When Apple deployed its Face ID feature on its iPhones and iPads starting in 2017, it became many peoples first daily interaction with facial recognition technology.
Prior to that, users entered passcodes or scanned fingerprints to unlock their devices. But as these smartphones and tablets advanced past mostly making calls and searching the internet — including using digital wallets and banking apps — more security for all that sensitive information became a must.
Today, facial recognition software is everywhere. Just on smartphones, users can just look at their screen to log into various online accounts instead of having to keep a mental rolodex of passwords. In some places, consumers already have the ability to purchase items at a register just by scanning their face.
In Minnesota, researchers and scientists are developing applications to streamline the customer experience with facial recognition. Others — like the Minnesota Robotics Institute at the University of Minnesota with its biometric technology for detecting signs of depression, cancer or diabetic retinopathy — are creating platforms to improve health and wellness.
Against the backdrop of a booming industry estimated to reach $70 billion by 2027, though, are concerned experts fearing facial recognition’s potential for mass surveillance as well as its lack of safeguards to protect millions of images of real people’s faces from theft or alteration.
“You’re face, unlike you’re driver’s license or government ID, can’t be reissued,” said Minnesota native Hayley Tsukayama, a legal analyst at California nonprofit Electronic Frontier Foundation, which focuses on defending digital privacy. “If someone is collecting information that’s tied to biometrics in general, it’s tied to your identity. If that’s breached, or if it’s sold in anyway that you weren’t expecting, you can’t replace it.
“You can’t get a new one.”
Necessary convenience
During the height of the COVID-19 pandemic, companies and governments put digital processes into place to allow people to continue everyday activities — like renewing driver’s licenses or completing large transactions — without having to go somewhere in person.
That upped business for Minneapolis-based software startup Token of Trust, which develops systems that allow businesses to verify customers’ electronic transactions.
The company works with businesses, about 70 so far, that need help onboarding new customers online. Token of Trust’s platforms are focused more for remote transactions, like verifying a person’s identity through comparing a government ID, national identification card or passport with a live image. The company has even used images from social media accounts, specifically selfies, to verify someone’s identity.
While Token of Trust strongly recommends supplementing facial recognition by authenticating a government ID, many businesses reach out to it just wanting facial recognition, simply because its the absolute minimum consumers have to do, said Austin O’Brion, Token of Trust’s chief revenue officer.
It’s also because the rapid sophistication of facial recognition technology has allowed machines to surpass capabilities of the human eye, said Saad Bedros, of the University of Minnesota’s Minnesota Robotics Institute.
“Cameras have become our eyes,” he said. “My eye and your eye has limits to resolutions.”
And it’s what consumers, mainly younger consumers, want, according to a 2022 survey by Shakopee-based identity verification and security software company Entrust. Of 1,450 consumers from 12 countries surveyed, Gen Zers (anyone born after 1997) and Millennials (those born between 1981 and 1996) were most likely to trust password-less login methods, with more than half of people in those groups saying they use electric identification. That’s compared to only 37% of Gen Xers (born between 1965 and 1980) and 12% of baby boomers (born between 1946 and 1964).
Only 6% of those surveyed view passwords as the most-secure method, and more than half disclosed they typically reset a password once a month because they can’t remember it.
“There’s this ground swell of desire from the average citizen or average consumer to say, ‘Hey, if I can do it digitally and not have to travel somewhere or submit an application through the mail or come to an office and present my certificates or driver’s license, I’m all for that,'” said Gordon Wilson, vice president Entrust’s identity verification business.
An ethical dilemma
Amid nationwide protests following the police murder of George Floyd in 2020, tech giants IBM, Microsoft and Amazon paused their facial recognition tools and vowed to no longer sell the tech to law enforcement agencies. Many were concerned law enforcement could use it for mass surveillance and racial profiling.
Others have criticized the tech for its high rates of error in identifying people of color, women, children and seniors, Tsukayama said.
According to the U.S. Government Accountability Office, six law enforcement agencies reported using facial recognition technology on images of the unrest, riots or national protests following Floyd’s death. Three agencies reported using it on images of people entering the U.S. Capitol on January 6, 2021.
Agencies said the searches only used images of suspected criminal activity.
How other countries apply the tech is also a growing issue.
“It’s coming from other countries that are mostly policed countries, and they have been perfecting it more and more and more,” Bedros said. Technology previously used to find terrorists is now deployed as a control tactic, with high-flying drones equipped with optical lenses seeking out certain individuals, he said.
“What will stop it is mostly legislation that says you can’t use it in different areas,” Bedros said.
In 2021, the House of Representatives passed the George Floyd Justice in Policing Act that would prohibit federal law enforcement officers from deploying facial recognition in their body cameras or patrol vehicle cameras. The bill didn’t pass in the Senate.
That same year, Minneapolis officials passed an ordinance prohibiting the city, including police, from using facial recognition surveillance technology.
Privacy is paramount
With the ability to digitally alter a person’s image easier than ever before, the chances of compromised identities are high, Token of Trust chief executive Darrin Edelman said. Implementing multifactor authentications and verifying cookies — small files of data stored on web browsers on the user’s computer — that help confirm past or recent logins are becoming paramount, he said.
In addition to acquiring consumers’ consent, the Electronic Frontier Foundation encourages entities to delete biometric information once it’s no longer necessary.
“People can’t steal what you don’t have,” Tsukayama said.
In 2008, Illinois enacted its Biometric Information Privacy Act, which regulates how private companies, not the government, collects, uses and shares biometric identification data for employees and customers. Washington and Texas have passed similar legislation.
Some organizations are already demanding new ways of verifying one’s identity to curb the potential use of stolen or altered face images. With liveness verification, businesses or agencies take multiple images in real time to ensure spaces around an individual are not fake, Bedros said.
“It’s an arms race,” Edelman said. “This is not going to stop. We’re going to be constantly trying to figure out is that or is that the real person or not.”
Eventually, facial recognition verification technology will move away from photos and snapshots, Edelman said. Live video — potentially while reading aloud some script to prove it’s in real time — is the next iteration.
“It’s going to be interesting,” Edelman said. “It won’t be enough in the future to just do facial recognition. You will have to combine multiple things.”