Surveillance technology – and, in particular, facial recognition – has become the subject of significant mainstream media debate over the past 12 months. In many cases it has been presented as a significant threat to our privacy and a danger to the very foundations of liberal democracies. With judicious application and proper oversight, security technology can increase efficiencies with minimal impact on privacy. Andrew Elvish has the detail.
There are many situations in which facial recognition can be considered proportionate and beneficial for its users. For example, to reduce queues at passport security or grant access to a secure facility that requires an additional level of authentication beyond just an access control card. However, there are many more cases in which it’s technically, ethically or logistically unsound.
Much like other forms of analytic before it, facial recognition will go through the stage where hype greatly exceeds reality and where some in the industry choose to propose its deployment in ethically or technically unsound ways. Meanwhile, the rest of us will quietly continue to focus on the challenge the customer needs to solve and leave the ‘hype cycle’ to work itself out.
Much of the current concern specifically around facial recognition may well be overblown owing to the fact that it’s still a nascent technology. Scratch just beneath the surface, though, and it’s true that wider threats arising from the misuse of technology are real. Technical ignorance (often informed by Hollywood ‘movie magic’) and a focus on hype over accuracy can dictate policymaking and legal decisions to the detriment of citizens.
In recognition of this regulatory vacuum, it’s imperative that system manufacturers, specifiers and installers alike take great care in educating end users and building solutions with appropriate safeguards in place that ensure their responsible and proportionate use.
Danger is real
China’s mass surveillance programme and its use of facial recognition software for ethnic profiling offers a chilling example of how technology can be deployed by authoritarian regimes with seemingly no respect for individuals’ privacy. The very technology that has been developed for China’s surveillance state is now being widely exported across the world, populating cities, Government organisations, businesses and critical infrastructure sites with low cost cameras and communication systems.
When you look at what’s happening in Ecuador and in countries throughout Africa, a technology-driven authoritarian world doesn’t seem so far-fetched after all. Yet, from the UK to Italy, European organisations and Governments are connecting potentially dangerous devices to their private networks. It’s a recipe for disaster that we underestimate at our own peril.
The right to privacy is one of the basic tenets of liberal democracies and, in recognition of this, democratic institutions around the world have been drafting policies. The European Union’s General Data Protection Regulation and California’s Consumer Privacy Act in North America are prime examples. India’s Supreme Court even states that “a right to privacy is part of the fundamental rights to life” and an inherent part of the fundamental freedoms enshrined in the constitution. Similar legislation also exists in Malaysia and Brazil.
In addition to laying the legal and regulatory foundation necessary to protect privacy and create safer networks, Governments play another important role by restricting the use of technology from vendors or manufacturers deemed to present security concerns.
Encouraging responsible use
Intrinsically, technology is neither good nor bad. How we deploy and use it, however, is what may lead to far-reaching benefits or negative results. The developing conflict between the consequences of technology and the survival of some of our fundamental rights is rife with dangers.
We believe that technology can play a crucial role in making liberal democracies even stronger, not weaker. Technology can enhance our ability to build safer cities and businesses. It can help find missing people and direct the Emergency Services to the scene of an incident much faster. Importantly, technology can do all of that without compromising personal privacy.
The raging debate around facial recognition technology is based on the false assumption that the technology itself is mature when that’s far from the case. Policymakers are overestimating its capabilities in the same way that they underestimated the power of Facebook to sway public discourse and influence political elections.
The real issue here (and the real threat to the security of a nation and the proper functioning of a democracy) is the decisions being made by policymakers, business leaders and citizens without full account of the technical considerations being part of the equation.
A similar situation occurred in the early 2000s in the world of finance and accounting. Following a number of major corporate and accounting scandals where the long and short of the defence mounted by the responsible CEOs was “accounting is hard and we didn’t really understand what was happening”, the Sarbanes-Oxley Act was put in place. Just as finance and accounting can be complex, technology also requires a solid level of understanding of what’s available, what’s achievable and how this technology must be responsibly managed.
With the introduction of the Sarbanes-Oxley Act in 2002, the ability for an executive to plead ignorance of the fundamentals of accounting and finance became an impossibility. In much the same way, we would argue that these same executives should not be allowed to plead ignorance on the fundamentals of cyber security and that we as a society should aim for a new type of ‘Cyber Sarbanes-Oxley Act’ to hold those leaders accountable.
The thought of a large-scale video surveillance system being implemented by people who don’t fully understand the fundamentals presents a far scarier proposition than facial recognition.
Protecting liberal democracies
While Governments can play an important role in regulating the use of technology and ensuring that their citizens’ privacy is protected, we cannot expect every legislator to instantly develop the technical expertise to make fully-informed decisions.
When it comes to ensuring privacy and protecting us from cyber threats, technology vendors also carry a huge burden of responsibility. They need to work hand-in-hand with policymakers, civil rights organisations, business leaders and members of the public to educate and inform.
This means designing products in such a way as to deliver both innovative technology and responsible frameworks for implementation. It also means making cyber security and privacy protection features ubiquitous and built into the products. This is what’s called ‘Privacy By Design’: a product development approach that calls for privacy to be taken into account throughout the whole engineering process.
In the case of facial recognition, all data needs to be encrypted and faces must be blurred such that the privacy of individuals is respected at all times. This ensures that nobody can view images or video unless faces are recognised and matched to an existing search. For video surveillance, technology should automatically protect the identity of individuals caught within a given camera’s field of view by dynamically obscuring/pixelating individuals and only allowing the clear image to be accessed through the mutual agreement of two or more empowered officials.
Strong identity authentication features (ie ‘Are you who you say you are?’) should be built-in to prevent captured video and data from falling into the wrong hands and ensure an unambiguous record of who has accessed video data and for what specific reason.
Acknowledging the risks
Acknowledging the risks and limitations of new technologies is a fundamental step in ensuring that they work to our benefit and that our privacy is protected. Blurring faces in video, and anonymising and encrypting data, should be as much a part of an organisation’s overall security plan as encrypting sensitive data or protecting employees’ computers.
This can only happen if we increase our technology literacy across the board. Legislators, technologists, Human Rights organisations and corporations need to work in tandem. As technology experts, our role is to help educate and support users and Government regulators. We need to anticipate the ways in which customers and Governments will want to balance privacy and efficiency and then build the tools that allow new technology to be used ethically.
It’s also our role to be transparent about the technology’s abilities and explain the value of striking this balance, as well as the risks of not doing so.
Andrew Elvish is Vice-President of Marketing and Product Management at Genetec and a Member of ASIS International