Surveillance & Policy

Facial Recognition Surveillance: How It Works and Who's Using It

July 1, 2026 8 min read Haven Team

Clearview AI built its facial recognition database the same way anyone could: it scraped billions of photos from public web pages and social media, indexed them by face, and sold search access to law enforcement agencies. No court order authorized the collection. No individual consented. That's the tool a growing number of police departments now use to identify a stranger from a single photograph.


Facial recognition has moved from a novelty at airport security to infrastructure deployed across retail stores, transit systems, and police departments, often without the public debate that usually precedes a new surveillance capability. Understanding how it actually works is the first step to understanding why regulators in multiple jurisdictions have started pushing back.

How it actually works

A facial recognition system converts a photo of a face into a mathematical representation, a set of measurements describing the geometry of the face rather than the image itself. That representation gets compared against a database of similarly processed reference images. A match doesn't require the original photo to be high quality or posed; modern systems work reasonably well on angled, partially obscured, or low-resolution faces, which is part of why they're effective for surveillance footage that was never intended to be identification-grade.

The two things that make a facial recognition system powerful are the size of the reference database and the volume of footage it's applied against. Clearview AI's product was notable specifically because its database, built by scraping public images at scale, was orders of magnitude larger than what any single police department could have compiled from mugshots and driver's license photos alone.

Who's actually using it

Retailers use facial recognition for loss prevention, matching shoppers against internal watchlists of prior offenders. Transit and airport authorities use it for identity verification at checkpoints. Law enforcement agencies use it investigatively, running a photo from a crime scene or a witness's phone against a database to generate leads. The IRS briefly required facial verification through a third-party vendor, ID.me, to access online tax accounts in 2022, then reversed the requirement after public backlash over mandating biometric enrollment for a government service.

The accuracy problem is not evenly distributed

Multiple independent studies, including federal testing by the National Institute of Standards and Technology, have found that facial recognition error rates are not uniform across demographic groups, with higher false-match rates for some groups than others depending on the algorithm and dataset. Several documented wrongful arrests in the US have followed a facial recognition match that turned out to be incorrect, in cases where the technology was treated as more conclusive than the underlying error rate justified.

A concrete case: barred at the door by a database

Madison Square Garden Entertainment drew wide coverage in 2022 and 2023 for using facial recognition to identify and deny entry to attorneys whose law firms had active litigation against the company, unrelated to the event they were attending. A parent walking into a Christmas show with her daughter, or a lawyer holding tickets to a Rangers game, was flagged and turned away at the door because their employer's name appeared on an internal list, not because of anything they personally had done at the venue. New York's attorney general and legislature both took public interest in the case, and it became one of the clearest public examples of facial recognition being used for something far removed from its usual justification of safety or loss prevention: a company using biometric identification to enforce a business dispute against unrelated individuals at the door of a public venue.

The regulatory patchwork

Because there's no comprehensive federal law governing facial recognition in the United States, the response has been local and inconsistent. San Francisco banned government use of facial recognition in 2019, and several other cities followed with similar ordinances. Illinois' Biometric Information Privacy Act, one of the strongest state-level biometric privacy laws, has been the basis for major litigation against companies including Clearview AI, which settled a nationwide class action in 2022 restricting its sales to most private companies while continuing to permit law enforcement use in many jurisdictions. European regulators, including the UK's Information Commissioner's Office, France's CNIL, and Italy's Garante, separately fined Clearview AI over its data collection practices and ordered it to delete data on their residents, though enforcement across borders against a company with no EU presence has proven difficult in practice.

The EU's AI Act, which entered into force in 2024, takes a more structural approach: it classifies real-time remote biometric identification in public spaces by law enforcement as high risk and prohibits it outright except under narrow, specifically enumerated exceptions such as searching for a victim of a specific serious crime, subject to judicial authorization.

Jurisdiction approach What it actually does
City-level bans (San Francisco and others) Prohibit government agencies within that city from using facial recognition; doesn't reach private-sector use.
Illinois BIPA Requires consent before collecting biometric data and creates a private right of action, letting individuals sue directly rather than relying solely on regulators.
EU AI Act Prohibits real-time public biometric identification by law enforcement by default, with narrow judicially-authorized exceptions.
No law at all (most US states) Retailers and local police can deploy facial recognition with essentially no statutory constraint on collection or retention.

What you can actually do

Facial recognition sits in the same broader category as other surveillance infrastructure that scaled faster than the law governing it, alongside tools like automated license plate readers and geofence warrants, both of which turned routine public movement into a searchable database well before courts and legislators caught up to what that made possible.

Where Haven fits

Haven's mission is about who this kind of surveillance infrastructure threatens most directly: journalists, activists, and anyone communicating under conditions where being identified carries real risk. Facial recognition is a physical-world counterpart to the metadata surveillance we build encrypted messaging to resist, and it's worth understanding on its own terms, independent of any product.

Try Haven free for 15 days

Encrypted email and chat in one app. No credit card required.

Get Started →