Applying RSVP to Use of Facial Recognition Technology?

Acxiom, July 31, 2014

The National Telecommunications and Information Administration (NTIA) has an active multi-stakeholder project underway to consider the risks and issues related to the use of facial recognition technology. The technology is getting quite good and is being adopted in the retail space both for security purposes and for marketing.

Thus far, the NTIA project has identified a number of issues it hopes to address in developing a voluntary code of conduct for using facial recognition technologies. From the full list of 19 issues, it has identified 6 as the most important to start with.

  1. What obligations should the code impose when a facial recognition system distinguishes the presence of a human face, without creating a digital representation of the distinct characteristics? 
  2. Is notice and consent possible?
  3. If so, what kind of transparency should be required?
  4. Should consent be required? If so, how?
    1. Should the code address whether and how an individual may have a right to understand how facial recognition data is collected and used and determine its accuracy?
    2. Should the code address withdrawal or deletion of a facial template?
    3. How should an organization provide individuals with the ability to request withdrawal/deletion?
    4. Under what circumstances should the individual be allowed to request withdrawal/deletion?
      1. How should the code address storage of facial recognition data?
      2. Should it address retention periods?
      3. Should retention depend on reasonable expectations of the subject?
        1. Commercial facial recognition data could be subject to security breaches that result in sensitive biometrics being revealed to unauthorized entities and biometric identity theft.
        2. What entities and what data should be subject to security obligations?
        3. Should the code address reasonable measures to secure the data at rest and in transit?
        4. Under what conditions should the code require encryption?
        5. Should the code impose breach notification obligations not addressed by current state breach notice laws?
        6. Should the code establish a “material risk of harm” threshold for notice?
          1. What should the code say about government (e.g. law enforcement) access to facial recognition data obtained by the commercial sector?

While these questions are not surprising or particularly new to privacy professionals, they do point to the need for industry to thoughtfully consider the risks associated with various uses of facial recognition technology and develop guidance for the commercial sector.  I applaud NTIA for undertaking this project.

I share information about this initiative because this is the kind of analysis that needs to happen more often when technology is new. We should never forget the challenges or the need to establish guidance for emerging technology.

In 1980 David Collingridge wrote in The Social Control of Technology that “Regulators having to regulate emerging technologies face a double-blind problem: the effects of technology can’t be predicted until the technology is extensively deployed.  Yet once deployed they become entrenched and are difficult to change.”

A few years later, in 1986, in his book Technology and History: Kranzberg’s Laws, Melvin Kranzberg states in his first law, still very relevant today to facial recognition and other emerging technologies, that “Technology is neither good or bad, nor is it neutral.”

I will comment on the final recommendations from the facial recognition project when the NTIA multi-stakeholder process concludes sometime later this year.

Other key issues to watch include:

  • Public comments due August 8th on the Department of Commerce’s Consumer Privacy Bill of Rights.