Banning facial recognition is missing the point

While he is right I think Bruce is also missing the point here himself: he states that this law is the wrong way to fight surveillance – but that is not the stated goal of the law.<p>The goal of the law is to prevent the development of a technical reality in Europe, to which a Jurisdiction can only passively react. The technical space moves so fast at times, that reality has been made before the law can even start to think about what is okay and what isn&#x27;t.<p>This time they wanted to say: &quot;Yeah it is a shiny new thing, that would definitly come if the law stayed as it was, but it is such a hairy ball of mud that we ban it till we figured out what is allowed.&quot; Or phrased differently: it is so obvious for them that this is prone to abuse, they ban it first and then figure out how to deal with it in an adequate fashion.<p>So Bruce&#x27; idea that the goal was to fight surveillance is a tad bit to optimistic in my eyes..

&gt; These efforts are well intentioned, but facial recognition bans are the wrong way to fight against modern surveillance. Focusing on one particular identification method misconstrues the nature of the surveillance society we&#x27;re in the process of building. Ubiquitous mass surveillance is increasingly the norm. In countries like China, a surveillance infrastructure is being built by the government for social control. In countries like the United States, it&#x27;s being built by corporations in order to influence our buying behavior, and is incidentally used by the government.<p>He’s right, but we should take every winning battle we can, no? Even a few notable victories could help to change public opinion about whether things are inevitable or not

I see his point, but practical face recognition is a lot easier to implement and a lot harder to defend against than all the other types of recognition. You could, for example, no carry a phone or turn it off. But your face is expected to be on show (obv exceptions aside).<p>So no, it’s not missing the point. It’s a different point. He’s right, but action against face recognition is also worthwhile.

Everyone on HN is no doubt sitting there nodding along sagely but there’s also a pretty good bet that 90% of us (nerdy, apparently in-the-know tech types) have done very little to think about cutting down on smartphone use. It’s the single biggest surveillance vector (a device that you carry everywhere that knows where you are and reports your habits into a data store we know pretty much nothing about!), but we all now assume - hilariously, in my opinion - that we “couldn’t live without our phones”.<p>Personally I think the battle is totally lost until people start actually thinking about the negative impact of these devices, both from a surveillance POV and a wellbeing one.

My fear of facial recognition is not just governments it&#x27;s criminals. All they have to do is crawl my linkedin on facebook and bam they have my name next to my face.<p>Worse they know where I work or where I live.<p>This opens up a world of problems.<p>Say someone sees a stranger in a situation that the stranger may find embarrassing. Embarrassing enough that they could be extorted. They open their phone and find out who the person is. They can now make contact and threaten to contact your employer or spouse with images of you in this embarrassing situation.<p>You now have a real life avenue for this sort of thing <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Sextortion#Webcam_blackmail" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Sextortion#Webcam_blackmail</a>.<p>I know the greater problem is that we now share our details online maybe no linkedin no facebook is smarter.

We shouldn&#x27;t ban any technology. However, we should ban a technology when it is used for _____. The ban should cover the use, not the technology itself. It&#x27;s fine to make building a nuclear bomb illegal, but studying radioactive elements should not be.<p>Similarly, the technologies this article describes &quot;identification, correlation and discrimination&quot; should not be outright banned, but maybe they should be when their use conflicts with other important values (e.g., due process in criminal prosecution, privacy rights).<p>Recent targeting of facial recognition does not &quot;miss the point&quot;, the reason it has become an issue is because it has started being used in the criminal justice system. No one really gets upset when it&#x27;s just used to tag your photos.<p>I know developers love abstractions, but we should not try to build abstractions of technology and regulate those. To borrow from the article, identifying a person based on their &quot;gait&quot; is not nearly as serious an issue as facial recognition, even if abstractly they may seem similar to a developer. Instead, focus on the direct problem at hand, regulate it, and only after the passage of time when commonalities become clear, build an abstraction.

Also see the discussion 4 days ago from the same essay published in the nytimes: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=22098021" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=22098021</a>

I think the scariest thing is that in a world of unlimited data retention - a future powerful bad actor will have access to all our past behaviour - whether that&#x27;s liking the wrong political party, or visiting a gay bar.

Schneier is missing the point.<p>&gt; The whole purpose of this process is for companies — and governments — to treat individuals differently.<p>This isn&#x27;t true. It&#x27;s about population control, not treating individuals differently. He has an extremely close-minded view of the future here. The point of this isn&#x27;t to treat people differently, it&#x27;s to contain the overton window and basically thought-police entire populations. Nothing to do with the individual being treated differently, that is merely the lipstick-pig moment where it <i>happens</i> but isn&#x27;t really the core problem.<p>&gt; The point is that it doesn&#x27;t matter which technology is used to identify people.<p>It sure does matter! Bugs in code, hacking the system itself is all &#x27;implementation details&#x27; of the &#x27;technology&#x27; used to do the tracking. Techniques that are especially susceptible to both of these make a surveillance technology dramatically more dangerous.<p>The details <i>do</i> matter, because they add up to a larger, unknown future. Schneier has a bizarrely close-minded view of the dangers of facial recognition.<p>I haven&#x27;t heard any of the proponents of the ban say that it is the only surveillance that is happening or that should be banned, but that seems a central tenet to his point.<p>Some progress is better than no progress, especially in this case where things move quickly. I do not think we are at risk of a population thinking that its problems would be solved if we could just ban this one thing. It&#x27;s a straw-man argument that I haven&#x27;t even heard elsewhere.

He&#x27;s right to an extent, but face recognition is instant, silent, works from a distance, allows near perfect identification of a specific individual in many cases, and is <i>particularly onerous on the individual to evade</i> compared to other forms of tracking.<p>That makes it entirely reasonable to single out and ban it, whilst also thinking about and pushing for further curbs on surveillance.

Strange that Schneier omits the new CA privacy law, which looks to have teeth. That said, no law will be sufficient unless it&#x27;s binding on the state as well as private actors.

If you accept that ubiquitous surveillance, for which this is one of several technical enablers, is technically feasible, is being implemented by multiple parties, and is basically happening, the only logical conclusion is that there is going to be way more of this stuff happening in the next years&#x2F;decades. This will become normal; whether we like it or not.<p>IMHO trying to stop this or slow it down is an exercise in futility. It may postpone the inevitable outcome for some short time but the outcome is inevitably going to be multiple parties tracking our every move either openly or covertly.<p>I would like to emphasize the notion that it&#x27;s not just going to be a handful of parties doing this. This stuff is rapidly becoming a commodity. Just because you are in the US or Germany (in my case) does not mean, Russia, North Korea, Iran, China, etc. are not tracking you (in addition to your &#x27;friendly&#x27; local secret service). Assume the worst; you probably are already on file in multiple countries in some form. Also, who says it&#x27;s just going to be just nation states? Several big corporations exist now that basically have a bigger valuation than the GDP of most countries.<p>The fact that the parties that are going to do the tracking are mutually hostile (or at least not very friendly), also represents an opportunity: they&#x27;ll be watching each other. Effectively nobody is excluded from being under surveillance; including those doing the surveillance. That means anyone breaking laws has to worry about being observed doing so and has to assume that he&#x2F;she is going to be found out in case something inappropriate happens. IMHO this is a good thing and effectively the only defense we&#x27;ll have against this being abused and enforcing any privacy legislation.

Meanwhile in China local governments even install surveillance cameras on the top of 3900 metres mountain <a href="https:&#x2F;&#x2F;twitter.com&#x2F;kidrulit&#x2F;status&#x2F;1216197264202293253?s=21" rel="nofollow">https:&#x2F;&#x2F;twitter.com&#x2F;kidrulit&#x2F;status&#x2F;1216197264202293253?s=21</a><p>Other than ethical problems cameras cause urban planing and aestheticcal problems.

A few years from now, cameras and vision software will be advanced enough to recognize a person just by analyzing the small differences in colors of the clothes, how s&#x2F;he walks or mapping micro scratches on his&#x2F;her car without any need to take pictures of either the plate or the face. I&#x27;m also pretty sure we could already build a model of a walking person or animal just by having it walk or run on a weight sensors equipped mat, so that after due training recording when someone walks in or out of a place would be doable without cameras.<p>The ban should be on the final purpose, that is, pervasive generic surveillance. Otherwise it keeps being a moving target in which the most powerful party is constantly one or more steps ahead.

I see that these bans regulate use by police.<p>But how could any of them affect use by federal agencies? Which would then share information with local police.<p>I mean, police lie to courts about StingRay use, or data from the NSA via SOD,[0,1] and do parallel construction.<p>I really do think that privacy in meatspace is hopeless.<p>0) <a href="https:&#x2F;&#x2F;www.reuters.com&#x2F;article&#x2F;us-dea-sod-idUSBRE97409R20130805" rel="nofollow">https:&#x2F;&#x2F;www.reuters.com&#x2F;article&#x2F;us-dea-sod-idUSBRE97409R2013...</a><p>1) <a href="https:&#x2F;&#x2F;www.deamuseum.org&#x2F;wp-content&#x2F;uploads&#x2F;2015&#x2F;08&#x2F;042215-DEAMuseum-LectureSeries-MLS-SOD-transcript.pdf" rel="nofollow">https:&#x2F;&#x2F;www.deamuseum.org&#x2F;wp-content&#x2F;uploads&#x2F;2015&#x2F;08&#x2F;042215-...</a>

While most of these systems work well enough to identify a person, there are a number of well-known ways to defeat them. One is simply to apply newer technology to cracking algorithms used inside these devices. Improvements in processing power from one generation to the next, and a proliferation of information about where the vulnerabilities are, applies to biometrics as well as other technologies.How Secure Is Your Face? <a href="https:&#x2F;&#x2F;semiengineering.com&#x2F;how-secure-is-your-face&#x2F;" rel="nofollow">https:&#x2F;&#x2F;semiengineering.com&#x2F;how-secure-is-your-face&#x2F;</a>

Some times a technology is so cheap and easy to use that banning it becomes absurd, and you just have to accept the new reality.<p>Face recognition isn&#x27;t quite there yet, but in 5 or 10 years every kid with a phone can do this.

Schneier&#x27;s points are dead on. One of the few talking sense here. Biometric and related identification technologies are here and multiplying. We need to regulate data sharing and 3rd party data compiling, regardless of the data. Dirty data and incorrect data will haunt people, existing in who knows what databases. This is what needs to be regulated. Not the individual identification technologies. Stop the abuse of new tracking technologies before they are invented. As well as end the advertiser tracking that is out of control. (FYI: I write FR software.)

What is your view on the decentralization of facial recognition?<p>I believe that surveillance cameras can help to decrease physical violence, but the main concern I have that the algorithm and embeddings databases are out of mine control even for validation.<p>Hence, are there any authorities that publicly disclose the FAR metrics? So far I came around UK case only <a href="https:&#x2F;&#x2F;bigbrotherwatch.org.uk&#x2F;all-campaigns&#x2F;face-off-campaign&#x2F;" rel="nofollow">https:&#x2F;&#x2F;bigbrotherwatch.org.uk&#x2F;all-campaigns&#x2F;face-off-campai...</a>

&gt; <i>Finally, we need better rules about when and how it is permissible for companies to discriminate. Discrimination based on protected characteristics like race and gender is already illegal...</i><p>This is they key point of the article, but unfortunately he doesn&#x27;t give any solutions or even hint at them. Does anyone know if he does elsewhere?<p>It also feels a bit disingenuous for him to use the word &quot;discriminate&quot; here.<p>&quot;Discrimination&quot; is generally understood to give someone an <i>unfairly</i> negative experience due to inherently <i>irrelevant</i> factors, such as denying someone a job due to the color of their skin.<p>I think most people would agree that &quot;discrimination&quot; is the wrong word to use when showing different people different ads due to their browsing history, or giving different people different credit card offers based on their credit scores, or charging young people more for car insurance based on their age. All of these are based on what people generally consider to be non-discriminatory, <i>evidence</i>-based distinctions -- and so words like &quot;targeting&quot; or &quot;market segmentation&quot; are more appropriate.<p>If he wants to argue for a better framework for what is considered legitimate targeting&#x2F;segmentation or not, I&#x27;d love to hear it. Otherwise there&#x27;s not really much to say?

Schneier&#x27;s title made it seem like we should not be banning facial recognition, but in the blog itself he spent lengthy verbiage arguing there are 3 components we needs do more to fight against of a surveillance state. In other words, we need to do more to ban&#x2F;regulate those rather than undo the facial recognition ban.

Interesting he mentions festivals banning it. There&#x27;s a startup in LA who&#x27;s trying to add facial recognition to ticket gates of large venues like stadiums for both security and marketing. I wonder how 50,000 people think about being facially recognized &#x2F; tracked just to go see the ball game or concert?

proves we are in hell. Some geek ape figured out to use a rock as a tool-the rest of the apes started throwing rocks at each other and just took what the other apes made. Some geeks figure out nuclear power and a way to provide endless free energy- the rest of us turn it into a weapon. Some other geeks make a foolproof way to communicate for free-the rest of us weaponize that too. Cant wait for skynet to clean out this crap. Our brains just cannot handle complexity.

It took me awhile to grok but I think that people like Schneier want to take the ideology of online anonymity and apply it IRL.

Bruce is missing the point too. He does see that the problem with facial recognition is the backend database with data about individuals. The way to index this database is not the problem, and that&#x27;s where facial recognition comes in.<p>Facial recognition used <i>exclusively</i> to access my hotel room? Fine! Even fingerprint. No problem. As long at that data <i>is not linked to other databases</i>, and is erased, at minimum when I request it. And, most importantly it needs to be protected against cross-referencing to government databases.<p>Because that&#x27;s where the real problem lies. Cross-referencing. Is a store allowed to remember data about me? Sure. That&#x27;s what store clerks do. The employees at the post office don&#x27;t ask for my name anymore, they use facial recognition (the wetware kind) and then go look for the packages with my name on it. Great!<p>I go to a psychiatrist and he proposes that if he diagnoses me with something I can get all the visits paid back. Ok, whatcha got? Well, autism seems somewhat justifiable and is very popular at the moment. Okay. Now this data gets passed to the government in my medical file, cross-referenced to my insurance, passed to them, and now I can&#x27;t renew my car insurance. There&#x27;s special cover for that, more expensive, of course. Even worse: it got cross-referenced in the government itself to, and I now have to get approval from a psychiatrist to get my driver&#x27;s licence renewed, every time.<p>Okay, so I contact the psychiatrist, and this cannot be removed from my medical file (&quot;because then I could sue medical professionals and they wouldn&#x27;t be able to defend themselves using the data they have&quot;). Okay, fine, YOU can keep your notes on me if you must, but I want it out of my government medical file. Nope, that system just doesn&#x27;t support that. We can add some additional explanation if you want, but that&#x27;s all.<p>So I feel like the needed laws are: 1) Any medical data is off-limits for cross-referencing of any kind with no exceptions. It is also off-limits for government and cannot be used for traffic, tax, ... purposes. Even law enforcement should not be able to see this data under any circumstances. If such data is needed or important in a case, a judge can call my doctor to testify, to answer specific questions, and that&#x27;s the absolute limit of government access. 2) Any data you record on me you need to specify what it will be cross-referenced with, for companies, but ESPECIALLY if you are the government. There must not be any consequences for saying &quot;no&quot;. And when asking permissions, only explicitly enumerated named companies&#x2F;departments and databases with clear listing of what that data is used for and nothing outside of that. 3) I want the ability to withdraw that permission at any time, which means ANY system that it was cross-referenced in must delete that reference 4) I want the ability to delete any data about me that was passed on AFTER THE FACT, ESPECIALLY in government databases, even if I initially didn&#x27;t tell them not to pass it on. 5) I want something like Google&#x27;s privacy dashboard, but for the entire government. Ideally also including companies&#x27; data. Which has buttons to delete this data that actually work.<p>If you follow these rules, feel free to use facial recognition, fingerprints, heartbeats, ... to index the data you do have on me. Not a problem. I can always demand you delete your data and start from scratch though.

Because the conversation is so lopsided, I feel like somebody has to ask: what opportunities are we giving away when banning face recognition tech?<p>Obvious one would be no more purse snatchers, ever. Almost no rapes, much fewer violent crimes. No lost kids. Lives and wallets saved.<p>What else? This feels like the kind of tech that creates its own broad fields of use where there were none before. It might take time or imagination to see where it goes.<p>And if - just saying - if the benefits are good enough to stop and think for a second, aren&#x27;t there any better ways of skinning this cat than banning tech? Might be worth a brainstorm.<p>I&#x27;m not a big fan of EU&#x27;s GDPR - I&#x27;ve literally just fired a client last week on an emailing consulting gig because the threat of unpredictable huge fines is too big for me. Plus I freaking hate cookie popups. But I have to admit it&#x27;s also doing a lot of good - if companies can&#x27;t store my IP address without my consent, I&#x27;m pretty sure they can&#x27;t store my facial profile and daily movements. Which leaves the choice in the hands of the consumer, where it should be. I have Google Location enabled on my phone - it&#x27;s creepy accurate, but I like it. Maybe you don&#x27;t. Let&#x27;s not chose once for everybody.