In the midst of the ongoing coronavirus pandemic, facial recognition technology is being adopted globally as a way to track the virus’ spread.
But privacy experts worry that, in the rush to implement COVID-19 tracking capabilities, important and deep-rooted issues around data collection and storage, user consent, and surveillance will be brushed under the rug.
“Faced with a pandemic, the public may be rapidly accepting the risks involved with providing biometric data for healthcare services, but individuals should not be so quick to give up that data,” Matt Gayford, principal consultant at the Crypsis Group, told Threatpost. “While facial recognition technology provides a fast and zero-contact method for identifying individuals, the technology is not without risks. Primarily, individuals scanned by facial recognition services need to be aware of how their data is being used.”
The reason demand for no-touch facial recognition solutions is currently peaking is two-fold. First, in an attempt to curb the spread of the coronavirus, authorities are cutting down contact-heavy biometrics programs that require fingerprints or iris scans. Recently, for instance, the New York Police Department stopped employees from using a fingerprint ID entry security procedure. This is creating demand for facial recognition companies to step in and market their services as an identification alternative – sans contact.
Second, facial recognition companies are customizing their solutions so that they are better equipped to track citizens who may test positive for coronavirus.
Take Chinese biometrics company Hanvon (also known as Hanwang Technology) for example. The company, whose customers include the Chinese Ministry of Public Security, recently updated its facial recognition technology so that it can identify users even when they are wearing masks.
Hanvon’s facial recognition technology can be connected to a temperature sensor, measuring a subject’s body temperature while also identifying their face and name. Others are pitching their own variations of this application: According to a OneZero report, German-based Dermalog is marketing its facial recognition tech that determines temperature as a safety feature (already in use by the Thai government for border control), while Chinese company Telpo has created temperature sensor-equipped facial recognition terminals.
And in some places, these applications are already being rolled out at massive scale. China has reportedly installed trial facial recognition thermometers on buses to detect coronavirus symptoms. These scan passengers’ faces at the entrance of the bus and alert the driver if an anomaly has been detected (according to The Hill, the temperature data of riders is stored in real-time for tracking vehicles, drivers and passengers if necessary).
The Moscow Times, meanwhile, reports that Russia is using facial recognition cameras to enforce quarantine orders. In one case, Moscow’s facial-recognition network reportedly helped to track down a woman who had recently traveled from China – and who failed to follow the city’s order to self-quarantine for two weeks after travel.
It’s important to note that the thought process behind tracking the coronavirus makes sense – particularly as stories crop up about “super spreaders” who fail to isolate themselves after they have tested positive for coronavirus, potentially spreading the virus to others.
“There is of course a space for facial recognition systems and their potential use, especially during the COVID-19 pandemic, is clear in becoming an alternative to fingerprint and other biometric technologies that rely on touch based sensors,” Steve Durbin, managing director of the Information Security Forum, told Threatpost.
But, he said, “the issue of privacy and protection of the rights of the individual remains unchanged. Facial recognition is not a perfect science, we have seen public dissatisfaction with the way in which some governments have used facial recognition resulting in its withdrawal from use.”
Facial recognition itself is not new. In the U.S., facial recognition is already actively used by police forces and even at the White House. And the EU last year approved a massive biometrics database that combines data from law enforcement, border patrol and more for both EU and non-EU citizens.
The privacy debate around facial recognition is also longstanding. Last week, in fact, the American Civil Liberties Union (ACLU) filed a lawsuit against the Department of Homeland Security (DHS) over its use of facial recognition technology in airports; while California in September passed a bill to ban the use of facial recognition-equipped cameras by law enforcement.
But privacy advocates worry that panic around the coronavirus right now – and the potential of facial recognition for helping its containment – could cause people to turn a blind eye to its privacy risks.
Rui Lopes, engineering and technical support director at Panda Security, told Threatpost that facial recognition comes with a flurry of drawbacks. While regulations like GDPR have taken a hard stance on data collection by companies online, the same level of oversight doesn’t exist when it comes to the collection, storage and sharing of facial recognition data.
“Using facial recognition, it is easier than ever for governments to monitor and track their citizens, destroying the assumed privacy that comes with anonymity in a crowd,” Lopes said. “Great care must be taken by any organization that adopts facial recognition at this time, and should disclose their data collecting practices. It is easy to imagine hackers going after a database of facial recognition data to exploit, thereby giving criminals yet another weapon to use.”
Another privacy concern when it comes to facial recognition is consent. Questions remain unanswered around how users can knowingly opt out before their facial recognition data is collected and stored.
“It’s important to understand the legal implications and potential repercussions to an individual’s privacy,” Crypsis Group’s Gayford told Threatpost. “Before using the services, individuals should understand how their data will be used, where it will be stored, and who will have access to it. If used by third parties, it would be possible to identify individuals on security cameras using the facial recognition data. Advertisers could easily build a profile of shopping behaviors and begin targeted advertising. On the other end of the spectrum, the same data could be used to track an individual’s movements, habits, and even their online presence by scraping photos from social media.”
Looking ahead, experts urge governments and regulators to consider ironing out the privacy wrinkles before adopting facial recognition technology.
“For facial recognition systems to become an acceptable, widely used means of validating that we are who we say we are we first need to ensure that the privacy rights of the individual are protected, that the data is responsibly collected, stored and managed and that its use is restricted to the purpose for which it was originally taken,” Information Security Forum’s Durbin told Threatpost. “I think we are a long way off these safeguards being consistently rolled out.”