With Facial Recognition Talks, NTIA Seen Starting First of Several Concurrent Privacy Discussions

Several privacy advocates told us they remain suspect of NTIA’s effectiveness in implementing the White House’s long-promised Consumer Privacy Bill of Rights (http://1.usa.gov/1hwy3KA) in a timely or useful fashion. But the long-rumored disclosure of those talks Tuesday brought praise from Capitol Hill and industry stakeholders.

The first round of discussions, which lasted just over a year, dragged on too long and the final code of conduct is ineffective, privacy advocates told us. The chosen topics “don’t get to the core of the privacy problem in the U.S.,” said Center for Digital Democracy Executive Director Jeff Chester. The White House should instead be offering suggested language for a broad consumer privacy bill to Congress, he said. The administration told privacy advocates in March to expect a draft soon, and last month observers said they heard language for a proposal was being considered by the Office of Management and Budget over a month ago, but there has been no indication a proposal is forthcoming since (CD Dec 2 p1). “All we have so far is an online data collection friendly self-regulatory initiative run by the Department of Commerce,” Chester said. “It’s time the administration lived up to its promise to protect online users."

Sen. Al Franken, D-Minn., wrote NTIA in November, asking it to take up facial recognition in its next round of talks (CD Nov 25 p10). “While facial recognition can be useful, these programs don’t do enough to protect privacy -- and they are just the beginning of what is a growing technology,” he said Tuesday. Franken chairs the Senate Judiciary Subcommittee on Privacy, Technology and the Law, and held a hearing in 2012 on facial recognition technology. Sen. Ed Markey, D-Mass., who has pushed a variety of privacy bills during his time in Congress, also commended the NTIA. “Clear policies that support consumer privacy are key as facial recognition technology is developed and deployed,” he said. Software and Information Industry Association President Ken Wasch, who participated in NTIA’s first code of conduct talks, said the agency “was wise to again focus on a definable area where stakeholders have already begun to collaborate on best practices.” The process of creating “voluntary, enforceable codes of conduct” gives “more flexibility for rapidly evolving technology than legislation or regulation can achieve,” he said.

The FTC has previously looked into facial recognition technology. In December 2011, the commission had a public workshop to discuss the privacy implications of technologies similar to those Facebook was beginning to employ, like its photo tagging suggestion feature (http://1.usa.gov/19gKlyi). The agency followed the workshop with a best practices guideline, released in October 2012 (http://1.usa.gov/IH61gu).

Facial recognition “is increasingly central to our online lives” and has “vast implications for the future of digital security,” said NTIA Administrator Larry Strickling in a Tuesday speech on data protection at the American European Community Association Conference in Brussels (http://1.usa.gov/1dPxLOm). Users can also expect to see “new, innovative disclosures in the coming months” from companies based on the mobile app transparency code of conduct,” he said. “Early test results have been positive.” Sparapani said he was “at the very center of drafting” the NTIA mobile app transparency code of conduct -- “it absorbed an exorbitant amount of my time.” The code was an “almost singular success in a year in Washington when pretty much nothing else was agreed to,” he said.

A slow process for the earlier privacy talks was unavoidable, Future of Privacy Forum Executive Director Jules Polonetsky told us last week. It was “novel” for the Commerce Department to be involved in the process and it required a learning curve. “We all spent many, many months going around in circles before the hard work started,” he said. “But to some degree, that needs to happen.” Lessons learned will expedite any future talks, he said, pointing to the NTIA’s outreach and events following the first round to “figure out how they would tweak things going forward.” The coming round of talks will have new rules and structure to “speed things” up and “block some of the dilatory tactics some people would like to put in place,” Sparapani said.

NTIA considered other topics and will likely start addressing some soon, Sparapani said. He declined to say which other topics are being considered, or when the NTIA might take them up. The App Alliance “had some input” in selecting facial recognition, but the group received “a variety” of suggestions from its diverse 30,000-plus membership, which ranges from small app entrepreneurs to roughly 150 corporate members, said Sparapani.

The largest sticking point in the discussions could be the difference between larger “incumbent players who use biometrics” and “may be wedded to a particular solution or system,” and smaller “disruptors” who can bring “brand new innovations to the marketplace,” Sparapani said. “People who have already done the hard work of engineering a system, putting the user interface together and building out to customers ... rightfully feel they have a right to say where the marketplace is and whether there would be rules around it.” Not all new innovations are “aligned well with the incumbents,” he said. “We intend to be a moderating voice.”

That means moderating with doubtful privacy and consumer advocates, whom Sparapani told, “If we're going to do this, we want to do this with you.” Strickling also spoke to European stakeholders, who have become increasingly skeptical of U.S. data security policy, during his speech in Brussels. “We welcome European participation in this process,” he said. Bringing all those voices to consensus was hard enough once, Sparapani said. “Pulling that trick off twice is going to take some extra work.”