On February 25, the National Telecommunications and Information Administration (NTIA) held the second meeting of the Facial Recognition Multi-Stakeholder Process. The IAPP’s Angelique Carson, CIPP/US, reported on the first meeting here. The ultimate goal is to develop a code of conduct consistent with the Consumer Privacy Bill of Rights that will be both voluntary and enforceable by the Federal Trade Commission (FTC).
A key outcome of the meeting is the determination that commercial entities will be covered—battles around government uses will take place elsewhere. So it is time for developers of commercial facial recognition technologies and the entities using them to “face it” and take action.
Ways To Shape the Code
The NTIA will be in fact-finding mode through the next meeting scheduled for March 25. After that, the process will turn to development of “straw man” codes of conduct.
- Submit use cases for the stakeholders to discuss to firstname.lastname@example.org. This will help the privacy advocates, industry representatives, academics, technologists and regulators distinguish between scenarios well within consumer expectations and those that raise more novel or multifaceted privacy issues. The current list of use cases is fairly narrow, but additional examples are access to secure systems including smart phones, verification for distribution of prescription medicines and photo organization.
- Share documentation or research that answers key questions posed during the meeting by advocates and policy makers, such as
- Can facial recognition biometric algorithms be reverse-engineered? If so, what safeguards are being taken to guard against this?
- What is the shelf life of a photo or unique biometric identifier, and is it different for teens?
- Does the size of the database matter?
- What other information is stored with biometric identifiers?
- Should “one to one” matching be treated differently than “one to many”?
- What role does crowd-sourced tagging or identification play?
- Are there existing standards for other biometrics that could be instructive here; e.g., fingerprints, voiceprints, DNA, iris scans, signatures?
- How are consumers informed about collection and use of facial recognition technologies today, and do they have control?
- Are there different concerns for authentication and identification?
- Participate in the upcoming meetings to ensure the future code realistically addresses the marketplace without unnecessarily restricting societal benefits. Advocates specifically called on key industry players to present their current practices at the next meeting. If organizations selling or using facial recognition technologies do not contribute, the code will likely negatively affect certain use cases. Conversely, if there is a reasonable explanation for a use case, it is likely to obtain appropriate treatment in the code.
- Be aware of input from other policy makers who are substantially invested in the facial recognition dialogue. For instance, in addition to participating in the NTIA meetings, the FTC wrote a report in 2012 on facial recognition best practices. NIST has conducted several projects related to facial recognition, the latest of which is a challenge to create useful algorithms from photos or video taken with point and shoot cameras. Sen. Al Franken (D-MN), chairman of the Senate Subcommittee on Privacy, Technology and the Law, has a longstanding interest in the issue, having recommended in April 2012 that the NTIA use the multi-stakeholder process to focus on facial recognition. He then held a hearing in his subcommittee in July 2012, and earlier this month he queried an application developer claiming to identify users from photos. Michelle Chibba, director of policy and special projects, Office of the Information and Privacy Commissioner of Ontario, Canada, was a vocal participant in the second meeting and presented in the first, including reference to a 2010 paper co-authored by Ontario Information and Privacy Commissioner Ann Cavoukian. This involvement by other policy makers and regulators provides deep context for the ongoing NTIA exercise.
Privacy advocates, industry representatives, academics, technologists and regulators will be giving input through June at meetings scheduled every few weeks. Get involved now to shape the contours of the code; it is time to “face it.”