Facial Recognition technology is still a relatively new concept for many clubs and pubs across Australia. There are legal questions around what the legislation allows as well as how and where sensitive data is stored. Element Security have rolled out Facial Recognition technology into several clubs, so they have practical and operational knowledge of what is required. Here they answer the most common areas of concern for venues with your Top 10 questions answered.
There are multiple methods in which facial recognition systems work. In simple terms, they compare extracted “features” from a given source image with a reference database. In the context of security cameras, there is usually a server monitoring the streams of nominated cameras to process them through a facial recognition pipeline. That server can be hosted in the Cloud, locally in the customer’s premises, or a combination of both.
Whenever a face is detected on the camera’s stream, it is tracked and assessed on quality metrics and a verdict is determined if there is a match against anyone stored in the database. This verdict relies on predefined thresholds.
Q2. Is the use of facial recognition technology legal in Australia?
Yes, it’s even mandatory in South Australia for venues with over 30 gaming machines as per recent legislation.
There is no specific legislation regulating the use of facial recognition technology per-se, but there are federal and state laws that regulate the use of CCTV in private property, workplaces, and liquor-selling venues, and the handling of Australian’s personal information.
State-based liquor-related legislation requires venues to install and maintain surveillance recording systems to ensure that licensing laws are upheld, and serve as an effective tool for monitoring, documenting, and reporting violent behaviour. The minimum standard for those systems, and the types of liquor licenses that are needed to fulfil this requirement varies from state to state. Liquor-related legislation also mandates venues to enforce all the different types of patron bans and multiple self-exclusion lists.
At a federal level, the Privacy Act 1988 governs the way in which business entities and federal government agencies must handle personal information, through the Australian Privacy Principles (APPs). Sensitive information can only be collected with the consent of the individual or authorised by an Australian law. If an Australian organisation engages an overseas contractor to process personal information, they must ensure that the overseas recipient does not breach the APPs and is accountable for any acts or practices of the overseas recipient that would breach the APPs.
Facial recognition as a technology assists a venue to identify and remove persons who have been suspended, banned or self-excluded from their premises, so there is a lawful basis for such an implementation. In addition, the collection of faces is reasonably necessary for venues to perform everyday activities and operations.
Q3. Do we need to inform patrons of the use of facial recognition technology?
Following the guidelines of relevant international legislation such as GDPR and California’s CCPA, it is always advisable to gain consent, at least implicitly.
As clubs and pubs are private venues the use of CCTV itself is regulated by the Surveillance Devices Act which varies from state to state. For example, in NSW the SDA 2007 requires cameras used for surveillance to be clearly visible, and signs must be in place to notify patrons. If these two conditions are met a patron choosing to remain in the venue is consenting under the law. Under South Australian legislation a venue must notify each person who is about to enter a gaming area that a record of their facial image will be made by the approved facial recognition system.
Q4. Is a patron’s facial data stored automatically in a database by entering a venue?
No, identities and watch-lists are created only by user action. As an example, venues using facial recognition technology to manage their Self Exclusion list will create an identity for each registered patron using the image file associated with the submitted record. That way, if a registered patron is detected in a connected camera, there is a reference image to check his identity against.
If no explicit user action is taken, data flowing through the system will expire and be automatically deleted after a configurable period, much like how regular CCTV works.
Depending on the solution, facial recognition systems store databases and results either entirely in the Cloud, entirely locally, or a combination of both.
Onsite servers are typically installed on the same local area network as security cameras, which yields low latency recognition results and avoids the high ongoing costs typical of cloud GPU compute. Storing information locally reduces excessive transfer and storage costs. The downside to these setups is that they are usually siloed, as fully local setups have no way of communicating with each other. On-premise servers are expensive pieces of hardware.
On the other hand, Cloud infrastructures provide fast, highly available data to end user applications. Cloud computing is more expensive than local processing, and involves some sort of data transfer, sometimes locally and even internationally.
Lastly, some vendors choose to work with a combination of both Cloud and on-premise infrastructure. This leverages the best of both worlds, offering cheaper processing and low latency results with a local server, and multi-location model synchronisation and fast notifications powered by the Cloud.
Cloud security breaches consistently make news headlines. However, the challenge exists not only in the security of the Cloud itself, but also in the security policies and audit mechanisms customers put in place when it comes to users and data. In nearly all cases research suggests, it is the user who fails to protect an organisation’s data. So ultimately, both Cloud and local infrastructures are exposed to similar vulnerabilities.
It’s important to ask vendors for information regarding crucial infrastructure elements such as user authentication, encryption protocols applied to collected and transferred information, and the location of their servers. Biometric data is sensitive information and it is important that venues establish internal security procedures to protect their users, their generated content, other systems, and networks. At the same time, it’s important to confirm the vendor’s policy regarding customer data ownership.
Q6. How do mobile notifications generally work? What’s the role of the Cloud in facial recognition systems?
Mobile Push Notifications are cloud-based services provided by Apple and Google that allow app developers to send messages to their app users. The benefit of AI is that the system can monitor the cameras and notify us when something needs our attention. Cloud infrastructure enables this, along with many other benefits.
Q7. How accurate is the system?
The short answer is: 99.6% accurate.
The longer answer is that accuracy depends on the dataset it is tested against. In the real world, it is impossible to know as every site is different with lots of random factors. To scientifically produce an accuracy rating per site, one would have to collect tens of thousands of faces, humanly “label” each face, then run the Facial Recognition system again to yield an accuracy rating. This is not feasible, so we test against available datasets to get a sense of accuracy.
While 99.6% is true, the caveats should be known. Real-world accuracy can be estimated to be over 90% at least.
Not necessarily, unless you choose a vendor that’s locked to its brand.
Camera-agnostic facial recognition systems take a copy of IP cameras’ RTSP h264 or h265 stream, something any modern IP camera has.
That being said, camera placement, lens quality and hardware performance are crucial factors in the future success of a facial recognition implementation, so even if your cameras are compatible, they may need to be repositioned – to better focus on choke points – or replaced if they don’t yield good quality faces.
Q9. Are 4K cameras the best cameras to run facial recognition on? What is the minimum camera resolution required?
Every site is different, so it’s hard to generalise without specific details about the characteristics of the areas to be monitored, lighting conditions and camera quality and placement. 1080p is usually the most popular resolution. There are diminishing returns with resolution increases: manufacturers usually use the same sensor size and quality for their product ranges, so a 4K camera would have to fit more pixels on the same physical area as lower resolutions, with each pixel being smaller as a result. Therefore, a 100px face on a 4K image is often very grainy compared to a 100px face on a 1080p image.
Ultimately, what matters most in a facial recognition setup is face quality, usually a direct result of a good quality camera lens and a thorough installation effort.
Q10. Why is Facial Recognition so costly?
There is a misconception around Facial Recognition technology and the associated costs.
Facial Recognition technology has quite rapidly evolved over the past few years, with more and more developers implementing recognition solutions, which in turn has created a competitive market space. Similarly, hardware capabilities have increased exponentially, so running AI algorithms that require large amounts of processing power is cheaper than it’s ever been.
As a result, facial recognition technology is now affordable for any venue, big or small. It is also a scalable solution, starting from $3000 upfront with small monthly licensing fees. As an example, a Facial Recognition Solution can be as little as $80 per month.
To find out more contact Wes Stevens