How Verkada Helps Organizations Responsibly Use Facial Recognition Technology (FRT)

Facial recognition technology (FRT) is becoming ubiquitous in our lives today, and demand for its application is growing. This technology powers our phone access, our lobbies, and airport check-ins. Today, there is no longer a question of living without FRT, but rather how do we use this technology responsibly and in a way that helps maintain our privacy. 

We think about this delicate balance every day at Verkada, and it's what drives us to find new, innovative ways to help our customers. It is what has inspired our privacy-focused controls and features – from Person of Interest Only Face Search, which helps companies more tightly control when and how they use FRT in alignment with local privacy requirements, to Face Blur, which enables live monitoring while respecting individual privacy.

A snapshot of the regulatory landscape

It’s important to talk about this increasingly important technology in context given the many regulatory frameworks that impact FRT’s use globally. Most privacy laws place limits on the collection and use of biometric information, a category of sensitive personal data required for FRT, but there are also a number of new laws emerging that govern the use of FRT specifically. To date, there are at least 25 state laws in the U.S. regulating the use of biometric data and/or FRT – and dozens more under consideration. Globally, we are seeing the same trend: in the EU, biometric data is regulated under the EU AI Act, in Canada under PIPEDA (in addition to provincial laws) and in Australia under the Privacy Act, to name a few.

Frameworks for implementing facial recognition at your organization

When evaluating when and where facial recognition technology should be used, security professionals and their counterparts in legal and compliance need to ensure that the use (“purpose”) is reasonable and proportionate. Simply put, is FRT the right tool to solve the right problem? It is important to take into consideration a number of factors, such as:

• Can you solve the problem through less intrusive means? 

• How can you limit its impact? 

• How do you notify people when you are using it? 

• How long do you keep the data? 

• How do you train those who use it? 

• What policies do you have to control its use?

• What oversight are you providing?

At Verkada, we’ve built our solutions in a way that helps our customers answer these questions and, ultimately, enhance their privacy practices around FRT.

How Verkada helps support privacy and compliance goals

Necessity and Proportionality

First and foremost, context matters. It’s important to understand whether FRT is necessary and to measure its impact. If standard video security camera footage isn’t adequate to help solve the problem, it's critical that organizations justify and support their FRT use case with data. As part of this documentation, using the history of retail theft as an example, security professionals should track key data points to support it, such as frequency, cost, or associated violence, and perform a risk analysis of imminent or serious harm. Pilot programs to measure “before and after” results of using facial recognition in a controlled manner can also help support responsible use cases. 

Targeted programs also help ensure proportionality. Most lawmakers readily acknowledge that there is no blanket approach to regulating FRT and that in situations where the risk to life and property is high – such as airports, schools, or hospitals – it can be an essential tool to leverage. But even in those high-stakes environments, policymakers and leaders alike want a targeted, responsible approach to its use. One way we’ve made more targeted approaches possible is through our Person of Interest Only Face Search, which allows users to upload images of known threats and limit searches to matches solely for them. The feature is designed to immediately discard images of individuals who are not identified as a potential match in the system. By instantaneously discarding “non-matches”, the biometric data is removed and is not stored for future use.

Notice and Transparency

In some jurisdictions, regulations require organizations to post prominent signs notifying the public of when and where FRT is used. Many are going a step further, and requiring organizations to provide the public with even more detailed policy information, such as how long the biometric data is kept, how it’s secured and who to contact for more information. This can be challenging where signage is limited. We designed Verkada’s privacy disclosure feature to leverage QR codes so that signs displayed at the point of entry are not only as clear as possible, but also provide more detailed context about how FRT is used. 

Governance

While customers should develop their own policies and training, security platforms like Verkada can help customers with oversight and reporting. One way that we’ve done this in Verkada’s Command platform is to ensure that only the designated administrator can enable FRT and that user actions on the platform are recorded in an audit log. Verkada’s audit log tracks system access and ties each action, like viewing a camera feed, logging in, or enabling FRT on a specific camera, to an individual user. This allows admins to “watch the watcher” – whether it is through routine audits or one-off investigations of activity. 

We're only at the beginning of realizing the ways that facial recognition technology will improve our daily lives – from convenience and security to beyond – but it's important that we continue to build rigorous controls to ensure that it is used as responsibly as possible.