Yesterday, stakeholders met for the sixth in their series of meetings organized by the National Telecommunications and Information Administration (NTIA) in hopes of creating a voluntary code of conduct on facial recognition technology. This meeting aimed to look at the risks and issues the process’ participants identified since last month’s meeting. It also looked at a list of drafted definitions the not-yet-existent code could include.
The meeting followed a familiar narrative in this process: The technology is so new that it’s sometimes difficult to imagine the ways in which it’s currently being used and will be used. So creating rules that would govern those real and imaginary uses is pretty difficult.
The most passionate debate yesterday centered around what the code should say about government access to raw images and what standards should apply to requests by governments to gain access to such information. The stakeholders—a group of representatives from government, the ACLU, the Consumer Federation of America, NetChoice and the Application Developers Alliance (ADA), among others—were divided on whether to even address the issue.
Tim Sparapani, representing the ADA, suggested the group not even go there.
“I’m loath to take on the federal government unless you can do something significant and meaningful,” he said. However, he argued, the code needs to address what to do in the case that the government is a customer of a commercial entity.
The NTIA’s John Morris said he thought the code would be for consumer-facing products and services. If it’s the case that the government would be covered, the code would face an uphill battle.
“I don’t think those with government customers would participate,” he said. “My view, the NTIA’s view, is the same as it was six or eight months ago, which is to say that government use of this technology, we view as out of scope. We don’t think the FTC is going to be exerting jurisdiction over how the government uses this technology.”
That’s a nightmare for developers, Sparapani said. Whatever the code says, it shouldn’t apply differently to those with government customers and those without.
“A startup is going to want to do it once and well and have the same set of rules apply to all of their customers they can anticipate coming through the door,” he said. “I don’t think it’s a small question. I think people would prefer one unified system.”
Joni Lupovitz of Common Sense Media said looking at how to handle the government-as-customer now would halt progress. Push forward with the code as it relates to consumer-facing and commercial uses of data, and then maybe circle back later.
That subject exhausted, discussion turned to semantics. At what point should notice and consent happen?
The ACLU’s Chris Calabrese said “enrollment should be the lynchpin,” but NetChoice’s Steve DelBianco said that doesn’t work. Notice should be given when metadata is added to a facial recognition template, making it identifiable. And it’s at that point that the individual should be given the opportunity to opt out of enrollment in a facial recognition database.
Say, for example, you want to monitor entrance into a building and you use facial recognition templates to ensure proper access. Identification and verification are different than database enrollment and sharing.
“Enrollment could be to ensure the same delivery guy comes in every day at 2 p.m. so enrollment is like saving (an image),” DelBianco said. “The user of the system took a template and enrolled it. That’s different from saving. They might have compared it with other residents of the building to see if they should be able to get in. What level of transparency do we give to the subject about those two activities?”
Susan Grant of the Consumer Federation of America said she thought “storage” was the same as “enrollment,” and that the group had decided that as soon as storage happened, consent should be required.
Calabrese said his concerns revolve around when a person is enrolled into a database—regardless of whether the image is shared.
“For my mind, if I’m taking an image, I’m turning it into a template,” he said. “That raises all these issues at that point. That’s the logical use for notice, consent and transparency.”
NetChoice’s DelBianco said it may be logistically impossible to be completely transparent at the time of “enrollment.” How do you notify every image subject that their image has been taken at the time of the capture?
“Practically speaking, that’s going to be very challenging,” he said.
The group discussed defining terms, including “personally identifiable information,” “encryption” and “authentication.”
Bill Baker of Wiley Rein said he’s nervous about using the term “personally identifiable information” in the code because it’s defined differently in every state statute across the U.S.
Finally, there was something of an end-around: Walter Hamilton said the International Biometrics Industry Association, the group he was there to represent, is two weeks away from publishing a best practices code for the stakeholder group to review.
That was good news to Bill Long, who said this code-drafting process needs more voices.
“I think it’s great that biometrics are involved,” he said. “We need users. We need Home Depot, Sears and the International Association of Shopping Malls” for the business perspective.
Carl Szabo of NetChoice proposed the group spend one more meeting fleshing out details and then get down to writing a code.