Current Issue
This Month's Print Issue

Follow Fast Company

We’ll come to you.

6 minute read

Technology

Is Facial Recognition The Next Privacy Battleground?

Technology can now link your face with data about you—a powerful tool that has privacy experts concerned.

[Photo: Flickr user Tim Dorr]

While much recent retail technology buzz has focused on the promise and peril of Apple's iBeacons, another identity tech has matured: facial recognition. It's now powerful enough to let stores use cameras to link customers' faces to information stored in databases—but it's also finding use in industrial and transportation settings, where it can be used to keep people away from sensitive areas. But are we ready for this tech to start linking personal data with our faces without our knowledge?

Legally, there's nothing stopping American businesses from doing so. A recent BBC article posited the future concern that retail businesses could compare photos taken in-store with databases drawing from data found on the Internet—like databases of social media or Facebook users. But no business wants to be the first on its block to start scanning customer faces and get caught with data the customer didn't want collected, says Joe Rosenkrantz, CEO of FaceFirst, a Los Angeles-based company that sells facial recognition systems. Instead, FaceFirst's retail clients mainly use the company's biometric analytics to track known shoplifters.

FaceFirst's facial analysis software requires a minimum of one megapixel of resolution for its facial recognition to work (you can find 1.3MP security cameras for $150 online), but the software isn't restricted to fixed cameras: It's designed to work with smartphones. Armed with an iPhone, employees can snap customer photos and upload them to FaceFirst's analytics servers to compare with database entries.

Beyond its present and possible future retail applications, the tech that FaceFirst has built works just as well at identifying faces for industrial, utility, and transportation authorities—alerting managers when people have wandered where they're not supposed to be and even bringing facial recognition to law enforcement smartphones.

How It Works

Rosenkrantz and his cofounders started FaceFirst in 2007 when they recognized that facial recognition algorithms had become mature and accurate, but there were no platforms for enterprise deployment. Even now, FaceFirst has few competitors that can rapidly scale up a facial recognition system for thousands of stores, say—or process a massive database to help keep a bus terminal or airport secure.

Simply put, FaceFirst's system has a camera take a photo of a person's face, analyze it on a 128-by-128-point (for a total of 16,384 reference points) facial overlay grid, and compare it to faces in a database. The client chooses the database, which can be any size, but the larger the database, the more processing power it'll take to get a timely comparison result. When someone snaps a photo, FaceFirst's system compares those reference points to entries in the database, giving a percentage match. The client decides what the accuracy threshold should be, with 80%-90% the default threshold to trigger alerts.

It takes a ton of bandwidth to deal with live HD video and biometric data, but FaceFirst has spent years whittling down file sizes to streamline high-scale enterprise demand. Further, the company built a web-based portal for global access to the facial recognition system, even from smartphones.

The facial recognition algorithm FaceFirst uses has been vastly improved since its introduction in the early '90s, Rosenkrantz says. More intermediate steps between acquisition and match filter lighting and choose the best pose from a series of photos that aligns with the algorithm's facial grid. The algorithm marks those grid reference points on-site, sending only biometric data to the database comparison engine, saving bandwidth.

This speed and mobile access lets retail businesses intercept suspicious parties quickly. But FaceFirst doesn't just have clients looking to bolster loss prevention: The company has created a custom mobile app for law enforcement and sold their services to 71 police agencies, Rosenkrantz says. The largest police agency database among FaceFirst's clients has 8 million entries—and processing that data more quickly for officers on the move has obvious advantages.

But Will Retail Keep Your Data Private?

Retail privacy advocates have been concerned about iBeacons that automatically track customers via Bluetooth. But customers can turn off Bluetooth easily. But it's much more difficult for them to hide their faces. They would need to apply particular camouflage that distorts facial geometry, wear a gadget, or simply cover their face to fool facial analytics—both of which are fairly conspicuous countermeasures.

Despite ongoing controversy over technology-related privacy violations, America is one of the few developed nations without a universal or federal privacy law governing how data is collected and shared. The Electronic Frontier Foundation has been up in arms about data privacy in general, but the organization is especially concerned about data collection in the retail sphere.

"I don't think that people do understand that yet, but I don't think that people in general are able to grasp or gather how companies share data," says Jennifer Lynch, legal counsel for the EFF. "It's definitely something to be concerned about, especially with data leakage along the way, and to think about how many cameras are already in society."

"Facial recognition, like any biometric, is unique to an individual—like a Social Security number or driver's license or credit card number, it can't be changed. So if there's ever a security breach, it could really impact an individual more than we have seen in the recent Home Depot and Target data leaks," Lynch says. "It impacts the fundamental values of being able to participate in society anonymously."

The Question of Consent

Building databases of shoplifters and suspicious characters is one thing, but even without a federal data collection law, retail outlets are wary of offending the customers they're trying to woo. Of course, all bets are off if customers give their consent—which many already do wittingly or unwittingly, often simply by signing in to an app with a Facebook account. Lynch is worried that voluntarily linking biometric data from facial scans to retail data will have ramifications that customers can't foresee.

"Oftentimes with data collection in retail, the customer doesn't know how that data is being used. The customer might be offered five bucks off if they give the retail company their email address, but with a face template, it's data that follows you: It's tracked in-store, tracked in the checkout counter, it might be linked to your credit card data," Lynch says. "And all that might be sold to a third party."

Without a broad federal or universal law, there's no way to regulate against this collection and selling of data, Lynch says. It comes down to the semantics of consent—and Lynch thinks even something like a notification sign at business entrances might count as consent in court.

But there are places that customers already knowingly consent to facial recognition of a sort: casinos. "Facial recognition is used pretty widely...in the gaming industry, not only to track card counters but to recognize big spenders," Lynch says. "For those people who find it helpful to be greeted and handed their favorite drink, it might be what they're looking for."

Rosenkrantz is very aware of the delicate, untested nature of data collection legality. While FaceFirst only sells the analytics platform, both as standalone software and as a cloud-based service, FaceFirst has nevertheless expanded into other markets besides retail, including industrial utility and transportation security. Clients in the latter areas use facial recognition for geofencing, making sure particular employees or civilians don't wander into restricted areas.

Surprisingly, almost no U.S. airports use facial recognition tech. FaceFirst has sold its tech to the Panama City airport, among other South American government customers. But to secure a U.S. government contract would require an extremely expensive lobbying campaign and long negotiations with Homeland Security and the Transportation Security Administration. Panama, Colombia, and Brazil went out of their way to approach FaceFirst to use their facial recognition systems in bus depots, says Rosenkrantz.

The potential for businesses to compile new customer data is too tempting to pass up for long. Facial recognition technology has advanced, and if privacy advocates and businesses don't agree on what precautions to take with all that stored personal data—and the government doesn't step in—some future Target-size leak could spill biometric-linked data that's even more personal and much harder to recover.