When Apple deployed its Face ID feature on iPhones and iPads in 2017, it was many people's first daily interaction with facial recognition technology, doing away with entering passcodes or scanning fingerprints.
But as these smartphones and tablets advanced past mostly making calls and searching the internet — including using digital wallets and banking apps — more security for all that sensitive information became a must.
Today, facial recognition software is everywhere. Users can just look at their device screens to log into various online accounts. In some places, consumers already have the ability to purchase items at a register just by scanning their face.
In Minnesota, researchers and scientists are developing applications to streamline the customer experience with facial recognition. Others — like the Minnesota Robotics Institute at the University of Minnesota with its biometric technology for detecting signs of depression, cancer or diabetic retinopathy — are creating platforms to improve health and wellness.
Against the backdrop of a booming industry estimated to reach $70 billion by 2027, though, are concerned experts fearing facial recognition's potential for mass surveillance and its lack of safeguards to protect millions of images of real people's faces from theft or alteration.
"Your face, unlike your driver's license or government ID, can't be reissued," said Minnesota native Hayley Tsukayama, a legal analyst at California nonprofit Electronic Frontier Foundation (EFF), which focuses on defending digital privacy. "If someone is collecting information that's tied to biometrics in general, it's tied to your identity. If that's breached, or if it's sold in any way that you weren't expecting, you can't replace it.
"You can't get a new one."
Necessary convenience
During the height of the COVID-19 pandemic, companies and governments put digital processes into place to allow people to continue everyday activities — such as renewing driver's licenses or completing large transactions — without having to go somewhere in person.
That upped business for Minneapolis-based software startup Token of Trust, which develops systems that allow businesses to verify customers' electronic transactions.
The company works with businesses, about 70 so far, that need help onboarding new customers online. Token of Trust's platforms are focused more for remote transactions, like verifying a person's identity through comparing a government ID, national identification card or passport with a live image. The company has even used images from social media accounts, specifically selfies, to verify someone's identity.
While Token of Trust strongly recommends supplementing facial recognition by authenticating a government ID, many businesses just want facial recognition, simply because it's the absolute minimum consumers have to do, said Austin O'Brion, Token of Trust's chief revenue officer.
It's also because the rapid sophistication of facial recognition technology has allowed machines to surpass capabilities of the human eye, said Saad Bedros of the Minnesota Robotics Institute.
"Cameras have become our eyes," he said. "My eye and your eye have limits to resolutions."
And it's what consumers, mainly younger consumers, want, according to Shakopee-based identity verification and security software company Entrust's 2022 survey. Of 1,450 consumers from 12 countries surveyed, Gen Zers (born after 1997) and millennials (born 1981-96) were most likely to trust password-less login methods, with more than half of people in those groups saying they use electric identification.
That's compared with only 37% of Gen Xers (born 1965-80) and 12% of baby boomers (born 1946-64). Only 6% of those surveyed view passwords as the most-secure method, and more than half disclosed they typically reset a password once a month because they can't remember it.
"There's this ground swell of desire from the average citizen or average consumer to say, 'Hey, if I can do it digitally and not have to travel somewhere or submit an application through the mail or come to an office and present my certificates or driver's license, I'm all for that,'" said Gordon Wilson, vice president Entrust's identity verification business.
An ethical dilemma
Amid nationwide protests following the police murder of George Floyd in 2020, tech giants IBM, Microsoft and Amazon paused their facial recognition tools and vowed to no longer sell the tech to law enforcement agencies. Many were concerned law enforcement could use it for mass surveillance and racial profiling.
Others have criticized the tech for its high rates of error in identifying people of color, women, children and seniors, Tsukayama said.
According to the federal Government Accountability Office, six law enforcement agencies reported using facial recognition technology on images of the unrest, riots or national protests following Floyd's death. Three agencies reported using it on images of people entering the U.S. Capitol on Jan. 6, 2021.
Agencies said the searches only used images of suspected criminal activity.
In 2021, the House of Representatives passed the George Floyd Justice in Policing Act that would prohibit federal law enforcement officers from deploying facial recognition in their body cameras or patrol vehicle cameras. The bill didn't pass in the Senate.
That same year, Minneapolis officials passed an ordinance prohibiting the city, including police, from using facial recognition surveillance technology.
How other countries apply the tech is also a growing issue. For example, a recent Reuters report showed how Moscow's installation of video surveillance — including having 3,000 of its 160,000 cameras connected to facial recognition tech — helped arrest hundreds of protesters.
"It's coming from other countries that are mostly policed countries, and they have been perfecting it more and more and more," Bedros said.
Privacy is paramount
With the ability to digitally alter a person's image easier than ever before, the chances of compromised identities are high, said Token of Trust Chief Executive Darrin Edelman. Implementing multifactor authentications and verifying cookies — small files of data stored on web browsers on the user's computer — that help confirm past or recent logins are becoming paramount, he said.
In addition to acquiring consumers' consent, EFF encourages entities to delete biometric information once it's no longer necessary.
"People can't steal what you don't have," Tsukayama said.
In 2008, Illinois enacted its Biometric Information Privacy Act, which regulates how private companies — not the government — collect, use and share biometric identification data for employees and customers. Washington and Texas have passed similar legislation.
Some organizations are already demanding new ways of verifying one's identity to curb the potential use of stolen or altered face images. With liveness verification, businesses or agencies take multiple images in real time to ensure spaces around an individual are not fake, Bedros said.
"It's an arms race," Edelman said. "This is not going to stop. We're going to be constantly trying to figure out is that or is that the real person or not."
Eventually, facial recognition verification technology will move away from photos and snapshots, he said. Live video — potentially while reading aloud some script to prove it's in real time — is the next iteration.
"It's going to be interesting," Edelman said. "It won't be enough in the future to just do facial recognition. You will have to combine multiple things."