Tuesday, 22 January 2019 00:00

Facial Recognition – let’s all take a breath

One of the latest topics to be selected for media-mania is facial recognition. Can we of sound mind and technical education please provide a balance to the self-serving journalists who seek to promote their names through social media hype?

There are three areas of confusion that have surfaced over the past six months:

  • Privacy issues surrounding facial images

There are no privacy issues surrounding facial recognition. There are, of course, concerns regarding the storage and sharing of facial images that persons allowing themselves to be photographed as part of a registration process should question. But facial recognition uses facial templates (sometimes called facial signatures) and does not require transmission or storage of facial images.

  • Concerns regarding CCTV cameras

This item supposes that local councils are mapping our movements when we are caught on cameras in public spaces. The technology is not currently available to do this. It requires one-to-many matching and requires ICAO-grade images.

  • Comparisons with the Chinese social credit program

Whatever you think of Beijing’s initiative to promote social harmony, it has nothing to do with facial recognition – that just happens to be one of the technologies they purport to use. The only issue is whether or not democratic countries want to go down that route.

It’s important that technically competent people help to quell fear-mongering and ensure a level-headed approach as new technology becomes mainstream.

In helping people understand the technology, it is important to differentiate between the two main types of facial recognition, which are vastly different:

1. One-to-one

This is the area in which most change is occurring and where we are benefitting the most from a better user-experience. There are multiple use-cases, for instance:

-  SmartGate immigration stations. These are the automated devices used at border crossings that allow you, if you’re lucky, to enter a country without talking to a border-control officer. They work best in Europe where passports from a wide number of countries are accommodated. There are two steps to the process: you present your passport allowing the system to retrieve your facial template, and then a camera verifies that it is actually you travelling.

-  Windows Hello. After registering your face with your PC, and creating your facial template, subsequent logins will turn on the infra-red camera to verify your facial image even in low light.

This type of facial recognition is the future of authentication. Most new smartphones have strong graphic-processing capabilities and are able to positively identify you to a high assurance level. Many governments and commercial organisations want a higher level of assurance than most PIN-based or push-authentication systems can provide so this type of facial recognition has a bright future.

2. One-to-many

This is usually the type of facial recognition that garners the most interest and criticism from members of the public. It is widely used in criminal investigations where a visual image of an alleged perpetrator can be compared with police files of stored facial templates in order to identify a suspected criminal.

This type of facial recognition takes time and processing power; it is not suitable for authentication purposes. It has been trialled in multiple airports in an attempt to identify people on watch lists, or individuals with red-flag indicators, as they leave or enter a country. These trials have had very limited success because of high false negative rates.
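The difference between the two modes can be shown in a few lines. This is an added example, not code from the author or from any product named above. It assumes templates are fixed-length numeric vectors compared by cosine similarity; the function names, the 0.8 threshold and the randomly generated "templates" are all constructed for illustration.

```python
import math
import random

def cosine(a, b):
    """Similarity between two templates (fixed-length vectors, an assumption)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm

def verify(probe, claimed_template, threshold=0.8):
    """One-to-one: a single comparison against the template the user claims."""
    return cosine(probe, claimed_template) >= threshold

def identify(probe, gallery, threshold=0.8):
    """One-to-many: compare against every stored template; best id or None."""
    best_id, best_score = None, threshold
    for person_id, template in gallery.items():
        score = cosine(probe, template)
        if score >= best_score:
            best_id, best_score = person_id, score
    return best_id

def chance_of_false_match(fmr, gallery_size):
    """P(at least one false match) over N independent impostor comparisons,
    where fmr is the false-match rate of one comparison."""
    return 1.0 - (1.0 - fmr) ** gallery_size

def build_demo(size=500, dims=64, seed=7):
    """Constructed data: random vectors stand in for real facial templates."""
    rng = random.Random(seed)
    gallery = {f"person-{i}": [rng.gauss(0, 1) for _ in range(dims)]
               for i in range(size)}
    # A fresh capture of an enrolled person: their template plus sensor noise.
    probe = [v + rng.gauss(0, 0.3) for v in gallery["person-42"]]
    stranger = [rng.gauss(0, 1) for _ in range(dims)]  # never enrolled
    return gallery, probe, stranger

if __name__ == "__main__":
    gallery, probe, stranger = build_demo()
    print("1:1 verify:", verify(probe, gallery["person-42"]))
    print("1:N identify:", identify(probe, gallery))
    print("1:N stranger:", identify(stranger, gallery))
    for n in (1, 1_000, 100_000):
        print(n, "templates ->", round(chance_of_false_match(0.0001, n), 4))
```

The same per-comparison false-match rate that is negligible for one-to-one becomes near-certain across a large gallery, so one-to-many systems must tighten the threshold, which in turn pushes up false negatives.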

So what should the technical professionals be recommending to our clients?

  1. When we allow ourselves to be photographed as part of a registration process, e.g. obtaining a driver license, we should ensure we are satisfied with the privacy statement of the organisation involved. In most western countries privacy legislation allows companies and government to collect only the information they need for the transaction that a user is undertaking. They can’t collect information that just might be needed in the future or would be useful for their demographic analysis program. An organisation cannot collect a facial template if it doesn’t need it for authentication, and it can’t ask for a photograph unless it’s needed for the requested business process, e.g. an application for a driver license. If a facial template or a facial image is collected, it can only be used for the purpose for which it was collected. Government cannot use driver license photos to authenticate citizens to government services unless explicit consent is collected.
  2. We need to identify the current limitations of the technology. Much has been written about the ability to “fool” facial recognition systems with a modified photograph. It seems that a suitably “doctored” image can be used to cause a false positive. We would be remiss, as with any authentication mechanism, if we did not assist our clients in identifying situations in which a technology does not provide the required level of security.
  3. Perhaps the most important advice we can give, however, concerns the potential for facial recognition to radically change user experience in the future. Users of Windows Hello won’t go back to passwords, PINs or fingerprints. Facial recognition is so simple, and exceeds most security requirements, that it is the future for authentication on PCs and laptops, and it will be the authentication tool of choice on smartphones too, with the FIDO Alliance supporting a facial recognition certification program.

No – passwords aren’t dead, but facial recognition is one more nail in the coffin.


Thx.
Graham

Last modified on Tuesday, 22 January 2019 02:46