Contributions made by members of the DIACC’s Outreach Expert Committee
One of the nicest things about this pandemic is wearing our sweatpants all day, every day, while working. Right? Wouldn’t it be nice to wear sweatpants to the office, when this is all over? Sure, but that’s unlikely, at least if we want to keep our jobs. So, we choose to forgo our private sweatpants rights, to keep our more public jobs. Privacy and how we protect it has never been more important in our daily lives. Yet, a balance is necessary, between privacy and security, in our ever increasingly digital lives. With that, there is a rather public debate about privacy and the ethical use of biometrics. In particular, face biometrics can be misunderstood and feared with respect to our Right to Privacy. This article is an attempt to create a better understanding of it and, hopefully, reduce fear of such a promising and effective technology.
Our use of biometrics enables our safety. At its most basic level, a biometric is a physiological trait or attribute that is unique to an individual person. When we recognize the faces of our loved ones, friends, and colleagues with our own eyes, we are using biometrics to help us build relationships and trust. Biometrics are, in a way, fundamental to human interaction and society. Today, biometrics can be used in person or automated, to increase convenience and security in various situations.
There are many types of biometrics that we use daily. Face images are, by far, the most common. Any time somebody requests to see our driver’s license, passport, or ID badge, we are using biometrics. Most governments include face biometrics, in the form of a photograph, in their driver’s license, passport, or other national ID databases, as well as on the credential, itself. We use face biometrics, attached to a credential, to establish trust, when we access privileges, like driving a car, government services, commercial air travel and even buying liquor.
Today there is some confusion and fear about biometrics, what they are, and what they can actually do. There are only two basic functions that a biometric can perform, Identification and Authentication. When we first meet somebody, we may associate their name with their face. When we see that face we can identify that person by accessing the information in our mind. “Hi, I’m Jennifer” associates a name to face and allows us to identify them. When we arrive at a restaurant, we might scan customers to see if we recognize any of them. We identify Jennifer by recognizing their face in the crowd of people. In another instance, we can authenticate Jennifer by recalling information about them when presented with their face. If Jennifer were to knock on our front door, we can authenticate them with our own simple sight. Fundamentally these are the only two functions of a biometric. A properly designed face biometric system should include high confidence liveness checks, to differentiate between a real human face and a photo (for example) and face matching, in order to prove that a person is in fact who they claim to be. Stay tuned for our next blog where we’ll talk about liveness checks, anti-spoofing, and other methods to prevent various types of fraud.
In this age of information hyperbole, perhaps it’s understandable that there is some public misunderstanding of how these important technologies can and should be used. Big Brother surveillance and Privacy are central to debates about the ethical use of face biometrics. However, when examined thoroughly, we find that most, if not all of the ethical debate centers on how the biometrics are used and, more specifically, whether the biometric is used Voluntarily or Involuntarily.
We tend to prefer freedom of choice, with our personal privacy. Sometimes we guard it. Other times, we agree to forgo some privacy, to access and enjoy many privileges of our society. For example, when applying for a credit card loan, the bank logically prefers to understand whether or not we are likely to repay the loan. To control its fraud and compliance risk, it requires knowing who it’s lending to and whether we are an existing customer, or potential fraudster, posing as a customer. So, we volunteer to divulge our private identities and backgrounds. We also allow the bank to compare our identity to those of existing customers, to learn if we are an existing customer or a fraudulent account holder at the bank. The bank Identifies us as a new customer (or not), as well as a legitimate customer (or not). It’s our choice to participate in this identification process, or not. It’s voluntary. If we agree, once we are approved, the bank requires us to Authenticate ourselves, every time we try to access the valuable privilege. In this case, we voluntarily relinquish our privacy Right, to get something of value in return. Moreover, the process includes both Identification and Authentication in a safe, productive and ethical way.
However, in some cases, the privilege we want to enjoy is so valuable (granting it is so risky) that the service provider may be tempted to invade our privacy, without our consent, to protect it. Of course, there are some bad people out there. The problem is that we can’t tell who is good and who is bad, unless we specifically identify them all. To this end, law enforcement may wish to investigate and identify everyone within a certain group, like those walking down the street. The City of London, England, for example, installed CCTV cameras on most city street corners, to survey walkers-by for criminal activity. Moreover, the CCTV system was equipped with biometric facial recognition technology, to learn if any passers-by were in the criminal mugshot database. The City used Involuntary face recognition surveillance to Identify anyone in the field of view. Innocent passers-by had no choice but to submit to such a surveillance investigation and many view this as a clear violation of privacy.
Similar to any tool, there is nothing inherently ethical or unethical about face biometrics, however these tools must be used responsibly. In a voluntary scenario, both Identification and Authentication can be important functions when used to protect our privacy and enable privileges that could not be offered without the presence of a human authentication method. This can help break down barriers to accessing government services or performing international business (by using authentication to reduce instances of fraud) or even protecting your own assets by granting access to your files via authentication of your unique profile. However in an involuntary scenario, potentially unethical scenarios exist that require deep conversations and eventually regulation about the balance between safety and privacy.
Understanding the difference between Voluntary and Involuntary facial recognition is a foundational issue that is helping us set the boundaries for the ethical use of biometrics by both governments and businesses. How that data is stored and used are all tied into this same problem. While there is nothing inherently ethical nor unethical about face biometrics, understanding and regulating its acceptable use is an important step to building public confidence in this trust enabling tool.
Care to learn more about this topic? Be sure to read our last release Exploring Facial Biometrics. What is it?