Facial recognition is a rapidly evolving area of technology with myriad potential commercial uses. Reflecting the rapid growth in this area, regulations related to facial recognition are changing across all levels of government. In an environment where consumers are increasingly concerned about privacy, this primer takes a closer look at how facial recognition works, who uses it and what to expect if regulations tighten in this area.

What is facial recognition technology, and how is it used?

Facial recognition is a subset of biometrics that compares an individual's facial features to available images for identification and authentication. It is separate from facial detection (which determines whether an image contains a face) and facial analysis (which analyzes attributes such as gender, age and emotion). Although facial recognition has been used since at least the 1980s, the quality of the technology has improved greatly in recent years, and the biometrics market is expected to grow to $59 billion by 2025.  

Both government organizations and private companies use facial recognition. Here is a partial overview of how the U.S. federal government uses facial recognition for law enforcement:

  • Federal Bureau of Investigation (FBI): The FBI has two units using facial recognition, the Next Generation Identification Interstate Photo System (a database of criminal mug shots associated with fingerprints) and the Face Services Unit (which leverages databases of federal and state organizations that have agreed to share images, such as driver's license photos).
  • Immigration and Customs Enforcement (ICE): ICE has also used state driver's license databases for facial identification.
  • Department of Homeland Security (DHS): Three separate DHS entities — the Office of Biometric Identity Management, the Science and Technology Directorate, and U.S. Customs and Border Protection — have used facial recognition technology and participated in biometrics research.

In the private sector, facial recognition is used in many different contexts and industries, from university campuses to social media platforms to news media and financial services.

What are the current standards, and who sets them?

The National Institute of Standards and Technology (NIST) develops standards on technologies, including biometrics, in partnership with other federal agencies. NIST conducted the Face Recognition Grand Challenge (2004 ‒ 2006) and the Multiple Biometric Grand Challenge (2008 ‒ 2010) programs, in part to improve the accuracy of facial recognition technology. To keep up with technological changes, NIST expanded its facial recognition evaluations in 2017, and its work in this area is ongoing. It's expected a report on the demographic effects in mug shots collected for domestic law enforcement applications will be published in fall 2019.

NIST is not an industry regulator, and it does not have an exclusive standard-setting role in the area of biometrics. Its legislated mandate is to encourage and coordinate federal agency use of voluntary consensus standards as well as federal agency participation in the development of those standards.

NIST's programs include:

  • Face Recognition Vendor Testing Program: This program evaluates both prototype and commercially available facial recognition algorithms in order to help the U.S. government determine where and how facial recognition technology can best be deployed. The most recent evaluation, from 2018, reported broad industrywide gains, combined with a wide range of capabilities. The most successful algorithms failed in only one-quarter of 1 percent of searches, and the failures were associated with images of injured persons or images of persons where there had been long time lapses between the photographs.
  • Face in Video Evaluation Program: This program assesses the effectiveness of facial recognition algorithms applied to video sequences. NIST completed this program in 2017, and the results showed that video facial recognition is a difficult challenge because the persons in the videos were sometimes looking at smartphones, wearing hats, etc.
  • Facial Forensic Examiners: NIST is also researching how to measure the accuracy of forensic examiners matching identity across different photographs.

NIST does not have a policy role in determining whether the U.S. government should deploy facial recognition; it only provides advice on how to deploy it from a technical perspective. Additionally, NIST does not have regulatory oversight on the use of this technology by private organizations, as this area remains largely unregulated at the federal level.

What are recent or upcoming regulatory changes, and what is at stake?

State and local governments are driving much of the current regulatory agenda. The cities of San Francisco and Oakland in California, and Somerville, Massachusetts, for instance, have banned the use of facial recognition in public places. The new ordinances apply to the police and other municipal government agencies and stem from concerns that the technology is often inaccurate and lacks government oversight and appropriate ethical standards.

These measures do not constitute a total ban on facial recognition but rather are restrictions on where the technology may be used. Law enforcement in some 300 California cities (including Oakland) reportedly uses a facial recognition system through the Northern California Regional Intelligence Center (NCRIC), a regional law enforcement agency. Access to this technology in California has prompted criticism from privacy advocates that the municipal ordinances have merely facilitated the outsourcing of facial recognition.  

With state and local governments wrestling with the issues — and potentially creating conflicting and contradictory rules — the use of facial recognition is now a subject of debate at the federal level. While there is no guarantee that Congress and the Trump administration will arrive at a unified set of rules and standards, the U.S. House of Representatives Committee on Oversight and Reform recently held a hearing on the subject, and more activity in this area is likely.

During the hearing, lawmakers expressed concern that the FBI has not fully implemented recommendations made by the Government Accountability Office in 2016 to adhere to privacy laws and policies and to ensure the accuracy of its facial recognition capabilities. Committee members referred to testimony by academics and privacy advocates arguing that the technology resulted in false-positive matches that disproportionately affected minorities, especially women of color. The committee also cited concerns that the technology has been and continues to be deployed by government agencies without oversight. The committee chair cited growing bipartisan consensus that action must be taken in order to respond to First Amendment and Fourth Amendment concerns.

Any changes to how the federal government governs its own use of facial recognition technology may lead to a collateral tightening of privacy laws and policies, whether through amendments or stricter enforcement. This is a complex area, since certain government agencies are subject to unique rules. For example, the FBI is subject not only to federal privacy laws (the Privacy Act of 1974 and the privacy provisions of the E-Government Act of 2002) but also to Department of Justice policies, DHS policies, and FBI policies and operating manuals.

Changes at the government level are also prompting discussions about the rules applicable to U.S. industries and individual companies. For example, the Commercial Facial Recognition Privacy Act (SIL 19337) was recently introduced, which, if adopted, would be the first of its kind to regulate commercial use of facial recognition. The bipartisan bill has received initial support from major technology companies. For businesses, a single set of federal rules likely would be easier to navigate than multiple sets of state and local rules.

The Commercial Facial Recognition Privacy Act is inspired by European data privacy laws but contains less restrictive rules on facial recognition. If it becomes law, the bill would require "affirmative consent" to be provided, which, in practice, would require notices to be posted in public places using facial recognition. Additionally, the bill would prohibit the use of facial recognition for purposes that violate applicable federal or state laws. The bill would also prohibit the sharing of facial recognition data with unaffiliated third parties without additional consent that is separate from initially provided consent. Finally, the bill includes exceptions for personal file management, identification of public figures by journalistic media, identification of public figures in copyrighted material, and emergencies involving imminent danger or risk of death or physical injury.

How can you prepare for regulatory changes?

There is a possibility that future federal legislation will prevent or restrict the acquisition and use of facial recognition technology by the government. There is also a possibility that more American municipalities will adopt moratoriums on the municipal use of this technology, potentially creating pitfalls for companies with nationwide commercial interests. Although these measures would not extend to private use of facial recognition, this technology carries potential reputational risks that companies are anticipating and working to manage.

As this is a rapidly changing area, governments and private organizations that use facial recognition should carefully monitor any legislative and regulatory changes and take appropriate measures to ensure compliance and minimize disruption to business operations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.