Facial Recognition Technology: Who Can Use Your Image Without Your Consent?
Facial recognition technology has rendered human faces into bar codes that can be scanned, logged and tracked, potentially making anonymity obsolete. Being under surveillance is nothing new, but now facial images can be linked to our names and massive amounts of personal data — what we like, what we buy, where we go, what we do.
But the technology also benefits us. Apple and Samsung customers willfully give companies permission to scan their faces to unlock their phones. Facial recognition helps save doctors critical moments by providing access to patient records with just a glance. It lets passengers board a plane without boarding passes. It helps burger chains identify regular customers as they walk in the door, and alerts transit systems when a criminal comes through the turnstiles. It helps employers eliminate wage theft. It can tailor a Hawaiian vacation based on when we smile during a two-minute video. And it has helped diagnose rare genetic disorders.
With all those applications, facial recognition is going to grow into a bigger part of our lives — and become a $10 billion-per-year industry by 2022. The key will be striking a balance between what one hotel business consultant tracking facial recognition calls the “creepy and convenient.”
Not to mention the importance of remaining transparent to consumers. Most people do not understand what their rights are when using products or visiting stores that use facial ID, or the obligations of entities to disclose how they are using the technology.
That’s because, for the most part, consumers have no rights, and users of facial recognition technology have no obligations.
Welcome to the Wild West
Photos are getting sharper and clearer by the day, and public and private entities are working tirelessly to link them to information about us, almost without restriction. Creators of facial recognition technology are quick to point out their products aren’t responsible for collecting vast amounts of data about people. Their products are just recording what is plainly visible.
“The fact is, your face is public,” said George Brostoff, CEO and co-founder of Sensible Vision, a Cape Coral, Fla., firm that has developed facial recognition software for use in hospital settings. “Face recognition is really not the collector of the data. It's simply an enabler for personalization or security. All the data, for good or for bad, is already being collected.”
Yet, the United States does not have any federal laws that restrict the use of facial recognition technology or that impose obligations on companies with regard to using the technology online or offline.
Certain states are more stringent. Texas, Illinois and Washington have enacted laws that regulate the use of facial recognition technology despite intense lobbying against those bills. They have different provisions, but all require companies to get informed consent from people before using facial recognition technology.
That recently came into play with a feature of the popular Google Arts & Culture app, which analyzes a selfie and finds lookalikes in famous art. Google has disabled that feature in Illinois and Texas. The company hasn’t said why but it’s likely because those states have the nation’s strictest laws on the use of biometrics, which include facial, fingerprint and iris scans.
For companies that process European data, the forthcoming General Data Protection Regulation will restrict their use of face images, which are defined as “sensitive personal data,” and require the application of strong security protections.
In other parts of the world, anything goes. An app in Russia, for example, allows strangers to find out who you are with 70 percent accuracy by taking your photo.
U.S. companies that use facial recognition technology are largely left to police themselves, and it’s anyone’s guess if they are doing so.
The closest thing to regulations are the final guidelines issued in 2016 by a U.S. Commerce Department working group that are intended to serve as a set of best practices for the commercial use of facial recognition tools. For example, entities that use facial recognition to identify an individual are encouraged to let the individual control how that information is shared.
Companies that use facial recognition technology online, like Google and Facebook, have opt-ins or notices for users in advance of its use, said Michelle De Mooy, director of the Privacy and Data Project at the Center for Democracy & Technology. Most of their practices are detailed in their privacy policies, she said, “which of course very few people read.”
And that could be key. The public generally doesn’t see facial recognition as an invasion, but as a natural step in the evolution of convenience.
“So people start saying, ‘OK, this is a part of a way of life,’ ” said Angela Rulffes, a course instructor for media law at Communications@Syracuse, and an expert on privacy in the digital age. She said the idea of having your face scanned has become normalized. “And it leads people to give up privacy rights without really considering what the consequences are. And once you've lost privacy, it can’t be returned.”
One way to combat that: Read the fine print and don’t use technology that makes you uncomfortable. “They are telling you what can happen to your information,” Rulffes said.
Even when customers become more savvy to how their likenesses are being used, they may opt for convenience over privacy, the restaurant and food consultants Baum+Whiteman said in their 2018 trend forecast.
What if a married couple enters a bar and a camera spots the husband as a regular customer but the wife thinks he’s never been there? Could be awkward. Or what if the husband is wanted by the FBI “and he’s led out in handcuffs before finishing that martini?”
Wow Bao, a chain of dumpling restaurants, is facing federal class action lawsuits in Illinois for allegedly violating the state law by failing to inform customers how their face recognition data would be used or how long the data would be stored. Illinois is the only state that allows consumers to sue for damages for unauthorized release of biometric data. Wow Bao has denied the claims and asked the court to dismiss the cases.
James B. Zouras, of the Stephan Zouras law firm in Chicago, representing the plaintiff, said in an interview the potential harm to his client was immense.
An image of a person’s face is “valuable, a piece of property that you own and yet somebody else under the guise of selling you an egg roll, is taking that data from you and doing something with it, potentially losing it in a data breach.”
Citation for this content: Syracuse University's Online Master’s in Communications program