Industry Agrees to new Facial ID Privacy Practices; Consumer Advocates Vilify Them
Industry stakeholders agreed to new privacy best practices for the commercial use of facial recognition technology at an NTIA-hosted meeting Wednesday. Also as expected, (see 1606140014), it came without the blessing -- or presence -- of several prominent civil liberties and consumer organizations. They said the recommendations offered "scant guidance for businesses and no real protection for individuals."
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
Privacy advocates walked out of the NTIA multistakeholder process a year ago over several differences, including whether to give consumers consent to allow their images to be collected and used with the technology. They said the new set of best practices "make a mockery of the Fair Information Practice Principles on which they claim to be grounded," in the joint statement from Alvaro Bedoya, executive director of Georgetown Law's Center on Privacy & Technology, and from the Center for Digital Democracy, Common Sense Kids Action, Consumer Action, Consumer Federation of America, Consumer Watchdog, Privacy Rights Clearinghouse and U.S. PIRG.
But industry participants, who remained in the process that began in early 2014, said it's important to give businesses, consumers and developers the agreed-upon privacy guidelines, which are three pages long, since none existed before. "This is a really good starting place for everyone to think about how to best implement facial recognition privacy," said NetChoice Senior Policy Counsel Carl Szabo, who emerged as one of the main leaders in developing the new practices, in an interview. "We are now in a better place today ... than we were yesterday and I don't think anybody can dispute that."
Tovah LaDier, managing director with the International Biometrics Identity Association, said during the meeting that the document is a "terrific first step" especially in a "volatile and changing environment." She also said it isn't a "forever document," meaning it can be revisited and changed. That's something Szabo has said, saying the document establishes rules of the road where stop lights and speed bumps can be added later.
The finalized document, which NTIA is expected to post online by Thursday, is aimed at providing better guidelines for transparency, which encourages entities to alert consumers that facial recognition technology is present; good data management practices; use limitations; security safeguards; data quality; and redress. Alex Reynolds, CTA regulatory affairs director, said his association will incorporate the new best practices into its member education and ensure that members are aware of all the tools to improve privacy, security and data management.
But the facial recognition best practices also should be viewed in the context of other similar efforts, said Reynolds. "What companies are looking at now is a landscape where they know the FTC is watching and they know that their peers in industry and also consumer advocates are watching what they're doing on privacy," said Reynolds in an interview. He cited efforts around drones and mobile apps and other initiatives. Szabo said it's now incumbent on industry, businesses, media and consumer groups to push the document out as widely as possible so everyone can begin thinking about the issue.
Unlike the collaboration between some privacy and industry groups that produced privacy guidelines for the commercial and private use of drones in another NTIA process (see 1605180044 and 1605200048), the two sides split in the facial recognition process. "Through this process, stakeholders advanced the conversation on how to balance innovation and privacy when it comes to the use of this technology," emailed an NTIA spokesman. "However, multistakeholder processes are strongest when all interested parties participate and are willing to engage on all issues. We appreciate those stakeholders who remained engaged in the process until its conclusion. We look forward to continuing the conversation with stakeholders on how to make further progress on this important issue.”
In the statement issued by the consumer and privacy groups Wednesday, they said entities following the recommendations "are merely 'encouraged' to 'consider' issues such as voluntary or involuntary enrollment, whether the facial template data could be used to determine a person’s eligibility for things such as employment, healthcare, credit, housing or employment, the risks and harms that the process may impose on enrollees, and consumers’ reasonable expectations. No suggestions are provided, however, for how to evaluate and deal with those issues."
The groups also said there's much lacking in these practices, but it does "make the case for why we need to enact laws and regulations to protect our privacy." They said the documents fail to address the collection and use of "one of the most intimate types of individuals’ personal data -- their facial images -- it falls so short that it cannot be taken seriously and it demonstrates the ineffectiveness of the NTIA multistakeholder process." In a separate statement, Center for Democracy & Technology Deputy Director of Privacy and Data Michelle De Mooy said businesses at a minimum "should notify consumers and seek permission when facial technology is used, especially if it’s being deployed to track them in public or inform decisions on issues such as employment, health care, credit, or housing. The best practices don’t even do that. Industry can and must do better.”
Szabo, who had said he wanted to reach out to the privacy groups about the document, reacted to their statement in an email to us. "It is unfortunate that these individuals chose to abandon the multi-stakeholder work in developing these best practices," he said. "The statement here seems like these individuals want all of us all to get the consent of our friends and family before using facial recognition in our own private photo albums and that seems to run counter to what consumers actually want."
Craig Spiezle, executive director and president of the Online Trust Alliance, who attended Thursday's NTIA-hosted meeting, said his group walked out last year along with the privacy groups. He characterized OTA as lying in the middle between privacy and industry, but said the facial recognition best practices are the "floor" or the minimal amount that companies should consider when using the facial recognition technology. Still, he said there are valid concerns such as the collection and use of images of children and tracking. "I do think we're looking for leadership for companies to springboard off of this and make privacy and security part of their value proposition," he told us.