What is the Facial ID?
- Put it simply, the Facial ID is a Universally Unique Identifier (UUID) assigned anonymously by the underlying Facial Recognition Engine to each enrolled user on your FACEIO application, after its explicit consent.
- Enrolled users are managed in FACEIO via this anonymous ID, enforcing privacy-protecting separation of biometric hashes (a stream of meaningless floating point numbers that cannot be reverse engineered), and all metadata you have already linked to a particular user on your application. This design is especially directed to facilitating GDPR compliance through strong data protection and pseudo-anonymized data handling.
- On each new user enrollment that is done via simple call to the
enroll()method of the
- You can rely on this Unique ID, as a lookup key on your database for example to fetch the information linked to this particular user. Facial authentication is done via simple call to the
authenticate()method of the
- When you create a new FACEIO application, and implement
- It is your responsibility now to safeguard, and to provide or proceed to the deletion of each Facial ID assigned to any of your enrolled users whenever the user in question is requesting it, and to follow our Privacy Best Practices Guide.
The Facial Recognition Engine
The facial recognition engine is the critical key component that is responsible for mapping each enrolled user’s face at real-time into a mathematical feature vector, better known as biometrics hash, which is in turn stored in a sand-boxed binary index.
When you create a new application, FACEIO gives you the choice between two production hardened facial recognition engine: PixLab Insight and AWS Rekognition. Insight is the default engine developed by PixLab exclusively for FACEIO. Insight is optimized for accuracy and real-time performance for live video feed, and is architected to instantly detect and match millions of faces in near real time, even under challenging conditions where faces are in motion, at different angles, under poor lighting conditions, or partially obscured with face covers. Both engines (Insight and AWS Rekognition) are able to search and match potentially millions of faces from images or video feed at near real-time. You can freely test the accuracy of both engines by creating a new application on the FACEIO Console.
Facial Vectors (Biometrics Hash)
Facial vectors (hence biometrics hash) are stored as an array of floating point numbers. The data is meaningless on its own, effectively acting as a hash, and cannot be reverse engineered. Only your application have access to the currently built index. You can manage, download, grab your encryption key as well as collect analytics on this index via the Application Manager on the FACEIO Console. You can learn more about our privacy practices and compliance via our Trust Center & Privacy Best Practices pages.
Deleting Facial IDs
Facial ID deletion are done via simple REST (HTTP) API call to the /deletefacialid endpoint. That is, you specify the Facial ID you want to remove from the target application via a simple
POST HTTP request, and you are done. Refer to this Python code sample on how to delete a given Facial ID from a particular application.
On success, the meta-data and facial vectors (biometrics hash) linked to the deleted Facial ID are completely purged from the application's facial index and you can no longer authenticate this particular user with the purged Facial ID until he enroll again and another Facial ID shall be assigned to him in such case.
Facial IDs falls in the category of Personal data just exactly email addresses, and therefore subject to Data Protection including the right to be forgotten.
It would make sense to write a set of security and privacy requirements for your project team(s) that specify usage of such features to mitigate the associated risks. You should enlist the help of a web security expert to write these requirements, and consider both user needs and welfare, as well as other issues like policy and regulation enforced by legislation such as the EU General Data Protection Regulation (GDPR).
Consider the following scenarios where you have to delete the user's Facial ID:
If your implementation includes user profiles or accounts (i.e. A dashboard), and a user deletes his/her account/profile, you should interpret this as a revocation of consent and thus proceed to the deletion of the Unique Facial ID assigned to this user on the target application if any.
For detailed informations on when to provide or delete the Facial ID of a given user, please refer to our Privacy Best Practices Guide.
Addressing Privacy & Security
Internally, FACEIO uses TLS encrypted transactions for all metadata transfers between the selected facial recognition engine and your website or web application, and no data passes through the Internet if run on Premises.
Privacy & Security are thoughtfully addressed from a full set of security configurations options available to you via the application manager. Options includes easy opt-out capabilities, PIN code requirements, country code or domain name based restrictions, and many other settings as advertised in our Privacy & Security best practices guides.