When you are identified in a picture on Facebook, biometric software remembers your face so it can be “tagged” in other photographs.
Facebook Inc. (Nasdaq: FB) says this enhances the user experience. But privacy advocates say the company’s technology -- which regulators in Europe and Canada have ordered shut off -- should only be used with explicit permission.
As commercial use of facial recognition technology grows to replace password log-ins, find people in photos and someday even customize displays for shoppers as they browse in stores, it has raised privacy questions. That’s one reason the U.S. government is participating in a working group to develop rules for companies using facial recognition -- even if those are voluntary.
“Face recognition data can be collected without a person’s knowledge,” said Jennifer Lynch, an attorney for the Electronic Frontier Foundation, a San Francisco-based privacy rights group. “It’s very rare for a fingerprint to be collected without your knowledge.”
Privacy groups such as Lynch’s last month cited the business community’s opposition to requiring prior consent as the reason they walked out on the government meetings. The Department of Commerce’s National Telecommunications and Information Administration, which sponsored the talks, plans to continue the process Tuesday without most of the privacy advocates.
“The process is the strongest when all interested parties participate and are willing to engage on all issues,” said Juliana Gruenwald, an agency spokeswoman.
Facebook defends its use of facial-recognition technology, a form of biometrics. It works by assigning numbers to physical characteristics such as distance between eyes, nose and ears in order to come up with a unique faceprint that can be used to identify someone when they’ve already been identified through tagging.
The technology powers a photo feature called “tag suggestions” that is automatically turned on when users sign up for a Facebook account. The suggestions are only made to a user’s friends.
“Tag suggestions make it easy for friends to tag each other in photos,” Facebook said in an e-mailed statement. “And when someone is alerted they’ve been tagged in a photo, it’s easier to take action, whether it’s commenting, contacting the person who shared it, or reporting it to Facebook.”
Users can opt out at any time, Facebook said. But that requires that they change their settings.
“Facebook isn’t getting permission,” said Alvaro Bedoya, executive director of Georgetown University’s Center on Privacy & Technology, who walked out on the U.S. meetings. “Facial recognition is one of those categories of data where a very prominent and a very clear consent is necessary.”
The U.S. government’s approach to regulating use of face data by companies is inadequate, privacy activists said. They point to Europe, where strict privacy laws forced Facebook in 2012 to delete data collected for its tag-suggestion feature following a probe by Irish authorities. Tag suggestions have also been turned off in Canada.
Companies such as Microsoft Corp. (Nasdaq: MSFT), which is building facial recognition into Windows 10, and MasterCard (NYSE: MA), with its plan for selfie verification for online payments, require the download of an app or the purchase of hardware. Those acts can verify consent, privacy advocates say.
“It’s a complicated question,” said Carl Szabo, policy counsel for NetChoice, an association of Web companies such as Facebook, Google (Nasdaq: GOOG) and Yahoo! Inc. (Nasdaq: YHOO). “My concern is that if we go down this road, we’re not going to give this technology the opportunity to flourish and provide some of the really cool innovations that I can’t even think of today.”
Szabo said he’s in favor of a code of conduct that would require companies using facial recognition to be transparent about their use of the technology with a notice or sign. That would allow consumers to “vote with their feet” if they feel uncomfortable, he said.
Facebook first started using facial recognition by licensing technology from another company, Face.com, which it acquired in 2012. Last month, Facebook introduced Moments, a new standalone app that uses the same technology as tag suggestions and groups photos in a user’s smartphone based on the faces identified. Photos can be shared with specific friends, as opposed to uploading them to Facebook.
The Mountain View company’s current policy on facial recognition has made it the subject of a pending lawsuit in Illinois, which along with Texas has some of the nation’s strictest biometric privacy laws.
The lawsuit argues that Facebook didn’t notify users when updating its terms of service to disclose that the company collects facial data on users tagged in photos.
Photo publishing site Shutterfly Inc. is the subject of another pending lawsuit in Illinois that takes issue with the company’s photo tagging feature.
The fear that facial data can be used to track people may be overblown. It reveals “less information about your habits than most customers would reveal by carrying around a mobile phone that also tracks and shares location data,” Daniel Castro, vice president of the Information Technology and Innovation Foundation, a nonpartisan think tank, said in an email.
Coming up with rules for the technology is not “black and white,” said Nick Ahrens, vice president of privacy and cybersecurity at the Retail Industry Leaders Association, which has members including Nike Inc. (NYSE: NKE), J. Crew Group Inc., Dillard’s Inc. (NYSE: DDS) and Wal-Mart Stores Inc. (NYSE: WMT).
“I think transparency is the name of the game,” Ahrens said. But, “I don’t know if a sign on the door is the answer.”