A group of privacy and consumer advocates has pulled the plug after 16 months of negotiations with the data industry over standards limiting the use of consumers' "faceprints" -- facial recognition data that the advocates say are far too sensitive to be governed by anything less than a strict "opt in" standard.
The advocates say that biometric data are more sensitive than other kinds of consumer data whose use and handling have raised major concerns about both privacy and security. "You can change your password and your credit card number; you cannot change your fingerprints or the precise dimensions of your face," the advocates said in a statement scheduled for release Tuesday.
"Companies are saying they don't want to have to get people's permission to enroll somebody in a facial-recognition database," said Alvaro Bedoya, executive director of the Center on Privacy & Technology at Georgetown University's law school and one of nine advocates quitting talks underway since February 2014. He said such businesses "are refusing to give consumers a choice about how this powerful technology is used on them."
"At a base minimum, people should be able to walk down a public street without fear that companies they've never heard of are tracking their every movement – and identifying them by name – using facial recognition technology," the advocates said. "Unfortunately, we have been unable to obtain agreement even with that basic, specific premise. The position that companies never need to ask permission to use biometric identification is at odds with consumer expectations, current industry practices, as well as existing state law."
Bedoya said the talks, conducted under the auspices of the Commerce Department's National Telecommunication & Information Administration (NTIA), involved large companies such as Facebook and Microsoft as well as industry groups such as the Interactive Advertising Bureau and NetChoice, which bills itself as "an association of eCommerce businesses and online consumers." The joint statement said all the privacy and consumer groups involved in the negotiations -- including the Electronic Frontier Foundation, Center for Digital Democracy, the Consumer Federation of America, and the American Civil Liberties Union -- were ending their efforts to negotiate a voluntary standard.
The group said:
We believe that people have a fundamental right to privacy. People have the right to control who gets their sensitive information, and how that information is shared. And there is no question that biometric information is extremely sensitive. You can change your password and your credit card number; you cannot change your fingerprints or the precise dimensions of your face. Through facial recognition, these immutable, physical facts can be used to identify you, remotely and in secret, without any recourse.
At this point, we do not believe that the NTIA process is likely to yield a set of privacy rules that offers adequate protections for the use of facial recognition technology. We are convinced that in many contexts, facial recognition of consumers should only occur when an individual has affirmatively decided to allow it to occur. In recent NTIA meetings however, industry stakeholders were unable to agree on any concrete scenario where companies should employ facial recognition only with a consumer's permission.
At a base minimum, people should be able to walk down a public street without fear that companies they've never heard of are tracking their every movement – and identifying them by name – using facial recognition technology. Unfortunately, we have been unable to obtain agreement even with that basic, specific premise. The position that companies never need to ask permission to use biometric identification is at odds with consumer expectations, current industry practices, as well as existing state law.
We have participated in this process in good faith for 16 months. We have joined working groups and offered constructive suggestions to build towards consensus. People deserve more protection than they are likely to get in this forum. Therefore, at this point, we choose to withdraw from further deliberations.
We hope that our withdrawal signals the need to reevaluate the effectiveness of multistakeholder processes in developing effective rules of the road that protect consumer privacy – and that companies will support and implement."
The advocates said that both Microsoft and Google currently require consumers to opt into use of faceprint technology, but that their stance didn't seem to guide other companies -- or even to inform their own position on broader standards.
Jeff Chester, of the Center for Digital Democracy, said that one of the reasons for the walkout was that Microsoft said at meetings that it "supports opt in for facial recognition for its products" but opposes setting an industry standard - a straddle-the-line position that he said Google also seemed to take via NetChoice, the trade group representing Google in the talks.
"What digital hypocrisy," Chester said. "For the data collection industry, opposing a consumer's right to control their own personal information is seen as good business."
Bedoya said the NTIA talks' failure reflected the power of business lobbyists to keep federal privacy protections weak. .
"This should be a wake-up call to Americans: Industry lobbyists are choking off Washington's ability to protect consumer privacy," he said in an emai.
Bedoya added: "The message sent is clear: If you are a consumer, and you want better privacy laws, you should call your state legislator and head to your state capitol. Just don't come to Washington, DC."