The Federal Trade Commission has issued best practices
guidelines for facial recognition software, including that consumer privacy
be baked into the design, that reasonable security measures be developed and
used, and that digital signage that uses the technology not be set up where
FTC points out that the software can be used to determine
gender and age for targeted ads or gauging their reaction to a video game or movie.
The guidelines also recommend that consumers be informed of
when facial recognition is being used and have a choice as to whether that data
is collected or not, including making that choice an opt-in when they use the
data collected for a purpose other than that originally stated, and when they
use it to identify a consumer to someone who could not otherwise identify them
without that data.
"Fortunately, the commercial use of facial recognition
technologies is still young. This creates a unique opportunity to ensure
that as this industry grows, it does so in a way that respects the privacy
interests of consumers while preserving the beneficial uses the technology has
to offer," the report says.
The fact that the technology is so new was one reason that
commissioner J. Thomas Rosch dissented. "I disagree with the adoption of
'best practices' on the ground that facial recognition may be misused. There is
nothing to establish that this misconduct has occurred or even that it is likely
to occur in the near future. It is at least premature for anyone, much less the
Commission, to suggest to businesses that they should adopt as 'best practices'
safeguards that may be costly and inefficient against misconduct that may never
occur," he said.
Rosch was also concerned that the staff recommended that
facial recognition fall under the "unfairness" prong, rather than the
"deception" prong, of the FTC's consumer protection rules. That prong is
generally reserved for "substantial injury," which he says the report
does not justify.
"In summary, I do not believe that such far-reaching
conclusions and recommendations can be justified at this time."
The FTC report makes clear that the guidelines, to the
extent that they extend beyond what is currently enforceable under FTC rules,
are "not intended to serve as a template for law enforcement actions or
regulations under laws currently enforced by the FTC."
Information Technology & Innovation Foundation senior
analyst Daniel Castro had concerns about the direction the report was taking.
"Policymakers should not create technology-specific rules for facial
recognition," he said in a statement. "Facial recognition technology
belongs to a larger class of biometric technology that should be treated the
same. In addition, facial recognition has many benefits, from improving
security to automating tasks to personalizing transactions."
"Rather than attempting to create rules based on false
assumptions about anonymity, the FTC would be more effective if it promoted a
robust harms-based approach to the use of biometric information that works to
identify and close any potential gaps in current law. This would help ensure
that individuals are fully protected against potential abuses, while not
creating roadblocks to innovation for new technology."