Phone unlocking vs biometric mass surveillance: what’s the difference?

Facial recognition is one of the most hotly-debated topics in the European Union’s (EU) Artificial Intelligence Act. Lawmakers are more aware than ever of the risks posed by automated surveillance systems which pervasively track our faces – as well as our bodies and movements – across time and place. This can amount to biometric mass surveillance (BMS), which undermines our anonymity and freedom, and weaponises our faces and bodies against us.

One of the main technical forms of BMS is the use of ‘Remote Biometric Identification’ (RBI) systems in publicly-accessible spaces. These include parks, streets, shopping centers, libraries, sports venues and universities. RBI systems have been used by police, other public authorities, and private companies in a majority of EU countries.

EU law already distinguishes generally accepted uses of biometric data – like unlocking your smart phone using your face or fingerprint – from unacceptable forms – like being surveilled when you in a public space. But laws which are supposed to stop BMS need to be reinforced in response to the almost exponential rise in the capacity and capability of algorithmic processing.

Biometric verification vs identification

Biometric verification is a technological process most commonly used to authenticate someone’s identity. It’s sometimes referred to as ‘claiming your identity’ because you are in control, and you can use the biometric verification system to demonstrate that you are who you say you are.

Biometric identification, however, is a process of comparing your data to multiple other sets of data. For example, this could be by comparing your face to a database of face templates to see if there is a match. This database might be relatively small (e.g. a watchlist) or very large (e.g. a national identity database).

Biometric identification requires the collection of your sensitive biometric data in order to compare it against other sets of stored biometric data. Unlike with biometric verification, where you need to present yourself and your comparison data (e.g. held in your phone, on your passport chip, or in an entry badge), when it comes to biometric identification, you just need to be there.

What makes a use case ‘remote’?

Another key characteristic of biometric mass surveillance practices is the ‘remoteness’ of the use case. When you are unlocking your own phone, you are fully aware of what you are doing. It is done on an individual basis, and ‘by’ you, rather than ‘to’ you. Even if your face is a few centimeters away from your phone, you’re still present. Biometric verification is therefore (at least in theory) not remote.

By contrast, biometric identification is usually performed remotely. Remote uses of biometric identification have the capacity to scan the biometric data of anyone that comes into view – of a camera, a sensor, or a CCTV feed. So although biometric identification is often referred to as 1:n (1-to-many matching), it’s actually more accurate to think of RBI as n:n (many-to-many matching). That’s because – even if only one person is being searched for – every single person gets scanned and matched against everyone else.

Remote biometric identification is always risky and limits human rights, because it makes it possible that one or more persons will be surveilled, and that there is a potential that they might not know it is happening. This means that every person passing by gets treated as potentially suspicious – which can make us self-censor or behaviour or feel less comfortable and free going to a protest or even just walking around. This precludes any possibility of the surveillance being targeted against a specific individual, constituting mass surveillance. That’s why we are calling for a full and comprehensive ban on all uses of RBI in publicly-accessible spaces in the AI Act.

Read the full legal and technical analysis in the longer version of this blog here.