Computers, Privacy & the Constitution

Facial recognition technology: Risks and possible regulations

-- By KojiOhtani - 10 Mar 2022 (Updated 28 April 2022)


Facial recognition technology (FRT), a biometric technology, is used in many scenes in society today, including criminal investigations. FRT typically involves three steps: (i) collecting facial data to create a searchable database; (ii) obtaining facial data that the user wants to identify; and (iii) matching the data obtained in (ii) with the database created in (i) using pattern recognition to identify the person.


While FRT is useful, it entails a threat to our privacy. Moreover, mass surveillance will cause a chilling effect on our activities. Suppose the government can continuously trace our whereabouts using FRT. In that case, they will know what kind of gathering or speech activities we participate in(1). Some people are acting to resist the use of FRT. ACLU initiated a lawsuit against Clearview AI based on Illinois Biometric Information Privacy Act (BIPA). This regulation is focused on step (i) above(2). If people suspect that the government abuses FRT like in China, then FRT cannot be trusted and accepted in our society. Therefore, FRT should be used under certain regulations.

How should we regulate FRT?

A. Warrant or legislation?

(a) Warrant

If the government collects data from private corporations (e.g., employee/student lists) to structure the database (step (i)), then it may fall under the definition of "seizure." See Carpenter v. United States 138 S. Ct. 2206(2018).

If the government uses data from the police's CCTV in public spaces (for step (ii)) or pictures posted on Facebook (for step (i)), which anybody can see, there will be a gray area. Our privacy expectations are generally low in such situations. However, before FRT developed, we did not expect that our appearance in public spaces would cause such a threat to our privacy. We should be afforded stronger protection when our faces are processed by FRT(step (iii)). This understanding could be supported by precedents such as Kyllo v. United States 533 US 27(2001).

(b) Legislation

Another possibility is to legislate a new law/ordinance to regulate the use of FRT wholistically. One way is to prohibit the use of FRT for law enforcement purposes altogether. For example, EU published its draft regulation, which in principle prohibits the use of remote biometric identification systems, including FRT, in public spaces for law enforcement purposes. Many ordinances recently made put broad prohibitions by regulating step (iii) above (e.g., San Francisco, Boston).

Another way is to allow the use of FRT under certain restrictions. Washington State requires law enforcement bodies to observe specific procedural requirements (e.g., observation of data management policy, periodical submission of accountability report).

(c) Which way should we take?

As discussed, steps in FRT use may amount to "search and seizure", but it would take time for the Court to create a rule regarding FRT(3). Also, legislative rulemaking is more fitful in establishing detailed requirements and periodic audit practices. Therefore, legislation that specifically covers the requirements for the lawful operation of FRT would be better.

If we focus on privacy, comprehensive prohibition would be preferred. However, if used appropriately, FRT's usefulness is obvious. The government needs to utilize it to cope with criminals or espionage who use more complicated technics. For instance, if there is a kidnapping case or immediate threat of a terrorist attack, FRT would enable the police to find the victim/suspect swiftly with limited resources. Therefore, legislation should leave some room to use FRT on the condition that authorities follow the legislation's requirements and are subject to audit under it.

B. Should the US seek a nationwide and uniform regulation?

If we regulate FRT with legislation, should it be based on federal or state laws and ordinances? Justice Brandeis stated in his opinion in New State Ice Co. v. Liebmann, 285 U.S. 262(1932) that the state may serve as a laboratory of democracy to try novel social and economic experiments without risk to the rest of the country. As he predicted, states and municipal bodies legislate various statutes and ordinances as mentioned above. For example, while many ordinances prohibit government authorities from using FRT, Portland's ordinance prevents private entities from using FRT in public facilities to provide more privacy protection. On the other hand, Washington State's BIPA, unlike Illinoi's, limits the scope of the biometric identifier and does not stipulate citizens' rights to bring a suit. It is said that this is because of Microsoft's lobbying to leave the possibility for FRT's study and business.

A uniform regulation in one market is better to attract investment from other countries and take the lead in rulemaking from the international perspective as the EU did with the GDPR. The US approach can seem inefficient(4). However, it would be reasonable that local governments create regulations with their people's initiative, which brings more accountability, and promptly try regulations considering the area's situation. Also, the US federal system's flexibility to let states keep relaxed regulation intentionally (like Washington State) is attractive for innovation. Therefore, States/municipal bodies should lead in this movement.


FRT is a strong weapon for law enforcement and has a lot of business potential. However, to secure trust from people and prevent abusive use, the local governments should take the lead in creating rules to operate the system safely and transparently as soon as possible.


1 : FRT can cause a biased output problem when applied to people of color (fairness problem). I will not discuss it in detail in this draft as this is not a privacy issue. However, it is notable that many ordinances regulating FRT mention this problem.

2 : Clearview AI structures a massive facial database using online sources such as Facebook.

3 : There are still other practical issues, for instance, how and when the government should show the warrant to the persons whose face data is processed.

4 : Suspect would flee to a jurisdiction where FRT regulation is strict.


Webs Webs

r4 - 28 Apr 2022 - 20:30:45 - KojiOhtani
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM