Facial recognition raises eyebrows
When Facebook rolled out facial recognition tools in the European Union this year, it promoted the technology as a way to help people safeguard their online identities.
“Face recognition technology allows us to help protect you from a stranger using your photo to impersonate you,” Facebook told users.
It was a risky move. Six years earlier, it had deactivated the technology in Europe after regulators there raised questions about its facial recognition consent system. Now the Menlo Park company was reintroducing the service as part of an update of its user permission process in Europe.
Yet Facebook is taking a huge reputational risk in aggressively pushing the technology at a time when its data-mining practices are under heightened scrutiny in the U.S. and Europe. Already, more than a dozen privacy and consumer groups, and at least a few officials, argue that the company’s use of facial recognition has violated people’s privacy by not obtaining appropriate consent.
The complaints add to the barrage of criticism over Facebook’s handling of users’ personal details. Several U.S. agencies are investigating its response to the harvesting of user data by Cambridge Analytica, a political consulting firm.
Facebook’s push also puts the company at the center of a broader and intensifying debate about how the powerful technology should be handled. The technology can be used to remotely identify people by name without their knowledge or consent. While proponents view it as a tool to catch criminals, civil liberties experts warn that it could enable mass surveillance.
Facial recognition works by scanning faces of unnamed people in photos or videos and then matching codes of their facial patterns to those in a database of named people. Facebook has told users, “You control face recognition.”
But critics said people cannot actually control the technology — because Facebook scans their faces in photos even when their facial recognition setting is turned off.
“Facebook tries to explain their practices in ways that make Facebook look like the good guy, that they are somehow protecting your privacy,” said Jennifer Lynch, a senior staff attorney with the Electronic Frontier Foundation, a digital rights group. “But it doesn’t get at the fact that they are scanning every photo.”
Facebook spokeswoman Rochelle Nadhiri said its system analyzes faces in users’ photos to check whether they match with those who have their facial recognition setting turned on. If the system cannot find a match, she said, it does not identify the face and deletes the data.
At the heart of the issue is Facebook’s approach to user consent.
In the European Union, the General Data Protection Regulation now requires companies to obtain explicit and “freely given” consent before collecting sensitive information like facial data. Some critics, including the former government official who originally proposed the law, contend that Facebook tried to improperly influence user consent by promoting facial recognition as an identity protection tool.
“Facebook is somehow threatening me that if I do not buy into face recognition, I will be in danger,” said Viviane Reding, the former justice commissioner of the European Commission, who is now a member of the European Parliament. “It goes completely against the European law because it tries to manipulate consent.”
In Ireland, where Facebook’s international headquarters are, a spokeswoman for the Data Protection Commission said regulators “have put a number of specific queries to Facebook in respect of this technology.” Regulators were assessing Facebook’s responses, she said.
In the U.S., Facebook is fighting a lawsuit brought by Illinois residents claiming its face recognition practices violated a state privacy law. Damages in the case, certified as a class action in April, could amount to billions of dollars. In May, an appeals court granted Facebook’s request to delay the trial and review the class certification order.
Nikki Sokol, associate general counsel at Facebook, said in a statement, “This lawsuit is without merit and we will defend ourselves vigorously.”
Separately, privacy and consumer groups lodged a complaint with the Federal Trade Commission in April saying Facebook added facial recognition services, like the feature to help identify impersonators, without obtaining consent from people before turning it on. The groups argued that Facebook violated a 2011 consent decree that prohibits it from deceptive privacy practices.
“Facebook routinely makes misrepresentations to induce consumers to adopt wider and more pervasive uses of facial recognition technology,” the complaint said.
Nadhiri said Facebook had designed its consent process to comply with the new European law and had previewed its approach with European regulators. As to the privacy groups’ complaint, she said the social network had notified users about expanded facial recognition services.
“We provide clear information to people about how we use face recognition technology,” Nadhiri wrote in an email. The company’s recently updated privacy section, she added, “shows people how the setting works in simple language.”
Facebook is hardly the only tech giant to embrace facial recognition technology. Over the last few years, Amazon, Apple, Facebook, Google and Microsoft have filed facial recognition patent applications.
In May, civil liberties groups criticized Amazon for marketing facial technology, called Rekognition, to police departments. The company has said the technology has also been used to find lost children at amusement parks and other purposes.
But Facebook may only be getting started with its facial recognition services. It has applied for various patents, many still under consideration, which show how it could use the technology to track users in the real world.
One patent application, published in November, describes a system that could detect consumers within stores and match those shoppers’ faces with their social networking profiles. Then it could analyze the characteristics of their friends, and other details, using the information to determine a “trust level” for each shopper. Consumers deemed “trustworthy” could be eligible for special treatment, like automatic access to merchandise in locked display cases, the document said.
Another Facebook patent filing described how cameras near checkout counters could capture shoppers’ faces, match them with their social networking profiles and then send purchase confirmation messages to their phones.
In their FTC complaint, privacy groups — led by the Electronic Privacy Information Center, a nonprofit research institution — said the patent filings showed how Facebook could make money from users’ faces. A previous EPIC complaint about Facebook helped precipitate a consent decree requiring the company to give users more control over their personal details.
“Facebook’s patent applications attest to the company’s primary commercial purposes in expanding its biometric data collection and the pervasive uses of facial recognition technology that it envisions for the near future,” the current complaint said.
Nadhiri said that Facebook often sought patents for technology it never put into effect and that patent filings were not an indication of the company’s plans.
But legal filings in the class-action suit hint at the technology’s importance to Facebook’s business.
The case was brought by Illinois consumers who said that Facebook collected and stored their facial data without their explicit, prior consent — in violation, they claim, of a state biometric privacy law.
If the suit were to move forward, Facebook’s lawyers argued in a recent court document, “the reputational and economic costs to Facebook will be irreparable.”