The rampant spread of COVID-19 around the globe continues to challenge public health officials and governments alike to find ways to manage the spread of the disease until an effective vaccine can be developed. This challenge has led to new and novel approaches, particularly in the use of technology. One of the most recent technology applications to control the spread of the virus is the use of security cameras combined with facial recognition software.

Facial recognition is part of a computer software category that uses video content analysis (VCA) technology. VCA technology uses machine learning and artificial intelligence to detect objects within a video image and then extract, identify, classify, and index them for a broad range of applications.

As schools and businesses reopen, contact tracing has become an essential tool in preventing the spread of COVID-19. However, not surprisingly, people infected with the virus often struggle to remember everyone they have come in contact with in the previous two weeks, which reduces the effectiveness of contact tracing.

Video security systems

Instead of relying on human memory, schools and businesses that have video security systems can use facial recognition to quantify people's proximity across time and location. They can track where on the premises a student or employee has been and identify any other people that person has been in contact with while in the building.

This technology helps avoid having to close an entire school or business when an individual tests positive for the virus by providing more precise information about what areas need to be sanitized and who may need to be quarantined.

Safe and responsible reopening

VCA technology and video security systems can also be used together to help ensure safe and responsible reopening

In addition to contact tracing, VCA technology and video security systems can also be used together to help ensure safe and responsible reopening during the current pandemic in other ways, too:

Improving compliance with face mask requirements -- Providing the ability to search for people with or without a mask, facial recognition can be used to detect face mask violations in real-time and alert those responsible for ensuring compliance.

Limiting occupancy to ensure proper social distancing -- Video management systems software can be encoded with lower occupancy thresholds and rules to count the number of people entering and exiting a building or an area within it and send alerts when the occupancy thresholds are met. This allows security staff to ensure proper social distancing and provides a better understanding of where social distancing may be more challenging.

Contact tracing

Here is one example of how a business might use facial recognition for contact tracing. When an employee self-discloses that he/she has tested positive for COVID-19, the employer can upload a digital image of that employee into its VCA system to conduct a filtered search through its video footage for the last 2-3 weeks for any face matches for that employee.

When matches are identified, the operator can review the video for each match to identify where in the facility the employee has been and who the employee may have come in contact with. The employer can then notify those individuals that they may have been exposed to the virus and recommend or require that they self-quarantine for the recommended 14 days.

It is incumbent on the employer and required by the federal Health Insurance Portability and Accountability Act (HIPAA) to protect the individual’s identity when notifying the people he/she has interacted with.

Important Considerations

Critics argue that using video surveillance with facial recognition in hospitals and public spaces creates privacy issues

Research has found that facial recognition is not as accurate as people may think. In an analysis of the use of facial recognition technology in law enforcement, Cardiff University found thousands of false-positive matches. Concerning facial recognition algorithms' accuracy, the National Institute of Standards and Technology (NIST) defines a false positive as two different individuals incorrectly identified as the same person. A false negative means that the software failed to match two images of the same person. 

The fact is, facial recognition technology has been controversial since its development. While facial recognition has been used to locate missing children and has improved the security at airports against terrorism, critics argue that using video surveillance with facial recognition in hospitals and public spaces creates privacy issues. In contrast, others point to concerns that inaccurate results can lead to false arrest problems when used in law enforcement.

Facial recognition

Given the strong feelings that the use of this technology can elicit, any organization considering using facial recognition should be prepared to address them openly.  

The Brookings Institute has developed several recommendations to help protect people from the potential problems facial recognition software can pose. These recommendations were developed prior to the emergence of COVID-19.


However, while many of them will take years to implement, there are two that, in the short term, can do much to help ensure the responsible use of facial recognition in preventing the spread of the disease:

Limit the Data Storage Time -- This is a reform that could go far in mitigating privacy concerns and fears around the misuse of data for purposes other than that for which it was originally collected. Data collected for contact tracing will no longer be relevant after the pandemic is over; therefore, there is no need to retain it beyond that. Defining limits on how long such videos will be retained will instill confidence that their images are used only for beneficial purposes and only for a specific period.

Provide Clear Notification in Public Areas that Facial Recognition is Being Used and Why -- This would allow those who object to avoid those areas. While it would seem that everyone who wants to do whatever they can to help control the spread of COVID-19, some may not agree that facial recognition is an appropriate way to do that. Transparency concerning the use of these technologies in public spaces is therefore very important.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version Download PDF version

In case you missed it

Water Plant Attack Emphasizes Cyber’s Impact On Physical Security
Water Plant Attack Emphasizes Cyber’s Impact On Physical Security

At an Oldsmar, Fla., water treatment facility on Feb. 5, an operator watched a computer screen as someone remotely accessed the system monitoring the water supply and increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million. The chemical, also known as lye, is used in small concentrations to control acidity in the water. In larger concentrations, the compound is poisonous – the same corrosive chemical used to eat away at clogged drains. The impact of cybersecurity attacks The incident is the latest example of how cybersecurity attacks can translate into real-world, physical security consequences – even deadly ones.Cybersecurity attacks on small municipal water systems have been a concern among security professionals for years. The computer system was set up to allow remote access only to authorized users. The source of the unauthorized access is unknown. However, the attacker was only in the system for 3 to 5 minutes, and an operator corrected the concentration back to 100 parts per million soon after. It would have taken a day or more for contaminated water to enter the system. In the end, the city’s water supply was not affected. There were other safeguards in place that would have prevented contaminated water from entering the city’s water supply, which serves around 15,000 residents. The remote access used for the attack was disabled pending an investigation by the FBI, Secret Service and Pinellas County Sheriff’s Office. On Feb. 2, a compilation of breached usernames and passwords, known as COMB for “Compilation of Many Breaches,” was leaked online. COMB contains 3.2 billion unique email/password pairs. It was later discovered that the breach included the credentials for the Oldsmar water plant. Water plant attacks feared for years Cybersecurity attacks on small municipal water systems have been a concern among security professionals for years. Florida’s Sen. Marco Rubio tweeted that the attempt to poison the water supply should be treated as a “matter of national security.” “The incident at the Oldsmar water treatment plant is a reminder that our nation’s critical infrastructure is continually at risk; not only from nation-state attackers, but also from malicious actors with unknown motives and goals,” comments Mieng Lim, VP of Product Management at Digital Defense Inc., a provider of vulnerability management and threat assessment solutions.The attack on Oldsmar’s water treatment system shows how critical national infrastructure is increasingly becoming a target for hackers as organizations bring systems online “Our dependency on critical infrastructure – power grids, utilities, water supplies, communications, financial services, emergency services, etc. – on a daily basis emphasizes the need to ensure the systems are defended against any adversary,” Mieng Lim adds. “Proactive security measures are crucial to safeguard critical infrastructure systems when perimeter defenses have been compromised or circumvented. We have to get back to the basics – re-evaluate and rebuild security protections from the ground up.” "This event reinforces the increasing need to authenticate not only users, but the devices and machine identities that are authorized to connect to an organization's network,” adds Chris Hickman, Chief Security Officer at digital identity security vendor Keyfactor. “If your only line of protection is user authentication, it will be compromised. It's not necessarily about who connects to the system, but what that user can access once they're inside. "If the network could have authenticated the validity of the device connecting to the network, the connection would have failed because hackers rarely have possession of authorized devices. This and other cases of hijacked user credentials can be limited or mitigated if devices are issued strong, crypto-derived, unique credentials like a digital certificate. In this case, it looks like the network had trust in the user credential but not in the validity of the device itself. Unfortunately, this kind of scenario is what can happen when zero trust is your end state, not your beginning point." “The attack on Oldsmar’s water treatment system shows how critical national infrastructure is increasingly becoming a target for hackers as organizations bring systems online for the first time as part of digital transformation projects,” says Gareth Williams, Vice President - Secure Communications & Information Systems, Thales UK. “While the move towards greater automation and connected switches and control systems brings unprecedented opportunities, it is not without risk, as anything that is brought online immediately becomes a target to be hacked.” Operational technology to mitigate attacks Williams advises organizations to approach Operational Technology as its own entity and put in place procedures that mitigate against the impact of an attack that could ultimately cost lives. This means understanding what is connected, who has access to it and what else might be at risk should that system be compromised, he says. “Once that is established, they can secure access through protocols like access management and fail-safe systems.”  “The cyberattack against the water supply in Oldsmar should come as a wakeup call,” says Saryu Nayyar, CEO, Gurucul.  “Cybersecurity professionals have been talking about infrastructure vulnerabilities for years, detailing the potential for attacks like this, and this is a near perfect example of what we have been warning about,” she says.  Although this attack was not successful, there is little doubt a skilled attacker could execute a similar infrastructure attack with more destructive results, says Nayyar. Organizations tasked with operating and protecting critical public infrastructure must assume the worst and take more serious measures to protect their environments, she advises. Fortunately, there were backup systems in place in Oldsmar. What could have been a tragedy instead became a cautionary tale. Both physical security and cybersecurity professionals should pay attention.

What Are The Positive And Negative Effects Of COVID-19 To Security?
What Are The Positive And Negative Effects Of COVID-19 To Security?

The COVID-19 global pandemic had a life-changing impact on all of us in 2020, including a multi-faceted jolt on the physical security industry. With the benefit of hindsight, we can now see more clearly the exact nature and extent of that impact. And it’s not over yet: The pandemic will continue to be top-of-mind in 2021. We asked this week’s Expert Panel Roundtable: What have been the positive and negative effects of Covid-19 on the physical security industry in 2020? What impact will it have on 2021?

Expert Roundup: Healthy Buildings, Blockchain, AI, Skilled Workers, And More
Expert Roundup: Healthy Buildings, Blockchain, AI, Skilled Workers, And More

Our Expert Panel Roundtable is an opinionated group. However, for a variety of reasons, we are sometimes guilty of not publishing their musings in a timely manner. At the end of 2020, we came across several interesting comments among those that were previously unpublished. Following is a catch-all collection of those responses, addressing some of the most current and important issues in the security marketplace in 2021.