Consumer Privacy

Facial Recognition Faceoff

Phillip Nones Business, Government, Security, Social Commentary, Social Media , , , , , , , ,

Facebook has been resisting outside efforts to rein in its “faceprints” facial recognition initiative – and mostly losing.

I’ve blogged before about the concerns many people have about facial recognition technology, and the troubling implications of the technology being misused in the wrong hands.

Facebook would claim to be the “right hands” rather than wrong ones when it comes to the database of “faceprints” it’s been compiling over the past decade or so. But its initiative has run afoul of an Illinois biometric privacy law passed in 2008.

The Illinois measure, which prohibits companies from collecting or storing people’s biometric data without their consent, is one of the strongest pieces of legislation of its kind in that it also allows individual consumers to sue for damages – to the tune of up to $5,000 per violation.

And that’s precisely what’s happened.  A class-action suite was filed in 2015 by a group of Illinois residents, alleging that Facebook has violated the Illinois privacy law through its photo-tagging function which draws on a trove of “faceprint” photos to recognize faces and suggest their names when they appear in photos uploaded by friends on Facebook.

Facebook has vigorously resisted efforts to rein in its faceprint initiative, arguing that any such lawsuits should be dismissed because users haven’t actually been injured by any alleged violations of the state law.

That stance has been rejected – first in U.S. district court and then in the court of appeals. Undaunted, Facebook appealed to the U.S. Supreme Court which turned down the appeal in late January.

Rebuffed at all legal levels, Facebook has now decided to settle the suit for a reported $550 million, including payments of ~$200 each to claimants in the Illinois class-action suit.

Facebook has lost, but the whole notion of facial recognition technology could well be like playing a game of whack-a-mole. As it turns out, another firm has developed similar functionality and is busily selling facial recognition data to police departments across North America.  According to a recent investigative article publishing in The New York Times, a company called Clearview AI has mined billions of photos from Twitter, Facebook and other social platforms.  (Clearview is now being sued in Illinois for allegedly violating the same biometric privacy law that was at the center of the Facebook suit.)

And indeed, the efforts to rein in facial recognition activities may be a little too little, a little too late: According to a recent report from Business Insider, the faces of more than half of all adults in America have already been logged into police or government databases.

… Which brings us to a parallel response that appears to be gaining traction: figuring out ways to fool facial recognition software.  A number of entrepreneurs are developing intriguing methods to beat facial recognition software.  Among them are:

  • Clothing designers have begun to target weaknesses in the ability of facial recognition software to process overlapping or unusual shapes, as well as deciphering multiple similar images appearing in close proximity. One such example is a pair of goggles fitted with near-infrared LEDs that interfere with the ability to scan facial features.
  • Headscarves decorated with different faces “confuse” the software by overloading it with excessive amounts of data in the form of numerous facial features.
  • So-called “adversarial patches” – a graphic print that can be added to clothing – exploit the vulnerabilities in facial recognition scanning by making a person “virtually invisible for automatic surveillance cameras,” according to creators Simen Thys, Wiebe Van Ranst and Toon Goedemé.

Will the two-front attack on facial recognition technology from the legal as well as technology standpoint succeed in putting the facial recognition genie back in the bottle? It’s debatable.  But it’s certainly making things more of a challenge for the Facebooks and Clearviews of the world.

Going up against Goliath: The latest privacy tussle with Facebook.

Phillip Nones Business, Marketing Communications, Security, Social Commentary, Social Media , , , , , , , , , ,
Is that Maria Callas? Check with Facebook -- they'll know.
Is that Maria Callas? Check with Facebook — they’ll know.

It had to happen eventually:  Facebook’s “faceprints” database activities are now the target of a lawsuit.

The suit, which has been filed in the state of Illinois, alleges that Facebook’s use of its automatic photo-tagging capability to identify people in images is a violation of Illinois’ state law regarding biometric data.

Facebook has been compiling faceprint data since 2010, and while people may choose to opt out of having their images identified in such a way, not surprisingly, that option is buried deep within the Facebook “settings” area where most people won’t notice it.

Moreover, the “default” setting is for Facebook to apply the automatic photo-tagging feature to all users.

Carlo Licata, the lead individual in the class-action complaint filed in Illinois, contends that Facebook’s practices are in direct conflict with the Illinois Biometric Information Privacy Act.  That legislation, enacted in 2008, requires companies to obtain written authorization from persons before collecting any sort of “face geometry” or related biometric data.

The Illinois law goes further by requiring the companies gathering biometric data to notify people about the practice, as well as to publish a schedule for destroying the information.

Here’s how the lawsuit states its contention:

“Facebook doesn’t disclose its wholesale biometrics data collection practices in its privacy policies, nor does it even ask users to acknowledge them.  With millions of users in the dark about the true nature of this technology, Facebook [has] secretly amassed the world’s largest privately held database of consumer biometrics data.”

The response from Facebook has been swift – and predictable.  It contends the lawsuit is without merit.

As much as I’m all for of individual privacy, I suspect that Facebook may be correct in this particular case.

<em>Brave New World:</em> Biometrics
Brave New World: Biometrics

For one thing, the Illinois law doesn’t reference social networks at all.  Instead, it focuses on the use of biometrics in business and security screening activities — citing examples like finger-scan technologies.

As Eric Goldman, a professor of law at Santa Clara University notes, the Illinois law is “a niche statute, enacted to solve a particular problem.  Seven years later, it’s being applied to a very different set of circumstances.”

And there’s this, too:  The Illinois law deals with people who don’t know they’re giving data to a company.  In the case of Facebook, it’s commonly understood user data is submitted with consent.

That may not be a particularly appealing notion … but it’s the price of gaining access to the fabulous networking functionality that Facebook offers its users – all at no expense to them.

And of course, millions of people have made that bargain.

That being said, there’s one nagging doubt that I’m sure more than a few people have about the situation:  The folks at Facebook now aren’t the same people who will be there in the future.  The use of faceprint information collected on people may seem quite benign today, but what about tomorrow?

The fact is, ultimately we don’t have control over what becomes the “tower of power” or who resides there.  And that’s a sobering thought, indeed.

What’s your own perspective?  Please share your thoughts with other readers here.

Internet privacy legislation: What are the implications?

Phillip Nones Uncategorized , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Internet privacyThe issue of online privacy – the degree to which publishers are allowed to capture and use information derived from consumer online behavior – has been an undercurrent of concern since the very early days of the Internet. What is the right balance that allows the web to be used for marketing and commerce … but that also allows for an acceptable degree of consumer privacy?

The privacy issue has gathered steam in recent years. Today, proposed legislation affecting EU countries would dictate that web cookies (snippets of computer code) cannot be placed on a user’s computer unless it is strictly necessary for the purposes of enabling the use of a service explicitly requested by the user.

If such legislation is enacted, the implications for web publishers would be far-reaching. After all, cookies are currently used for many purposes, including web analytics, session management, content management, personalization, managing preferences, and calculating advertising revenues.

Cookies are the means by which all of these functions give the web its commercial foundation and functionality. Without them, the web would be little more than another broadcast medium for viewing non-customized information on a computer screen instead of on paper or on a TV screen.

And now those same privacy discussions are beginning to happen among U.S. lawmakers. Legislation is being crafted in Congress that may restrict the use of cookies along with other forms of “personally identifiable” information.

Is this a good development, or not?

It’s certainly true that some unscrupulous web sites and publishers have used cookies as a means to engage in nefarious behavior. But in an attempt to eliminate those exceptions, is it wise for legislation to wipe away all of the very real benefits web users derive from services that utilize cookies as the means to deliver them?

It’s pretty clear that one of the obvious impacts privacy legislation would have is on publishers who earn revenues from advertising. The inability to utilize cookies when serving online ads would affect the way the ads perform. Without cookies, ad servers are unable to perform the most basic functions such as fraud analysis and frequency capping (limiting the number of ads shown to a viewer).

In addition, publishers would lose the ability to measure “conversion” rates – tracking specific actions tied to ad revenue calculation such as downloading a white paper or to make a purchase – that is the foundation for many ad compensation packages. Or to serve a specific ad to someone who has expressed prior interest in a topic or product.

The data that these and other cookie-enabled actions provide is the basis of most online advertising programs. Without cookies, advertisers would have to purchase far more impressions served to swaths of people who may or may not be interested. Web analytics would also become more challenging; third-party services such as Web Trends and Google Analytics tap into cookies as a way to provide information and answers.

The claim that without legislation, people don’t have ways to limit the proliferation of cookies on their computers is just not accurate. Not only do many publishers provide ways for consumers to opt out of targeting techniques, surveys show that a significant proportion of Internet users — perhaps one third — routinely delete cookies from their computers. And ~10% have them permanently blocked.

It’s good for lawmakers to be looking at the privacy implications of the Internet. After all, the web continues to evolve at a quick pace, with new functionalities coming to the fore every day that may have implications on consumer privacy. But at the same time, it’s important to really think through the full ramifications of laws that, while well intentioned, would have negative consequences on everyone if enacted.