Facebook’s battle with European Union regulators over the social media giant’s newest photo-sharing app highlights one major problem with the federal biometric data protection laws in the United States—there aren’t any.
Regulators blocked the roll-out of Facebook’s new Moments app in Europe last week because of its use of facial recognition technology. Moments allows Facebook users to share photos privately within a group and automatically tags all those pictured based off Facebook friend networks. To do this, Moments leverages users’ “faceprints.” Much like a fingerprint, a faceprint is made up of physical characteristics unique to an individual that can be used as an identifier. The main concern of European regulators is that because Moments doesn’t have an opt-in feature—users can only opt-out—it essentially uses an individual’s faceprint without his or her permission. As a result, Moments will be turned off in Europe until the company develops an opt-in mechanism, according to a statement Richard Allan, Facebook’s head of policy in Europe gave The Wall Street Journal.
Facebook Moments, however, launched without a hitch in the U.S. This provides a glaring example of the gap between biometric data protection laws in the U.S.versus elsewhere. The U.S. lacks a biometric data protection law at the federal level, and only two states—Texas and Illinois—have such laws on the books (both Facebook and Shutterfly face lawsuits in Illinois for allegedly violating the state’s privacy laws).
Forbes spoke with Jennifer Lynch—a senior staff attorney at non-profit advocacy group the Electronic Fronter Foundation—about the lack of biometric data protection laws in the U.S. and the concerns surrounding the use of faceprint technology.
Why people are so concerned about companies such as Facebook using “faceprint” and biometric technology?
Your “faceprint” is a biometric [identifier] and is something that is unique to you that you can’t change it. The concern with face recognition systems is that they will be used to identify people in situations that people don’t want to be identified or possibly that the identifying information will be shared with the government and used in nefarious ways. Perhaps somebody else will get a hold of that information and use it to pose as you in the future and then you won’t have any way of correcting that because unlike say, a driver’s license number or a social security number—there is no way to change your biometric identifier.
What is the state of regulation throughout the U.S. of commercial entities’ use of biometric data and faceprint technology?
Currently, Texas and Illinois are the only two states to have any laws that regulate the collection of biometric information by commercial companies. Both laws have been on the books for a handful of years now and nobody has really brought any challenges under those laws until this year. Now there is a lawsuit against Facebook in Illinois for improperly collecting facial recognition data, because the Illinois and the Texas laws both require that you be able to opt-in to the collection of your face recognition data. The same is true in Europe where you must be able to opt-in to data collection, rather than opt-out.
Currently, Facebook’s system is set up so that face recognition in the U.S. is is turned on by default. When a friend uploads a picture of you to Facebook and you are a Facebook user, Facebook will run its face recognition algorithm on that photograph and identify you to your close friends—unless you turn off that feature. In the past, it has been very complicated to figure out how to turn off that feature. Facebook has made it a little easier but it is still on by default.
Does it matter that Facebook is based in California, not Illinois or Texas?
It doesn’t matter that Facebook is not based in these states because you can bring a lawsuit against anybody where the act has occurred. So because there are probably millions of Facebook users in Illinois, any one of those users could allege in Illinois that Facebook has violated the law in Illinois. It doesn’t matter that Facebook isn’t headquartered in Illinois—you can still sue them in Illinois.
Do you think that it is likely that the laws will change in the future in the U.S.?
I am incredibly hopeful that they will change, but that change will occur at the state level. I don’t think that we will see much change at the federal level. We have seen many states over the last few years address changes in technology that are impacting our privacy. We have seen this lot with the collection of location data on our cell phones and states have started to pass laws that protect that data from your cell phone. It’s possible and I hope likely that states will address biometric data collection in the near future.
There are several privacy advocacy and watchdog groups that have tried to introduce regulations to limit how faceprint technology is used. What challenges do these groups face?
One of the biggest challenges is that we don’t have a universal privacy law in the U.S. at the federal level. We have to rely on individual privacy laws that might protect us in some situations and we have to rely on individual states’ laws. If you live outside of Illinois and Texas, there are really no laws that would protect you against the collection of your data—whether it is biometric data or other data. There are really very few restrictions on how companies collect data on you as long as they are not doing so in a way that is unfair or deceptive. So it’s sort of an uphill battle to get companies to stop collecting biometric data or to not create programs where they can collect biometric data.
How does Facebook’s facial recognition database compare in size to that of government agencies?
You can compare them in size, but they perform different functions. For instance, the Department of State has the largest facial recognition database of any government entity in the U.S. It has about 300 million images of passport holders and visa holders. But what the Department of State is trying to do with that database is take an image of a person and identify that person against all the 300 million images already in the database. Facebook is doing something different. Facebook potentially has facial recognition data for probably at least half–if not three-quarters of its users–but it is not trying to identify a face against all those users. What it is doing is checking a photo that you upload against your close friends, which might be 10 people, it might be 250 people but it’s probably not more than 500 people. So even though Facebook is maintaining a pretty enormous face recognition database, it is performing kind of a different function from what the government databases are doing.
This article was written by Abigail Tracy from Forbes and was legally licensed through the NewsCred publisher network.