What Facial Recognition Technology Means for Privacy and Civil Liberties

Abstract

Although the collection of biometrics — including face recognition-ready photographs — seems like science fiction; it is already a well-established part of our lives in the United States. The Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) each have the largest biometrics databases in the world, and both agencies are working to add extensive facial recognition capabilities. The FBI has partnered with several states to collect face recognition-ready photographs of all suspects arrested and booked, and, in December 2011, DHS signed a $71 million dollar contract with Accenture to incorporate facial recognition and allow real-time biometrics sharing with the Department of Justice (DOJ) and Department of Defense (DOD). State and local law enforcement agencies are also adopting and expanding their own biometrics databases to incorporate face recognition, and are using handheld mobile devices to allow biometrics collection in “the field.” The scope of government-driven biometrics data collection is well-matched by private-sector collection. Facebook, which uses face recognition by default to scan all photos uploaded to its site, states that its users uploaded more than 300 million photos every day in the three months ending on March 31, 2012. And Face.com, which developed Facebook’s face recognition tools and was recently acquired by the company, stated in March that it had indexed 31 billion face images. Other companies, from large technology companies like Google and Apple to small smartphone app providers, also provide face recognition products to their customers, and private companies are using biometric identification for everything from preventing unauthorized access to computers and corporate facilities to preventing unauthorized access to the gym. Face recognition is here to stay, and, though many Americans may not realize it, they are already in a face recognition database. Facebook refuses to say how many face prints it has in its database and whether it creates a face print for photos of non-Facebook users. However, given that Facebook has approximately 170 million active monthly users in the United States alone, at least 54% of the United States population already has a face print. Face recognition technology, like other biometrics programs that collect, store, share and combine sensitive and unique data poses critical threats to privacy and civil liberties. Biometrics in general are immutable, readily accessible, individuating and can be highly prejudicial. Face recognition, though, takes the risks inherent in other biometrics to a new level because Americans cannot take precautions to prevent the collection of their image. Face recognition allows for covert, remote and mass capture and identification of images — and the photos that may end up in a database include not just a person’s face but also how she is dressed and possibly whom she is with. This creates threats to free association and free expression not evident in other biometrics. Americans cannot participate in society without exposing their faces to public view. Similarly, connecting with friends, family and the broader world through social media has quickly become a daily (and some would say necessary) experience for Americans of all ages. Though face recognition implicates important First and Fourth Amendment values, it is unclear whether the Constitution would protect against over-collection. Without legal protections in place, it could be relatively easy for the government or private companies to amass a database of images on all Americans. This presents opportunities for Congress to develop legislation that would protect Americans from inappropriate and excessive biometrics collection. The Constitution creates a baseline, but Congress can legislate significant additional privacy protections. As I discuss further below, Congress could use statutes like the Wiretap Act and the Video Privacy Protection Act as models for this legislation. Both were passed in direct response to privacy threats posed by new technologies and each includes meaningful limits and protections to guard against over-collection, retention and misuse of data. This testimony will discuss some of the larger current and proposed facial recognition collection programs and their implications for privacy and civil liberties in a democratic society. It will also review some of the laws that may govern biometrics collection and will outline best practices for developing effective and responsible biometrics programs — and legislation to regulate those programs — in the future.