Facial Recognition Code of Conduct Process Faces Enforcement Challenges, Say Privacy Experts
NTIA’s process to develop a code of conduct for commercial uses of facial recognition privacy protections lacks teeth and stakeholder discretion, said privacy and facial recognition industry officials in interviews last week. Although codes of conduct are helpful for guiding new technology, they can deter innovation, said Kevin Haskins, Cognitec Systems government sales manager. Such codes give the illusion of enforcement but don’t carry the weight of law, said Susan Grant, Consumer Federation of America (CFA) consumer protection director. NTIA has to create a forum that’s “forward thinking” on a “really heated” issue, said Michelle De Mooy, Center for Democracy & Technology Consumer Privacy Project deputy director. “That’s not easy,” particularly with slim hopes for privacy legislation on Capitol Hill, she said.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
The White House directed the Commerce Department to convene privacy stakeholders after releasing its Consumer Privacy Bill of Rights in February 2012. The facial recognition process is an “alternative” to legislation, which would be “harder to achieve,” said Grant. She said she worries whether the process will produce anything “workable,” suggesting the administration put forth privacy legislation even if it takes time to pass.
The first process on privacy disclosures on mobile devices "resulted in enhanced privacy notices for apps used by more than 200 million users, with more implementations on the way," said an NTIA spokeswoman. "The current process is a forum for stakeholders to draft a voluntary, enforceable code of conduct that addresses privacy challenges posed by commercial use of facial recognition technology."
NTIA’s process for facial recognition is “deeply flawed,” said Grant. NTIA is trying to achieve privacy protections for facial recognition while avoiding a “formal or negotiated rule making process,” she said. That kind of “facilitator” role was “part of the problem” with NTIA’s mobile app transparency process in 2012, said Grant. By “staying at arm’s length,” it’s difficult for NTIA to facilitate the process “adequately,” she said. The “scope” of NTIA’s facial recognition process is “unclear as to who it would apply to and whether those entities” are involved in the process, she said. Unlike a trade association that enforces a code of conduct for its members, NTIA has “no way of knowing” who’s going to agree to the code unless a company openly commits to it, said Grant.
NTIA’s multistakeholder process has matured since 2012, said De Mooy. Work on the facial recognition code of conduct is still in progress, she said, saying she was “encouraged” by the work thus far. The process has emphasized security and “strong encryption” measures for facial recognition, said De Mooy. But some of the largest consumers of facial recognition aren’t “active in the conversation,” even though they attend the NTIA-coordinated stakeholder meetings, she said. The “authenticity” of the code of conduct depends on “participation,” she said. De Mooy said there doesn’t appear to be much “incentive” for companies to agree to the code of conduct. NTIA's most recent facial identification stakeholder meeting was Nov. 6, and the next one is Dec. 15.
Once companies adopt the code of conduct, it's "enforceable" by the FTC, "which has an established track record of holding companies to their commitments," said the NTIA spokeswoman. "NTIA facilitates the process, stakeholders draft the code and implement the results, and the FTC and state Attorneys General have enforcement authority," she emailed. "The stakeholder group will decide who is best situated to address particular privacy concerns under a code of conduct."
NTIA’s process is “more or less a lynching mob,” said Cognitec’s Haskins. Cognitec is a member of the International Biometrics & Identification Association, which is involved in NTIA’s facial recognition process. NTIA is “allowing anyone” to participate in the process without being “vetted,” said Haskins. It’s good to develop “best practices,” but the “process is flawed,” he said. Facial recognition technology gives consumers a chance to locate forgotten family members, he said. “Anytime you want to limit or curb its uses, it gets in the way of companies that want to develop technology." Cognitec makes facial recognition software and shouldn’t be responsible for policing end-users, he said. If NTIA wants to develop a good code of conduct, it needs to ask those users, said Haskins.
"The NTIA process is open, transparent, and consensus-based," said the NTIA spokeswoman. "All stakeholders are welcome to participate," she said. "We are pleased that leading companies, trade associations, consumer advocates, technical experts, and others are contributing to the process."
NTIA’s staff is “quite sincere” in its hope that it will produce something “useful,” said Grant. But that’s not true of Commerce, she said. The facial recognition privacy process is “essentially a political ploy” to convince European nations that the U.S. has privacy protections, said Grant. “We don’t.” EU countries don’t consider U.S. privacy protections “adequate,” which is a “barrier” to U.S. companies that use EU consumer data, she said. A company subscribed to the code of conduct could be held “accountable” by the FTC, but there’s no “sign-up process or enforcement on a systematic basis,” she said. “It’s really not the same as a law.”
NTIA's Nov. 6 facial recognition conference emphasized security standards, said NetChoice Policy Counsel Carl Szabo. There was “consensus” that the code of conduct can’t be so “prescriptive that it become obsolete,” he said. The code needs to be “living and breathing,” said Szabo. NTIA’s process is trying to find a way for facial recognition to “comply with commercially reasonable security procedures,” he said. Facial recognition stakeholder will likely begin putting “pen to paper” on the significant issues, which won’t be limited to stakeholders in Washington, said Szabo.