Your face defines who you are, but in the age of AI and social media, your facial features can be used against you.
This was seen with the recent Coldplay ‘kiss cam’ scandal, where social media users were able to uncover the offending CEO and the company’s Chief People Officer in rapid time.
Even if you’re not guilty, AI deepfake apps give everyday people the tools to superimpose your facial features into offending situations. While you may be adjusting your privacy settings on social media or thinking twice about who is recording you at public events, the reality is that your facial features may be used in other contexts, such as identifying you when accessing your online banking.
In this time where boundaries are blurred and multiple parties seem to be vying for your data, who has access to your face? And when is it safe to use facial biometrics?
The difference between facial recognition and biometrics
Facial biometrics is being used more and more in banking and other highly secure environments to verify a person’s identity. This is a completely safe process where your facial identity confirms your identity, but is not held by the company in any way or used for any other purpose.
Lance Fanaroff, co-founder and chief strategy officer of iiDENTIFii, says: “One of the prevailing misconceptions is that, by scanning your facial features, companies can hold onto your data and use it for surveillance or identity theft. The reality is that opt-in biometrics are the most secure way to identify someone – and keep their information and identity safe from misuse – and these differ a great deal from biometrics used for surveillance.”
When facial features are used for surveillance, this is referred to as facial recognition. Facial recognition is a specific application of facial biometrics that identifies or verifies an individual by comparing a live facial image or video frame against a database of known faces.
This can be used for various purposes, including security, law enforcement and access control. For example, facial recognition has been put to use in some boroughs in the UK to scan the faces of ordinary citizens, triggering an alert if features match those of a person on a watch list. The boundaries of facial recognition and what it is used for are a growing concern and a topic for global debate.
Fanaroff emphasises that, when South African consumers are asked to scan their facial features to access their personal online credentials, for example during banking, this process is completely safe. “Remote biometric onboarding links a person’s biometric data, whether their face or fingerprint, to their personal banking profile so that they, and only they, can access the account safely and securely. Opt-in biometric onboarding with liveness detection protects institutions and their clients from fraud. Users do it on their own terms to access their accounts, as opposed to surveillance.”
Facial biometric data is not stored by the organisations using it to authenticate their clients. Fanaroff explains, “iiDENTIFii, for example, makes use of a biometric hash technology to protect identifying information. A biometric hash is a cryptographic transformation of biometric data into a string of characters that acts like a unique digital finger or face print. As it is a one-way process that is achieved without using Personally Identifiable Information (PII) data, it is both secure and private.”
The safety of facial data needs to be an ongoing priority
South Africa’s private and public sectors need to work together to ensure that facial biometrics is used securely, and that the public understands the difference between this and facial recognition used in surveillance.
iiDENTIFii’s inaugural Identity Index 2024 – South Africa Edition says: “Despite the trend towards investing in Identity Verification (IDV) solutions, such as facial biometrics, there are still some significant barriers to implementation, with 31% citing regulatory compliance and 23% citing user acceptance as the most substantial barriers. This points towards an opportunity for more coordinated industry-wide approaches to digital identity, from stronger collaboration to a sustained commitment to investing in advanced technologies.”
The regulation of how any biometric PII data is used needs to occur frequently and rigorously. Maxine Most, Principal of Acuity Market Intelligence, a thought leader on emerging identity verification technologies, says, “In the past, when digital systems have been put in place, it has opened users up to function creep with data, meaning that corrupt actors use the data for purposes for which it was not intended. Regulatory compliance is therefore critical in building these systems in a way that this doesn’t happen. Systems need to be built with privacy first so that they can’t be abused.”
“Our use of biometric hash technology at iiDENTIFii illustrates that it is possible to use facial data to provide secure identification, without retaining identifying personal information,” says Fanaroff.
In South Africa, consumers can protect themselves by only using opt-in biometric verification and authentication services. Businesses can work together with the regulatory authorities to ensure that a landscape is created that protects individuals and is focused on privacy and security.
“From a South African perspective, the use of robust facial biometric technologies needs to be highly secure and controlled so that consumers can transact on these platforms confidently.”
Attending a Coldplay concert, however, can be a completely different matter.