If you use a social networking website like Facebook, then this applies to you. In October, the U.S. Federal Trade Commission (FTC) released a report that included best practices for companies that use facial recognition software with consumer information. Besides the best practices, the report, "Face Facts: Best Practices For Common Uses Of Facial Recognition Technologies" also includes reviews of the facial recognition technologies and sample application.
If you are a Facebook.com member, then you may be aware of how that social networking service uses facial recognition software. Facebook uses the software to help its users identify their friends in photographs, and to encourage its members to "tag" or verify their friends in those photographs.
While traveling recently, I experienced another way Facebook uses facial recognition software. While signing in from a different location in another state, the Facebook.com software challenged my sign-in. I could sign in using a code (since I had both Log-in Approvals and Log-in Notifications enabled), or identify my friends in several photographs. I chose the latter to see how the software works.
The FTC developed its report from a December 8, 2011 workshop and from comments submitted by the public and stakeholders about both the technologies and privacy concerns. The report described several ways the facial recognition software can be used:
"... Facial recognition technologies currently operate across a spectrum ranging from facial detection, which simply means detecting a face in an image, to individual identification, in which an image of an individual is matched with another image of the same individual... In between these two divergent uses are a range of possibilities that include determining the demographic characteristics of a face, such as age range and gender, and recognizing emotions from facial expressions... One company – called SceneTap – has also leveraged the ability to capture age range and gender to determine the demographics of the clientele of bars and nightclubs"
Given this, companies can (and do) use the software to compile from photographs personal data about individuals such gender, age, emotions, location, economic status and connections with other persons. Consider that group photo at a friend's wedding at a private golf course which you posted online, or a group photo at a college reunion. Consider video games like Xbox 360 Kinect that can "see" you. The gaming software can easily be modified to also capture and anlyze your face. Or, consider digital signs or kiosks that are located everywhere from malls to stores to schools to sports arenas:
"... technologies that can determine the gender and age range of the person standing in front of a camera can be placed into digital signs or kiosks, allowing advertisers to deliver an advertisement in real-time based on the demographic of the viewer... Unless these signs are labeled, they often look no different to consumers than digital signs that are not equipped with cameras. Panelists representing companies that currently use facial recognition technologies similarly acknowledged that there are privacy concerns surrounding the use of these technologies..."
It was good to read that a couple industry groups have developed guidelines for the use of digital signs (links added):
"... Point of Purchase Advertising International’s Digital Signage Group (“POPAI”) has developed a code of conduct containing recommendations for marketers to follow in order to maintain ethical data collection practices in retail settings. Similarly, the Digital Signage Federation worked with the Center for Democracy and Technology to craft a voluntary set of privacy guidelines for their members, which include advertisers and digital sign operators..."
I have not reviewed (yet) the documents from these two groups. I hope that it covers both usage and data security to prevent hacked digital signs used by identity criminals. The best practices recommended by the FTC:
"1. Privacy by Design: Companies should build in privacy at every stage of product development.
2. Simplified Consumer Choice: For practices that are not consistent with the context of a transaction or a consumer’s relationship with a business, companies should provide consumers with choices at a relevant time and context.
3. Transparency: Companies should make information collection and use practices transparent."
This list is a good start. However, there are many questions related about the appropriate use of facial recognition technology. Connecticut Senator Richard Blumenthal asked some good questions (bold emphasis added):
"Will a social networking site that uses facial recognition technology to tag friends in photos allow third-party apps to access this face data or create its own data sets from your pictures? Will a store that uses
facial recognition technology to identify shoppers check that information against other consumer data to predict customers’ income levels and direct them toward or away from certain products?"
And, should facial recognition be used on children and minors? Should digital signs scan and archive children's facial data? If so, beginning at what age: 13, 14, 18, or all starting at birth? What about facial injuries and medical conditions?
The above recommended best practices lists the items consumers should look for in the privacy policy and/or terms of conditions policy for a website or mobile app. I wish that it had said more about mobile apps, and had attempted to resolve situations where there are several, competing privacy policies (e.g., smart phone users have privacy policies by the mobile device manufacturer, the developer of the operating system for that device, the telecommunications provider, the app developer, and the app store operator). I found the following section of the FTC report particularly important, since it helps consumers evaluate companies that adequately protect your sensitive personal data and privacy:
"... there are at least two scenarios in which companies should obtain consumers’ affirmative express consent before collecting or using biometric data from facial images. First, they should obtain a consumer’s affirmative express consent before using a consumer’s image or any biometric data derived from that image in a materially different manner than they represented when they collected the data. Second, companies should not use facial recognition to identify anonymous images of a consumer to someone who could not otherwise identify him or her, without obtaining the consumer’s affirmative express consent... increased consumer education about the use of facial recognition technologies is of paramount importance and that all stakeholders – including industry, trade associations, consumer and privacy groups, and government entities – should engage in consumer education efforts..."
For privacy reasons, some of my Facebook friends have told me it's okay to post photos about them, but do not
tag them in photos. I have my Facebook privacy controls set to review
all tags of me in photographs by my friends, which I can either approve
or reject.
Download the FTC "Face Facts" report (Adobe PDF). Learn more about the POPAI Digital Signage Group.