On a cold, sunny October day on the outskirts of Copenhagen, Denmark, a group of men dressed in black gathers outside Brondby Stadium to shoot off a couple of rockets, raise their fists and shout about how the home team will soon beat — and beat up — the visiting archnemesis, FC Copenhagen.
Police are out in force, riot helmets at the ready. Brondby-Copenhagen matches have a history of leading to vandalism, arrests and general mayhem.
An attempted photo of the group gets a gloved hand in the face. "You need to stop," says the hand's black-clad owner, before he disappears back into the crowd. A security officer scurries over in concern.
"Don't film them," she warns NPR. "It'll end badly. They don't want to be recognized."
Ironically, this group of black-dressed men is also the primary target of Brondby's new facial recognition system.
Once the men's chant is over, the group moves toward the stadium's entrance, where the men — along with 21,000 other fans — are asked to remove masks, hats and glasses so a computer can scan their faces. The scans will be compared against a list of roughly 50 banned troublemakers and will be used to determine whether the spectators will be allowed in.
No one is stopped on this day. But since the system's launch in July, it has caught four people on the blacklist, who were then turned over to police.
The use of facial recognition is best known in China, but it is also used in countries including Israel, the U.S. and the United Arab Emirates. In Europe, biometric data is protected under the General Data Protection Regulation, arguably the world's most comprehensive privacy law, which went into full effect in mid-2018. Several institutions that had been using facial recognition technology prior to that — including a school in Sweden and a police force in Wales — have since been challenged, with differing results.
What's unique about the use of facial recognition in Brondby is that experts agree that it appears to be one of Europe's first large-scale, private systems created and vetted in the era of GDPR. (A definitive list is hard to come by since every country implements GDPR differently.)
Brondby resident Martin Lund, waiting in line for the game with his kids, is on board.
"I think it's great!" he says. "We're here to enjoy the game. We're here to have a nice time. We're here to shout at the opponent ... but we're not here to fight. If people want to fight, they shouldn't go to the game."
While the idea of facial recognition technology gives him pause, Lund says he trusts in his country to ensure that it's being used well.
"You can't do anything in Denmark without getting the proper approval," he says. "So it's not being misused, I don't think. You can't do that in Denmark."
According to the Brondby soccer club's security chief, Mickel Lauritsen, getting this system approved was a long process. It started almost five years ago, when the team kept getting fined for lax stadium security but felt hamstrung in its attempt to make improvements.
For example, stadium stewards were allowed to see only descriptions of the troublemakers they were expected to pick out of the crowd. Then they won approval to use photos. With that approval in place, the team launched its request for a facial recognition system and began nearly three years of negotiation involving the Danish Data Protection Agency, team lawyers, fan input and system developer Panasonic.
With the system in use now, Lauritsen says, he's very careful to stay within its prescribed boundaries. That means pictures of those on the watchlist are entered into the system on game day and are deleted again at the end of the day. The system is not connected to the Internet. There's a cross-check to avoid false positives.
Lauritsen says that at one point, the police asked him to enter a suspect's picture into the system to help with an investigation. He said no.
"I know if I misuse the system, I'm not allowed to do anything with it going forward, and then we'll be restricted in what we can do even further than we are now," he explains.
Lauritsen would eventually like to be able to share watchlists with other soccer clubs in Denmark. As a former police officer, he'd like it if the Brondby system could be of service to law enforcement. But for now that is not part of the agreement. "So I'm not going to misuse the system," he says, "or misuse the trust we've been given."
Still, that's not enough reassurance for everyone. Jesper Lund, who chairs the IT-Political Association of Denmark, a watchdog group, says it's a slippery slope from one facial recognition system to the next. He believes it's a tool that should be reserved for rare situations involving terrorism or serious crimes. He also notes that this particular technology can be unreliable and inaccurate.
"Using this very invasive and error-prone technology for something like making sure that persons on a banned list cannot go to a football match is really not proportionate," he says. "So in my opinion, this should never have been allowed by the DPA," Denmark's Data Protection Agency.
Even so, Lund acknowledges that his is a tough fight. Every non-hooligan whom NPR interviewed at the Brondby Stadium expressed some version of "I have nothing to hide" or "Facial recognition is inevitable."
University of Copenhagen IT law professor Henrik Udsen believes the best thing any country can do is start having the conversation. Udsen was involved in the Brondby decision as a member of the council that makes precedent-setting decisions under the Danish Data Protection Agency. He explains that GDPR includes different options for legal processing of personal data. The most common, user consent, is not practical in a stadium situation. Instead, Brondby had to convince regulators that improving stadium security was in the public interest.
Of course, not everyone agrees about what constitutes the public interest.
"The important part," says Udsen, "is that we have these discussions and we are taking both advantages and risks into account when we decide what to do. Because there are no necessary right and wrong answers here."
In the U.S., no federal laws explicitly regulate facial recognition technology — yet — so discussion has been happening primarily at the state and local levels and usually focuses on the public sector. San Francisco, for example, recently banned the use of automated facial recognition by the police and city agencies.
But that could soon change. Several bills now pending in Congress would regulate facial recognition technology on multiple fronts.
AUDIE CORNISH, HOST:
This month on All Tech Considered, we're looking at how easy it's become to track people. And one reason - facial recognition technology.
(SOUNDBITE OF MUSIC)
CORNISH: They've been called hooligans, though they're officially known as active supporters. Either way, diehard fans of Denmark's Brondby soccer team have a reputation for being rowdy, sometimes even violent. So team officials are using facial recognition software to cut down on stadium brawls. Sidsel Overgaard reports from just outside Copenhagen.
SIDSEL OVERGAARD, BYLINE: It's a cold but sunny day on the outskirts of Copenhagen, and dozens of men dressed in black - a few with face masks - are gathered outside Brondby Stadium, fists in the air, shouting about how their team will soon beat - and beat up - the arch enemy, FC Copenhagen.
UNIDENTIFIED BRONDBY ACTIVE FANS: (Chanting in foreign language).
OVERGAARD: My attempted photo of the group gets a gloved hand in the face and a security guard scurrying over with concern.
UNIDENTIFIED SECURITY GUARD: (Foreign language spoken).
"Don't film them," she says. "It'll end badly. They don't want to be recognized."
Ironically, this would-be anonymous group has become the target of one of the first large-scale facial recognition systems approved for private use under Europe's strict data protection laws.
Chant over, the group moves towards the stadium entrance where they, along with 21,000 other fans, will be asked to remove masks, hats and glasses so a computer can scan their faces, compare it to a list of banned troublemakers and determine whether they can get in. Since being launched a few months ago, the system has caught four people on the watchlist.
MARTIN LUND: I think it's great. I think it's OK.
OVERGAARD: Martin Lund is here with his kids.
M LUND: We're here to enjoy the game. We're here to have a nice time. We're here to shout at the opponent. But we're not here to fight. And if people want to fight, they shouldn't come to the game.
OVERGAARD: Lund says that while the idea of facial recognition technology gives him pause, he trusts that here it's being used well.
M LUND: You can't do anything in Denmark without getting the proper approval. So it's not being misused. You can't do that in Denmark.
OVERGAARD: Brondby's security chief, Mickel Lauritsen, says getting this system approved did involve government regulators, team lawyers, the software company and fan input.
MICKEL LAURITSEN: It was a long process. It took us about 2 1/2, three years to get in place.
OVERGAARD: And now that it's here, Lauritsen says he's very careful to stay within the prescribed boundaries. That means pictures of those on the watchlist are entered into the system on game day and deleted again at the end of the day. The system is not connected to the Internet. And there's a cross-check to avoid false positives. Lauritsen says at one point, the police asked him to enter a suspect's picture into the system to help with an investigation, and he said no because that is not part of the deal.
LAURITSEN: I know if I misuse the system, I'm not allowed to do anything with it going forward. And then we'll be restricted in what we can do even further than we are now. So I'm not going to misuse the system or misuse the trust we've been given.
OVERGAARD: Still, that's not enough reassurance for everyone. Jesper Lund is chairman of the IT-Political Association of Denmark. He says it's a slippery slope from one facial recognition system to the next. And he believes it's a tool that should be reserved for rare situations involving terrorism or serious crime.
JESPER LUND: Using this very invasive and error-prone technology for something like making sure that persons on a banned list cannot go to a football match is really not proportionate. So in my opinion, this should never have been allowed by the Danish DPA.
OVERGAARD: But he acknowledges this is a tough fight. Everyone I talked to at the Brondby Stadium expressed some version of it's inevitable. And in that light, says IT law professor Henrik Udsen, the best thing any country can do is have the conversation.
HENRIK UDSEN: The important part here is that we have these discussions and we are taking both advantages and risks into account when we decide what to do because there are no necessary right and wrong answers here.
OVERGAARD: In the U.S., it's a conversation that so far has been happening on the local and state level and is usually about how government uses the technology, not so much the private sector. But now there are several bills pending in Congress to regulate facial recognition, and some have bipartisan support.
For NPR News, I'm Sidsel Overgaard in Denmark. Transcript provided by NPR, Copyright NPR.