Why you should be worried about facial-recognition technology

Germany has issued an ultimatum to Facebook over privacy violations. Law enforcement is interested in this sort of technology, as well. It's time for you to pay attention to what they're doing.

Violet Blue
5 min read
It could be time for you to start worrying about what Facebook might be doing with the identity information collected on you and "tagged" photos.

The Hamburg Commissioner for Data Protection and Freedom of Information in Germany has announced legal action against the company and charged that Facebook's use of facial-recognition technology is illegal.


In addition, the Federation of German Consumer Organizations is ordering Facebook to stop giving third-party applications users' data without their consent. 

If the social network doesn't do this by Sept. 4, the FGCO will sue. Earlier this month, Norway also announced that it is looking into the legality of the social network's use of face-matching technology.

Unlike the United States, Germany has regulations that allow Internet users control over their data.

Regarding photo tags, a Facebook spokesperson told CNET: "We believe that the photo tag suggest feature on Facebook is fully compliant with EU data protection laws. During our continuous dialogue with our supervisory authority in Europe, the Office of the Irish Data Protection Commissioner we agreed to develop a best practice solution to notify people on Facebook about photo tag suggest."

Facebook: facial recognition profiles without user consent

A number of companies - like Facebook, Apple and Google - have facial recognition or detection as an automatic part of various services and apps.

With Apple and Google, users must opt-in, and they can opt-out. While its users can remove tags, Facebook's facial recognition feature is active by default.

But what happens with that information? It's not just that Facebook is using facial recognition (biometric data) to increase the worth of its data for sale, trade, or for whatever currency it's lining litterboxes with in Menlo Park.

In its December 2011 comments the Electronic Privacy Information Center told the Federal Trade Commission:

(...) the Commission should specifically prohibit the use of Facebook's biometric image database by any law enforcement agency in the world, absent a showing of adequate legal process, consistent with international human rights norms.

Facebook reportedly possessed an estimated 60 billion photos by late 2010, and approximately 2.5 billion photos are uploaded to Facebook each month.

The democratization of surveillance

EPIC's comments came after the FTC held a day-long forum called "Face Facts: A Forum on Facial Recognition Technology," focusing on the commercial applications of facial recognition technology and its potential privacy implications.

The "Face Facts" participants came from disparate sides of the discussion. They included FTC attorneys, the Face.com CEO, Facebook's senior privacy advisor and director, and reps from Google, the Privacy Rights Clearinghouse, the Center for Democracy and Technology and the ACLU.

Demos were done for participants by Intel AIM Suite (Audience Impression Metrics: a CMS-friendly and API-ready, public-use face detection software product) and Andrew Cummins, self-described strategy expert in tech/defense markets and the chief technology officer of controversial app-maker SceneTap.

There was also a representative from the National Institute of Standards and Technology. Interestingly, in 2010 NIST tested various facial recognition systems and found that the best algorithm correctly recognized 92 percent of unknown individuals from a database of 1.6 million criminal records. 

FTC Chairman Jon Leibowitz opened "Face Facts" saying this summit was timely because, "Facebook has launched new facial recognition technology" and that "These sorts of technologies have already taken hold in law enforcement and the military; in that area, they are as controversial as they are interesting."

I'm not sure if his use of a clip from the Tom Cruise film Minority Report in his opening remarks was meant to be ironic or not. Perhaps Mr. Leibowitz misses working for the MPAA (where he was chief lobbyist until being tapped for the FTC by George W. Bush in 2004). 

Leibowitz did say, "We must confront openly the real possibility that these technologies, if not now, then soon, may be able to put a name with the face, so to speak, and have an impact on our careers, credit, health, and families."

The Face Facts meeting raised an alarm for privacy organizations; Privacy Rights Clearinghouse director Beth Givens stated outright that there is insufficient public awareness about all aspects of facial recognition tech, and zero auditing mechanisms in place for any entity using the technologies.

Six months after the FTC meeting, Facebook acquired one of the biz-dev side participants, Face.com.

It's clear that after meetings and summits, even with good intentions for privacy protections, regulators like the FTC are merely only still on the outside looking in.

Ties between video profiling in private and government sectors more murky than ever

Back in July at a Senate Judiciary subcommittee hearing Senator Al Franken said, "Facebook may have created the world's largest privately held database of face prints without the explicit knowledge of its users."

Franken continued to link the holes in citizen protections and stressed implications with the then-new Federal Bureau of Investigation facial-recognition pilot program. 

Franken stated that any law-enforcement gains from the program could come at a high cost to civil liberties. "The FBI pilot could be abused to not only identify protesters at political events and rallies, but to target them for selective jailing and prosecution, stifling their First Amendment rights," he said.

Think about the implications of facial recognition profiles on social media sites along with current trends in cybersecurity legislation hysteria.

Remember CISPA? The surveillance bill would have given Homeland Security a backdoor pass to access your email, private information and social network data without a warrant or notice if it fit into a plan to stop "cybersecurity" threats. CISPA would have made it so that Facebook would be completely unrestricted (say, by your rights) to cooperate with Homeland Security to the fullest extent.

Just in the past few weeks, information has surfaced from a Wikileaks leak of private intelligence documents that the purpose of a surveillance product called TrapWire is to combine various intelligent surveillance technologies with tracking and location data, individual profile histories from various sources (datamining and social media), and image data analysis (such as facial recognition; TrapWire's video component) to monitor people under the guise of threat detection.

TrapWire is a commercial product sold to and implemented by private entities, the US Government "and its allies overseas."

Too little FTC, too late?

Facial recognition technologies are no longer held back from commercial sectors by high costs and poor accuracy and are quickly becoming directed at recording faces in public places and business establishments, rather than only online.

The FTC had impressed the point that the avenue of interest for "Face Facts" would solely address commercial uses and does not address the use of facial recognition technologies for security purposes or by law enforcement or government actors.

Right now there is nothing that requires any private entity to provide the individual with notice that facial recognition information is being collected, or the duration of the period in which the information will stored, or used.

There is nothing preventing private entities (businesses, app developers, data brokers or advertisers) from selling, trading, or otherwise profiting from an individual's biometric information - or from disclosing or disseminating the information without obtaining the individual's consent or pursuant to a valid warrant or subpoena.

It will be interesting to see how Facebook handles its newest privacy problem in Germany.

Update August 30 at 6:48 a.m. PT: Added Facebook response.