When you are identified in a picture on Facebook, biometric software remembers your face so it can be “tagged” in other photographs.
Facebook says this enhances the user experience. But privacy advocates say the technology – which regulators in Europe and Canada in particular are concerned about – should be used only with explicit permission.
As commercial use of facial recognition technology grows to replace password log-ins, find people in photos and some day even customise displays for shoppers as they browse in stores, it has raised new privacy questions. That is one reason the US government is participating in a working group to develop rules for companies using facial recognition – even if they are voluntary.
“Face recognition data can be collected without a person’s knowledge,” said Jennifer Lynch, an attorney for the Electronic Frontier Foundation, a San Francisco-based privacy rights group.
“It’s very rare for a fingerprint to be collected without your knowledge.”
Privacy groups such as Ms Lynch’s cited the business community’s opposition to requiring prior consent as the reason they walked out of the meetings in June. The talks restarted this week.
Facebook defends its use of facial recognition technology, a form of biometrics. It works by assigning numbers to physical characteristics such as the distance between the eyes, nose and ears to come up with a unique faceprint that can be used to identify someone once they have been identified through tagging.
The technology powers a photograph feature called “tag suggestions” which is automatically turned on when users sign up for a US Facebook account. The suggestions are made only to a user’s friends.
“Tag suggestions make it easy for friends to tag each other in photos,” Facebook said in an emailed statement. “And when someone is alerted they’ve been tagged in a photo, it’s easier to take action, whether it’s commenting, contacting the person who shared it, or reporting it to Facebook.”
Users could opt out at any time, Facebook said, by changing their settings.
“Facebook isn’t getting permission,” said Alvaro Bedoya, the executive director of Georgetown University’s Centre on Privacy & Technology, who also walked out of the US meetings. “Facial recognition is one of those categories of data where a very prominent and a very clear consent is necessary.”
The US government’s approach to regulating the use of face data by companies was inadequate, privacy activists said.
Professor Bedoya noted that other web companies sought consent. He mentioned Google, which gives users of its Google+ application the option to use face identification by turning on the “find my face” feature.
Companies such as Microsoft, which is building facial recognition into Windows 10, and MasterCard, with its plan for “selfie verification” for online payments, require the download of an app or the purchase of hardware. Those acts can verify consent, privacy advocates say.
“It’s a complicated question,” said Carl Szabo, policy counsel for NetChoice, a trade association of major web companies including Facebook, Google and Yahoo. “My concern is that if we go down this road, we’re not going to give this technology the opportunity to flourish and provide some of the really cool innovations that I can’t even think of today.”
Mr Szabo said he was in favour of a code of conduct that would require companies using facial recognition to be transparent about their use of the technology with a notice or sign. That would allow consumers to “vote with their feet” if they felt uncomfortable, he said.
Facebook first started using facial recognition by licencing technology from another company, Face.com, which it acquired in 2012. Last month, Facebook introduced a new standalone app, called Moments, using the same technology as in tag suggestions, which groups photos on a user’s smartphone based on the faces identified. Photographs can be shared with specific friends without uploading them to Facebook.
The company’s current policy on facial recognition has made it the subject of a pending lawsuit in Illinois, which, along with Texas, has some of the nation’s strictest biometric privacy laws.
The lawsuit argues that Facebook did not notify users when updating its terms of service to disclose that it was collecting facial data on users tagged in photos.
Shutterfly, the photo publishing site, is the subject of another pending lawsuit in Illinois which takes issue with its photo tagging feature.
Daniel Castro, vice-president of the Information Technology and Innovation Foundation, a non-partisan think-tank, said the fear that facial data could be used to track people may be overblown. He said it revealed “less information about your habits than most customers would reveal by carrying around a mobile phone that also tracks and shares location data”.
The EU policy: Opt-in for users
Facebook launched its photo sharing app Moments last month, but made the service unavailable in Europe after Brussels regulators told the social media site it would have to offer an opt-in choice for users.
“We don’t have an opt-in mechanism so it is turned off until we develop one,” its head of policy in Europe, Richard Allan, told the Wall Street Journal.
On Google Photos, launched in the US in May, facial tagging is likewise limited to the US, even though it does work on an opt-in basis.
Facebook has also turned off its “tag suggestions” feature in Europe after the European Commission forced it to delete data following an inquiry by Irish authorities in 2012. Tag suggestions have also been turned off in Canada.