Earlier in March, US Senators Brian Schatz of Hawaii and Roy Blunt of Missouri introduced a bill aimed at creating legislative oversight over commercial use of facial recognition technology. The new legislation is the first identity verification regulation of its kind in the US. In this article, we will explore what the identity verification regulation is, who is covered by it, why it matters and how this affects identity verification providers who rely on facial biometric identity verification.
The Purpose of the Facial Biometric Identity Verification Legislation
The bill proposed to regulate facial recognition technology in the Senate is known as the Commercial Facial Recognition Privacy Act. It would force companies to obtain user consent before collecting facial recognition data. It would also prevent companies from distributing facial recognition information with third parties.
Senator Brian Schatz and Senator Roy Blunt explain that this legislation is intended to provide consumers with protection. Many consumers are becoming increasingly concerned with how their data is collected and used, and facial recognition data is no different. The Senators state that the legislation will ensure that facial biometric identity verification technology is implemented responsibly, protect consumers from acts of discrimination or bias, and preserve consumer privacy.
The Importance of the Regulation
Our faces are a part of what identify us as humans. They are personal and unique to each and every one of us. The legislation proposed by Senator Brian Schatz and Senator Roy Blunt aims to give people the information they need to accurately decide how they want to share their facial data with companies. It also gives them control over how their facial information is shared with companies that use facial biometric identity verification. The goal of the legislation is to prevent consumer focused facial recognition companies from mismanaging people’s facial data.
Who the Legislation Does Not Cover
The Commercial Facial Recognition Privacy Act is a consumer-focused piece of legislation. The legislation explicitly excludes the Federal Government, State and local governments, law enforcement, national security agencies and intelligence agencies from having to adhere to the proposed facial recognition rules. This means this particular legislation does not cover the use of facial recognition technology in police departments, as many of them begin to deploy it as a tool to track, identify and catch potential criminals.
How this Affects Identity Verification Companies
For companies who rely on facial recognition technology as a part of their identity verification solutions, the Commercial Facial Recognition Privacy Act will affect their products. Specifically, for IDMERIT, we will have to update our identity verification solution, IDMscan, to adhere to these new legislative rules.
Our app IDMscan adheres to the following process:
- A user scans their identity document (national ID, driver’s license or passport) into the app
- The app analyzes the ID to determine if it is legitimate or fake
- The personal information on the identity document is extracted and compared with information within official data sources in the ID’s country of origin
- A facial selfie is taken by the individual who imputed the ID
- The selfie is biometrically analyzed in comparison with the photo on the identity document scanned at beginning of the process
- A score is generated to confirm or deny the user’s identity
- On the backend, the score report—which includes a copy of the scanned identity document photo and biometric selfie—is sent to the client using the app for their records
As demonstrated through the above process, our app IDMscan uses facial biometric identity verification technology for identity analysis. This allows IDMERIT to provide more secure identity verification confirmations than its competitors. The proposed legislation will force IDMERIT to update its application but will not affect its functionality in a major way.
In order to comply with the proposed rules in the legislation, IDMERIT will have to add a consent prompt before it asks a user to take a selfie. Furthermore, users will have to consent to distributing the biometric selfie they take with the company they are doing business with. The consent prompt will outline that a user’s facial information is being used for analysis, and only being stored for compliance purposes. After the user consents, they will then move forward with the rest of the biometric identity verification process.
Conclusion
The Commercial Facial Recognition Privacy Act aims to regulate how companies can use and distribute consumer facial biometric data. The authors of the bill showcase how they believe that facial recognition technology offers many benefits to society, should continue to be developed and should be used responsibly. Nevertheless, they limit the scope of this legislation to consumer facial recognition use cases, leaving out how governments, law enforcement or surveillance agencies can use the technology. IDMERIT and other identity verification providers will have to update their solutions in order to adhere to the rules in the proposed regulation. This will not affect their functionality and make it clearer for consumers to understand how their data is being used by these secure identity verification providers.