ID recognition + face verification technologies: the alliance for digital freedom or slavery?
The worldwide spread of the coronavirus disease (COVID-19) is dramatically changing consumer behavior patterns. The growing mood of panic has led to either conscious or involuntary avoidance of any physical contact between people and, as a consequence, has stimulated the development of remote online services, such as food delivery, mobile banking and insurance services, and even medical and legal help. We are already beginning to see changes in the marketing and distribution strategies that organizations have started implementing to ensure a smooth switch to online transactions. This involves active integration of IT systems, particularly technologies for remote customer identification. The security of personal data here is of utmost importance, so remote services that demand such sensitive information have to ensure that this security is provided.
So let’s think about one case: medical consultations. Now that we are in the middle of the quarantine, those can only take place online. To receive such a service, a patient would most likely need to upload not just an ID but also their medical history and analysis results, so a high level of identification security and accuracy is necessary. Ideally, organizations need systems that allow them not only to remotely recognize a user’s document and check whether their selfie matches the photo on that document, but also to detect whether the identity document is genuine or fake, and to identify and prevent possible attempts to bypass facial identification using side technologies.
Or, to take another example of insufficient data security practices: financial organizations have long since learned from their own bitter experience with poor remote recognition practices, which resulted in online loans being offered and issued to fraudsters who had purchased passport images on the darknet and applied for a loan.
Both service providers and customers now understand that single-factor authentication is clearly not enough. We are not even talking about relying on just a login and password; as history has shown, even an image of an ID document is not sufficient. The high incidence of image leaks has made ID verification impractical if used as the only step to verify a user’s identity, because it poses a real threat of easy unauthorized access both to the user’s personal data and to their account.
Today, multi-factor authentication seems to be the only solution to user verification, namely a combination of ID document recognition and face recognition. The process would go like this: upon successful recognition of the document fields, including the photo (which most ID documents have), the technology checks the document for falsification indicators. Then comes the second necessary step of the verification process: facial recognition technologies recognize the user’s face from the camera of their device and check whether it matches the face in the document photo. Given the spread of deepfakes, developers of both document recognition and face recognition systems have raised their requirements for detecting falsifications in order to combat fraud.
In this context, it is necessary to mention that here we are talking exclusively about active face recognition, where the user “presents” their own face of their own free will by showing it to the camera of the scanning device (a smartphone or webcam). But face recognition can also be passive, so to speak, where the person does not know at what point their face is recognized or for what purpose. Passive face recognition takes place on the streets and in public places to ensure public safety, but at the same time, it is seen as an explicit form of freedom restriction. In contrast, active face recognition and document recognition are strictly voluntary acts, which, given the tightened security requirements for remote identification, act as a step towards the practical realization of rights and freedoms. For us, it is indeed obvious that today, in the era of accelerated development, any technology should be used solely with the individual’s consent and be in the service of developing and supporting people’s rights and freedoms, especially when it comes to the collection, accumulation, systematization and transfer of personal data. Moreover, there should be a number of methods of identification, and the choice of how to be identified should also be the user’s.
In both document and face identification, we are dealing with extremely sensitive data that all participants in the process must carefully protect from public view. Users have to ensure they do not upload images of their own document or face to unknown webpages when signing up for questionable services. Organizations, for their part, are responsible for selecting appropriate contractors to develop technical solutions and for ensuring that those solutions are securely integrated into their own IT systems. System integrators, in turn, are absolutely required to avoid involving uncontrolled third-party servers, where sensitive data could be stored and then transmitted through unprotected channels. And last but not least, developers of technical solutions for remote identification have to eliminate the chances of data transfer to third-party resources which are outside the control of the end-user of that data.
To conclude, the safest solution today seems to be an IT infrastructure in which recognition is performed autonomously on the user’s end device, without saving images of documents or transferring them through third-party channels, so that scammers have no way to steal, sell, and use that data illegally for their own needs. Thus, in remote identification, face recognition and document recognition are not steps that replace each other but should rather work in synergy, because the functionality of both is revealed to its fullest extent when they are used together.
In today’s pandemic, when 90% of the active population is in quarantine, reliable and secure recognition systems, on the one hand, allow businesses to maintain interaction with their customers instead of shutting down, in despair, for a forced vacation; on the other, those systems do not infringe on the freedoms of ordinary citizens, who are already suffering from compulsory self-isolation. It is important that such systems, unlike those that practice total control of society, the prototype of which was described by George Orwell in his infamous dystopia, do not monitor citizens at any time, including in times of pandemic, and that those technologies do not collect personal data or carelessly transfer it through unencrypted networks. This requires a willingness on the part of the public to use recognition technologies. The introduction of ill-informed solutions and the irrational use of existing recognition capabilities may rapidly lead to a real digital dictatorship. Instead of improving the quality of life and creating positive changes in the socio-economic environment, there is a huge risk of getting the complete opposite effect: we might end up with technologies that pose a threat to ordinary citizens and peace, and contribute to the prosperity of fraudsters.