Facial Recognition Technology Now Allows you to Pay with Your Face—But Should you?

Facial recognition payments—a pandemic fad or the future of contactless payments?  Gone are the days of handling germ-ridden cash and touching unsanitary credit card machines—now, payment can be as easy, and quick, as a selfie. The California company PopID has introduced a new contactless payment concept—facial recognition. To participate, users sign up for a Pop Pay Account with a selfie, and add money or save payment information to their account. To make a purchase from a participating location, they can alert the cashier and look into the PopID tablet to process the transaction. But, despite the ease, and obvious draw to a more sanitary way to pay, facial recognition technology should raise some serious red flags for consumers, and prompt them to think twice before putting themselves, or their biometric data, in a vulnerable position. 

Facial recognition is a type of biometric technology which measures physical characteristics—here, specific “facial details”—to identify individuals or confirm identity. The unauthorized use of facial recognition data, its potential for misuse, and its documented inaccuracies have created significant concerns. Companies and city agencies alike are beginning to acknowledge these flaws, and take steps to ensure this technology isn’t abused or misused on their watch. For example, the City of Portland recently implemented a ban on facial recognition technology, not only by city agencies, but also private entities. Although other cities have enacted similar ordinances, Portland’s is the first to constrict the private use of facial recognition technology.

Not only could biometric data be hacked, but it can also be gathered without users permission and used without their approval.

The truth is, there is good cause for concern. Not only could biometric data be hacked, but it can also be gathered without users permission and used without their approval. For example, Clearview AI recently made headlines when it came to light that they collected images of users from public platforms, such as Facebook, and have been allowing law enforcement agencies to access their data. In addition to the vast privacy concerns, there is also doubts about the accuracy of this technology. Studies have found that facial recognition technology misidentifies people of color, women, and older adults, at an alarming rate.

While federal laws governing the use of facial recognition technology are virtually nonexistent, despite the fact that police agencies have been using this type of technology for the past couple of decades, bills are beginning to be introduced in Congress which would establish at least some red tape in this area. For example, the Facial Recognition and Biometric Technology Moratorium Act of 2020, which was introduced to the Senate in June, seeks to limit not only the federal use of facial recognition technology, but also to prohibit federal agencies from obtaining this information from third parties. The legislation also pushes states to adhere to these regulations by making certain federal funding conditional on compliance with certain guidelines.

With these concerns in mind, PopID is taking steps to ease consumers apprehensions. First, the company claims that images of users, which are stored in the PopID cloud, are never used to identify someone without their consent; customers must acknowledge every time they want to use this technology. And, the company claims it won’t be sharing any data with third parties—including the police—unless, they are compelled to do so by a  court order. Additionally, the company follows the most stringent facial recognition technology legislation, the Illinois Biometric Privacy Act (BIPA). BIPA was implemented to address some of the privacy concerns surrounding technology that uses biometric identifiers, including facial recognition. This strict legislation requires written consent from users before obtaining any biometric data, and allows citizens to sue companies for violations.

Despite the steps PopID takes to protect consumers, they should still be wary and consider important questions to protect themselves and their biometric data. For example, how secure is the PopID cloud? How long is biometric data store in the cloud? When, if ever, is it deleted? What happens to your biometric data after you delete your PopID account? And under what circumstances would data be provided to third parties, like the police? Sanitary or not—should this technology be trusted? Moving forward, consumers should continue to exercise caution and keep in mind that while the legislation regulating this technology is scarce, the concerns surrounding it are plentiful. As BIPA points out, a social security number can be altered if stolen – biometric data cannot.

Marissa Flack