As facial recognition begins to face regulatory scrutiny, industry and privacy advocates spar over who owns your data

As facial recognition begins to face regulatory scrutiny, industry and privacy advocates spar over who owns your data

Tech companies pushing their own frameworks in bid to outpace local legislation

Written by
Edited by Michael Morisy

For almost a year, tech companies have called for federal legislation addressing facial recognition. Some have even released public recommendations to government or drafted sample legislation. Privacy advocates, however, worry this lobbying will dilute efforts, particularly at the state and local level, to enact the strong consumer protections around personal information and biometric data needed in an evolving digital landscape.

“Industry hopes that a federal bill would preempt state bills or state privacy laws,” said Emory Roane, policy counsel at Privacy Rights Clearinghouse. “It seems a certainty that unless there are new regulations put in place around facial recognition scanning, around the collection of biometric information, that this information will be gathered on public streets and will just be another area to commodify and to be used for surveillance or commercial purposes.”

Currently, there are a few state laws that have allowed people some control over their digital data. Illinois’s 2008 Biometric Information Privacy Act is only beginning to be tested in the courts, but a judge recently ruled that citizens could sue Facebook under the law for retention of their photos. In California, the Consumer Privacy Act, which goes into effect in 2020, will allow individuals to limit the retention and sale of their data.

“What we want to avoid are very narrow definitions of biometric information that would preclude, for example, photographs or imagery of faces and specific mathematical measurements of hands,” Roane said. “Microsoft has proposed last year that an appropriate solution to privacy concerns is just clear laws that businesses disclaim that they’re using biometric technologies, and people consent to that by being around these businesses, which privacy advocates believe is absolutely the wrong approach.”

Advocates and companies do agree, though, that the issue is urgent, as law enforcement access to facial recognition expands and its uses in advertising and commerce grow.

Brad Smith, president of Microsoft, warned that in five years, the challenges of facial recognition services “will be much more difficult to bottle back up” and that a “commercial race to the bottom” could be prevented by new laws to support “healthy market competition.”

Facebook’s Mark Zuckerberg has recommended a “globally harmonized framework” for privacy and data protection. Last month, Amazon CEO Jeff Bezos said the company’s public policy team was “working on facial recognition regulations.”

That company’s Rekognition software has been particularly criticized by civil rights groups for being inaccurate and a potential tool of discrimination, and another facial recognition company used by law enforcement, FaceFirst, posted a blog earlier this month to say its representatives had met with lawmakers regarding the Commercial Facial Recognition Act, one of the only to currently address the technology.

Though lawmakers have expressed concerns about facial recognition, few have offered any solutions. Presidential hopefuls Kamala Harris and Elizabeth Warren both signed a letter to the Equal Employment Opportunity Commission with concerns about its role in discrimination but both have since released criminal justice reform plans that, rather than limit use, look to improve its accuracy and policies around for law enforcement. Sen. Bernie Sanders has proposed it be banned in policing, a step that San Francisco, Oakland, and Somerville have enacted.

“[T]his kind of technology deals with personal identifying information that – if hacked – cannot be replaced or reset like a password or a credit card number. At the very least, we need to establish minimum security requirements for companies dealing with personal identifying information. We also need to make sure that companies are held accountable for any breaches involving this kind of information,” wrote Senator Mark Warner of Virginia, Vice Chairman of the Senate Intelligence Committee.

Any state or federal legislation would have implications beyond facial recognition, with potential effects on all biometric information, including DNA, fingerprints, facial geometry, vocal qualities, and motor ticks. Part of what makes regulation so difficult - and corporate involvement so sticky - is that in the changing digital landscape, what actually constitutes personal information is evolving. As technology develops the ability to turn once innocuous observation into biometric information to be sold and shared, the trade and its effects on individual lives can ripple far beyond the app or other context in which permission may initially have been obtained.

“The problem with facial recognition technologies, in particular, and a lot of biometric scanning technologies is the fact that consent is so difficult to get and the information can be captured without any consent whatsoever,” Roane said. “The other issue is that biometric information - unlike a lot of other information businesses might be interested in capturing about us - is irrevocable, irreplaceable. You can’t change your thumbprints. You can’t change your facial geometry. Once your facial geometry has been scanned and is out there, there is very little you can do.”

Meanwhile, industry is pushing ahead with new ways of recording the world and tracking our experiences through it. Both Facebook and Amazon announced last month plans to develop augmented reality glasses. In addition to use in an AR gaming world, Facebook will be using its glasses platform to develop “Live Maps,” which aims to create a “live, dynamic index” of the surrounding environment. The Amazon Echo glasses won’t be released with a camera, but others working in the space see cameras and other biometric reading as a likely near-future possibility. Amazon did not respond to a request for comment; Microsoft provided links to existing materials.

“[W]e think there are valuable use cases for collecting and interpreting that type of information…But we definitely think it’s important to have regulatory frameworks in place, especially as sensors continue to advance and proliferate,” said Aaron Rowley, co-founder of the startup Vue Smart Glasses. His company omitted a camera in its design because it made people, including himself, uncomfortable. “[Glasses] have the unique ability to capture both what your eyes are doing and in what direction your head is pointed, for example. And though perhaps a bit far off, you can imagine how the glasses might be able to capture EEG data from your brain as well.”

Facial recognition regulation, then, is just the beginning of a larger conversation around what parts of being and experience are a person’s to keep and to keep private, and for consumers, there will need to be more shareholders on their side, free of the interests of business.

“It’s almost certain that eventually there will be regulations in place around biometric information. The risks are so obviously clear, and the general public readily understands not just the creepiness of biometric information, biometric technologies, but the risk from a civil liberties perspective,” Roane said. “I think folks can also easily understand the commercial privacy risks, consumer privacy risks to biometric information. Industry, meanwhile is hoping that new regulations will allow them to operate as frictionless as possible.”

Image via U.S. Army

Creative Commons License
Algorithmic Control by MuckRock Foundation is licensed under a Creative Commons Attribution 4.0 International License.