At the end of 2011 the FTC hosted a unique workshop (archived webcast and materials available at http://www.ftc.gov/bcp/workshops/facefacts/) on the privacy and security implications of facial biometric recognition, prodded in part by Facebook’s introduction that summer of technology to automatically recognize faces and propose friend “tags” for submitted photos. Controversy erupted immediately, and recently, Facebook agreed to disable facial recognition for users in the EU (http://www.dailymail.co.uk/news/article-2207098/Facebook-switch-controversial-facial-recognition-feature-following-data-protection-concerns.html). Still the issues and technology isn’t going away.
To help companies of all sizes stay ahead of the curve, the FTC followed up on its workshop with the release this month of a staff report called, “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies” – available at http://ftc.gov/os/2012/10/121022facialtechrpt.pdf.
While many may consider such facial recognition tech as strictly the province of larger companies or social networking applications, that won’t be the case for long. And as more companies explore advertising in numerous online channels – with such efforts are frequently contracted out – it bears repeating that any potential arising liability or legal concerns cannot necessarily be similarly outsourced.
With ubiquitous smartphones, high-resolution cameras in every hand, and better facial recognition algorithms the option to use facial recognition in new, innovative – and surprising ways – will mushroom in short order for all companies.
As the FTC notes, even now there are multiple uses, such as “determining an individual’s age range and gender in order to deliver targeted advertising; assessing viewers’ emotions to see if they are engaged in a video game or a movie; or matching faces and identifying anonymous individuals in images. “ It’s the last item that is potentially most problematic.
So, what does the FTC recommend?
First, the FTC staff stresses that its focus on “privacy by design” (privacybydesign.ca) – as detailed more fully in its final proposed privacy framework report http://www.ftc.gov/opa/2012/03/privacyframework.shtm) – applies with full vigor to facial recognition.
Second, appropriate collection, retention and disposal practices are even more important in a facial recognition context where images of us are easily and readily taken by others and thereafter posted online without our knowledge or with potentially broad and unspecified or unrecognized copyright licenses for further use.
Third, simplified notices, meaningful choices and transparency on when, how and where facial recognition is implemented is a must. The FTC recognizes that a sliding scale for notice and choice is appropriate, depending on the associated application. As an example in this area, the FTC notes companies are considering “using digital signs [in supermarkets] capable of demographic detection – which often look no different than digital signs that do not contain cameras.” In such circumstances clear notice that facial recognition technologies are in use should be provided as a best practice before consumers enter the facial capture range and that such technology not be used where children gather.
Finally, and perhaps most significantly, the report highlights “at least two scenarios in which companies should get consumers’ affirmative consent before collecting or using biometric data from facial images.”
One is where images or any biometric data are used in ways different than represented when the data is collected. The other, where the FTC recommends affirmative consent is necessary, is when utilizing “facial recognition to identify anonymous images” of someone to a third party “who could not otherwise identify him or her.”
Although it may seem that facial recognition is still an infant technology in the making and that there are more pressing infosec concerns when it comes to data security, it’s worth keeping this technology and the FTC’s recommendations in mind.
