Who Am I, and Why Am I Here in this Database? Addressing Privacy Concerns With Security Technology

facial recognition
Antoinette King headshot
Antoinette King, founder of Credo Cyber Consulting, serves as vice chair of SIA’s Cybersecurity Advisory Board.

The definition of personal data, also known as personally identifiable information (PII), has expanded in recent years. Previously, personal data typically referred only to the most sensitive information, such as name, address, Social Security number, health records and date of birth. Today, it has expanded to include things like location data, IP address, MAC address, biometric data, behavioral patterns and browsing history.

The sources of data collection are many. When online, browser cookies record things such as IP address, MAC address and browsing history, while offline, behavioral activity is recorded by surveillance video and analytics. Additionally, people give varying degrees of consent to the collection of their data. In some cases, people freely give away their most personal information, as when they turn over their DNA information to ancestry services in return for a glimpse at their family tree. That same data is highly protected by HIPAA when it is being processed by a health care facility.

The current climate of data privacy is unstable at best. According to a recent study by Pew Research Center, approximately 62 percent of Americans believe that it is impossible to go through a single day without having their personal data collected by private companies, and 63 percent think it is impossible to go through a single day without the government collecting data about them. Most people feel like they have no control over the collection of their data by companies or the government. The same study found that 59 percent of Americans indicate a lack of understanding about how their data is used by companies, and 78 percent express similar concerns about the use of their data by the government. Understanding what PII is, how it is collected and how it is used is essential when considering technologies to implement in business.

Personal Data and Physical Security

The commercial use of physical security has traditionally been concerned with creating safe and secure environments for assets (people and property) in a given location. Physical access control, perimeter protection and video surveillance are combined to form a comprehensive system of protection. Video surveillance has also been a key tool in helping law enforcement to investigate and solve crimes. With the rapid advancement in technology, the physical security industry now finds itself in the throes of transformation. Biometric technologies, such as fingerprints, iris scans and facial recognition, require identifying information to be collected and stored as a means of secure access control and as an aide to investigations. Although the use of biometric data in the physical security industry has been mainstream for many years, the understanding of the ramifications of collecting and storing this kind of data is clearer now than ever before. If the biometric template is compromised, the subject can never use it again.

Facial recognition has been getting a lot of attention in recent months. To understand the technology, it is important to note the difference between facial recognition and facial detection. For a system to “recognize” a person, there needs to be an enrollment process in which a master photo is taken and associated with the person, then stored in a database for future comparison. A direct link is created between the picture and the identity of the person in the image. A person can be “enrolled” into a system consensually, as when an employee’s ID photo is used as a template, or without their knowledge, perhaps when an image from a video surveillance system is used as the template. Consent plays a very important role in the controversy surrounding facial recognition. Citizens are very sensitive to their image being used without their consent. Facial detection, in contrast, simply determines that there are faces in the field of view, and sometimes through software, a box is drawn around the face to bring attention to it. Facial detection does not create a link between the image and the identity of the person in the image. Facial detection may be used as a deterrent, as in the case of public view monitors in retail applications. As people enter the store, they are made aware of the use of video surveillance in order to discourage theft.

There are many beneficial applications of facial recognition. In the state of New York, it is used to detect identity theft and to find people with multiple licenses. The technology enables law enforcement to efficiently scrub through many hours of video to identify suspects and collect evidence. In August 2019, the New York Police Department was able to apprehend an attempted rape suspect within 24 hours of the incident in part because of facial recognition. The technology is also being implemented in airport security applications for more accurate identification of passengers. In addition, it can be used by retailers to identify known shoplifters and to alert security personnel when people on watchlists enter the establishment, a modern-day equivalent to taping a shoplifter’s photo to the entrance wall of the store.

Some people are highly concerned about how their biometric data is being used and consider the use of facial recognition in security and surveillance to be a threat to their privacy. However, facial recognition, in conjunction with geotagging, has been widely implemented by Google and Facebook, as well as many other social media platforms that consumers use daily, for years. People have been putting their image and location – their PII – out there for all the world to see at least since the days of MySpace. When a person “tags” someone in a photo on social media, they are essentially supporting the learning engine for that platform. Somehow, social media giants have convinced consumers that facial recognition use on their sites is not only OK, but cool, and they have been profiting from it for years. Yet when use of the same technology has been suggested to improve safety and security, consumers resist, citing invasion of privacy. Along similar lines, many cell phone manufacturers use fingerprint and facial recognition technology to unlock their devices. The security behind the management of that biometric information has fallen under very little public examination or scrutiny.

Legislation on Data Privacy and Physical Security

Despite the myriad benefits of the technologies, many individuals and organizations fear that video surveillance and biometric device advancements may be abused by both commercial entities and government agencies. Commercial entities stand to make a lot of money from consumer data, and government agencies can use the information in many ways that would infringe on citizens’ rights. As a result, legislation and regulations have been enacted in several places around the world to respond to these concerns.

The European Data Protection Board recently published its Guidelines on Processing of Personal Data Through Video Devices, which outlines how and when video surveillance can be used in commercial environments. It sets very strict standards regarding the process that needs to be followed if video surveillance is implemented, including:

  • Video based solely on general security is no longer a sufficient reason to implement a surveillance solution; the purpose must be specific and documented.
  • It must be demonstrated that video surveillance is necessary and that less intrusive technologies or alternatives would not suffice.
  • There must be an existing threat or situation sparking the need for video surveillance.
  • It establishes a clear definition of how and when consent is required.
  • It sets very specific requirements regarding disclosure of video surveillance to subjects.

These guidelines apply to all video surveillance, not just systems that include facial recognition.

In the United States, Pennsylvania, Oklahoma and Oregon have all passed legislation pertaining to the use of facial recognition technology. Oregon has prohibited its use with body-worn cameras; Oklahoma prohibits the sharing of biometric data (including images of its residents) with the federal government; and Pennsylvania requires any agency that uses facial recognition to create a written use policy. Several cities have also passed laws completely banning the use of facial recognition by the government and law enforcement, including San Francisco and Oakland, California, and Somerville, Massachusetts, and at least nine states are considering legislation concerning law enforcement’s use of the technology. The California Consumer Privacy Act, meanwhile, creates a comprehensive set of rules pertaining to consumer privacy that are akin to the European Union’s General Data Protection Regulation.

Industry Response to Data Privacy Concerns

Citizens are concerned about how their biometric data is being used. Given the negative attention that facial recognition technology has received recently, these concerns are understandable. There need to be mechanisms in place to safeguard citizens’ privacy. If a person is recorded as they pass through a public area, there is no basis for any expectation of privacy. However, if a person is recorded over an extended period of time, and there is a mass of data that can be used to identify the behavioral patterns of that person, then they could certainly make a case that their privacy has been violated.

At the same time, businesses are using video technology not only as a security measure, but to collect behavioral information about their customers for many reasons, including:

  • Knowing how many people enter and exit the facility
  • Learning which displays customers are most interested in
  • Determining how long customers are in the store
  • Measuring how long people wait in line
  • Determining the average number of customers in line when a waiting customer decides to abandon a cart

While collecting this kind of information is important to the overall business plan, upstanding employees do not want to feel like they are being “watched” their entire shift if they have never given their employer a reason to suspect them of any wrongdoing. Surveillance camera manufacturers are now incorporating solutions, such as redaction and real-time privacy shielding, so that the employee, and other innocent people in the scene, are not necessarily identifiable. An unredacted view would also be recorded in the event the video is required for evidence in an investigation. In addition, the use of static masking enables the user to block out sensitive areas in a camera’s field of view, effectively eliminating the ability to view parts of the scene live and on playback. Another alternative to video surveillance is using thermal imaging technology as a detection tool. Rather than relying on visible light, this technology measures and displays the temperature differences in the scene, making it an excellent option for perimeter protection.

The use of video surveillance by businesses to improve service offerings and the customer experience is growing each year. Options such as live privacy shield and redaction provide businesses with the ability to collect data about their operations while also being sensitive to privacy concerns. Behavioral patterns can be examined and shared without compromising the personal information of the subjects in the video.

Outlook for the Future

Artificial intelligence and machine learning are the wave of the future. As society becomes more reliant on Internet of Things devices to perform security and safety functions, the subject of data privacy will become more pronounced. Having a strong understanding of what information is being collected and how it is being stored and used is paramount in creating a trust relationship between data subjects and those collecting the data.

It is up to security industry professionals to demonstrate the value of using these technologies to protect the assets. Educating the public on how the technologies work, listening to their concerns and developing use policy recommendations are all fundamental to security and surveillance innovation.