A government-led effort to develop commercial guidelines for face-recognition technology is moving forward, and it has privacy advocates red in the face.
The National Telecommunications and Information Administration, an agency within the U.S. Commerce Department, held a meeting in Washington Tuesday to consider a set of “best practices” for collecting and storing facial data and to discuss how face-recognition technology might apply to the Obama administration’s so-called Consumer Privacy Bill of Rights publicized in 2012. The meeting is part of an ongoing process being billed as a “multistakeholder” effort to develop an enforceable code of conduct for emerging biometric technologies, but privacy groups say their warnings about potential privacy abuses are not being heard. Instead, they say the process has been hijacked by technology industry interests intent on harnessing sensitive private data for monetary gain.
“Lobbyists craft purposefully vague proposals without any real safeguards for biometric data,” Jeff Chester, executive director of the Center for Digital Democracy, wrote in a blog post Tuesday. “Americans face new privacy threats from the use of their facial and other biometric information, as personal details of our physical selves are captured, analyzed and used for commercial purposes.”
Last year, a number of privacy and civil-rights groups withdrew from the discussions because of what they described as an obstinate refusal by tech trade associations to concede even the most basic protections. A particular point of contention was the industry’s resistance to a rule that would require companies to obtain written consent before collecting and storing facial data, or “faceprints,” as they’re sometimes called.
Alvaro M. Bedoya, executive director of the Center on Privacy & Technology at the Georgetown University Law Center, said the proposals currently on the table give consumers “zero choice” about whether companies enroll them in face-recognition databases. He said the collection and storage of faceprints raises security and privacy concerns that other forms of data collection don’t.
“You cannot delete your face,” Bedoya said in a statement Tuesday. “And once companies have enrolled you in a facial-recognition system, there are few limits to what they can do with that information. Consumers must be given a choice as to whether or not this powerful technology will be used on them. Any set of privacy guidelines that doesn’t do that is an Orwellian farce.”
Currently, only two states — Illinois and Texas — regulate the use of biometric data. Illinois, which has had a law on the books since 2008, has been the focus of several lawsuits against major tech companies, such as Facebook and Google, which routinely collect and store faceprints scanned from online photos.
Bedoya said whatever agreements come out of Tuesday’s meeting are bound to be toothless given the lack of input from privacy or civil-rights groups. “As a result, this is no longer a multistakeholder process,” he said. “It is an industry stakeholder process. These draft guidelines are a direct consequence of that decision.”