Industry Player Calls for Biometrics Regulation; Will Policymakers Jump?
July 26, 2018
In a recent blog post, Microsoft’s President Brad Smith called upon the federal government to regulate the proper use of facial recognition technology. Facial recognition, which has numerous applications including detecting and locating a face in a photo, targeted advertising, and identifying anonymous images, is just one of many types of biometric identifiers. Others include fingerprints, voiceprints, and retina/iris scans. In his blog post, Smith wrote that, because facial recognition technology “raises issues that go to the heart of fundamental human rights protections like privacy and freedom of expression,” thoughtful government regulation and the development of norms around acceptable uses are essential.
Microsoft is actively developing facial recognition technology for a variety of uses, and Smith acknowledged that “[i]t may seem unusual for a company to ask for government regulation of its products.” However, “a world with vigorous regulation of products that are useful but potentially troubling is better than a world devoid of legal standards.” To help the government develop standards and regulation for facial recognition technology, Smith called upon Congress to appoint a bipartisan expert commission to assess the complicated issues surrounding facial recognition and submit recommendations for potential legislative action.
The American Civil Liberties Union said in a statement that it supports Microsoft's call for regulation, as have other privacy advocates. Other major technology companies have not embraced the move publicly. Indeed, industry has urged the government to tread lightly, and encouraged “an open environment to allow for technology to grow and develop without the burdens of regulations.” Government officials have also expressed the need for “regulatory humility” when it comes to tech and innovation. As one scholar observed, “Innovators can, and increasingly will, move to those countries and continents that provide a legal and regulatory environment more hospitable to entrepreneurial activity.”
As for Congress, time will tell whether it will heed Smith’s call. If it does, it will not be the first time the federal government has tried to address facial recognition. In 2012, the Federal Trade Commission published a document setting out best practices for use of the technology. For example, the agency recommended that companies implement “privacy by design” by maintaining reasonable data security protections for biometric information collected from consumers’ images, establishing and maintaining appropriate retention and disposal practices for consumer images and biometric data, and considering the sensitivity of information when developing facial recognition products and services.
More recently, the National Telecommunications and Information Administration (“NTIA”) published a set of best practices that “is intended to provide a general roadmap to enable entities using facial recognition technologies [to recognize] differing objectives, risks and individual expectations associated with various applications of these technologies.” Among NTIA’s recommendations are: making available to consumers policies or disclosures describing entities’ practices for the collection, storage, and use of facial template data; and allowing individuals to control whether their facial template data can be shared with a third party. NTIA’s best practices were the result of a series of multistakeholder meetings, but consumer and privacy groups pulled out of the process over threshold disagreements and criticized the final document as “provid[ing] scant guidance for businesses and no real protection for individuals.”
Creating challenges for national and economic markets, biometrics are now being regulated by some states, including Illinois. Illinois’s law defines “biometric identifiers” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” and requires a private entity in possession of such identifiers to develop a written policy establishing a retention schedule and guidelines for their permanent destruction. The law also requires clear consumer notice when biometric identifiers are collected and places restrictions on selling, leasing, or otherwise disclosing the data. The law creates a private right of action with a minimum of $1,000 in statutory damages per negligent violation, and $5,000 minimum damages for intentional/reckless violations.
The federal government has already dipped its toes in the waters of facial recognition. Now, with the call from one industry leader to jump in, policymakers will have to decide whether to take the plunge.