The Washington PostDemocracy Dies in Darkness

The government’s plan to regulate facial recognition tech is falling apart

Systems analyst and co-administrator of the facial recognition program for the Pinellas County Sheriff's Office, Scott McCallum, displays a method of facial mapping used to set criteria for image searches of faces.  <br/> (photo by Edward Linsmier for the Washington Post)

Facial recognition is being used by the government and big tech companies free of federal regulation. Now, the government process trying to craft a voluntary code of conduct to govern the technology appears to be falling apart.

Privacy groups are dropping out of the multi-stakeholder meetings organized by the Department of Commerce's National Telecommunication and Information Administration (NTIA), they said in a letter obtained by The Washington Post that will be sent Tuesday.

"At this point, we do not believe that the NTIA process is likely to yield a set of privacy rules that offer adequate protections for the use of facial recognition technology," the letter says. "We are convinced that in many contexts, facial recognition of consumers should only occur when an individual has affirmatively decided to allow it to occur. In recent NTIA meetings, however, industry stakeholders were unable to agree on any concrete scenario where companies should employ facial recognition only with a consumer’s permission."

NTIA has hosted 12 meetings on the issue since February 2014. But the tipping point was at the most recent meeting, on Thursday. First, Alvaro Bedoya, the executive director of Georgetown University's Center on Privacy and Law, asked if companies could agree to making opt-in for facial recognition technology the default for when identifying people -- meaning that if companies wanted to use someone's face to name them, the person would have to agree to it. No companies or trade associations would commit to that, according to multiple attendees at the meeting.

Then Justin Brookman, the director of the Center for Democracy  & Technology's consumer privacy project, asked if companies would agree to a concrete scenario: What if a company set up a camera on a public street and surreptitiously used it identify people by name? Could companies agree to opt-in consent there? Again, no companies would commit, according to several attendees.

"This is a pretty remarkable opposition to a core privacy concept that's already in state laws on this issue," Bedoya said in an interview.

Some on the business side argue that privacy advocates "drew a line in the sand" and weren't willing to negotiate. Privacy advocates blame the industry for the impasse. "Trade associations have successfully blocked any expansion of privacy rights since 2009, and here they are successfully shutting down a process that could have given consumers more control," Bedoya said.

Others go even further, blaming the Obama administration's ties with Silicon Valley. "The White House staff are veterans from Google and Facebook -- they see this sector as vital to the American economy and they used data mining techniques in elections, so it is no surprise that they are ambivalent about protecting privacy, to say the least," said Jeff Chester, the executive director of the Center for Digital Democracy.

Members of the administration disputed that description. "This process is being spearheaded by people who come out of the public interest community," said John Morris, associate administrator and director of Internet policy at the NTIA.

But, he agreed, there are few federal standards for how companies can collect information about consumers right now. Most of what little protection people have at the national level stems from the Federal Trade Commission's ability to go after companies that engage in unfair or deceptive practices.

"We're trying to work on facial recognition without legislation," Morris said. "Consumers and companies need to know what the rules are for this technology and we think stopping the discussion at this point doesn't get clarity that's needed."

The NTIA process was a major part of the White House's draft proposal for comprehensive consumer privacy legislation, which received a chilly reception from the privacy community and even the FTC when it was released this spring. The NTIA meetings were designed to bring the private sector and privacy advocates together to help develop "legally enforceable codes of conduct" based on concepts in the White House's 2012 Privacy Bill of Rights Blueprint for use in the real world.

The approach was first used to come up with rules for mobile app data, but the process was grueling and few companies have adopted the code of conduct that resulted from it, according to privacy advocates. And now representatives from the consumer advocacy world are pulling out of the facial recognition meetings. They include representatives from the Electronic Frontier Foundation, the Consumer Federation of America, the American Civil Liberties Union, the Center for Digital Democracy and the Center for Democracy & Technology.

Privacy advocates believe their decision to withdraw could be a significant blow to the legitimacy of proceedings. "Without the consumer and privacy groups there is no multi-stakeholder process," Chester said.

But the meetings will continue, the agency said. “NTIA is disappointed that some stakeholders have chosen to stop participating in our multistakeholder engagement process regarding privacy and commercial facial recognition technology," an agency spokesperson said. "A substantial number of stakeholders want to continue the process and are establishing a working group that will tackle some of the thorniest privacy topics concerning facial recognition technology. The process is the strongest when all interested parties participate and are willing to engage on all issues.”

Industry representatives also have committed to continuing with the process. "It is disappointing that some stakeholders have chosen to stop participating, but we’ll continue to engage with the goal of building guidelines that help people enjoy the benefits of this technology while protecting their privacy.” a Facebook spokeswoman said in a statement.

At this point, consumers are better off turning to state legislatures for protection from facial recognition technology, Bedoya said. Two states, Texas and Illinois, have biometric data privacy laws on the books that may already provide some protection against the use of facial technology without informed consent, he said.

Under the Illinois law, companies must tell users whenever biometric information is collected, why it's being collected and how long the companies will keep it. Consumers then must provide “written release” that they consent to the data collection. Facebook is being sued over its image tagging feature, which relies on facial recognition technology. The case will decide if the feature triggers the Illinois law -- and if so, if clicking through the terms and conditions when signing up counts as adequate consent.