Bad News for Face Recognition (FTC)By John Honovich, Published on Oct 22, 2012
Cold water is being thrown on renewed dreams of using facial recognition and demographic analysis. This time it is coming from an unlikely source and country. The United States Federal Trade Commission has issued 'best practices' that recommend fairly stringent approaches that could have a chilling effect on the use of these emerging technologies. This is all the more surprising given that the US has a much more relaxed general stance on privacy issues than the European Union. In this note, we dig through recommendations and the ones with the most practical impact for IP camera use.
Of the dozen recommendations made in the full FTC "Facing Facts' report, three of them may apply to IP cameras.
First, the FTC recommends receiving 'affirmative express consent when collecting a person's biometric data:
"Obtain a consumer’s affirmative express consent before using a consumer’s image or any biometric data derived from that image in a materially different manner than they represented when they collected the data"
This could be a significant problem because in surveillance, consumers typically have no idea that facial recognition is occurring and certainly never express 'affirmative consent'. On the web, this is more straightforward to accomplish as a person is interacting with a site. However, with surveillance cameras this could result in a shutdown of facial recognition systems if followed.
Second, adding signs that disclaim the use of demographic detection is recommended:
"Companies using digital signs capable of demographic detection – which often look no different than digital signs that do not contain cameras – should provide clear notice to consumers that the technologies are in use, before consumers come into contact with the signs."
In the case study, the FTC emphasizes that the sign should be prominent:
"Depending upon the size of the store, the notice may be a prominent notice at the entrance to the store itself or at the entrance to a particular section of the store – and on or near the sign itself"
The grey area here is that the examples are for displaying live ads. Potentially a VMS or video analytics supplier could claim an exception if it is only being used to chart demographic trends
Finally, a vague practice is encouraged about retention periods:
"Should establish and maintain appropriate retention and disposal practices for the consumer images and biometric data that they collect."
However, since no quantitative metrics nor further guidelines or given, this may be easier for providers to defend or justify.
Not Relevant to Surveillance / Camera Use
A handful of other recommendations might apply but, in practice, are not typically relevant.
Sharing biometric information is against best practices:
"Companies should not use facial recognition to identify anonymous images of a consumer to someone who could not otherwise identify him or her, without obtaining the consumer’s affirmative express consent."
Since security applications is typically limited to only use by security this is unlikely to be an issue.
Additionally, restrictions are recommended for camera placement:
"Companies developing digital signs equipped with cameras using facial recognition technologies should consider carefully where to place such signs and avoid placing them in sensitive areas, such as bathrooms, locker rooms, health care facilities, or places where children congregate."
However, facial recognition cameras are not typically placed in such areas.
Finally, protection is recommended:
"Companies that store such images should consider putting protections in place that would prevent unauthorized scraping"
However, 'scraping' is an issue of information posted on websites whereas most network cameras are used in internal networks only.
Questions of Enforcement
However, the FTC does not have legal authority as they disclaim:
"To the extent the recommended best practices go beyond existing legal requirements, they are not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC."
As such, regardless of what an organization does, they will not likely be going to jail. However, the FTC does have the power to fine plus not following these guidelines can increase litigation risks. The biggest issue will likely be a practical one as potential buyers consider what risks they take if they are seen as violating FTC best practices.