Facial Recognition Bans Don't Mean What You Think

Here's something that trips up nearly everyone the first time they hear it: the laws that are "banning facial recognition" across the U.S. and Europe almost certainly don't apply to you comparing two photographs in a case file. Not even close. The phrase "facial recognition ban" has become one of those rhetorical sledgehammers that sounds definitive but is actually aimed at something very specific — and that something is not what trained investigators do when they analyze evidence images.

The confusion is understandable. "Facial recognition" has become a catch-all term that does a huge amount of legal and psychological work it was never precise enough to carry. When someone reads a headline about San Francisco banning facial recognition, or the EU AI Act restricting biometric surveillance, they picture any software that looks at a face and draws a conclusion. That mental model is wrong — and for investigators, that mistake has real consequences.

The Taxonomy That Actually Runs the Rules

Start with the technical foundation, because this is where everything else flows from. The National Institute of Standards and Technology (NIST) maintains a formal taxonomy that distinguishes between two fundamentally different operations. Identification is a 1:N search — one face query run against a database of N enrolled individuals. You don't know who you're looking for. You're asking the system, "who is this?" Verification is a 1:1 comparison — you have two specific images, and you're asking, "are these the same person?"

That's not a subtle distinction. Those are different computational tasks, different evidentiary frameworks, and — increasingly — different legal categories. Regulatory bodies writing new biometric legislation have begun importing NIST's exact technical language into statutory definitions, which means the taxonomy isn't just academic. It's the structure that determines what's restricted and what isn't. For a comprehensive overview, explore our comprehensive face comparison tools resource.

Think about it this way. Imagine a city installing cameras at every major intersection that silently log every pedestrian's face against a law enforcement database, in real time, without any of those pedestrians ever knowing it happened. Now imagine a detective who has pulled two specific photographs from a case file — one from a surveillance still, one from a known reference image — and is asking a forensic analyst to compare them. We have never treated those two things the same under any legal framework. License plate readers vs. a detective reviewing photos. Wiretapping an entire city vs. a court-authorized wiretap on one line. The facial comparison laws being written right now are following that exact same structural logic.

What the Laws Actually Say

The EU AI Act — the most comprehensive AI regulatory framework currently in force — classifies real-time remote biometric identification systems used in publicly accessible spaces as high-risk, with very narrow exceptions. The operative words matter enormously here: real-time, remote, publicly accessible. All three conditions have to be present for the most restrictive provisions to apply. A forensic comparison you perform in a controlled environment on images you already hold as evidence hits none of those three triggers.

At the state level in the U.S., the picture is patchwork but directionally consistent. Illinois' Biometric Information Privacy Act (BIPA), one of the most stringent state biometric laws in the country, centers on the collection and storage of biometric identifiers from individuals without their consent — again, a framework built around unsolicited mass capture, not the forensic analysis of evidence a professional already holds. As NPR has reported, with no federal facial recognition law in place, states have rushed to fill the void — but the legislation that's actually passed has overwhelmingly targeted commercial surveillance and law enforcement's use of live public scanning, not controlled forensic comparison workflows.

Norway's data privacy authority, Datatilsynet, made headlines recently by seeking a ban on remote biometric identification — a move tracked closely by European privacy observers. And yet even that effort, aggressive as it is, is aimed squarely at ambient identification systems, not at the kind of bounded, case-specific facial comparison work that forensic professionals conduct.

"Remote biometric identification in public spaces poses unique risks to fundamental rights — enabling surveillance at scale in a way that other biometric uses do not." — Center for European Policy Analysis (CEPA)

There's your through-line. The regulatory concern is about scale and absence of subject knowledge. It's about systems that operate on populations, not professionals who work on cases. Continue reading: Demographic Bias Facial Recognition Test Set.

The "Subject Autonomy Spectrum" — And Where Your Work Sits

Legal scholars have a useful framework for thinking about this. They map biometric tools along what you might call a subject autonomy spectrum. At one extreme: mass identification where individuals have absolutely no awareness they're being scanned, no opportunity to consent or refuse, and no control over what happens to their data. At the other extreme: verification or comparison where a specific, known set of images is analyzed by a defined party for a defined evidentiary purpose — the subject of the comparison either is an identified individual already involved in the case, or is a reference image the investigator holds.

These aren't just philosophical categories. They represent genuinely different threat models, and regulators are treating them accordingly. The crowd-scanning end of the spectrum creates risks of political surveillance, discriminatory targeting, chilling effects on public assembly, and cascading errors across populations. The forensic comparison end of the spectrum is bounded — bounded by the case, by the images the investigator holds, by the specific evidentiary question being asked.

This is exactly where tools designed for professional facial comparison — like what we build at CaraComp — operate by design. The architecture of a one-to-one comparison system is structurally different from a mass identification engine. Different inputs, different outputs, different accountability chain. Regulators increasingly recognize that difference in the statutory language they write.

Why This Matters More Than Legal Trivia

Here's where the practical stakes come in. Investigators who don't understand this distinction are walking into two different traps simultaneously. First, they may be avoiding entirely legitimate, legally protected forensic work because they've mentally lumped it in with the surveillance practices under fire. That's a real cost — evidence goes unanalyzed, cases go cold, conclusions go unsupported. Second — and this matters in court — they can't explain what they actually did.

If you can't articulate the difference between running a face against a nationwide biometric database and comparing two photographs from your own case file, a sharp opposing attorney will happily blur that line for a jury. "The investigator used facial recognition software" lands very differently than "the investigator performed a one-to-one forensic comparison of two images using a NIST-aligned verification methodology." Both sentences might describe the same action. Only one of them is going to survive cross-examination intact.

The MIT Technology Review has noted that some law enforcement agencies are actively finding ways around facial recognition bans — which tells you two things. One, the bans are specific enough that workarounds are possible. Two, the agencies doing this are operating in legal gray zones they don't need to be in, precisely because they haven't understood what the bans actually cover versus what they don't.

The professionals who thrive as these rules tighten won't be the ones who simply avoided the technology out of caution. They'll be the ones who understood the NIST taxonomy well enough to place their own methodology precisely on the spectrum — and explain that placement clearly to anyone who asks.

So ask yourself honestly: when you hear "facial recognition ban," do you picture the city camera scanning strangers' faces in real time — or do you picture yourself comparing two photographs in a case file? Because regulators have already decided those are different things. The question is whether you have too.