Content, Context, and Control: Facial Recognition and Privacy

Photographs don't just capture your laughter and tears. They can also reveal the details of your life: the people you know, the events you attend, and more. And facial recognition makes it easy to link any photo of you--even one you didn't know you were in--to your name and identity. This could make it impossible to attend a support group meeting or political rally without sharing that information with everyone. And it could allow anyone who snaps your photo on their phone to instantly learn your name, interests, and more. Businesses and lawmakers need to ensure that facial recognition services give individuals the ability to choose whether and how they participate in the service and ensure that any information collected or generated by these services is adequately protected.

A Picture Is Worth a Thousand Words

Even an old-fashioned photo can reveal a great deal about you: your friends, your passions, your travels, and more. And digital photos can reveal even more, including the exact time and place where the photo was taken, the tags or comments that you or others have attached, and even who else has viewed or "Liked" it. And that's just one photo; imagine how much more information would be exposed if every single photo with your face in it were linked directly to you?

Context Matters

There's a difference between attending a protest to show your support and having every protest you attend permanently linked to your identity and used to make decisions about you. And there's a difference between posting content on social networks for people you know and allowing anyone with a cell phone to snap a picture of you and view your profile. How would you react if your boss could easily discover everywhere you go and everything you do? What about someone you just met at a bar? Or the FBI?

Who's in Control?

Digital information is extremely hard to control once iit's exposed, so facial recognition tools need to ensure that you can choose how and whether you participate in the service. This means that privacy has to be built in from the start, not just tacked on as an afterthought or when something goes wrong.

And building in privacy is good business. Consumers and lawmakers both care about privacy, so as a business it s in your est interest to proactively address the privacy hazards of your product. This allows you to build consumer trust from the beginning and avoid public relations nightmares, lawsuits, and legislative or regulatory responses to practices that harm consumer privacy.

Here are a few questions that businesses and developers should consider when designing a facial recognition tool or service:

• How are consumers notified about the service? Does the service notify a consumer and ask permission before retaining her "faceprint" or linking to her identity? Does it provide a mechanism for notifying her each time a future match or link is made?
• Can consumers control how their information is used? Can they select who can access their "faceprint" or stored photos or use the service to link a photo to their identity?
• What information is collected or generated by the service? How long is this information retained? Are there protections in place for the data it retains?
• Can consumers manage their own information? Can they delete photos or even their entire profile? If they do so, is everything about them really deleted?
• Does the service share information with third parties? If so, does it obtain a consumer's permission before sharing her information with third parties? Does it ensure that those third parties have their own practices and safeguards to protect privacy?
• Does the service have a process in place for responding to demands for information from the government or third parties? Does it notify any affected consumers as soon as possible if information about that consumers is demanded?

Lawmakers and regulators can do their part by encouraging businesses to provide transparency and control to users through a "Privacy by Design" approach and by establishing stronger protections to ensure that any data these services do collect is adequately protected.

For more information, please see our primer for businesses, Privacy and Free Speech: It's Good for Business.

Chris Conley is the Technology and Civil Liberties Fellow with the ACLU of Northern California.