
Facial Recognition Technology (FRT), Privacy Rights and Theft - Cybersecurity Approach

Wed, 17 Jul 2019

Smile. Your face just allowed you to purchase a Coach bag without ever reaching for your wallet. Was that your purchase, or did you lose your face?

It sounds ridiculous, the idea that you could experience face-theft. But the reality is actually a growing concern for the cybersecurity industry that guards facial recognition technology (FRT) and the data that it garners. Facial recognition software turns your face into a QR code or barcode. Stores can use your face to compile shared databases of customers, tracking products that they purchase, as well as products they browse with interest, or products they simply pass by. Online retailers already use this data, analyzed by artificial intelligence, to notice customers’ patterns, likes and dislikes to drive marketing, suggesting purchases tailored to their consumers. Now, brick and mortar stores will have those same advantages. A new mega-mall in Singapore is having FRT installed to track shoppers' habits and suggest deals to them.


Customized shopping experiences

Remember the old-timey feeling of going into a shop and being greeted personally by a shopkeeper who knows you and can make suggestions based on their interactions with you? Everything old is new again. It’s now a goal for retailers to offer this same sort of experience, only using FRT and machine learning to customize your greeting and experience. In fact, the future for shopping at brick and mortar retailers is that your face will be tracked as you shop and, without having to wait in line, you can exit the store with your purchases because your face already paid. FRT can also help to combat shoplifting, as it can instantly recognize known shoplifters by comparing their likeness to a database of images and alerting employees to their presence. Mastercard is developing selfie-pay. Retailers aren’t the only ones in the FRT game: the American MLB is moving away from paper ticket stubs and towards fans being able to validate their tickets by scanning their faces. With FRT, those sinking moments of realization when you’ve left your ticket or wallet at home will be a thing of the past. But with great convenience comes great liability.

While biometric data is highly reliable for authentication purposes, it also comes with significant risk. If someone's credit card information gets compromised in a massive breach like that of Equifax in 2017, then the individual can cancel their card and change personal information such as passwords. A face that betrays emotions and thoughts is one thing, but a face that reveals personal data is a problem. If your face is compromised as part of a data breach, what then?

At this point, the answer is not much.

Face the future

Globally, biometric data is captured, stored and examined in baffling quantities. The question becomes, just how much should your face give away? There is a high probability of security breaches due to the sheer volume of personal information being obtained. Facial recognition software is still mostly in its early stages of implementation. The laws surrounding the use of this technology, and the data it collects, are relatively non-existent. It is up to government agencies and the companies that will employ this technology to protect consumers. The problem is that without widespread regulations, facial recognition software can be used unethically. The potential for facial data to be auctioned to the highest bidder exists. Ironclad privacy agreements and full transparency have to be enforced so that human rights are not violated. 

“Privacy is a human right,” said Microsoft CEO Satya Nadella at the 2019 World Economic Forum Annual Meeting.[i] In speaking specifically about facial recognition technology, Nadella said, "It's a piece of technology that's going to be democratized, that's going to be prevalent, I can come up with 10 uses that are very virtuous and important and can improve human life, and 10 uses that would cause problems.” Microsoft, under Nadella’s leadership, has established a set of values for the ethical use of such technologies. But Nadella said that self-regulation within a company is not enough. "In the marketplace there's no discrimination between the right use and the wrong use... We [Microsoft] welcome any regulation that helps the marketplace not be a race to the bottom."[ii] FRT is a Pandora’s box of privacy issues. High standards, high cybersecurity, and high governance are the trio that needs to be put in place.

Nadella celebrated the European Union’s General Data Protection Regulation (GDPR), which came into effect in May of 2018. The GDPR is working to combat identity theft by laying out specific requirements surrounding data management to stop the abuse of data being collected for one purpose and then sold off for another. As artificial intelligence, machine learning and facial recognition software become more commonplace, regulations like the GDPR become increasingly important.

The right to save face

According to the GDPR, individuals have the right to privacy and to control what happens to their personal data. Personal data refers to all personally identifiable information, from phone number to birthdate, to home and email address, to biometric data. The physical characteristics of your face are considered biometric data. Everything that can identify a person, or place them, is their secret to keep. The principle at the root of this is the idea of informed consent. A user’s personal data cannot be used without obtaining their consent, and there are strict compliance mandates to ensure an individual’s data is protected once obtained. Companies can no longer just "mine" for personal data without notifying the individual and obtaining their consent to the intended use of the data. This shifts the power from the aggregator to the owner of the data. Companies that do not follow the GDPR requirements can’t do business in Europe, regardless of the company’s physical location.

Your firewall’s not good enough

Even if your company and website have no direct connection with the EU, someone in your supply chain might. It’s vital to be aware of what GDPR compliance entails and create a data processing and cybersecurity strategy. The Internet of Things has hyper-connected the corporate world. Almost every piece of office equipment, from computers and printers to HVAC units and alarm systems, is now connected to the internet. This makes seemingly secure networks more vulnerable to attack, so more sophisticated security measures need to be in place. 

While firewall protection is good, it’s not enough anymore. Instead, a multi-layered cybersecurity approach is required. Your network access endpoints need to be integrated with one consolidated entry dashboard and a secure audit trail. A cybersecurity solutions provider, like ISA, can help create a plan to transition your company into a state of security that will befit the privacy regulations that are on the horizon for North America. There is a growing need for rules, such as those that the EU has adopted, so the rest of the world will soon follow their lead. It is just a matter of time until national, or global, legislation is created that mimics or builds on the GDPR. It's essential that your company is proactive in its preparations. Talk to an ISA cybersecurity solutions specialist about how to create the highest possible security standards so that you won’t have to fear any future legislation.



