Access Management , Biometrics , Identity & Access Management
US Agencies Increasing Use of Facial Recognition TechGAO Finds Increasing Use for Security and Access; Privacy Concerns Remain
At least 10 U.S. government agencies are planning to increase their use of facial recognition technologies by 2023, according to a study released this week by the Government Accountability Office. Examples of expanded uses include for accessing applications and data, for criminal investigations and for greater security of sensitive physical locations.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
The report is based on a survey of 24 federal department about their use of facial recognition technology in 2020. Of those, 19 reported that they already used the technology for one or more purposes, the GAO notes.
The most common use of facial recognition technologies among these federal agencies is for securing devices as part of their identity and access management strategy of moving away from passwords, the report notes.
"Of these, 14 agencies authorized personnel to use [facial recognition technology] to unlock their agency issued smartphones - the most common purpose of FRT reported by the agencies in our survey," according to the report. "Two agencies - General Services Administration and Social Security Administration - reported conducting pilots that used agency employees to test FRT systems as a means to control access to certain government websites, such as GSA's login.gov."
Ten executive branch agencies - Agriculture, Commerce, Defense, Homeland Security, Health and Human Services, Interior, Justice, State, Treasury and Veterans Affairs - plan to expand the use of facial recognition by 2023, according to the report.
For example, the Agriculture Department wants to deploy a facial recognition device called IDEMIA VisionPass at some of its facilities by 2023 to identify personnel to allow them access to secure facilities. Another facial recognition system under consideration by the department could be used to identify "individuals of interest based on secure watch lists," according to the GAO report.
Meanwhile, the Transportation Security Administration and U.S. Customs and Border Protection - both of which are under the Department of Homeland Security - are planning to expand the use of biometrics, including facial recognition technology, for screening at U.S. airports and other points of entry in 2023, the GAO report finds.
The growing deployment of facial recognition technology inside and outside the government, however, is raising concerns by privacy advocates and even some companies.
For instance, in May, Amazon announced it would stop selling Rekognition - its facial recognition software - to police in the U.S. because of concerns of how it was being deployed, according to the Washington Post.
In California, lawmakers placed a three-year moratorium on using facial recognition technology in police body cameras starting in January 2020, according to the Electronic Privacy Information Center.
While the GAO report released this week did not raise concerns about privacy and security of facial recognition technologies, a June report by the federal watchdog found that many agencies do not know which systems they are using for facial recognition - their own internal databases or one provided by a third party.
Storing, Securing Images
While it's not surprising to see some departments increase their use of facial recognition technologies to improve their internal security plans, including access management, the collecting and storing of this data is concerning, says Justin Antonipillai, who served as acting undersecretary for economic affairs at the U.S. Department of Commerce during the Obama administration.
"The place that I'm most uncomfortable as a former official is that the gathering, storing, protecting and deleting of those images is not something that I think most people feel a tremendous amount of confidence in," Antonipillai says. "You're also not talking about one federal agency. You're talking about a lot of different agencies, each of which is going to protect that data, store and retain it, and delete it in different ways."
U.S. Customs and Border Protection ran into problems with this technology in June 2019, when a third-party contractor was breached following an attack, which exposed license plate images and photos of travelers. The facial images were being used for biometric identification purposes (see: US Border License Plate and Traveler Photos Exposed).
Antonipillai notes that federal agencies looking to expand the use of facial recognition technology have likely conducted an internal privacy impact assessment to judge the reliability of the technology, which can also determine privacy controls for the data collected. And while this might offer some assurances, there are still concerns about how data collected for one purpose might then be used for another, he says.
"How do you know that those images are not going to be used by an agency for other purpose?" asks Antonipillai, founder and CEO of security firm WireWheel. "People do have to be worried that those kinds of [facial recognition] images are going to be used for other purposes."
Chris Morales, the CISO at security firm Netenrich, also notes that while biometric technology, including facial recognition, is increasingly used to help authenticate identity as alternatives to passwords, they raise concerns about how images are stored and secured.
"There are a number of methods used to safeguard these biometric templates, including distributed data storage. How that data is stored and managed, like any data, is where problems can arise from data theft," Morales says.