Posted on October 26th, 2012 in Reports by Simply Security | Be the first to comment | Tags: Reports
New FTC guidelines detail the responsible use of facial recognition technologies.
Facial recognition technology transitioned from science fiction storyline to mass market reality when Facebook rolled out its semi-automated photo-tagging feature in mid-2011. Since then, companies have been striving to develop the next great application of the technology while regulators and civil liberties advocates have been weighing in on the personal privacy implications. Following its December 2011 workshop dedicated to these issues, the Federal Trade Commission issued a new report detailing recommended best practices for balancing innovation and data protection when working with facial recognition technologies.
A nascent market
Although Facebook may have gained the most notoriety for its take on facial recognition, it is hardly the only company hoping to commercialize the innovation. Social networks, mobile applications and digital signs have all been popular contexts for the technology in recent months, and it is being used for an endless array of novel purposes. Facial feature detectors have been called upon to determine gender and age demographics that inform targeted ad campaigns, match faces held in databases and even assess emotional responses to video content.
Yet as the technology's popularity expands, so too do the privacy risks associated with the information being gathered. Critics have expressed their concerns that individuals may not know that their biometric data is being collected, and that it could be compromised by hackers or misappropriated by overzealous law enforcement officials.
"Fortunately, the commercial use of facial recognition technologies is still young," the FTC report stated. "This creates a unique opportunity to ensure that as this industry grows, it does so in a way that respects the privacy interests of consumers while preserving the beneficial uses the technology has to offer."
Safe from the start
Three primary principles underlie the FTC recommended practices, including privacy by design, simplified consumer choice and overall transparency.
The first concept speaks to the fact that mobile application developers or any other innovators working with facial recognition technology should hardwire privacy protections into their products and policies. By designing features with consumer privacy and the end-user experience already top of mind, companies can avoid a number of dangerous complications down the road.
One example provided by the report detailed an eyeglass manufacturer who allows consumers to upload photos of themselves and superimpose graphics to preview how certain frame styles might look on their face. Although the functionality and appeal of this service is clear, some of the first questions asked should be how and where these photos will be stored and protected, and how long will they be retained.
Consumers voluntarily supply their biometric data in the eyeglass scenario, but an alternate example provided by the FTC involving a beverage manufacturer's supermarket display signs better captures the complexity and significance of individual choice and consent.
First and foremost, advertisers working with demographic detection applications should ensure their signage is not placed in potentially sensitive areas such as bathrooms, healthcare facilities or locations "where children congregate." The supermarket scenario achieves this initial step, but the much trickier part involves informing consumers that their information is being captured and explaining how it is being used.
"At minimum, a notice should clearly state the purpose of the technology and indicate how consumers can find more information about the technology and the practices of the company operating the signs in that venue," the report stated. "A consumer who does not wish to have their data used in this manner is then able to choose not to shop at this particular store or avoid the location where the sign is placed."
FTC officials conceded that the guidelines are not legally binding, and in several ways actually go above and beyond current expectations. However, companies considering working with facial recognition technology would do well to take the recommendations under advisement.
Data Security News from SimplySecurity.com by Trend Micro
