Sen. Al Franken lets loose on Facebook for facial recognition

Facebook has learned what you look like, and Sen. Al Franken (D-Minn.) isn’t sure that’s for the best.

In fact, he seems pretty dang sure the company will inevitably use your “faceprint” for something sinister or at least unapproved at some point in the future — if regulators let this go unchecked.

As Facebook ramps up its facial recognition technology, regulators around the world aren’t being shy about raising their concerns. Officials in Norway have probed the use of this tech, and other EU privacy regulators have been investigating the matter as well.

In a newly released letter, Franken says that Facebook is now recognizing the faces of some of its least active users — and all likelihood without their explicit consent. As part of recent Privacy Policy changes, Facebook is now enabling facial recognition features for profiles that contain only a single picture of the user in question.

Franken noted that Facebook “won’t be waiting for [regulators] before it reaches pervasive deployment” of facial recognition technology.

“Last year,” he continued, “I pressed Facebook to assure its users that it would never share or sell this database to third parties. A Facebook representative responded, ‘It’s difficult to know in the future what Facebook will look like five or ten years down the road, and so it’s difficult to respond to that hypothetical.'”

In other words, your face is now on its way to becoming part of Facebook’s business in one form or another.

Unless Franken has something to say about it, of course.

Here’s the full text of the letter, as well as Facebook’s correspondence to Franken:

November 21, 2013
The Honorable Lawrence E. Strickling
Assistant Secretary for Communications and Information
National Telecommunications and Information Administration
U.S. Department of Commerce
1401 Constitution Avenue, N.W., Room 4725
Washington, D.C. 20230

Re: Multistakeholder Process to Develop Consumer Data Privacy Codes of Conduct

Dear Assistant Secretary Strickling:

In my April 2, 2012 submission to the NTIA, I recommended that the multistakeholder process consider the privacy implications of facial recognition technology, and seek to develop best practices on its use. As I explained in my filing, facial recognition technology can allow a stranger to identify you, by name and in secret, from a photograph taken on the street or copied from the Internet. It has serious implications for consumer privacy and personal safety. Unfortunately, our privacy laws provide no express protections for facial recognition data; under current law, any company can use facial recognition technology on anyone without getting their permission – and without any meaningful transparency. Press reports from this summer suggested that facial recognition was the likely next item for debate. I’m writing to renew my request that the NTIA take up this subject, and urge you to do so as quickly as possible.

The urgency of this matter is underlined by Facebook’s recent expansion of its facial recognition database – already likely the largest in private hands. In 2010, Facebook enrolled its then-800 million users into its facial recognition program – without their express consent. In my filing, I made a conservative estimate that this database includes one-twentieth of the world’s population. Last year, in a hearing in the Senate Judiciary Subcommittee on Privacy, Technology and the Law, which I chair, I pressed Facebook to assure its users that it would never share or sell this database to third parties. A Facebook representative responded: “It’s difficult to know in the future what Facebook will look like five or ten years down the road, and so it’s difficult to respond to that hypothetical.”

Last week, Facebook finalized a new privacy policy that will expand its facial recognition program to include some of the site’s least active users – those who only had a profile photo and weren’t tagged in any other photos. Once again, Facebook refused to assure users that it would use facial recognition technology only to facilitate photo tagging. In an interview with Reuters, Facebook’s Chief Privacy Officer, Erin Egan, stated: “Can I say that we will never use facial recognition technology for any other purposes? Absolutely not.” See “Facebook considers adding profile photos to facial recognition,” Reuters, August 29, 2013.

In September, I asked Facebook: How many faceprints do you have? Facebook declined to say, indicating that “we consider the exact number of templates that we store to be commercially sensitive and proprietary information.” Facebook’s reply, along with my original letter, is enclosed.

I will be exploring legislation to protect the privacy of biometric information, particularly facial recognition technology. But I believe it would be extremely valuable for the NTIA to convene industry stakeholders and privacy advocates to establish consensus-driven best practices for the use of this technology – which won’t be waiting for us before it reaches pervasive deployment.

Thank you for your time and attention to this matter.

Sincerely,

Al Franken
Chairman, Subcommittee on Privacy,
Technology, and the Law

CC: Chairwoman Edith Ramirez
Commissioner Julie Brill
Commissioner Maureen Ohlhausen
Commissioner Joshua Wright
Federal Trade Commission

2013.10.17 Response to Franken Letter