The lead article in the Business section of the New York Times on Friday, “Unmasking a Problem: Amazon’s technology that analyzes faces could be biased, a new study suggests. But the Company is Pushing it Anyway”, by Natasha Singer, talks about Amazon’s Rekognition project, which suffers from some of the same issues as products from IBM, Microsoft, and Megvii/Face++. The short of it is that the software has a high success rate when identifying the gender of light-skinned faces, but a lower success rate for darker-skinned faces.
The article implies that all of these companies are convinced that this is a problem that needs to be solved, and solved with a very high accuracy rate. Let’s pump the brakes on that and start with some simple terms/definitions:
- Verification. This is checking to see if the person is who they say they are. AuthenticID calls it the first mile in the identity arena. To verify that someone is who they say they are, you need to start with an ID like a driver’s license or passport. Make sure it’s a valid document that hasn’t been tampered with and isn’t a copy, and scan the details, including the name and gender of the person. Then, once it’s clear who the person is saying they are, have them take a selfie, check it for liveness, make sure it isn’t a picture of a picture, and match the selfie to the ID. All of this can be done in less than five seconds. Banks have been doing this for years because of regulations, but most industries have not done it because it meant requiring your customer to go to a physical location and get verified. With software it’s fast and easy and establishes trust. One key piece here is that the person being verified is actively participating in Verification; this is not the case with Identification, below.
- Authentication. Authentication is using some “key” like an ID/password, a fingerprint, facial recognition, or another biometric. Today most organizations perform authentication (the second mile of identity in the parlance of AuthenticID) without the verification step. Airport security and healthcare organizations are among the rare cases of combining Verification with Authentication – largely because those are places where the person must be physically present – it cannot be done online.
- Two-Factor Authentication. This has become increasingly popular in recent years. A common example of this is when you log in with an ID/password and change your password for something like Gmail, they will send a verification code to your cell phone to make sure it’s you. It’s a good idea, but as Josephine Wolff points out in an Op-Ed piece in the January 28, 2019 issue of The New York Times, “Two Factor Authentication Might Not Keep You Safe” – it’s all in the title. The short of it is, if the Verification step has not been completed, there is still not 100% certainty that the person is who they say they are.
- Identification. Identification is a whole different level, where people or cameras are looking at open spaces to figure out who the person is, usually when that person isn’t aware that they are being assessed (unlike with Verification – above). This requires having an existing photograph or detailed description of the person, and then scanning either with the naked eye or software to see if any of the faces in the crowd are faces they can identify with confidence. What’s stored as a “fingerprint” for the biometric is usually not enough to Identify someone, but only Authenticate them. A good example is Disney World in Orlando. If you have a multi-day pass, they capture a biometric to Authenticate you when you return, and to prevent the customers they call guests from throwing their pass over the fence to let a friend in. If the person going into Disney is on the FBI’s most wanted list, the information captured in the biometric isn’t enough to match that biometric with the much more detailed fingerprint that the FBI has – so they can’t Identify the person with the information used for Authentication.
So what I would say to Natasha Singer and Matt Wood (General Manager at Amazon for the software in question) is that they should be specific about which of these four things they are trying to accomplish with their facial recognition software. If they are trying to Authenticate without having done the Verification step, given how easy Verification is now, they should add that, which then relieves the facial recognition software of the task of identifying the gender (which doesn’t make much sense in the first place). If they are doing a Verification, then there’s no need for the software to determine the gender (because it’s written right on the ID). And if they are doing Identification, there are probably varying degrees of complexity in the use cases, but this seems to be pattern matching, where again asking the software to determine gender isn’t relevant.
It seems like these companies need to revisit their basic assumptions about what problems they are solving, which of the above three categories they are in, and then ask if they are wasting time asking the software to determine gender, when Verification is really the only step where it matters, and if you do that correctly – the gender is written right on the document.
AuthenticID is in the Verification and Authentication business, and companies around the world have been using it with great success for years. Join us for one of our weekly webinars to learn more about how this technology is used to establish and maintain trust in ways that can dramatically reduce fraud loss (a $4 trillion global industry) and grow revenues through lower abandonment rates at enrollment / sign-up.