Ensuring facial recognition is ‘a force for good’ with Corsight’s new privacy chief Tony Porter
After seven years working on regulation of face biometrics and other technologies used for surveillance by law enforcement and intelligence agencies as UK Surveillance Camera Commissioner, Tony Porter has joined Corsight as the company’s new chief privacy officer.
Porter tells Biometric Update in an interview that fulfilling the role has required some on-the-job learning in his early days with Corsight.
“It takes a great deal more knowledge about the technology if I’m to do my job effectively, so I’ve spent a lot of time talking to the developers and the business developers, the research and development, getting my head around the technology that I never had to understand to the fine grain of detail before, but I do now,” he says.
Corsight launched to the facial recognition market to serve the security and business intelligence markets just last year. Helping to navigate the legal and regulatory landscape is part of Porter’s role, but he speaks more about his plans in terms of ethical use, and a holistic approach to winning over public support.
As a regulator, Porter crafted 72-page guidance document for the use of real-time facial recognition by police. He also worked to bring regulators together, having realized that they often seem to be speaking different languages not just from those they are trying to regulate, but even each other, despite biometric technology’s overlap with several different areas of regulation.
Regulators must ask the questions as the technology is increasingly implemented, but organizations are entitled to question back to regulators why they are not speaking with one voice, he says, and why they are not producing harmonized guidance.
Frameworks, reviewability, and implementation
The complex challenge of meeting the various concerns raised by facial recognition can be met, Porter argues, by putting frameworks into place for each step in the process, from research and development through product development and strategy to sales and deployment. That means discussing those frameworks with each element of Corsight and agreeing on them.
“The sales team, the marketing team, because I will be holding their feet to the fire, will be saying ‘We’ve not got an engagement with this business; where does this leave us? How do we feel about this? How do we make sure that our organization is delivering this technology as a force for good and not unleashing an asset than can do untold harm?’,” Porter explains.
Each unit within the company must be able to produce evidence about the effectiveness of the framework it works within so it can be constantly reviewed, and then customers must be supported in their deployments, not just to make the technology work, but to make it work within the agreed-upon framework.
A good deal of Porter’s work as a regulator was creating guidelines around how to implement face biometrics and other sensitive technologies and answer to public scrutiny, he points out.
“There is a process that you can consider that takes you from the operational requirement to delivery of the asset,” he says, “whereby you hold the hand of the customer and force them to confront the ethics, the legality, the method of operation, and be able to hold themselves to account for how and why they’re using the technology.”
Of course, this process is easier if the customer is clearly using the technology as a force for good, and Porter also contends that in some cases “there needs to be a maturity in the solution providers that this is a step that’s not acceptable.”
Porter notes that he has been the only regulator consistently saying that facial recognition will be used to benefit the public, so removing the potential for harms is necessary. Legislation specific to facial recognition may be coming in the UK, but not likely for at least two or three years.
Legitimate use principles well-established
The existing guidance and understanding of the risks that can be associated with facial recognition make it possible for companies to move forward without that legislation, Porter suggests, even in jurisdictions with different rules, because the basic principles of ethical technology deployment are widely acknowledged.
Lawful use, transparency, fairness, accountability, data minimization and fair data acquisition are all well-established as criteria for appropriate deployment.
“With such as invasive form of technology, the onus is on the user to evidence beyond reproach that they’re doing this work in a way that is accessible to the public,” Porter observes.
Porter sees the debate around the use of facial recognition beginning to shift towards how to make it safe and effective. This is why Corsight approached him; to bring in a CPO that would demonstrate to the public its seriousness in addressing the concerns of the technology’s critics. Porter professes a profound respect both for the privacy advocates he does not always agree with, and the scientists who are being presented with new questions about the ethical roots of their work.
Those new questions are also influencing the social dialogue.
“We’re already beginning to seen energized debate where we say, ‘well actually, yes, we know to do this,’” Porter says.
Contentions that “the genie is out of the bottle” does not sit will with Porter, as it seems not to give full credence to legitimate questions and concerns, some of which he shares.
The High Court ruling in Bridges, for which Porter provided an ‘amicus curiae’ brief, brought some much-needed nuance to the social dialogue, he says. While “the civil libertarians perhaps would have thought there would be a stake in the ground saying, ‘No.,’” the decision, which he call “seminal,” “was more setting the parameters of how facial recognition might be used lawfully going forward.”
At this point, it is possible for facial recognition to be used in a way that no-one is concerned about privacy, he says.
“People like Corsight and other providers need to make the argument,” Porter opines. “I think politicians need to recognize the argument is there to be won, not simply to be engaged in, because this provides a public good.”
For biometrics vendors, winning the argument means carrying out a responsibility to make sure responsible policies, as well as laws and regulations, are followed.
“If as an organization you can demonstrate a clear and honest commitment to privacy, to standards, to security by design and by default, to ensuring that the customer at the end of the day is delighted at the product, but then importantly that the supplier provides a helping hand to that customer, from receipt of the box to deployment, then I think the industry will get a kinder reputation, a reputation of being an enabler for a safer society,” Porter says. “And my hope is that Corsight will take the lead in that debate.