Is facial recognition insecure?

When we think of biometrics, sometimes the first thing that may come to our minds are the highly sophisticated devices that you may find in a sci-fi film. We may also think that this technology is extremely expensive and will cost a fortune. This cannot be further from the truth.

While the advantage of biometrics for identification is clear, it’s completely understandable that people are concerned about the security of this information.

Passwords have been around for many years as one on the primary methods we use for security. The problem is that they are easy to forget, can be broken into if they are not secure and difficult to remember over the hundred of other passwords we can have.

Facial recognition access control matches a face’s characteristics against a template in a database. That template must have been enrolled and authorised in the database first, then a matching process follows where identifying points are verified against the authorised template.

The data is stored as a biometric template, rather than a picture of your face. All data is encrypted using 256bit encryption. Essentially a hacker would require 2256 different combinations to break a 256-bit encrypted message, which is a huge challenge even for the fastest computers. If they were trying to steal your identity, they would find it far, far easier to lift an image from your social media than to break into the database with your facial biometric template and backwards engineer it to a photo.

Any facial template that is created through companies using biometric access control is covered under the GDPR (General Data Protection Regulation). This means that the collection, storage, use and retention of the data must be carefully thought through. A PIA (privacy impact assessment) should be undertaken to ascertain whether it is a reasonable impingement of a person’s right to privacy.

Yes, but under the GDPR there is a special category of ‘vulnerable data subjects’ and children or Individuals can be vulnerable where circumstances may restrict their ability to freely consent or object to the processing of their personal data, or to understand its implications. You must undertake a Data Protection Impact Assessment to help you identify and systematically analyse, identify and minimise the data protection risks of a project or plan. Ask us for further information.

Facial detection merely identifies a face – with some CCTV camera systems the view can then zoom in to see the face in more detail. Facial recognition implies trying to identify whose face it is. Normally by comparison with a database. For private organisations, this database would consist of enrolled facial templates given when new users are added, with their consent, to a closed system. The data templates are encrypted and are not shared outside the system.

In the UK it’s the Information Commissioner’s Office (ICO); organisations that process data should be registered with them. If you’re unsure whether you should be there is a simple and effective self-assessment tool that you can use to check. For Ireland it’s the Data Protection Commissioner; you can find advice on their website.