Authenticating Purchases with Facial Recognition

Facial recognition technology has rapidly advanced in sophistication and accuracy over the years. Early use of the technology was focused on facial detection in security systems. Since 2014, the federal government has introduced facial recognition technology, along with collecting travelers’ fingerprints, in its U.S. Global Entry system in an effort to strengthen border security in major airports across the U.S. And perhaps the most widely known use of facial recognition technology today is the function of “tagging” in online social networks which allows users to identify friends in photos.

Businesses have begun exploring facial recognition’s potential benefits for increasing the level of security in commercial transactions. Amazon recently proposed to implement a patented method (“Image Analysis for User Authentication”) that lets its customers complete a transaction by performing an action in front of a camera, such as a smile or a wink, to help confirm the person’s identity. Google has been testing its newly developed mobile payment app called “Hands Free,” which allows smartphone users to complete a transaction in the store without taking out their devices. Hands Free allows small businesses to confirm the identity of shoppers at checkout by capturing a picture of them with an in-store camera and matching it against the shopper’s account before completing the transaction. Similarly, MasterCard is planning to introduce a comparable facial recognition technology called “Selfie Pay” in the U.S. this summer.

For restaurant operators, adding facial recognition technology to authenticate purchase transactions will indeed remove unnecessary steps for customers at the point-of-sale and simplify their bill-paying experience, an industry trend we see in payment processing. However, a breach of one’s facial image data would cause the customer to suffer greater injury than a breach of PINs or passwords, because facial image data are inherently unique and cannot easily be changed or “re-set” like passwords or usernames, exposing the restaurant to increased liability and possible severe sanctions for violating privacy laws. In recent years, the food and beverage industry has been a large target for cybercriminals, second only to retail. According to the 2015 Trustwave Global Security Report, the retail sector accounted for 43% of 574 data breach investigations last year, while 13% were in the food and beverage industry. Overall, 49% of the data compromises investigated by Trustwave involved the theft of personally identifiable information and cardholder data. Most importantly, point-of-sale breaches due to weak PINs or passwords have been the most common attack. The data security challenges and grave privacy concerns facing restaurant owners and managers are that, unlike financial institutions, the food and beverage industry is not regulated, and restaurants tend to have limited resources to focus on cybersecurity. As with any other cybersecurity measure, restaurant operators considering facial recognition technology should carefully weigh the benefits against the cost.

Despite the vast benefits of using facial recognition technology, companies using or planning to use facial recognition technology to identify and authenticate consumers in commercial transactions face challenges in developing best practices for collecting, using and storing biometric data. According to a 2015 study by the U.S. Government Accountability Office (GAO), stakeholders believe the privacy and data security issues raised by the use of facial recognition technology in authenticating personal identity in purchase transactions “mirror concerns about the collection, use, and sharing of personal data more broadly by commercial entities.” The lack of uniform federal laws expressly regulating commercial uses of facial recognition technology increases a company’s costs in ensuring their existing policies are robust enough to cover this more advanced technology.

Despite the lack of federal laws directly regulating the use of facial recognition technology in commercial settings, it is important to note that the GAO study points out that existing federal laws may potentially apply to commercial uses of facial recognition technology in the following three areas:

  1. the capture of facial images;
  2. the collection, use, and sharing of personal data; and
  3. unfair or deceptive acts or practices, such as failure to comply with a company’s stated privacy policies.

For example, for banks and financial institutions using or planning to offer facial-recognition technology to customers in completing purchase transactions, the Gramm-Leach-Bliley Act, which governs the disclosure of nonpublic information collected by financial institutions, almost certainly covers facial recognition data.

Furthermore, Section 5 of the Federal Trade Commission Act has been interpreted to give the FTC broad power to examine a company’s practices in collecting various kinds of personal data. The FTC may well, in the future, use its Section 5 power to bring an enforcement action against a retailer or a restaurant franchise for breaching its privacy policies in collecting, using, and sharing data gathered in conjunction with facial-recognition technology. The FTC could also exercise authority in the absence of a privacy policy, when “an act or practice causes or is likely to cause substantial injury to consumers that is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

Currently, two states—Texas and Illinois—have adopted state privacy laws that specifically address biometric identifiers, including the use of facial recognition technology in commercial settings. In the absence of federal regulations, these state laws could be seen as establishing a guideline for commercial entities that are not directly regulated by federal laws and are using or planning to use facial recognition technologies in their products and services. According to a recent GAO report, the essence of these state privacy laws focuses on three themes:

  • “Requir[ing] that before collecting a biometric identifier of an individual, a private entity must obtain that individual’s consent;
  • Prohibit[ing] an entity in possession of a biometric identifier from sharing that person’s biometric identifier with a third party, unless the disclosure meets an exception, such as for law enforcement or to complete a financial transaction that the individual requested or authorized; and
  • Govern[ing] the retention of biometric records, including requirements for protecting biometric information and destroying such information after a certain period.”

The FTC has published a best practices guideline for the commercial use of facial recognition technology. The agency recommends that companies using facial recognition should “design their services with privacy in mind,” otherwise known as privacy by design. The level of protection employed should take into account that biometric identifiers differ from traditional personal identifiers like passwords and usernames in an important way. As discussed above, a password or PIN, once compromised, can be changed or deleted and “re-set” with more secure data. But a breach of biometric data, which by definition cannot be changed, requires a much more thorough fix. The FTC’s guideline recommends a number of practices to reduce a company’s exposure to a data breach involving biometric data. It is a good first step for any restaurant operator considering employing this quickly advancing technology in a consumer context.

This article is based on a blog post Han wrote for the firm’s Information Counts blog.