Facial Recognition Software: Is It Safe?
If DeepFace demonstrates the capacity of machines to emulate human thinking, what does that mean for facial recognition security? Imagine someone stole your face as well as your credit card? You can cancel a credit card, but you can’t cancel out your own face.
As the facial recognition market continues to expand, with experts predicting it will “garner $9.58 billion by 2022”, the question on everyone’s lips should be: “How secure is facial recognition?”. Clearly, facial recognition has its place, but what are its vulnerabilities and limitations?
What is Facial Recognition?
Teaching a computer to recognize human faces isn’t a recent development and work started on automated facial recognition back in 1964. Facial recognition technology can identify a person based on their facial features, shape, and textures using either geometric or photometric algorithms.
While the geometric approach looks at individual facial features, the photometric approach is more holistic, examining the photograph in its entirety and comparing it against a database of similar images. Both approaches are effective, although facial recognition as a form of biometric identity authentication lags behind both fingerprint and iris recognition in terms of accuracy. Nevertheless, the non-invasive nature of facial recognition makes it popular as a form of identity verification, whether for security reasons or purely commercial ones.
Recent developments have seen the introduction of live face recognition which is capable of identifying each face in a video feed and then mapping it using specific nodal points or landmarks before comparing it to a database of facial images.
How Does Facial Recognition Work?
Each face is made up of a series of landmarks, like the eyes, face, cheekbones, chin, forehead, etc., and the distances between those features. The human face has 80 such nodal points which are used by facial recognition software to create a numerical code known as a ‘faceprint’.
Facial recognition software looks at a number of features, including:
- Width of the nose
- Distance between the eyes
- Length of the jawline
- Shape of the cheekbones
Traditional facial recognition methods, however, couldn’t adapt to a dynamic environment which meant that, unless the subject was looking directly into the camera, it was virtually impossible to correctly identify an individual or verify their identity.
To combat these challenges, technicians developed 3D facial recognition which can recognize an individual face even when viewed in profile by focusing only on the areas of the face that remain fixed, namely the bony structures of the nose, chin, and eye sockets.
The process of identification using facial recognition requires the following steps:
- Detection – the actual physical capturing of an image depicting an individual’s face
- Alignment – ascertaining the angle of the face at the time the image was captured
- Measurement – each facial node is measured to create a template
- Representation – the template is converted into a series of numerical values
- Matching – the image is compared to those in an image database
- Verification or Identification – verification matches the image to one other to confirm an individual’s identity. Identification compares the image to all those in the database to establish the individual’s identity.
Who Uses Facial Recognition Security?
Most of us have been exposed to facial recognition procedures at an airport at some point but you’d be surprised how widespread its applications are.
Facial recognition first made the headlines back in 2001 when it was used to scan the crowds at the Super Bowl stadium in Tampa, looking to identify known terrorists and criminals. Although the system worked effectively, identifying 19 possible suspects, the challenges of finding and arresting those people proved greater than anticipated.
According to Detective Bill Todd, who was in charge of the operation, admitted at the time, “We thought we were ready to use it, but getting through the crowd and the architecture of the stadium proved overwhelming”.
Facial recognition systems have come a long way since then, although they have yet to really tackle the security concerns surrounding this form of biometrics. Nevertheless, facial recognition technology is becoming increasingly prevalent and is now used in a variety of situations, some of which will come as a surprise!
Law enforcement agencies were the first to use facial recognition security in airports to verify the identity of travelers and clamp down on illegal immigration. The Department of Homeland Security has since started to expand the use of facial recognition to replace manual passport checks. Airlines themselves are also experimenting with this biometric identification process to streamline the boarding process and potentially do away with the boarding pass altogether.
The FBI has a phenomenal database that contains an estimated 641 million facial images and uses facial recognition to assist in the identification of known suspects. Police departments are also using this technology to scan crowds of people, searching for known terrorists, criminals, and troublemakers.
In the so-called ‘Vegas of China”, the former Portuguese enclave of Macau, facial recognition systems are being implemented all over, from cash machines to casinos. In a desperate bid to combat money laundering, capital flight, and casino robberies, the Macau government said “all holders of mainland-issued China UnionPay bank cards will be required to scan their mainland identity card and undergo a facial recognition check’’.
Security in school is always a serious issue and some education establishments in the US, Australia, and China have introduced facial recognition security systems to combat unauthorized entry and keep track of pupil attendance.
Social media platforms like Facebook have introduced facial recognition as a method of organizing and tagging images. Facebook uses facial recognition to identify the same face throughout a series of images and recommend which users to tag in a specific image.
One of the most widely accepted applications of facial recognition is in the diagnosis of rare diseases. A system known as DeepGestalt has proved even more effective than expert clinicians when it comes to diagnosing rare diseases like Angelman syndrome (characterized by the sufferer’s small head, wide jaw, and deep-set eyes) and Cornelia de Lange syndrome (sufferers have distinct eyebrows that arch and meet in the middle).
China seems to be the most enthusiastic about facial recognition security and has even introduced a system to prevent the theft of toilet paper! Some public restrooms now scan people’s faces before issuing toilet paper and, should the same person return for more less than nine minutes after their initial toilet paper hand out, the machine will deny them.
Benefits of Facial Recognition
Despite having something of a Big Brother feel to it, facial recognition has the potential to be a highly effective form of identification. Not only can it be used to combat toilet paper theft and money laundering, improve school attendance and keep an eye out for known terrorists, but it could also be highly effective when it comes to identifying and locating missing persons.
Clearly, there are many benefits to using facial recognition and not only that you can unlock your smartphone without pressing a button. Some of the advantages facial recognition has over other identification systems include:
While a hacker can quite easily steal your password, when facial recognition was introduced on iPhones, for example, many of us celebrated. After all, who can steal your face, aside from a member of the Mission Impossible team? Don’t worry, we’ll get back to this point later.
Facial recognition only requires video footage which many businesses already have available thanks to their CCTV systems, making it easier to introduce than a fingerprinting system, for example, which requires special scanners.
If you think of DNA, that’s the polar opposite to facial recognition when it comes to intrusiveness. Even fingerprinting requires a certain amount of interaction, whereas facial recognition can be done completely passively, without the subject even knowing.
Technological advancements, including liveness detection, make it more accurate and more difficult to fake. Advocates of iPhone’s facial recognition security claim that the “probability that a random person… could look at your iPhone or iPad Pro and unlock it using Face ID is approximately 1 in 1,000,000”.
Detecting and identifying a face literally takes a few seconds, making it faster than manual identification processes and quicker than fingerprinting.
Dangers of Facial Recognition
Just as the benefits of facial recognition vary depending on where and why it’s being used, so do the dangers. It may have some benefits, but just how secure is facial recognition? On the surface, it seems almost bulletproof, after all, every face is unique and no face can be stolen except by a dangerous and skilled plastic surgeon (see Stolen Face circa 1952). The trouble is, facial recognition isn’t as infallible as its developers would like us to believe.
Accuracy and False Positives
Over in the UK, London police have been conducting trials on face recognition security systems over the past three years and have so far managed an accuracy percentage of just 19%. The trials have cost taxpayers £222,000 (around $287,000) and of the eight trials conducted, the results have produced a 96% rate of false positives.
Furthermore, although facial recognition is capable of producing fairly accurate results when the subject has pale skin, the darker the skin, the greater the chance of false positives.
According to a report by the founder of the Algorithmic Justice League, Joy Buolamwini, facial recognition technology, like other artificial intelligence systems, “are shaped by the priorities and prejudices — conscious and unconscious — of the people who design them”. As a result, facial analysis software, like that used by Microsoft, Amazon, Face++, and IBM, performs “better on male faces than on female faces” and is 34% less accurate when analyzing the faces of dark-skinned women compared to those of white men.
The Orlando Police Department was even less successful than the London police when they tried out Amazon’s Rekognition system. Technical difficulties meant the officers could use the system with only one camera at a time, while the standard and position of surveillance cameras meant the images weren’t clear enough for the facial recognition technology and that, in most instances, only the tops of the individuals’ heads were visible.
According to Orlando’s chief information officer, Rosa Akhtarkhavari, even after 15 months of battling with the facial recognition technology, “We’ve never gotten to the point to test images”.
The US Customs and Border Protection encountered similar problems using facial recognition at airports, saying it experienced a number of “technical and operational challenges” including “poor network availability, a lack of dedicated staff, and compressed boarding times due to flight delays”.
As we mentioned earlier, facial recognition can be done without the individual’s consent or even their knowledge which means no one is given the chance to opt-out. Some organizations using facial recognition security are already up to speed on this issue and US airline, Jet Blue, recently stated that it is possible for passengers to opt-out of facial recognition… but you’ll have to have your wits about you if you’re going to pull it off.
According to the Electronic Frontier Foundation, “the key to opting out of face recognition is to be vigilant. There’s no single box you can check, and importantly, it may not be possible for non-U.S. persons to opt-out of face recognition entirely”. This is consistent with the CBP’s position to some degree and reflects the unsympathetic sentiments laid out by the CBP in its privacy impact assessment which states that “the only way for an individual to ensure he or she is not subject to collection of biometric information when traveling internationally is to refrain from traveling.”
Research has already indicated that even multifactor identification systems using liveness detection, like those on the latest smartphones, can be hacked relatively easily. According to one researcher, Bin Ma, because many facial recognition systems resort to 2D analysis when glasses are worn, by putting pieces of black tape in the center of the lenses and a smaller piece of white tape on top, you can fool a phone into believing it’s seeing “attentive human eyes”.
Not only that but how that data is stored, handled, and shared could have serious implications when it comes to identity theft. Some stealing your credit card is worrying enough but that can be canceled with a quick call to the bank – your face can’t be canceled so increasing identity theft protection to ensure such biometric data is kept safe is crucial if facial recognition systems are to succeed.
Although databases of biometric data can be protected through the use of anonymization, this isn’t all it’s cracked up to be either and can be reidentified fairly easily.
3 Tips for Staying Safe with Facial Recognition
You could walk around with a brown paper bag over your head, thereby avoiding all the implications of facial recognition identification but that’s not really practical. We’ve established that the answer to “How secure is facial recognition?” is a resounding, “Not very”, but what can we do about it?
1. Change your Social Media Privacy Settings
Although Facebook is hardly a leading light when it comes to online privacy, it has at least decided to give its users the chance to opt-out of face recognition. Simply go to your settings and find Face Recognition in the menu. Click on edit and turn it off. Now Facebook will no longer use face recognition technology to identify you in images… or so they say.
2. Use a Digital Disguise
Not even the best VPNs can encrypt your face and make you look like someone else but there are some tools out there that can help shield you against online facial recognition. CV Dazzle, for instance, allows you to explore your wild side, adding hair extensions and outlandish makeup to your image to disguise your identity. FaceShield does a similar job but with less creativity.
3. Create Imaginary Faces
Digital disguises are no good if you’re in a stadium that’s being scanned by the FNI’s facial recognition security system. There are few ways to get around such mass surveillance, but one collaboration thinks it may have a solution. HyperFace “is a new kind of camouflage that aims to reduce the confidence score of facial detection and recognition by providing false faces that distract computer vision algorithms”. It’s not available to the public yet but we at Secure Thoughts will certainly be keeping abreast of its developments.”
Anyone still thinking that George Orwell’s futuristic vision in 1984 was a little off the mark must be living in a technological void. New technology is oftentimes seen as positive progress and facial recognition software is no different.
Certainly, it has the potential help law enforcement agencies reduce crime and track known criminals and even missing persons. It could also streamline the check-in process at airports, but at what risk?
In its present state, facial recognition security lacks the accuracy required to make it truly effective. Furthermore, research indicates that algorithms tend to reflect the creators’ preconceived ideas, making them potentially prejudiced. Facial recognition systems, for example, prove much more accurate when identifying white men than dark-skinned women.
Few cybersecurity tools have been developed to deal with the privacy issues surrounding facial recognition but it’s surely only a matter of time. A brown paper bag over the head certainly won’t cut it, being aware of the issues and practicing constant vigilance are both steps in the right direction.
While software developers contemplate their answers to the issues of facial recognition security, look after your online privacy by following our suggestions above and using reliable cybersecurity software, like ExpressVPN, to give you at least some semblance of privacy and anonymity.