The Washington Post

Facial recognition technology is everywhere. It may not be legal.

Co-administrator of the facial recognition program for the Pinellas County (Fla.) Sheriff's Office, Scott McCallum, displays a method of facial mapping used to set criteria for facial image searches. The sheriff's office uses one of the most advanced facial recognition programs for law enforcement in the country. (By Edward Linsmier for The Washington Post, 2013 file)

Ben Sobel is a researcher and incoming Google Policy Fellow at the Center on Privacy & Technology at Georgetown Law.

Being anonymous in public might be a thing of the past. Facial recognition technology is already being deployed to let brick-and-mortar stores scan the face of every shopper, identify returning customers and offer them individualized pricing — or find “pre-identified shoplifters” and “known litigious individuals.” Microsoft has patented a billboard that identifies you as you walk by and serves ads personalized to your purchase history. An app called NameTag claims it can identify people on the street just by looking at them through Google Glass.

Privacy advocates and representatives from companies like Facebook and Google are meeting in Washington on Thursday to try to set rules for how companies should use this powerful technology. They may be forgetting that a good deal of it could already be illegal.

There are no federal laws that specifically govern the use of facial recognition technology. But while few people know it, and even fewer are talking about it, both Illinois and Texas have laws against using such technology to identify people without their informed consent. That means that one out of every eight Americans currently has a legal right to biometric privacy.

The Illinois law is facing the most public test to date of what its protections mean for facial recognition technology. A lawsuit filed in Illinois trial court in April alleges Facebook violates the state’s Biometric Information Privacy Act by taking users’ faceprints “without even informing its users — let alone obtaining their informed written consent.” This suit, Licata v. Facebook, could reshape Facebook’s practices for getting user consent, and may even influence the expansion of facial recognition technology.

How common—and how accurate—is facial recognition technology?

You may not be walking by ads that address you by name, but odds are that your facial geometry is already being analyzed regularly. Law enforcement agencies deploy facial recognition technology in public and can identify someone by searching a biometric database that contains information on as many as one-third of Americans.

Companies like Facebook and Google routinely collect facial recognition data from their users, too. (Facebook’s system is on by default; Google’s only works if you opt in to it.) Their technology may be even more accurate than the government’s. Google’s FaceNet algorithm can identify faces with 99.63 percent accuracy. Facebook’s algorithm, DeepFace, gets a 97.25 percent rating. The FBI, on the other hand, has roughly 85 percent accuracy in identifying potential matches—though, admittedly, the photographs it handles may be harder to analyze than those used by the social networks.

Facebook and Google use facial recognition to detect when a user appears in a photograph and to suggest that he or she be tagged. Facebook calls this “Tag Suggestions” and explains it as follows: “We currently use facial recognition software that uses an algorithm to calculate a unique number (“template”) based on someone’s facial features…This template is based on your profile pictures and photos you’ve been tagged in on Facebook.” Once it has built this template, Tag Suggestions analyzes photos uploaded by your friends to see if your face appears in them. If its algorithm detects your face, Facebook can encourage the uploader to tag you.

With the boom in personalized advertising technology, a facial recognition database of its users is likely very, very valuable to Facebook. The company hasn’t disclosed the size of its faceprint repository, but it does acknowledge that it has more than 250 billion user-uploaded photos — with 350 million more uploaded every day. The director of engineering at Facebook’s AI research lab recently suggested that this information was “the biggest human dataset in the world.”

Eager to extract that value, Facebook signed users up by default when it introduced Tag Suggestions in 2011. This meant that Facebook calculated faceprints for every user who didn’t take the steps to opt out. The Tag Suggestions rollout prompted Sen. Al Franken (D-Minn.) to worry that “Facebook may have created the world’s largest privately held data base of faceprints — without the explicit consent of its users.” Tag Suggestions was more controversial in Europe, where Facebook committed to stop using facial identification technology after European regulators complained.

The introduction of Tag Suggestions is what’s at issue in the Illinois lawsuit. In Illinois, companies have to inform users whenever biometric information is being collected, explain the purpose of the collection and disclose how long they’ll keep the data. Once informed, users must provide “written release” that they consent to the data collection. Only after receiving this written consent may companies obtain biometric information, including scans of facial geometry.

Facebook declined to comment on the lawsuit and has not filed a written response in court.

It’s unclear whether today’s paradigm for consent — clicking a “Sign Up” button that attests you’ve read and agreed to a lengthy privacy policy — fulfills the requirements written into the Illinois law. It’s also unclear whether the statute will cover the Tag Suggestions data that Facebook derives from photographs. If the law does apply, Facebook could be on the hook for significant financial penalties. This case is one of the first applications of the Illinois law to facial recognition, and it will set a hugely important precedent for consumer privacy.

Why biometric privacy laws?

Biometric information like face geometry is high-stakes data because it encodes physical properties that are immutable, or at least very hard to conceal. Moreover, unlike other biometrics, faceprints are easy to collect remotely and surreptitiously by staking out a public place with a decent camera.

Anticipating the importance of this information, Texas passed a law in 2001 that restricts how commercial entities can collect, store, trade in and use biometric data. Illinois passed a similar law in 2008 called the Biometric Information Privacy Act, or BIPA. A year later, Texas followed up with another law to further regulate biometric data in commerce.

The Texas laws were passed with facial recognition in mind. Brian McCall, now chancellor of the Texas State University system, introduced both Texas bills during his tenure as a state representative.

“Legislation is seldom ahead of science, and in this case I felt it was absolutely necessary that legislation get ahead of common practice,” McCall explained. “And in fact, we were concerned about how the market would use personally identifiable information.” Sean Cunningham, McCall’s chief of staff, added that the use of facial recognition by law enforcement at the 2001 Super Bowl in Tampa helped bring the issue to their attention. However, it appears that the Texas statute has not been used very often to litigate the commercial collection of facial identification information.

On the other hand, the Illinois law was galvanized by a few high-profile incidents of in-state collection of fingerprint data. Most notably, a company called Pay By Touch had installed machines in supermarkets across Illinois that allowed customers to pay by a fingerprint scan, which was linked to their bank and credit card information. Pay By Touch subsequently went bankrupt, and its liquidation prompted concerns about what might happen to its database of biometric information. James Ferg-Cadima, a former attorney with the ACLU of Illinois who worked on drafting and lobbying for the BIPA, told me that “the original vision of the bill was tied to the specific issue that was presenting itself across Illinois, and that was the deploying of thumbprint technologies…”

“Oddly enough,” Ferg-Cadima added, “this was a bill where there was little voice from the private business sector.” This corporate indifference might be a thing of the past. Tech companies of all stripes have grown more and more interested in biometrics. They’ve become more politically powerful, too: For instance, Facebook’s federal lobbying expenditures grew from $207,878 in 2009 to $9,340,000 in 2014.

Testing the Illinois law

The crucial question here is whether the Illinois and Texas laws can be applied to today’s most common uses of biometric identifiers. What real-world business practices would meet the standard of informed consent that Illinois law requires for biometric data collection?

When asked about the privacy law cited in the Licata case, Jay Edelson, the managing partner of the firm representing the plaintiff, said, “The key thing to understand is that almost all privacy statutes are really consent statutes.” The lawsuit stands to determine precisely what kind of consent the Illinois law demands.

If the court finds that Facebook can be sued for violating the Illinois biometrics law, and that its opt-out consent framework for Tag Suggestions violated the law, it may upend the practices of one of the world’s largest Internet companies, one that is possibly the single largest user of commercial facial recognition technology. And if the lawsuit fails for one reason or another, it would emphasize that regulation of facial recognition needs to take place on a federal level if it is to happen at all. Either way, there’s a chance this lawsuit will end up shaping the future of facial recognition technology.