The commercial use of facial recognition technology
for security, access, marketing and customer service is rapidly growing. Privacy advocates argue that widespread use
of the technology will allow businesses to identify and track almost anyone in
public without their consent or even knowledge.
Businesses argue that individuals should not expect complete privacy in
public and that some loss of privacy is outweighed by the benefits the
technology offers consumers and businesses.
Multiple privacy, government and industry organizations have listed best
practices regarding the commercial use of biometric technology, but the
recommendations often conflict and no consensus has been reached.
Should businesses be required to obtain a person’s
consent, express or implied, before using facial recognition technology?
I would not argue that a firm should be required to obtain an individual's consent before using some form of facial recognition technology. There are certain degrees of privacy, especially in public settings, that must be forfeited with the progression of technology. There are already examples of this today, most notably in online settings, such as social media, where the individual implicitly relinquishes such privacy rights in order to participate. I think it logically follows that on the designated material property of a company that a company has the right to use facial recognition technology in order to protect said property and their assets.
A stipulation I might recommend would be a posted notice of the use of such technology, just as organizations typically make such posts about the use of video surveillance today. Where I think the use of such technology might go too far would be implementation in settings that are owned publicly, such as in the street, parks, etc. However, considering the above question concerning private businesses, I hold no major objection.
While my inner privacy advocate would love for there to be a system in place for consent before facial recognition technology is used on an individual, I do not see it as a practical or even necessary action. Currently, I do think that individuals have a reasonable expectation of privacy in certain places in public, such as public restrooms or changing rooms. Other than that, the reasonable expectation of privacy is gone. With that being said, I do think it would be very appropriate for there to be mandates for businesses to identify that they are using facial recognition technology by way of a sign or some other informing tactic so that people are aware of what is being collected. In many ways the use of the facial recognition can actually enhance the safety of our public interactions if the information is used to identify dangerous persons.
I disagree with Joe and Diana. I think that businesses should require a person's written consent before using facial recognition technology. I do not subscribe to the idea that there are "...certain degrees of privacy...that must be forfeited with the progression of technology". That is only true if we roll over and give up our privacy rights. Diana says that in public a "...reasonable expectation of privacy is gone". I think that is true because in public we are often surrounded by other people but we do not expect our very faces to be used for marketing data. As for security measures, I do think that facial recognition would aid in improving public safety, but I do not think privacy should be sacrificed for safety. I am very worried about where the facial recognition, along with other biometric data, would be stored as well as who would have access to it. We live in a society that is incredibly concerned with safety, and perhaps rightfully so, but I don't think that means we should forfeit our privacy rights. Anyway, I am extremely wary of facial recognition technology and other biometric data.
While I feel that in an ideal world our express permission would be asked every time our image is captured or used, this is neither practical nor will it ever be implemented. In lieu of express permission, a compromise can be made in terms of implied permission by informing those who enter stores that facial recognition is being used in the store. The store should also make available the privacy policy for their facial recognition system – where is the data stored, how is it protected/encrypted, how long is data retained, what is the system being used for – in a place that is accessible without being subject to the software, such as an atrium without the tracking system or video cameras. This gives consumers the ability to decide not to use a store in order to avoid the facial recognition system without being exposed to the system. It also implies that the person is giving the store permission to use the software because they are choosing to enter the store knowing that the system is in use. Further down the road, if the vast majority of businesses used facial recognition, this method could severely limit the areas that someone avoiding the systems could use. However, a system of implied consent in this manner is a viable solution given the degree of usage of this system (unless it is much more widespread than I think).
I do not think it is uncommon these days for government, businesses, etc. to claim public safety, or protection from terrorism in exchange for less privacy. I agree with what Tara said that this is a potentially slippery slope. I realize that with how technology is changing, there are certain compromises that have to be made, like the example we gave on one of the first days of class with photography. Reasonably, one can expect that they could be recorded or photographed at nearly any time when out in public. However, these advantages should not supersede more specific privacy rights. I think that, as mentioned above, there should be some kind of notice of a business' use of facial recognition technology in public places. Additionally, I feel that if a company was to do anything with this technology, they should obtain expressly stated consent.
It is one thing if a business uses the technology to provide security measures or something of a private nature for their specific business/entity (as employees of the company would give consent, expressed or implied), but obtaining facial recognition information simply from public places and also using it should be considered a breach of privacy.
I do believe that businesses should obtain express permission before using facial recognition technology; however, I do not think it would ever happen. It would be extremely difficult to regulate. It seems like just entering a store with that technology is "implied" consent. As a minimal effort, I think that businesses should put up a warning that facial recognition is in place at their establishment.
I don't think that anyone who is out in public has a reasonable expectation of privacy. I also don't think that the use of the technology is in any way the disclosure of private facts. It just says where you go and what you are buying. Furthermore, it is acquiring those facts so it can best market to you, in no way casting you in a false light. It also does not misappropriate your image. I think it is in no way an invasion of privacy.
I geek out way too much at the leaps that facial recognition technology has made in recent years, and for me the amazing implications of what we could do with the technology nearly completely supersede privacy concerns. Imagine walking into a store and having personalized suggestions for where to go in the store for products that you'll be interested in based on your shopping history. You could tie the data to anonymized ids so that there would be no log of your real name. This would certainly have its faults, namely, imagine walking into a grocery store with a friend where you once bought something you wished to keep private and being berated with ads for it. Still, the advances in statistics, crime fighting and marketing outweigh the costs. Especially if the system is required not to store your actual image, just a match profile.
I believe that this should be modelled somewhat after the internet cookies policy that was enacted a few years ago. It required sites that use cookies (packets of information stored by the site on your computer) to state to their users that by using the site, they agree to the site's implementation of cookies. In the same way, I think that businesses should be required to expressly state to their customers that they use facial recognition or other biometric technology. In other words, I'm in favor of implied consent, but only on privately owned property such as business property.
At the same time, however, I think the issue of how the data is stored plays a huge factor in my ultimate decision. I believe that an individual has the right to control their own data, and while this matter isn't wholly a privacy issue, it definitely runs parallel to privacy. I like what Sheyne mentioned about a "match profile" and the use of "anonymized IDs so there would be no log of your real name." To expound on that, I would suggest that there be a way to opt out of the transactional side of the system so you can control whether you want personalized ads or not, similar to parts of the web. The biometric technology would still be sensing you, but only delivering the types of results that you have previously specified. That way businesses can be more secure and the consumer can feel more in control.
I think it would be a good thing for businesses to obtain consent but it'd be hard in general to implement. On online services like Facebook, FB probably has something in their TOS which allows them and their computers to use the tags that you and your friends put on the photos to generate a facial recognition profile for you. In this case, there is an explicit consent; whether you've actually read the TOS or not, that's a different issue.
However, there are also different ways that business can use facial recognition without any consent. I think this is worrying but hard to regulate. The business may see this as a positive and maybe some customers will too. Say you walk into a store for the first time and a facial recognition profile is attached to you. The next time you go into the store, you have a list of personalized selection products that the algorithm thinks you may want or need. This kind of targeted advertising is good, but the privacy implications are kind of scary.
Absolutely. I agree with Alekh's suggestion about having a system similar to the EU's cookies requirement, with clearly posted signs to get implied consent, and Stefi's suggestion of a publicly posted privacy policy. I also believe that, similar to what Alekh said, you should be in control of your advertisement profile. Some people will argue that, since it's a public place, you can't really expect any real privacy. However, there is a distinct possibility that some of the ad suggestions (or various other data) were collected in a private setting. As such, the application of this data in a public space could be construed as the publication of private facts. As a solution to this, I assert that we should be able to edit our own advertising profiles if we wish, to determine what we wish to be displayed. To be honest, I see this as a win-win for data brokers and private consumers. The consumer gets to actively determine what ads are catered to them, and avoid potential breaches of privacy, and the broker gets arguably more accurate data that comes directly from the person being advertised to.