See this Washington Post article.
So if I turn on FR on my lab bench is that legal? I saw a bunch of you instantly quote the state-by-state rules on pulling wire, what do y'all know about legality of facial recognition? Let's say I mean "in a conventional business i.e. the corporate world". I'm not trying to start another theology debate about government/law enforcement.
So if I turn on FR on my lab bench is that legal?
In my opinion, Yes.
The problem comes when you associate a set of meta-data, (face scan, fingerprint, super-cookies) with actual named identities.
So turning on a program that identifies biometric data-points and stores or searches for them wouldn't necessarily be a privacy violation.
Background / key excerpts from the article:
"Both Illinois and Texas have laws against using such technology to identify people without their informed consent. That means that one out of every eight Americans currently has a legal right to biometric privacy."
"Texas passed a law in 2001 that restricts how commercial entities can collect, store, trade in and use biometric data. Illinois passed a similar law in 2008 called the Biometric Information Privacy Act, or BIPA. A year later, Texas followed up with another law to further regulate biometric data in commerce."
While Ari and others have Rain Man level knowledge of wire pulling laws, the bigger issue with face recognition is that extremely few are using it in production given that it typically does not work well anyway (which is my main counter to the assumptions in this article).
Here's the text of the Illinois biometrics law, key excerpts:
"No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (1) informs the subject or the subject's legally authorized representative in writing..."
"No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information"
The first excerpt would essentially prohibit facial surveillance, i.e., scanning the public looking for terrorists, rapists, shoplifters, etc.
The second excerpt would essentially prohibit schemes like Facewatch that want to build private facial exchanges / databases.
If everyone in your lab (in Illinois) agrees in writing beforehand, I assume you are ok. If you start doing facial recognition scans of people without telling them, it appears you might have a problem.
Things that are not Biometric Identifiers
Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color...
Things that are not Biometric Information
Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.
Facebook is using information derived from excluded identifiers, i.e. photographs, so is not considered biometric information, as far as this law is concerned.
However, dusting for fingerprints in your own home might be a problem.
My lab has test patterns and toy figures and an IPVM.COM lanyard. No live subjects, generally. And I'm in California.
This isn't that far-fetched a question... in England I believe it's illegal to capture wireshark traces.
I'm waiting for some SF bar to set up FR at the door and start tweeting who's in the bar this evening so all their friends will know on Facebook.
So it is okay for the Local, State or Federal governments, but not private companies. Interesting.
Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.
