
The world of Cybersecurity today involves the use of many other tools and technologies from other realms.  For example, this includes the use of Biometric technology (especially when it comes to the use of Multifactor Authentication, also known as “MFA”), and Artificial Intelligence (AI) and Machine Learning (ML). 

The latter two have been gaining a lot of attention lately, especially when it comes to automating routine tasks, and doing deep dives into the exploration of data sets in order to see what the future threat landscape looks like.

But these technologies are not without their fair share of controversies.  One such tool is that of Facial Recognition.  I have been around Biometrics for quite a long time (in fact, I have even written and published three books about the subject matter).  This technology started to really evolve in the last decade, especially after 9/11.

But after that, Facial Recognition failed to live up to its hype and claims and was often chastised by the media as the tool in which Big Brother is watching over you.  Over these last few years, the technology has really evolved into more of a mainstream one, and one of its best-known applications is that of the “FaceID” on the latest version of the iPhone.

But Facial Recognition is still being hounded as one with many issues – especially when it comes down to Privacy Rights and consent.  In fact, these issues are nothing new to this tool.  They have been around even when Facial Recognition first started coming out back in 2000.  But according to a recent poll conducted by Threatpost, a leading Cybersecurity magazine portal, consent tops the list.

There were 170 respondents in this survey, and here is a high-level overview of what they believe in:

*53% of them claimed that they were never asked for their consent when being exposed to a Facial Recognition system;

*The question of what “consent” really means was also asked, and here is what they said:

              *32% of the respondents felt that consent is the act of notifying people that an area is using Facial Recognition;

              *10% claimed that giving consent is the ability to opt out of using Facial Recognition if they chose to do so.

*55% of the respondents have fears about privacy and surveillance issues when it comes to Facial Recognition;

*29% of them have serious reservations as to how the information from a Facial Recognition system will be stored and shared (especially with government agencies);

*85% of the respondents felt that Facial Recognition should be regulated in the future.

The main trigger for the issue of consent came about when the Department of Homeland Security announced a pilot program for monitoring the public areas around the White House.  The question was directly asked about consent, and the answer was simply put as the following: “If you have reservations about, then don’t come near the White House”. 

The importance of consent to these respondents is depicted in the illustration below:

(SOURCE:  https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/25163405/consent.png)

My thoughts on this?

Finally, the survey concluded with the following:

*50% of the respondents have extremely negative feelings about Facial Recognition;

*30% of them claim to have “mixed” feelings about it (meaning, they were unsure what they felt about the use of Facial Recognition).

Honestly, I am not surprised by these findings, as these are the very same issues that have compounded Facial Recognition in the past and will do so into the future.  I have never understood why Facial Recognition has received so much controversy, when there are other tools that have the potential to come out and cause even more controversy, such as that of DNA Recognition.

But, the issue of consent is one that surprises me.  I have never really thought of that one before, until I read about it today. So, what does consent mean to me?  Well, it simply means that you have the right to opt out if you choose to do so.  But this does not mean that you have to give your explicit consent.  For example, many of the major international airports worldwide have implemented the use of Facial Recognition, in a very covert fashion.

Do airport officials have the time to ask each and every passenger if they are OK with having their face scanned?  Of course not.  But in my opinion, perhaps they should post notification signs in these public areas that surveillance is being conducted with Facial Recognition.  Thus, in this regard, if you have reservations about being watched, then you don’t have to go to that particular area of the airport.

But again, this all depends upon the environment in which Facial Recognition is being used.  If it is being used in a business in order to confirm the identity of their employees before they gain physical access to a certain area or to shared resources, then I think explicit permission should be asked.  In this case, there is time to do this.  If an employee does not want to have their face scanned, then alternate means of identification should be provided.

In other words, the giving and receiving of explicit permission when it comes to using Facial Recognition depends upon the application for which it is being used.  But as the Cybersecurity Landscape continues to grow in complexity, the issue of consent will soon be drowned out.

There are already cases of this happening.  For example, there has been a recent law adopted here in the state of Illinois expanding the use of Facial Recognition, without giving a second thought to the use of consent.  Details of that can be seen here:

http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57

Also, the EU is coming out with a new database called the “Common Identity Repository” which is designed to collect Biometric information/data of both EU and non-EU residents.  Nobody is giving a second thought here to consent as well.

But, as there have been many bills and legislations still pending as it relates to Cybersecurity, there are a few of them as well that deal explicitly with Facial Recognition.  One of these is the “Commercial Facial Recognition Privacy Act.”  The goal of this pending bill is to prevent the covert sharing of information and data amongst businesses when it comes to using Facial Recognition.

But keep in mind that policy makers simply cannot keep up with the pace of the Cybersecurity Threat Landscape, so by the time this bill passes (assuming it does), it may even become obsolete as technology overall drastically changes and improves.

These are tough questions obviously, and there really may never be a concrete answer to it all. But in the end, I can see this happening:  Consent will simply mean that if you are participating in a system, it means that you approve of being in it, regardless of having any notification or not.

Finally, more information about the study conducted by Threatpost can be seen here: