The Most Comprehensive Data Protection Solution

Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.

First and Only Solution to Converge:

  • Data Loss Prevention
  • Endpoint Detection and Response
  • User and Entity Behavior Analytics
DATAINSIDER

Digital Guardian's Blog

Facing the Future of Biometric Regulation

by Dennis Fisher on Wednesday December 12, 2018

Contact Us
Free Demo
Chat

Microsoft's president warned about the implications of facial recognition systems this week, advocating the government to regulate the technology sooner than later.

Facial recognition technology is seeping into more and more areas of daily life and as its use expands in both government and private industry, some companies are urging the federal government to carefully consider regulation.

Microsoft, one of the many companies that sell some version of facial recognition software, has made the technology an integral part of its Windows platform. The company’s most recent versions of Windows have a feature called Windows Hello, similar to Apple Face ID that allows users to unlock their devices through facial recognition. Microsoft also provides facial recognition technology to commercial and government customers and has been working with the National Institute of Standards and Technology on improving standards for the technology and reducing bias and improving accuracy.

But Microsoft President Brad Smith has been one of the more vocal advocates for government regulation of the technology. Several months ago, Smith posted an essay calling for both the government and industry to examine their priorities and principles in developing and deploying facial recognition systems. Recently, Smith posted a detailed call to action, saying that the time to get a handle on this technology is now, not later.

“While we don’t have answers for every potential question, we believe there are sufficient answers for good, initial legislation in this area that will enable the technology to continue to advance while protecting the public interest. It’s critical that governments keep pace with this technology, and this incremental approach will enable faster and better learning across the public sector,” Smith wrote.

“Governments and the tech sector both play a vital role in ensuring that facial recognition technology creates broad societal benefits while curbing the risk of abuse. While many of the issues are becoming increasingly clear, the technology is young. We need to tackle the initial questions now and learn as we go, developing more knowledge and expertise as the technology evolves and public sector experience deepens. It’s possible and perhaps likely that additional steps will be needed with time. But as Mark Twain once noted, ‘The secret of getting ahead is getting started.’ The time to start is now.”

Facial recognition systems already are in use in any number of different venues, including airports, government buildings, stadiums, and public areas that draw large crowds. In many cases, they’re used not for real-time identification but for identifying people after an incident. However, some airports and other venues are considering systems that would use facial recognition as a primary source of authentication, replacing a physical or electronic ticket or boarding pass. The applications for the technology are diverse, but so is the field of potential concerns.

Some facial recognition systems have suffered from poor accuracy, especially when identifying women or people of color. Privacy is also a major concern with these systems, as is consent. Smith said all of these are serious concerns, but the one that could have the most detrimental effect on the most people is widespread government use of facial recognition.

“When combined with ubiquitous cameras and massive computing power and storage in the cloud, a government could use facial recognition technology to enable continuous surveillance of specific individuals. It could follow anyone anywhere, or for that matter, everyone everywhere. It could do this at any time or even all the time. This use of facial recognition technology could unleash mass surveillance on an unprecedented scale. Unprecedented, but not unimagined,” Smith said.

Some government agencies already deploy facial recognition, including Customers and Border Protection. This week, the House Committee on the Judiciary held a hearing on CBP oversight, and the Electronic Privacy Information Center urged the committee members to ensure that CBP is deploying the technology legally and responsibly.

“Without legal authority or the opportunity for public comment, CBP has deployed facial recognition technology in U.S. airports, sea ports, and land ports of entry and collected biometric identifiers from American travelers. Further, the agency intends to ‘deploy biometric capabilities across all modes of travel — air, sea, and land — by fiscal year 2025.’ This vast biometric collection program exposes Americans and other travelers to substantial privacy risks,” the EPIC letter to the committee says.

Microsoft’s Smith said that the technology providers themselves need to begin developing guardrails and principles for facial recognition and not sit on their hands waiting for Washington to move.

“We also believe that while it’s better to address these issues broadly, we should not wait for governments to act. We and other tech companies need to start creating safeguards to address facial recognition technology. We believe this technology can serve our customers in important and broad ways, and increasingly we’re not just encouraged, but inspired by many of the facial recognition applications our customers are deploying. But more than with many other technologies, this technology needs to be developed and used carefully,” he said.

Iris scan image via the U.S. Army's Flickr photostream, Creative Commons 2.0

Tags: Privacy

Recommended Resources


  • Data security challenges in healthcare
  • Case studies on how DLP prevented PHI egress
  • How Digital Guardian protects PHI from internal & external threats
  • HIPAA 101: 4 core regulatory rules that impact security
  • Security strategies for protecting patient data
  • How to use DLP to cut your risk of HIPAA fines

Dennis Fisher

Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.