The IT Law Wiki


Facial recognition (also called face recognition) is

[the] automatic processing of digital images which contain the faces of individuals for the purpose of identification, authentication/verification or categorization of those individuals.[1]
[a] biometric modality that uses an image of the visible physical structure of a biometric subject's face for recognition purposes.[2]

Facial recognition is "any technology that is used to extract data from facial images."[3]


Facial recognition software analyzes an individual's photo and measures various aspects of the face, which may include the distance between different features such as the eyes, nose, and mouth. The unique set of measurements representing one facial image is compared to the measurements representing others, to detect images that are potentially associated with the same person.[4]

"Facial recognition used locally employs a mobile device's camera to take a picture of a user's face and compare it against data of the same user's facial characteristics captured during enrollment/registration. This authentication mechanism is offered natively by some mobile device platforms and the necessary hardware sensors are built into many mobile devices."[5]

The technology is typically used to compare a live facial scan to a stored template, but it can also be used in comparing static images such as digitized passport photographs. Facial recognition can be used in both verification and identification systems. In addition, because facial images can be captured from video cameras, facial recognition is the only biometric that can be used for surveillance purposes.

Facial recognition technologies currently operate across a spectrum, ranging from pure facial detection, which simply means detecting a face in an image, to biometric analysis of facial images, in which unique mathematical data are derived from a face in order to match it to another face. In the latter example, if one of the faces is identified, i.e., the name of the individual is known, then in addition to being able to demonstrate a match between two faces, the technology can be used to identify previously anonymous faces. In between these two points are a range of possibilities that include determining the demographic characteristics of a face, such as age range and gender, and recognizing emotions from facial expressions.[6]

Facial images can be used in situations where fingerprints cannot be taken. Capturing facial images provides a non‐contact form of identification/verification for situations where physical contact may not be possible or practical for whatever reason. Capture of facial images can be done at a distance and therefore provides the capability for covert mobile identification operations. Capturing facial images may be of more value than taking fingerprints in some circumstances. For example, known or suspected terrorist databases or other watch lists may be more likely to contain facial images than fingerprints.

The computer-based facial recognition industry has made many useful advancements in the past decade; however, the need for higher accuracy remains. Through the determination and commitment of industry, government evaluations, and organized standards bodies, growth and progress will continue, raising the bar for face-recognition technology.[7]


The two primary algorithms used in facial recognition systems are based on the eigenface method and local feature analysis (LFA). The eigenface method looks at the face as a whole and represents a person’s face as a set of templates that require 1,300 bytes. LFA breaks down the face into feature — specific fields, such as the eyes, nose, mouth, and cheeks, creating an 84 byte template.


Given the state of face recognition technology, a privacy protection assessment would seek to identify the implementation options and potential match errors and use the information about these options and potential errors to inform the decision-making process of the biometric system. Limitations in technology are not in themselves absolute barriers to privacy protective system design and operations. Limitations such as lighting conditions, the quality of photographs that might be used, and varying facial expressions, should be identified, understood, and the likely effects of those limitations should be measured and accommodated so that both the individual and the organization can accurately assess the significance of the system’s functioning and place the results into the proper context.

The ability of facial recognition technology to identify consumers based solely on a photograph, create linkages between the offline and online world, and compile highly detailed dossiers of information, makes it especially important for companies using this technology to implement privacy by design concepts and robust choice and transparency policies. Such practices should include reducing the amount of time consumer information is retained, adopting reasonable security measures, and disclosing to consumers that the facial data they supply may be used to link them to information from third parties or publicly available sources.[8]


  1. Opinion 02/2012 on facial recognition in online and mobile services.
  2. Biometrics Identity Management Agency, Biometrics Glossary, at 2 (Ver. 5) (Oct. 2010) (full-text).
  3. Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies, at 1 n.2.
  4. Driver's License Security: Federal Leadership Needed to Address Remaining Vulnerabilities, at 11.
  5. NISTIR 8080, at 17.
  6. Maneesha Mithal, Prepared Statement of the Federal Trade Commission on the Use of Facial Recognition Technology by Governments and the Private Sector Before the U.S. Senate, Comm. on the Judiciary, Subcomm. on Privacy, Technology, and the Law (July 18, 2012) (full-text).
  7. FBI, Biometric Center of Excellence, "Facial Recognition" (full-text).
  8. Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers, at 46.


See also[]