Yesterday, stakeholders met for the sixth in their series of meetings organized by the National Telecommunications and Information Administration (NTIA) in hopes of creating a voluntary code of conduct on facial recognition technology. This meeting aimed to look at the risks and issues the process’ participants identified since last month’s meeting. It also looked at a list of drafted definitions the not-yet-existent code could include.

The meeting followed a familiar narrative in this process: The technology is so new that it’s sometimes difficult to imagine the ways in which it’s currently being and will be used. So creating rules that would govern those real and imaginary uses is pretty difficult.

The most passionate debate yesterday centered around what the code should say about government access to raw images and what standards should apply to requests by governments to gain access to such information. The stakeholders—a group of representatives from government, the ACLU, the Consumer Federation of America, NetChoice and the Application Developers Alliance (ADA), among others—were divided on whether to even address the issue.

Tim Sparapani, representing the ADA, suggested the group not even go there.

“I’m loathe to take on the federal government unless you can do something significant and meaningful,” he said. However, he argued, the code needs to address what to do in the case that the government is a customer of a commercial entity.

The NTIA’s John Morris said he thought the code would be for consumer-facing products and services. If it’s the case that the government would be covered, the code would face an uphill battle.

“I don’t think those with government customers would participate,” he said. “My view, the NTIA’s view, is the same as it was six or eight months ago, which is to say that government use of this technology, we view as out of scope. We don’t think the FTC is going to be exerting jurisdiction over how the government uses this technology.”

That’s a nightmare for developers, Sparapani said. Whatever the code says, it shouldn’t apply differently to those with government customers and those without.

“A startup is going to want to do it once and well and have the same set of rules apply to all of their customers they can anticipate coming through the door,” he said. “I don’t think it’s a small question. I think people would prefer one unified system.”

Joni Lupovitz of Common Sense Media said looking at how to handle the government-as-customer now would halt progress. Push forward with the code as it relates to consumer-facing and commercial uses of data, and then maybe circle back later.

That subject exhausted, discussion turned to semantics. At what point should notice and consent happen?

The ACLU’s Chris Calabrese said “enrollment should be the lynchpin,” but NetChoice’s Steve DelBianco said that doesn’t work. Notice should be given when metadata is added to a facial recognition template, making it identifiable. And it’s at that point that the individual should be given the opportunity to opt out of enrollment in a facial recognition database.

Say, for example, you want to monitor entrance into a building and you use facial recognition templates to ensure proper access. Identification and verification are different than database enrollment and sharing.

“Enrollment could be to ensure the same delivery guy comes in every day at 2 p.m. so enrollment is like saving (an image),” DelBianco said. “The user of the system took a template and enrolled it. That’s different from saving. They might have compared it with other residents of the building to see if they should be able to get in. What level of transparency do we give to the subject about those two activities?”

Susan Grant of the Consumer Federation of America said she thought “storage” was the same as “enrollment,” and that the group had decided that as soon as storage happened, consent should be required.

Calabrese said his concerns revolve around when a person is enrolled into a database—regardless of whether the image is shared.

“For my mind, if I’m taking an image, I’m turning it into a template,” he said. “That raises all these issues at that point. That’s the logical use for notice, consent and transparency.”

NetChoice’s DelBianco said it may be logistically impossible to be completely transparent at the time of “enrollment.” How do you notify every image subject that their image has been taken at the time of the capture?

“Practically speaking, that’s going to be very challenging,” he said.

The group discussed defining terms, including “personally identifiable information,” “encryption” and “authentication.”

Bill Baker of Wiley Rein said he’s nervous about using the term “personally identifiable information” in the code because it’s defined differently in every state statute across the U.S.

Finally, there was something of an end-around: Walter Hamilton said the International Biometrics Industry Association, the group he was there to represent, is two weeks away from publishing a best practices code for the stakeholder group to review.

That was good news to Bill Long, who said this code-drafting process needs more voices.

“I think it’s great that biometrics are involved,” he said. “We need users. We need Home Depot, Sears and the International Association of Shopping Malls” for the business perspective.

Carl Szabo of NetChoice proposed the group spend one more meeting fleshing out details and then get down to writing a code.

Written By

Angelique Carson, CIPP/US


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Spots Going Fast

With the top minds in the field leading this exceptional program, it's no wonder it's filling quickly. Register now to secure your spot.

Be Part of Something Big: Join the Summit

Registration is open for the Global Privacy Summit 2016. Discounted early bird rates available for a short time, register today!

Data Protection Intensive Returns to London

Registration is now open for the IAPP Europe Data Protection Intensive in London. Check out the program!

P.S.R. Call for Speakers Open!

P.S.R. is THE privacy + cloud security event of the year, and you can take a leading role. Propose a session for this year's program.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»