some that facial recognition always delivers a perfect match can lead to the use of erroneous data. Another consequential drawback is the potential for racial bias in algorithms, which may not have been tested with a larger, more diverse population.
As with any tool, facial recognition is not likely to be effective if not developed properly. It is critical that users educate themselves and understand the current state of facial recognition as a surveillance tool to ensure its successful deployment and appropriate use.
Facial recognition has been used successfully in circumstances where an organisation actively manages access to its space for government, professional, or commercial purposes.
Positive results in these areas are driven by effective environmental design, limited obstructions, good camera angles, proper lighting, and controlled checkpoints and passageways to ensure high-quality surveillance data is collected. Some examples may include airports, arenas, event spaces, casinos, or a controlled office space.
Employees and visitors in these spaces will have a lesser expectation of privacy as they are public in nature and typically have layers of security controls in place. In some cases, people will have gone through a formal verification and enrolment process and provided a credential. During this process, a person’s face may be captured for enrolment purposes.
While there is currently no U.S. federal-level requirement to notify that surveillance is in place, there may be local or state requirements. These checkpoints and visible controls should set privacy expectations accordingly. Organisations may choose to permit employees or visitors to opt out or not participate in facial recognition surveillance programs but will need to have a formal process in place to ensure fairness of choice.
Successful use cases of facial recognition include identification of banned attendees at events, unauthorised access, and identification of persons in secure areas. While these venues may have a high population of people, they have likely developed good surveillance conditions and usually have numerous other security tools in place to support the operation. Many of these factors create favourable conditions to support the success of facial recognition as a surveillance tool.
Conversely, without the right conditions, it becomes increasingly difficult for facial recognition technologies to make accurate identifications, leading to false positives or negatives, potential lawsuits, and brand damage. Using facial recognition as a surveillance tool in poor conditions like low-quality lighting or poor visual angles negatively impacts accuracy.
Furthermore, use as a mass surveillance solution, gathering images and comparing them with data in databases with millions of images from various sources (frequently social media scrapes or DMV photos), has led to wrongful arrests, high-profile mismatches in the news, distrust of the technology, and damaged reputations. In some instances, local authorities have banned the technology outright.
As an organisation weighs the benefits of adding facial recognition technologies to its toolkit, there are important considerations to be made. First, conduct a comprehensive review of the facial recognition tools you are considering. Develop a clear use strategy, including outcomes. Understand the implications of false positives or negatives and what they may mean for individuals, as well as the organisation’s profile. Review with your legal team to understand all applicable privacy and compliance requirements for deployment.
This review process will help determine if facial recognition is the right fit for the organisation’s culture and provide enough detail for an effective business case to leadership to ensure buy-in and support.
As with any purchase, the security team must invest time in selecting a quality product. Understand the history of the products you are evaluating to determine if the manufacturer is invested in the product’s future. Complete a thorough review of software and hardware in your test environment prior to making any extensive investments. Establish a pilot program with a diverse sample of willing participants who will report on their user experience.
Leverage your existing space types to emulate a live environment. Test practical, organisation-specific use cases and common changes in physical appearance—including masks, glasses, and hats—to ensure the product performs as advertised. More advanced scenarios that cannot be easily replicated will need to be researched and tested with the manufacturer. Engage IT stakeholders for infrastructure requirements, including power (PoE, PoE+), cabling, throughput, and access (ports, firewall rules, etc.). Testing should measure impacts on network resources and product performance.
Next, create awareness programs so that teams understand how to use the tool most effectively. Identify success and failure criteria, and complete a detailed product scorecard.
Review this scorecard with the manufacturer to understand how it will address shortcomings in the product roadmap. As with any technology review, it will be critical to understand information security controls and commitment of the manufacturer to deliver a secure product. Evaluate data protection strategies to understand how information will be stored and encrypted while at rest and during transport.
Engage internal teams responsible for technical evaluations of products to ensure a comprehensive risk-based assessment is completed. Develop a clear understanding of how the manufacturer may retain access to data stored in the application. Determine if the product’s information security controls are compliant with your requirements.
Build consensus and trust with peer organisations, and get buy-in from communities through transparency of use and communication of benefits. Acknowledge drawbacks and limit use accordingly. Every community faces its own challenges, and gaining buy-in can be tricky; however, presenting the community-specific benefits and risks of facial recognition used for surveillance is a good starting point for the conversation.
Finally, make sure your environment is right for facial recognition use. Create a detailed environmental and technical design to ensure the product will be successful, including lighting changes, device upgrades, and camera view studies. Plan for these adjustments as part of your facial recognition implementation roadmap and account for them in annual budget cycles or space refreshes.
Employers should discuss the privacy implications of adding facial recognition as surveillance with human resources, corporate legal, and other relevant privacy teams to ensure local requirements are met—particularly in multinational organisations with global footprints. Consider the current workplace culture and whether an enhanced facial recognition driven surveillance program aligns with it.
In highly secure environments with expansive existing security monitoring, adoption of facial recognition may receive minimal pushback. In organisations with minimal existing security controls, the initiative may meet substantial resistance. Ultimately, organisations and communities will need to weigh the benefits vs. risks and make the decision that is right for them.
Facial recognition is a single tool in the security and safety toolbox, and should be used as intended. Proper use may result in risk mitigation, while ineffective use may increase your liability or damage your brand. It is up to the organisation itself to understand the implications and plan appropriately.