Facial Recognition: Identifying Friends and Foes
There’s been a lot of buzz lately around facial recognition and what exactly that means to consumers. When the average consumer thinks of facial recognition technology, a Jason Bourne-esque scenario probably comes to mind, with high-tech devices constantly scanning crowds, identifying individuals, accessing vast databases, and using that recognition information to some nefarious end. Present use of facial recognition technology is far more benign and useful to consumers than some would have you think. The emergence of new photo sharing and storage apps like Google Photos and Facebook’s Moments demonstrates that current facial recognition tools are better suited to helping users categorize and share their photos, rather than populating an ominous law enforcement or commercial database. As such innocuous uses of facial recognition become more and more common, consumers’ comfort with and understanding of the technology will grow correspondingly. The next step is ensuring that privacy-focused regulators and legislators are able to develop frameworks that enable this growth and adapt as consumer expectations and facial recognition technology change.
The Google Photos app was recently released as a tool to streamline the photo backup and sharing process. It boasts free and unlimited photo storage and aims not only to keep similar events grouped together, but also to scan, identify, and easily share different photo subjects with others. Part of the identification process involves scanning and recognizing people, places, and things. However, the app doesn’t see faces in the same way humans do. Humans see faces and recognize specific people, whereas a computer scans an image and recognizes colors, patterns, and shapes. This process is called facial detection. Facial recognition is one step above facial detection in that it compares “known faces” or patterns to newly uploaded faces to see if there is a probable match.
Facebook’s Moments utilizes similar technology. Moments is a recent app that was launched to help organize and share photos with frequently photographed friends. When photos are uploaded to the app, Facebook’s technology scans for a face in the photo. If there is a face, then the app compares features and patterns of your profile picture and other tagged pictures to the newly uploaded photo. Like Google Photos, Moments looks for unique characteristics and patterns, such as the shape of your face or distance between facial features, to recognize and connect profiles. In essence, both apps use algorithms to create a system of recognizable models or templates for comparison, rather than referring to an on-file photograph. This pattern of connecting and “recognizing” faces creates tag suggestions of the subjects of the uploaded photo—but only if the photo uploader and picture subjects are friends.
Both apps are a win for consumers. The idea is that quick recognition helps streamline the social sharing process for group events. Whereas people once might have followed a social event like a wedding or reunion with an endless email chain of shared pictures (or exchanged CDs or flash drives), users can instead allow Google Photos or Moments to group and categorize photos into events based on the subjects of the photos and additional metadata. Given that social networking sites and mobile devices are already the chief digital photo curation tools used by consumers, extending their existing functions via facial recognition-based apps seems like the sort of harmless, pro-consumer innovation that ought to be encouraged.
However, regulators on the other side of the Atlantic have been less than welcoming of apps using facial recognition tools. Currently, Facebook’s Moments has not launched in Europe due to privacy concerns. EU regulators have cited the lack of an “opt-in” consent mechanism for the use of facial recognition technology, though Facebook offers an opt-out setting for tag suggestions. Google Photos is also under similar scrutiny, and is currently limited to a U.S.-only user base despite an opt-in mechanism.
It’s not just EU regulators who are struggling to develop a framework for commercial use of facial recognition technologies. State lawmakers have produced privacy legislation, and the Federal Trade Commission produced a staff report following a public workshop in late 2012. For two years, the National Telecommunications & Information Administration has convened a multistakeholder process to develop a code of conduct or best practices for commercial use of facial recognition technology. The process has been fraught, to say the least, and the majority of participating privacy advocacy groups have disengaged. It is simply not that easy to balance consumers’ current and future expectations of privacy with respect to a still-developing technology that can be used in both innovative, innocuous tools and also serve as a physical or logical security measure.
A key difficulty facing public and private rule-makers is the interest in managing highly variegated commercial uses of facial recognition within one framework. The technology can be implemented to benign ends, like the extension of existing social networking functions found in Google Photos and Facebook’s Moments, but is also used to flag shoplifters in retail settings and control access to secure physical and digital spaces. Naturally, reasonable consumers have less concern about the use of facial recognition technology to improve their social networking experiences, but have greater expectations for control, transparency, and security where a system can deny them access to a service, privilege, or location.
The differing expectations of consumers and sensitivities of the range of uses of facial recognition technology should inform the best practices and/or regulatory frameworks that develop going forward. It doesn’t make sense to hinder the beneficial innovation growing out of manual functions in existing apps and websites that consumers regularly use. The FTC acknowledged this in its staff report, when it endorsed the idea that “tag suggestions” based on existing photos and relationships between social network users should not necessarily require opt-in consent as compared to more sensitive uses.
The only way to foster innovation in the use of facial recognition technology while addressing privacy concerns in commercial applications is to develop a flexible framework that accounts for ever-evolving consumer expectations. At this point, consumers have only had a small taste of the potential of facial recognition, and have enthusiastically taken to it where it supports their prior use of social media. Codes of conduct should recognize consumers’ existing and growing comfort level with certain commercial uses and appropriately scale control, transparency, and security requirements to the actual risk of harm. Responsive, rather than prescriptive, frameworks are the most likely to see widespread adoption and thereby successfully increase the baseline level of protection for all who have a stake in the safe adoption of facial recognition technologies.
Chelsea Reckell is a Law Clerk at CCIA and a 2L at American University Washington College of Law. Follow @creckell