GAO reviews facial biometrics as SIA launches principles for ethical use
The global market for biometric facial recognition is forecast to reach $20.63 billion by 2030, on a 17.2 percent annual growth rate from 2020, in a report from GMD Research. With the market continuing to leave U.S. laws and federal government regulations in the dust, the Government Accountability Office (GAO) has issued a report on biometric facial recognition technology, specifically ‘privacy and accuracy issues related to commercial uses,’ in order to inform Members of Congress who requested the guidance.
The report comes just as the Security Industry Association (SIA) has released a set of ‘Principles for the Responsible and Effective Use of Facial Recognition Technology’ to guide both private and public-sector applications of facial biometrics, including by law enforcement agencies.
The GAO issued its 65 page report to update guidance from 2013, at the request of four Senators and two House representatives, all Democrats.
Representatives from eight facial recognition vendors and seven customers were interviewed for the report. The vendors were selected after being identified by agencies and privacy advocacy groups, the GAO says, and the customers based on participation in industries commonly cited in a review of relevant literature.
Key findings include that the market for commercial uses of facial recognition is expanding, citing market research which generally shows the overall market was worth between $3 billion and $5 billion in revenue, and that between 2022 and 2024, it is expected to be worth $7 billion to $10 billion. Common applications are reviewed.
The GAO explores issues related to the collection of images for datasets, and recognizes different privacy considerations for different functions of the technology, among face detection, verification, and identification. GAO also notes that facial biometric data can be sold, and the frequency of such sales is not known.
NIST testing on demographic differentials in accuracy is reviewed, with the GAO noting performance gaps are common, while a small number of algorithms were found to have no difference in performance between groups. GAO also explains accuracy concepts like false positive, false negative, and failure to enroll rate.
Privacy frameworks associated with facial recognition developed by the Asia-Pacific Economic Cooperation (APEC) organization, Biometrics Institute, FIDO Alliance, Future of Privacy Forum, International Biometrics + Identity Association (IBIA), National Telecommunications and Information Administration (NTIA), Safe Face Pledge, and U.S. Chamber of Commerce and their key concepts are reviewed.
Ultimately, the GAO identifies seven laws at the federal level that may apply to areas of biometrics use, but recommends that Congress strengthen consumer privacy protections to reflect the development of the facial recognition market, just as it did in 2013.
SIA establishes 10 core principles for facial recognition
The core principles for responsible and ethical facial recognition use as defined by the SIA are transparency, clear and defined purpose, using accurate technology, human oversight, non-discrimination, data security, privacy by design, training and education, ethical acquisition, and targeted public policy.
The benefits of facial recognition, from detecting identity fraud to preventing terrorist attacks, is outlined in the introduction of the document, along with the SIA’s values. The organization notes in the section on non-discrimination that the NIST report found performance across demographic groups is “much more consistent than had been widely reported in the media and with several nonscientific tests.”
The nine-page document explaining them discusses how the principles apply to uses in different sectors. The SIA recommends facial recognition uses in the public sector be scrutinized for consistency with existing laws, frameworks and regulations, and adhering to standards. They should be based on standards and include appropriate accountability mechanisms, SIA says. Specific legitimate uses in law enforcement are listed, and recommendations provided for policies, operator training, and image adjustments. In the private sector, issues of use limitation, notice and consent, clear criteria for safety and security applications, and redress are considered, among others.