FTC Addresses Facial Recognition Privacy

Facial recognition applications now link faces with other databases, allowing companies to identify anonymous individuals and obtain their personal information without the consumer ever knowing, thus raising privacy concerns.

In an effort to give companies guidance and protect consumer privacy, the Federal Trade Commission (FTC) released a pamphlet with Best Practices for Common Uses of Facial Recognition Technologies.  The FTC urges facial recognition developers to incorporate “privacy by design” into the technology at every stage of development.

The FTC observes that facial recognition “is quickly moving out of the realm of science fiction and into the commercial marketplace.”

“In the most advanced application, companies can use the technology to compare individuals’ facial characteristics across different images in order to identify them,” the report said.  “In this application, an image of an individual is matched with another image of the same individual.  If the face in either of the two images is identified—that is, the name of the individual is known—then, in addition to being able to demonstrate a match between two faces, the technology can be used to identify previously anonymous faces.  This is the use of facial recognition that potentially raises the most serious privacy concerns because it can identify anonymous individuals in images.”

The FTC uses three examples to demonstrate the issues with facial recognition technology.  They are:

Facial Detection.  An eyeglass company allows consumers to upload their images on the company’s website and then uses the facial detection to detect the face and eyes and superimpose glasses.  The company then stores the image.  The FTC notes that, under this scenario, the eyeglass company should take measures to protect the security of the images to prevent unauthorized access.  In addition, the company should dispose of the images once they no longer are necessary and should also delete the images if the consumer deletes her account.  The company also should notify the consumer if it uses the images for a different purpose.

Digital Signs.  Digital signs in stores, bars, and other locations include hidden cameras that have the ability to access the age range and gender of the consumer standing in front of them.  Using this information, the sign then displays an advertisement targeted to those demographic characteristics.  The FTC’s best practices would have the company secure the sign so that it could not be hacked.  The signs also should be placed in non-sensitive areas and not where children congregate.  The company should not store the information.  In addition, the FTC urges that consumers be given notice that the technology is being used before the consumer comes into the range of the sign.  Finally, if the company identifies the consumer by running the image against a database of images identified by name, the company should first obtain the consumer’s affirmative consent.

Online Social Networks.  The social network uses the technology to identify individuals in images that the user uploads to find “friends” on the social network.  The FTC recommends that this information be encrypted and that users not be able to identify persons who are not their “friends” on the network.  The FTC also recommends that the social network not collect and store biometric data of non-users of its service.  The FTC further urges social networks to give clear notice—outside their privacy policy—about how facial recognition is used on the network and what data it collects and provide users with “an easy to find, meaningful choice not to have their biometric data collected and used for facial recognition,” as well as “the ability to turn off the feature at any time and delete any biometric data previous collected from their tagged photos.”

The FTC states that if companies abide by the best practices for facial recognition, they will “promote consumer trust and ensure the continued growth” of the industry.