Facial recognition for MRT rides a bad idea


By: Terence Sim

On 21 Oct. 2016, The Straits Times reported that facial recognition may used instead of fare cards for MRT rides, if the Advanced Fare Gate System developed by ST Electronics “takes off”. This is a bad idea, and I would advise against using it in Singapore. Reason: loss of privacy, and the risk of privacy abuse.

The purported reason for replacing the usual fare cards with a facial recognition system is speed and convenience: commuters need not remove their cards, or tap them at the gate to enter. This will in turn allow more people to pass through the gates faster, supposedly by 50 percent, according to the news article.

But these same benefits can be achieved by alternative technologies, such as RFID cards, or other electronic tokens, which are far less privacy-invasive. With facial recognition, my identity is revealed, and hence my daily movement and habits. You may argue that this is only for MRT rides, and not all forms of public transportation. But why open a can of worms?

Once implemented and accepted by the public, such technology will most likely spread to other forms of public transportation, and in due course, other daily public services as well.

The Key Issue: Authorization vs Identity

But let’s take a look at the key issue here: that of confusing Proof of Authorization with Proof of Identity. When you go to watch a movie, you purchase a ticket and present it to the cinema. The ticket tells the cinema that you have the right to watch the movie; it does not reveal who you are.

Indeed, many people would baulk if the cinema demanded your ID card before admitting you. (Presenting your ID for age verification to watch “mature movies” is a different matter. Even here, your identity is not recorded by the cinema, but only seen as an ad hoc means to check your age, which is not recorded either.)

For many transactions in daily life, a Proof of Authorization is all that is required to consume a product or use a service. Examples include: magazine subscriptions, club memberships, store loyalty cards. There is no need reveal your identity. For other transactions, a Proof of Identity, which is a stronger requirement than Authorization, is needed.

Examples of these are: taking a bank loan, receiving Government aid, getting medical treatment. A Proof of Identity is required because such services are either customized to the individual (eg. medicines) or is a rationed entitlement (eg. Government gives a monetary top-up to all citizens) and identity is used to ensure that the entitlement gets to the correct person, and not to a fraudulent impostor.

But every time identity is revealed, there is the potential for loss of privacy, and for privacy to be abused. This should be weighed against the benefits derived from the transaction.

For MRT rides, it should be clear that a Proof of Authorization is sufficient for a commuter to board the train. Identity is unnecessary, and in fact, reveals too much about the commuter’s traveling habits. The humble fare card provides the necessary Proof of Authorization, and does so without revealing identity. It keeps the commuter anonymous, yet allows him to take the train. Not so with Facial Recognition.

When I ride the train, I don’t wished to be tracked by Big Brother. I should be able to choose the people to whom I reveal my travel plans. For other people, it is none of their business. What is important is that this choice should not be taken away from me; otherwise I live in fear that someone may stalk me, or attack me where I’m vulnerable. If Facial Recognition replaces fare cards, then commuters are trading travel convenience for loss of privacy. This is a very bad trade that leads to great loss. Worse if the data containing everyone’s daily commute is leaked or hacked.

Just as sinister, yet not widely understood, is function creep, which is the use of personal data for purposes other than that for which the data was first collected. For example, if the train company decides to sell or share the identity data for advertising revenue, then such usage is beyond the original intention of using Facial Recognition to speed up gate clearance. And in this age of Big Data and Data Analytics, the economic pressure for function creep is very, very real.


There is no need to go down this road. As at today, alternative technologies exist that provide the right amount of Proof, and yet are just as convenient for commuters and beneficial for the train company. More generally, we should all distinguish between Proof of Authorization vs Proof of Identity.

They are not the same and should not be interchanged. (Another example where they are confused is the replacement of the low-tech padlock on gym lockers with a high-tech fingerprint reader.) Please use the right technology to solve the right problem.