printer friendly version

A picture spoofs a thousand cameras

Hi-Tech Security Solutions looks at the reliability of facial biometrics and what is being done to respect people’s privacy.

Facial recognition is nothing new in the security and even the consumer market, but it is only recently that we have seen the awareness of facial biometrics growing and questions being asked about its reliability and effectiveness, and of course, there have been and still are many concerns about privacy.

The reason for the growth in interest, use and available technology for facial biometrics could be ascribed to the continual evolution of technology to become better and cheaper, but, as with fingerprints, a significant factor in facial biometrics becoming a mainstream technology has been its adoption in smartphones and other computing devices, starting with Apple.

Initial facial recognition technologies were based on two-dimensional (2D) recognition, but these systems were not secure as they could be fooled (or spoofed) quite easily. Today we have three-dimensional (3D) recognition algorithms that can include an infrared component to create a map of the individual’s face. Exactly what the third dimension is varies between technology vendors, but they are all working to improve accuracy and reliability, and above all else, liveness detection.

Today there are few biometrics manufacturers that do not have facial solutions in their portfolio. Moreover, we are seeing the technology being used as a trusted and secure identity verification and authorisation solution. And, as readers of the Access & Identity Management Handbook 2020 will discover, South African companies are not lagging in making facial biometrics mainstream (see below and in the article ‘Reducing identity fraud with a selfie’).

Hi-Tech Security Solutions set out to discover more about the current state of facial biometrics, how reliable it is and what is available out there. We not only focus on the technology, but also the concerns about privacy. And privacy is a hot potato; some American cities have banned facial recognition altogether, while China has made it part of its citizens’ social life.

Are privacy concerns valid?

As noted, facial recognition is a sensitive subject due to privacy and tracking concerns, but also because of the media coverage of AI being able to create realistic fake faces (called deep fakes) that perform like real ones when scanned and can fool facial scanners. So where are we currently in terms of the reliability of the technology as well as the ability to preserve people’s privacy?

Jannie Erasmus, business unit head: Surveillance and Analytics at NEC XON explains that as far as privacy is concerned, “facial biometrics systems like NeoFace Watch have many functions that protect the privacy and anonymity of people who are not being analysed and verified. The systems frame and blur faces by de-pixelating the images to ensure that unknown persons aren’t matched against watch lists and remain anonymous.”

He continues that reputable solutions will purge facial recognition matches after a set time in compliance with PoPIA (The Protection of Personal Information Act in South Africa) and GDPR (General Data Protection Regulation in the EU). “They also have other built-in measures to comply with regulations. For example, tracking people of interest not only requires large-scale infrastructure, it must be authorised by the relevant government or other organisations.”

Erasmus adds that for access control and ID verification, there are safeguards against deep fakes by detecting what the industry calls the liveness of a subject. Liveness detection depends on the type of biometric being used. In facial recognition, for example, it determines if an actual authorised person was present at the time the image was captured and that it isn’t a digitally created 2D or 3D image.

Jannie Erasmus

Laurence Seberini

“Liveness detection is typically used at border controls and other secure facilities,” he says. “That means it has to be robust and accurate, but must also facilitate processing large volumes of people quickly. That isn’t achievable yet using software alone running solely against a video feed, for example. That is why every facially-enabled e-gate at a border control, to my knowledge, also uses an additional biometric such as a fingerprint scanner in combination with facial.”

On the topic of reliability and the trustworthiness of facial biometrics in use today, Laurence Seberini, co-founder of Camatica, a local company that provides facial biometric solutions to businesses, says that the facial model Camatica uses has been deployed by the Department of Defence and several law enforcement agencies in the USA and was one of the highest ranked models in NIST’s (National Institute of Standards and Technology, www.nist.gov) ongoing benchmark tests. The technology is therefore at an advanced stage where it can be trusted in the real world.

Andrew Mu, product marketing manager in the Africa business department at Hikvision South Africa, backs this up by saying that Hikvision’s facial recognition technology is continually advancing and now uses 3D recognition to deal with fake faces and to ensure high recognition accuracy. He does, however, suggest clients use double authentication factors, such as face and fingerprint, or face and password, to improve the safety level in access control applications.

And with a view to the privacy debate, Mu adds that Hikvision is an equipment supplier and is not going to create a face library. Privacy concerns are therefore an issue that involves more than the supplier, but requires processes and regulations by the entities using facial biometrics.

Recognising disguises

Unlike fingerprint readers that require users to be close to the readers and where one can, to a degree, control the environmental factors, facial recognition is often done in areas where the lighting can vary quite dramatically. In addition, people can grow beards, wear dark glasses, makeup or even wear hoodies or caps – a favourite of local criminals. Given that these variations can be part of normal life and people can’t be forced into a dress code when going out shopping, for example, are today’s facial recognition systems reliable enough to cater for these changes and still deliver accurate identification and verification?

Seberini says it depends on the camera angle, distance of the individual from the camera and the application itself. If the face is at the same height as the camera (for example at an access terminal) then it will be more reliable and be able to handle more discrepancies, such as when facial features are obscured by a beard or a cap.

“If the camera is at a distance and at a downward angle (for example, surveillance cameras in stores or malls) then the error rate will be higher. The best case scenario is the iPhone sensor which deploys a camera and a depth sensor, which has the highest success rate because the face is in the closest possible proximity to the sensors versus in retail or office environments.”

NEC XON’s Erasmus believes facial recognition systems are “exceptionally capable and their accuracy can be improved by ensuring the entire facial recognition infrastructure is properly set up and maintained.

“Our recognition software, for example, now automatically creates darker and lighter images of faces entered into its database for comparison purposes, simulating how a person’s face may appear in altered lighting conditions. It immensely improves the accuracy of matching people against passport-quality photos captured by CCTV.”

However, he notes that extremes of light and dark can obscure facial features so it’s important (and quite easy) to control the ambient lighting to a certain extent in areas where faces are being recognised. Accurate facial recognition must ‘see’ at least 75% of the face, so it’s also important to tune the observing cameras correctly and periodically check them.

He adds that, short of full-blown cosmetic surgery, using beards, caps, sunglasses and other glasses, hoodies, makeup and other measures people may take won’t hide them from facial recognition. “Our platform, for example, uses mathematical functions and artificial intelligence (AI) to remain highly accurate as long as the face is visible. Not even a 20-year age difference between the photo and the subject fooled the system in the independent 2019 Facial Recognition Vendor Test.”

Erasmus states that NEC’s facial recognition technologies “are advancing all the time and we are acknowledged by independent organisations that monitor this sector to be among the best, if not the best. They’re reporting that the latest version of our solution, our M30 algorithm, has raised the bar. We’re getting that right and making it less intrusive for facial recognition to be used for applications in banking, retail and even residences and estates.

“Interoperability is now also much better. We’re able to use most any CCTV and video management system on the market, meaning we work with the equipment that’s already in place. We’ve had great success creating these solutions for customs, immigration and police services across Africa.”

Mu says that light variations can be dealt with by taking advantage of Hikvision’s video processing technology, for example WDR (wide dynamic range), to reduce the impact of different conditions. However, things that obscure a face can impact the recognition (dark glasses or a hat, for example), but the software algorithms are continually improving and the company’s recognition rate will continue to improve.

Is it alive?

The same applies when it comes to liveness detection, where Hikvision’s algorithms can detect a 3D rendering of a face on a screen. And it is in the area of liveness detection that significant work is being done in the industry, not only for facial biometrics, but also for fingerprints and other modalities.

While technology and algorithms have improved dramatically when it comes to liveness detection, Erasmus says the best way to ensure a subject is really there and are who they say they are when doing something like a financial transaction is to use dual biometric modalities (multifactor authentication). “Palm print, fingerprint, retina scan and even ear recognition in combination are powerful tools.

“Some companies try to claim that a dual camera system works, but the truth is that it’s not as effective and can still be fooled. Using a face mask like Tom Cruise in the Mission Impossible movies, which is not as far-fetched as we might think, can still fool systems, but it becomes exponentially more difficult when you throw in a retina, finger or ear biometric, too.”

Camatica does not include liveness detection in its products currently as it is mostly used for authentication-type applications for the financial industry – such as logging in or registering for a service. However, Seberini says that the technology is constantly improving as more data is applied to the deep learning models.

Stealing your face

One of the common complaints or risks people raise in all biometric modalities is the question of what happens if hackers get into a system and steal your biometric. You can change a card, PIN or password, but not your fingerprints or face. As discussed elsewhere in the Access & Identity Management Handbook 2020, the way vendors manage the data they collect, how it is stored and transmitted is critical in this regard.

Mu states that Hikvision clients can save data in the company’s cameras, face terminals, NVRs or on the face server. In order to prevent hacking and losing the data, Hikvision adheres to internationally recognised cybersecurity standards and best practices, and advises clients in terms of network defence capabilities. Hikvision publishes regular cybersecurity white papers and the latest one can be downloaded at www.securitysa.com/*hikvision1 (redirects to https://www.hikvision.com/en/support/cybersecurity/cybersecurity-white-paper/hikvision-cybersecurity-white-paper2019/).

Camatica encrypts the images it stores and Seberini says it is looking into blurring the images for additional security. Additionally, he explains, “The facial template/vector we use is proprietary and cannot be used without access to the model we deploy.”

Erasmus explains that security typically isn’t done in the recognition platform, but rather is part of the environment in which it is deployed. “In the case of NEC XON installations, that means that the system can be configured to the individual customer’s requirements according to the purpose of the recognition platform. The user interface and the API are secured via HTTPS as that’s the current industry best practice. The back-end server environment uses industry standard stacks that allow it to be configured according to the customer’s information security strategy.”

In terms of cybersecurity, he adds that NEC XON has global cybersecurity teams and services with a footprint across southern Africa, staffed by the company’s own experts with the infrastructure to provide the most advanced cybersecurity on the African continent. “We always recommend their services to customers because security isn’t something you can drop in as software and forget about, particularly where sensitive personal data is concerned. It has to be a live environment that remains dynamic to the evolving risks that are the reality we all face today.”

What’s on the shelf?

It’s clear that the three companies mentioned in this article, as well as numerous others, are seeing success with their facial biometric systems. However, these systems still have a way to go before they can be used for the most sensitive and secure transactions. Although, as noted above, to secure those extra-sensitive transactions most people would recommend multifactor authentication processes as opposed to any single method of identity verification and authentication.

In order to get some idea of what is available in the market, we conclude by asking the three interviewees for some insights into their solutions and what they can do today.

Seberini says Camatica offers its customers face listing, which matches faces against a black list (criminals or shoplifters, for example) and a white list (for VIPs, for example). The system can also determine demographics, which covers age, gender, mood and ethnicity; as well as statistics such as the number of visitors. QueueAlytics counts the number of people in a queue, at an ATM or checkout and notifies the relevant people when a threshold has been exceeded. It also uses facial recognition for CRM and attendance applications.

Hikvision’s facial recognition technology is mainly used in the field of CCTV and access control, says Mu. “We have facial recognition NVRs, facial recognition cameras and face terminals for access control.”

Erasmus says NEC has just launched NeoFace Watch 5.1 with the latest M30 algorithm and all the required system configurations to allow it to be GDPR as well as PoPIA compliant. “Frontal face angles, the sideways pitch and roll angles of faces in a non-compliant environment, for example as you may find on city streets and airports, has been dramatically enhanced and allows for the AI to learn how people react in certain environments. This new capability has really separated NEC’s facial recognition from its competitors.”

He adds that NeoFace Watch has been used in the following scenarios:

• Safe city street surveillance in Europe, India and East Africa.

• International airports and border posts all over Europe, the US, South America and Africa.

• Hospitality environments for hotels where we can even do self-check-in via facial recognition.

• Casinos in Australia, Europe and Asia.

• Sport stadiums in Europe and South America.

• Banking environments in South America.

• The mining industry.

• Retail and residential environments.

• Mobile facial recognition units in Europe and Britain during various critical events.

“NEC’s NeoFace Watch version 5.1 is really a game changer for Faces in Video Extraction (FIVE) where we need to do face recognition during live video footage. This is not template matching in controlled environments, but the harsh everyday environment where you can have 20 to 30 faces in a single video frame and you require almost immediate facial recognition and notification for security or hospitality requirements.

“When the latest NIST report was released earlier this year, NEC’s NeoFace Watch algorithm was once again rated number one for FIVE and FRVT (Face Recognition Vendor Test). Its report also found NEC’s NeoFace Watch was three times more accurate and effective than the closest competitor – and that was using a database of 1,6 million faces and produced an error rate of less than 0,4%.

For more information contact:

•Camatica, +27 11 080 8827, [email protected], www.camatica.com

•Hikvision South Africa, +27 87 701 8113, [email protected], www.hikvision.com

•NEC XON, +27 11 237 4500, [email protected], www.nec.xon.co.za

Share this article:

Further reading: