Cashless Catering

Facial Recognition

The school currently uses a Facial Recognition System for its cashless catering system, however given the recent recommendations from the ICO, this is currently under review, whilst the school looks at all options.

In the meanwhile, our supplier Cunninghams have provided the following information about the system.

What is a cashless system?

A cashless catering system allows parents to pretop up their child’s account to ensure that those funds are used in school for school meals, and therefore they cannot be used for unintended purposes. The user will identify themselves at the Point of Sale, and the operator will deduct the users balance by inputting the items that the user is purchasing. Additionally, cashless catering aims to eliminate bullying with regards to free school meals as eligible user accounts have the allowance automatically applied, providing anonymity, no longer does a student need to obtain and present a voucher/token. Lastly, using a cashless catering system, schools/caterers can offer a more efficient meal service by reducing the time required to perform a transaction, as there is no requirement for the operators to handle cash and count change.

What is facial recognition?

Facial recognition is an optional identification method to authenticate users at the Point of Sale. Facial Recognition Technology (FRT) is a category of biometric technology that maps an individual’s facial features (such as the length and width of the nose, the distance between the eyes and the shape of the cheekbones) mathematically and compares this data against a database of known users. When a user is enrolled, an image is captured, transforming the analogue information (their face) into digital information (data) using the geometry of their face and then stores this data as a faceprint template within the database. This database of faceprints is then used as a basis for comparison when a user presents themselves to the system for identification.

What are the benefits of Facial Recognition?

The utilisation of biometric technology (both fingerprint and facial recognition) provides enhanced security and safeguarding as these cannot be lost, shared, or guessed in the same way that cards or PINs can. This ensures that the funds are being used by the intended user and that when purchasing items, any limits imposed on the user will be enforced and any allergen information is considered and will prevent the user purchasing items where the product is known to contain an allergen that the user is known to be allergic to. Additionally, Facial recognition offers a completely contactless method of identification as users no longer need to hand over a card, enter a PIN, or place their finger on a fingerprint reader. It is also a more intuitive solution and there is no reliance of users using the system “properly” as FRT eliminates common, time-consuming occurrences present with other recognition methods such as ensuring that their fingers are correctly placed on readers, their PIN is input correctly, or making sure that their payment card is in their hand ready to start the transaction. This increased speed of transaction further reduces the time spent by users queueing to pay for their items, allowing them more time to enjoy their break times, and allowing the caterer to serve more users in a shorter timeframe.

A user (i.e child) does not wish to grant permission for the use of facial recognition, how would they access the system?

If a user does not wish to grant consent, they can be provided with an alternative method of identification, in Chelmer’s case this is via manual operator lookup. They are not be treated differently from those users who have consented, such as being made to use a different till or wait until last before they can use the system.

A parent/user previously granted permission but now wishes to withdraw. How easy is this to do and what happens to the data?

Should a parent or user withdraw consent, their permission status within the system can easily be updated to ‘Denied’. When the permission status is updated to no longer be ‘Approved’, any faceprint template data will be automatically removed as part of this process and a new faceprint template  cannot be captured while the permission status remains in this state. It can later be reset to ‘Approved’ should the parents/guardians or user change their mind again.   To withdraw consent, please contact the school office.

How is the facial data captured?

When consent granted to use FRT, an authorised member of staff will manually set the users facial recognition permission to approved. Once this action has been performed, if the user has a photograph (received from the MIS data feed) on their account, the system will attempt to convert this into a face template. If the image is of a sufficient quality, with a single person’s face orientated in a similar fashion to a passport style photo, with minimal facial coverage (facial hair, glasses and headscarves are fine) the system will be able to successfully convert this into a face template for the user and they can now begin using the system. If the photograph is of poor quality, and/or does not contain a single face, correctly facing forwards, with enough of the user’s facial features visible, the system will be unable to create a face template for this user and they will need to be manually captured.

Manual facial template capture

Additional to the capture process detailed above, face templates can also be manually captured by an authorised member of staff at the Point of Sale. A face template can also be manually captured for users that already have a face template stored. During manual enrolment, the user will present themselves to the enrolment point and the authorised member of staff will verify their identity. The operator will then have the user look directly towards the camera and the operator will capture the user’s face template by clicking on the users face from the video feed displayed on the screen. This will crop the users face and removing any background noise/faces. This cropped image is then converted into a faceprint template against the user’s account.

How is the data stored?

Facial recognition data is stored as a unique string of characters known as a faceprint template. This data is encrypted using AES 256 and is either stored on a school server within the secure school network, or hosted on a secure Azure server by CRB Cunninghams if the school are paying us to host this and the cashless system. To provide further enhanced protection, the SQL databases that we use are protected by Transparent Data Encryption, which uses AES 256 encryption to secure the data at rest as detailed at: https://docs.microsoft.com/en-gb/azure/sql-database/transparent-dataencryption-azure-sql

 

How secure is the use of facial recognition? Will it allow someone to access an account using a photograph of another person?

Facial recognition could be spoofed using a photograph of a user with a registered faceprint template to open another person’s account. It is for this reason, that CRB Cunninghams only employ the use of this technology at the Point of Sale as this is attended and operated by an authorised member of staff.

Is the data shared with any sub-contractors or third parties?

No, the data is not transferred to or shared with any sub-contractors or third parties either in the UK or internationally.

Can the face templates be used for other purposes outside of the dining hall, such as for access control or registration?

No. Facial recognition is only available at the Point of Sale and is always operated by an authorised member of school or catering staff. CRB Cunninghams do not share the face template data and do not utilise facial recognition in any way other than for this intended purpose.

Has the algorithm been subject to adversarial/penetration tests (can the algorithm be influenced)?

The facial recognition algorithm used in our system has been subject to several adversarial attacks/benchmarks by an independent body, the National Institute of Technology and Standards (www.nist.gov) .

Is the facial recognition process live/automatic?

A common misconception of our implementation of FRT is that the system is completely live/automated using multiple cameras located around the canteen/serving area. This is incorrect and the use of FRT on the CRB Cunninghams cashless catering system requires manual operation by a member of catering staff at the Point of Sale. On the Point of Sale, the person operating the till will be presented with a live video feed being captured by an attached camera which will be in very close proximity to the till (under 1 metre). As a user presents themselves to the operator for identification, the operator presses on the user’s face within the camera feed. This captures a still image and crops out any background leaving only the users face. This face image is then converted into a face template and compared against the database of pre-enrolled face templates. If a match is found, the users account is opened. If no match is found, then the captured image and template is destroyed.

What cameras are used?

Any USB camera can be used with Facial Recognition at the Point of Sale. Whereas any USB web camera will be able to perform facial recognition, CRB Cunninghams use “pro”, “streaming” style 8 cameras as these are able to provide higher-quality images, auto-adjusting to changing light conditions, and auto-focusing to varying user distance, more quickly and consistently than cheaper models.

How accurate is the technology?

 The accuracy of the algorithm varies depending on the number of face templates stored within the database. Our system can hold a maximum of 10,000 users. According to independent testing performed by the National Institute of Standards and Technology (www.nist.gov), assuming that there are the maximum of 10,000 users with face templates enrolled with good quality templates, the likelihood of a false positive is 0.001875%, or in other words we can expect that in every 100,000 identifications performed over the database of 10,000 there will be 2 users incorrectly identified. In a typical school usage, the number of face templates registered would be circa 1,000, therefore the likelihood of a false positive is reduced 10-fold. However, as the use of FRT is a manual operation, the operator will be able to notice that an incorrect account has been opened and retry the identification.

In addition to False Acceptance Rates, we also consider the False Rejection Rate. This is where a user who has been successfully enrolled is not identified by the system when the operator triggers an identification attempt. Using the same 10,000 users, for each identification attempt, there is a 0.34% chance that a previously enrolled user will be rejected and will be asked to try again.

Does Facial Recognition work with glasses, facial hair, face coverings or religious headwear?

Facial Recognition has been proven to work with users growing/removing facial hair before and after registering a template and has no issues with users wearing or removing glasses. Facial recognition is also able to work with religious items such as turbans, head scarves, and hijabs as the algorithm is only interested in facial features. Facial recognition has also been shown to perform relatively well with partial face coverage (such as when the user is wearing a nose/mouth covering often worn during the COVID-19 pandemic), however due to reduced visible facial features, users wearing such a covering may have more difficulty being identified. Facial recognition is unable to work with full face coverings.

How does the system deal with identical siblings?

When it comes to identifying users where their face template data will be very similar, for example with identical siblings, if there are multiple potential matches, these will be presented to the operator who will then be able to manually select the user from these available options.

Are there any racial and/or other biases present in the algorithm?

The facial recognition algorithm that is used by our system has been trained with increased datasets containing male and female images as well as images of all demographic regions and age groups. It has also been deployed all over the world – in Africa, many Asian countries, Latin America, but also Europe and Northern America, in a wide-range of use-cases where the number one condition is to be able to identify with a high reliability – i.e., extremely low False negative rates while keeping the False positive rates at the lowest possible values. The National Institute of Standards and Technology, who provide the dataset that the algorithm is trained upon, is also addressing this issue by increasing the test dataset – they currently test on 30 million images taken under different conditions and containing images varied by age, gender, and demography.

Are the templates stored used to further train the algorithm?

No. The templates processed by CRB Cunninghams use of the algorithm are not used to further train the algorithm.