Naked Security

Privacy groups walk out of US talks on facial recognition guidelines

A 16-month effort to set guidelines for use of facial recognition technology that satisfy consumers’ expectations of privacy and meet existing state laws went up in flames on Tuesday.

That’s when all nine civil liberties and consumer advocate groups participating in talks with trade associations on a voluntary code of conduct for US businesses to use facial recognition walked away from the table.

Their reason?

Not a single industry representative would agree on the most basic premise: that targets of facial recognition should opt in before companies identify them.

They’d been at it since February 2014, when the US Department of Commerce’s National Telecommunication and Information Administration (NTIA) brought together industry representatives and privacy advocates to come up with voluntary guidelines.

The nine pro-privacy advocates, including the Electronic Frontier Foundation, the American Civil Liberties Union, the Center for Digital Democracy and other consumer advocates, put up a joint statement explaining their move.

From the statement:

At this point, we do not believe that the NTIA process is likely to yield a set of privacy rules that offer adequate protections for the use of facial recognition technology. We are convinced that in many contexts, facial recognition of consumers should only occur when an individual has affirmatively decided to allow it to occur. In recent NTIA meetings, however, industry stakeholders were unable to agree on any concrete scenario where companies should employ facial recognition only with a consumer's permission.

According to The Washington Post, the camel’s back broke last Thursday, at the NTIA’s 12th meeting on the issue.

Insiders told the newspaper that this is how it went down:

First, Alvaro Bedoya, the executive director of Georgetown University's Center on Privacy and Law, asked if companies could agree to making opt-in for facial recognition technology the default for when identifying people - meaning that if companies wanted to use someone's face to name them, the person would have to agree to it. No companies or trade associations would commit to that, according to multiple attendees at the meeting.

That’s right: not a single company would agree that consumers should have the say-so in facial recognition.

But while this industry/advocates collaboration on voluntary guidelines has fallen apart, the images companies are collecting without any federal direction haven’t gone anywhere.

Face-slurping companies include tech giants Facebook, Google and Apple.

For its part, Facebook is facing a class action lawsuit over facial recognition, started by an Illinois man who claims the social network violated state privacy laws by not providing him with written notification that his biometric data was being collected or stored.

Also in the mix are retailers, such as Wal-Mart, which love to spot who’s looking at what and for how long inside their stores.

In the UK, things are very similar: Tesco, the UK’s largest supermarket chain, in 2013 announced it was to install facial recognition technology in all 450 of its petrol station forecourts – all the better to target-market at you, my pretty.

The companies trying to hammer out guidelines in the US have turned away not only from the basic premise of opt-in, but also from a specific, concrete scenario of opt-in that was offered up by Justin Brookman, the director of the Center for Democracy & Technology’s consumer privacy project.

According to The Washington Post, Brookman sketched out the concrete scenario like so:

What if a company set up a camera on a public street and surreptitiously used it [to] identify people by name? Could companies agree to opt-in consent there?

The results were the same: not a single company went for opt-in, even under such specific circumstances.

Privacy advocates have said that their withdrawals from the multi-stakeholder process will be a fatal blow to the perceived legitimacy of the NTIA’s efforts, now that it’s just the foxes – as in, the companies implementing facial recognition – guarding the hen house (the hens being all us being surveilled).

But the NTIA says the talks will go on.

An agency spokesperson said this to The Washington Post:

NTIA is disappointed that some stakeholders have chosen to stop participating in our multi-stakeholder engagement process regarding privacy and commercial facial recognition technology. A substantial number of stakeholders want to continue the process and are establishing a working group that will tackle some of the thorniest privacy topics concerning facial recognition technology. The process is the strongest when all interested parties participate and are willing to engage on all issues.

The privacy advocates said in their letter that the barest minimum privacy expectation should be that we can simply walk down the street without our every movement being tracked and without then being identified by name, all thanks to the ever-more-sophisticated technology of facial recognition.

Unfortunately, we have been unable to obtain agreement even with that basic, specific premise. The position that companies never need to ask permission to use biometric identification is at odds with consumer expectations, current industry practices, as well as existing state law.

It might look good, at least on the surface, that the industry representatives are apparently playing ball by not walking away from the official guidelines-setting process.

But it’s hard to imagine anything privacy-positive coming out of that process now that the privacy advocates have walked away.

And without any guidelines, these companies will continue to use facial recognition in an unregulated environment.

Image of face tagging courtesy of Shutterstock.com .