The views expressed by contributors are their own and not the view of The Hill
Opinion>Cybersecurity

Basic biometrics: Why this emerging technology must be regulated now

by Adam Levin, opinion contributor

It’s been a while since news broke of a massive data compromise that affected an undisclosed number of people driving through border patrol checkpoints in the United States. A juicy target had been hit, and the haul was quickly distributed on the dark web.

In play were the license plate images and traveler ID photos of individuals who had crossed U.S. Border Patrol checkpoint lanes across Texas, New Mexico and Arizona. Experts covering the incident believed that it was possible the breach was under-reported and still more sensitive data was exposed. One of the main concerns was the amount of facial recognition data that went walkabout.

The DHS wants to use facial recognition on 97 percent of departing air passengers by 2023. Apple has been using facial recognition as a security option on the iPhone X since its launch in 2017. The applications are various, and there are more announced nearly every day.

Facial recognition has obvious uses in the area of crime prevention and law enforcement. U.S. Customs and Border Protection reported that biometric data has thus far been used to catch more than 7,000 travelers who stayed past the six months allowed by a typical tourist visa. Now, retailers use the technology for loss prevention, an operations term for theft — shoplifters.

When used for loss prevention, the technology works by comparing scanned images of shoppers’ faces against a database of known shoplifters and presumably other recorded criminals. Herein lies the problem. In order to find a criminal, everyone has to be scanned. That data has to go somewhere. The companies that provide this technology are not obligated to let you know that they are collecting and storing it — and possibly selling it to third parties.

Meanwhile, if you’re on social media, chances are good that your face is already known in the megadata universe. You’re in the system. So, what’s to stop a government official from buying data that leads to you, and finding you whenever they want and for whatever reason they choose? That’s a good question for Congress.

All of these versions of facial recognition implementation are old news now, but historically that means very little in the United States where it generally takes quite some time for something that poses a danger to consumers to be regulated — for instance, the known link between cigarettes and lung cancer. The more money in the equation, the longer it takes.

Enter the advertising dragon

Cooler Screens is just one example. “At Cooler Screens,” the company website says, “we’re transforming retail cooler surfaces into IoT enabled screens. And in doing so, we’re creating the largest retail point-of-sale merchandising platform in the world.”

Walgreens is rolling out the technology, which implements embedded cameras with sensors and digital screens to make “smart” point-of-purchase displays. According to Business News Daily, “The sensors and cameras connect to face-detection technology that can pick out a customer’s age and gender, as well as external factors like if it’s hot or raining outside and how long you stand there, and even pick up on your emotional response to what you’re looking at.”

If you’re not at least a little creeped out by this, I have a defibrillator I’d like to introduce you to.

Clear!

So, Cooler Screens has a killer application for facial recognition. Law enforcement is using it to find the bad guys, and ICE is using it make President Trump’s anti-immigration agenda a reality. What now?

It’s time to get down to basics. Why are companies allowed to gather so much information on us? Should it be legal? How can it be used? How should it be used?

For those of us searching for examples to say why biometric technology needs to be regulated, there’s an embarrassment of riches. But the real embarrassment is the lack of foresight lawmakers have where the collection of such sensitive personal data is concerned — especially with regard to commerce.

While the Fourth Amendment will protect individuals from the potential misuses of biometric data in the prosecution of criminal cases, there is no parallel protection for consumers whose identities are effectively stolen by the many-tentacled creature that is modern data-based marketing. The time has come for Congress to get to work on those protections.

NOTE: This post has been updated from the original to correct the spelling of Walgreens.

Adam K. Levin is chairman and founder of CyberScout (formerly IDT911) and co-founder of Credit.com. He is a former director of the New Jersey Division of Consumer Affairs and is the author of Swiped: How to Protect Yourself In a World Full of Scammers, Phishers, and Identity Thieves.