Will banks get caught up in facial recognition backlash?
As consumer advocates, state authorities and national lawmakers line up in protest against facial-recognition technology, banks using it to let customers log in to mobile banking may need to brace for a fight.
Last week, 40 consumer advocacy groups — including the American Civil Liberties Union, the Electronic Privacy Information Center and Fight for the Future — called for a ban on the use of facial recognition, starting with college campuses.
“While we ultimately believe that facial recognition should be banned across the board, we’re specifically calling out colleges and universities because they are being targeted by unscrupulous companies aggressively marketing their tech to colleges,” said Evan Greer, deputy director of Fight for the Future.
A recent New York Times article about Clearview AI, a tech company that scrapes millions of photos off the internet and with a high degree of accuracy uses them to identify people, has reignited worries that such technology could be misused. New Jersey’s attorney general, Gurbir Grewal, banned police officers from using the Clearview AI app after the article was published. The state of California has banned the use of facial recognition by law enforcement officials for three years. Rep. Carolyn Maloney of New York, the chair of the House Oversight and Reform Committee, said last month that she is committed to advancing legislation that would regulate the use of facial recognition by law enforcement and government.
The consumer advocacy groups said the technology is fraught with potential for bias. In December, the National Institute of Standards and Technology released a study that found that many facial recognition algorithms falsely identified African-American and Asian faces 10 to 100 times more often than Caucasian faces. Women were more likely to be misidentified than men in the study.
Greer said banks' use of facial recognition technology should be curtailed. “We think there are serious privacy, civil liberties, and security concerns with private corporations collecting people's sensitive biometric information,” she said.
Even though banks do not force the technology on consumers but allow them to opt in, that does not let them off the hook, she said.
“Having the process be opt-in does not alleviate these concerns,” Greer said. “People are not giving informed consent because they often are not aware of the potential risks associated with handing over this type of information.”
Greer noted that the technology is not always accurate.
“Facial recognition verification systems can be easily fooled, sometimes by something as simple as a printed photo of a face,” she said.
So-called deepfakes seem to be less of an issue for banks that are using facial recognition for login because the providers of the software they use — such as Daon and Mitek — can detect whether there is a living, breathing person taking the selfie. That ability is said to reduce the chances someone could download a doctored photo or video.
“Biometric databases can be hacked," Greer said. "If your credit card number gets leaked, you can get a new one. If a scan of your face gets leaked, you can't get a new face.”
Consumers seem less concerned
Consumers themselves seems less worried about the use of their biometric identity.
Twenty-four percent of consumers aged 25 to 39 said they already use facial recognition technology to confirm their identity for online purchases, according to a study of 6,000 people conducted by Paysafe.
In a survey of 6,500 consumers that Experian released in early February, 72% said they would be willing to give more personal information to a business in return for easier access to accounts.
The surveyed people also said their top concern is security, said David Britton, vice president of industry solutions for global fraud and ID at Experian.
But inevitably, even if people say security is their priority, as soon as users have difficulty logging in to an app, they will become frustrated.
“If you ask a consumer how they want to be secured, they don’t really know,” Britton said. “They’re not security practitioners. They don’t really understand what that means other than it usually means visible signs of security with low barriers of entry. It’s a matter for the practitioners in the space to say, what can we bring together that is completely transparent, completely frictionless for the consumer to use and gives us a much more robust sense of security than what we may have with just usernames, passwords and one-time passcodes.”
U.S. Bank and USAA are among the banks that let consumers enroll in and log in to mobile banking by taking a quick photo of themselves from within the app. Neither responded to a request for comment on the backlash against the technology.
Charles Subrt, a senior analyst at Aite Group, said he has not heard of any banks scrapping their facial recognition projects because of the public outcry. But they are proceeding carefully, he said.
“The public protest has to be one factor that financial institutions consider as they start to roll out some of these newer technologies,” he said. “It's going to require a lot of dialogue within the private and public sector, financial institutions and technologists.”
The European Data Protection Regulation and the California Consumer Privacy Act are also making everyone more privacy conscious, Subrt said.
“There's certainly an increasing momentum to give consumers data protection, greater control and greater transparency within the CCPA,” he said. “There's a right of nondiscrimination. There's also the expectation to provide adequate protections and safeguards to personal information. And there are certainly individual private rights to action for any potential loss or theft. There's a balance that needs to be taken by financial institutions in terms of using some of these new technologies for better convenience and security versus a potential for bias, errors and false identification.”
In addition to the potential for violation of privacy rules and for discrimination in access to and pricing of financial services, Subrt said he expects financial criminals will inevitably find loopholes to exploit within the technology.
“Organizations as they embark on this journey have to be cognizant of how they're using this data and ensure that they're getting not only the appropriate consent, but that they’re careful about how they keep the information, how they share this information, how they protect and send the information,” he said.
Texas, Illinois and Washington are coming out with rules governing the use of biometrics and facial recognition, he said.
“As this debate intensifies, you're going to see more and more of this legislation,” Subrt said. “It's not going to stop it, but companies are going to have to be very careful how they move forward.”
One more concern advocates like Greer sometimes raise is that if a biometric is stolen, it is gone — you can reset your password, but you cannot reset your face.
Subrt does not see protection of biometrics as different from securing other personal information.
“This is just one additional data element that institutions are capturing off their consumers and that has to be protected like anything else,” Subrt said.
The reality is, most banks that use selfie authentication, including U.S. Bank, TD Bank and USAA, do not rely solely on facial recognition. They use it as part of a layered authentication approach that includes device authentication (recognizing the user's laptop or smartphone, and raising a red flag if it is one that has not logged on to the account before), behavioral biometrics (keeping track of how users hold their devices, how they type and swipe, etc.) and other elements. The banks argue that even if the facial recognition itself is flawed, the extra checks and balances their other authentication measures provide help compensate for any privacy, security or bias issues.
But if state and national authorities continue to curtail the use of this technology, banks may not be immune.