Partilhar via


Code of conduct for Azure AI Vision Face API

The following Code of Conduct defines the requirements that all Azure AI Vision Face API (“Face API”) implementations must adhere to in good faith. This code of conduct is in addition to the Acceptable Use Policy in the Microsoft Online Services Terms.

Access requirements

Azure AI Face service is a Limited Access service that requires registration and is only available to approved customers and partners. Customers who wish to use this service are required to register through this form. To learn more, see Limited Access to Azure AI Vision Face API.

Responsible AI mitigation requirements

Integrations with Face API must:

  • Implement meaningful human oversight
  • Implement strong technical limits on inputs and outputs to reduce the likelihood of misuse beyond the application's intended purpose
  • Establish feedback channels
  • Implement additional scenario-specific mitigations

To learn more, see the Azure AI Vision Face API transparency note.

Integrations with Face API must not:

  • be used in any way that violates Microsoft’s Acceptable Use Policy, including but not limited to any use prohibited by law, regulation, government order, or decree, or any use that violates the rights of others;
  • be used in any way that is inconsistent with, or prohibited in, this code of conduct, including the Limited Access requirements, the Responsible AI mitigation requirements, and the usage requirements;
  • exceed the use case(s) you identified to Microsoft in connection with your request to use the service;
  • be used for individuals under the age of consent in any way that could result in exploitation or manipulation or is otherwise prohibited by law or regulation;
  • make decisions without appropriate human oversight if your application may have a consequential impact on any individual’s legal position, financial position, life opportunities, employment opportunities, human rights, or result in physical or psychological injury to an individual;
  • infer sensitive information about people without their explicit consent unless if used in a lawful manner by a law enforcement entity, court, or government official subject to judicial oversight in a jurisdiction that maintains a fair and independent judiciary;
  • enable end users to use automation to probe for weaknesses of Face API liveness detection functionality for the purpose of bypassing facial liveness detection, also known as biometric presentation attack;
  • enable customers or end users from using your application to develop derivative applications that probe for weaknesses of Face API liveness detection functionality for the purpose of bypassing facial liveness detection;
  • be used to identify or verify a person without first obtaining valid consent from them in accordance with all applicable laws;
  • be used to infer a person’s gender;
  • be used to infer a person’s emotional state from their facial expressions or facial movements;
  • be used by or for a police department in the United States;
  • be used for any real-time facial recognition technology on mobile cameras used by any law enforcement globally to attempt to identify individual in uncontrolled, “in the wild” environments, which includes (without limitation) police officers on patrol using body-worn or dash-mounted cameras using facial recognition technology to attempt to identify individuals present in a database of suspects or prior inmates
  • without the individual’s valid consent, be used for ongoing surveillance of real-time or near real-time identification or persistent tracking of the individual.

Usage requirements

We prohibit the use of our service in any manner that can inflict harm on individuals or society. Our usage policies are intended to improve the safety of our platform.

We prohibit activities that directly support probing weaknesses of facial liveness detection for the purpose of bypassing liveness detection, also known as biometric presentation attack.

We prohibit activities that directly support unlawful active attacks or malware campaigns that cause technical harm, such as delivering malicious executables, organizing denial of service attacks, or managing command and control servers.

We prohibit the use of Azure AI Face service for activities that significantly harm other individuals, organizations, or society, including but not limited to use of the service for purposes in conflict with the applicable Azure Legal Terms and the Microsoft Product Terms.

Without limiting the foregoing restrictions, Microsoft reserves the right to revise and expand the above usage requirements to address specific harms to people and society.

Report abuse

If you suspect that Azure AI Face API is being used in a manner that is abusive or illegal, infringes on your rights or the rights of other people, or violates these policies, you can report it at the Report Abuse Portal.

Report facial liveness detection failure

If Azure AI Face API does not detect a presentation attack instrument that you believe should have been detected as spoof, create an Azure support request.

The support request should include:

  • Type of spoofing material presented;
  • Service information returned from the service as part of the API call. At a minimum this must include API path, request ID (apim-request-id), session ID (sid), and API model version (model_version);
  • Any specific conditions required to reproduce the attack;
  • Step-by-step instructions to reproduce the attack;
  • Exploit image or proof of concept image (if possible);
  • Business impact of attack.

You may attempt to recreate the attack prior to reporting it to Microsoft. This would be especially useful if you cannot provide the exploit image.

Report other facial detection or recognition failures

If Azure AI Face API does not detect or recognize a person correctly , or fails in any other way, create an Azure support request.

The support request should include:

  • Service information returned from the service as part of the API call. At a minimum this must include API path, request ID (apim-request-id), session ID (sid), and API model version (model_version);
  • Any specific conditions required to reproduce the failure;
  • Step-by-step instructions to reproduce the failure;
  • Failure image or proof of concept image (if possible);
  • Business impact of the failure.

You may attempt to recreate the failure prior to reporting it to Microsoft. This would be especially useful if you cannot provide the failure image.

Next steps