It’s one of those wet, gray and miserable days here in the nation’s capital. By all accounts, it looked to be a pretty dull day in privacy news. I'd just clickity-clack at this wee desk, sipping a Pumpkin tea and nursing this nasty cold I somehow caught last week.
But then some news dropped that was rather hot. Like, McDonald's coffee hot. It turns out Facebook has changed course on its facial recognition plans. As New York Times journalist Kashmir Hill said, her “jaw dropped to the floor” when she heard the news.
For privacy advocates and regulators, Facebook has proven a formidable opponent on privacy thus far. Hey, it's got the social media market cornered; there’s virtually no competition and no federal law on data privacy. Historically, it does what it wants. That’s what makes its decision to shutter its facial recognition feature — voluntarily — a big moment.
However, some don't quite trust the news.
Some context: The company introduced a feature in 2010 that allowed users to automatically identify people who appeared in their photos by clicking "tag." By Facebook's numbers, more than one-third of daily users have opted into the Face Recognition system. In 2020, the social media giant agreed to settle for $650 million for alleged violations of Illinois' Biometric Information Privacy Act. The lawsuit claimed Facebook broke the law by allowing users to tag other users without their consent.
In 2019, Facebook paid $5 billion to the Federal Trade Commission for violating users' privacy when it "misrepresented users' ability to control the use of facial recognition technology with their accounts."
Now, it will delete more than a billion people's individual facial recognition templates. In its Nov. 2 statement, Facebook said the move is "part of a company-wide move to limit the use of facial recognition in our products."
Some reacted to the news with doubts.
Hard to believe that this is actually true. They want to expand to make more profits & this means more control which means more data not less. Something doesn't add up here.— Ahmed Mo'nis (@AhmedMo2nis) November 2, 2021
Others suspected that Facebook already got what it needed out of the data: It needed to train its algorithm against the photos. Now that it's had the opportunity, the data isn't necessary for it to maintain anymore. Importantly: There are no reports that that's true so far. The company said it's shuttering the feature because of the "many concerns about the place of facial recognition technology in society."
But it is true that Facebook doesn't claim it'll ditch facial recognition technology forever. Even in its announcement that it was shuttering the "tag feature" it said that looking ahead, "we still see facial recognition technology as a powerful tool, for example, for people needing to verify their identity, or to prevent fraud and impersonation." It added that facial recognition can actually help with privacy and transparency, so it will "continue working on these technologies and engaging outside experts."
You've heard me grumbling about the perils of facial recognition technology before. And while I agree there are benefits, it's been highly documented that the risks "do not come close to outweighing the risks," as Woodrow Hartzog and Evan Selinger wrote. Face scans are precious data to have. Once a company has software trained to detect and recognize faces, they can identify them by comparing them to other faces stored in a database. But the technology is imperfect. It frequently misidentifies faces, especially when it's analyzing a person of color.
In 2018, the American Civil Liberties Union tested Amazon's Rekognition software against members of U.S. Congress. The study found that the technology "mistakenly identified 28 members" as people who had been arrested for crimes.
A 2019 study by Georgetown Law's Center on Privacy & Technology found that law enforcement agencies across the country are using facial recognition technology broadly. One in two American adults is in a law enforcement facial recognition network already. In Florida, for example, "The Pinellas County Sheriff's Office system runs 8,000 monthly searches on the faces of seven million Florida drivers—without requiring that officers have even a reasonable suspicion before running a search," the study found. And that's dangerous because there are no rules in place to regulate how and when police deploy it to detect, arrest or convict alleged criminals.
The risks of facial recognition — perhaps using it to unlock your phone if your fingers are busy -— don't outweigh the risk of an innocent person being arrested because the tech made an oops.
A couple of things need to happen here: Government needs to create rules on law enforcement and private-sector facial recognition technology. The technology needs to advance to a much lower false-positive rate before any of those agencies use it to make life-changing decisions.
But those solutions are tricky because, you know: Congress. There's a lot of pressure from law enforcement agencies to use it to fight crime or airports to alleviate gate-check bottlenecks. And that adds to the slowdown of any government action.
That's why the Facebook news today left our collective mouths agape. Lawmakers who've called Facebook to testify at Congress, privacy advocates who've protested outside Facebook's headquarters and regulators who've fined it for privacy missteps are used to feeling frustrated. That the tech giant is willing to delete billions of users' data on its own is a big win for privacy advocates. And they'll take it.
There's more on this at the link below. Enjoy reading, and I'll see you next week!
Facebook shutters facial recognition over privacy concerns
In a move privacy advocates are calling a win, Facebook is shuttering its facial recognition system this month and deleting the face scans it took of more than one billion users. The company introduced a feature in 2010 that allowed users to automatically identify people who appeared in their photos by clicking "tag." In a statement, Facebook said it's making the change because of "many concerns about the place of facial recognition technology in society."
China's privacy law is officially in effect
China's new privacy law came into effect Monday, Nov. 1. The law created rules for how Chinese consumers' data is collected, used and stored, ZDNet reports. It applies to China-based companies and foreign businesses that process Chinese consumers' data. Fines for noncompliance with the Personal Information Protection Law could be as high as 50 million yuan ($7.5 million) or 5% of the company's annual turnover the previous year.
Yahoo officially leaves China, citing 'operating environment'
Yahoo is the latest foreign tech company to exit China, AP News reports. The company cited its commitment to user rights and a free and open internet. "In recognition of the increasingly challenging business and legal environment in China, Yahoo's suite of services will no longer be accessible from mainland China as of Nov. 1," the company said in a statement.
Mozilla implements Global Privacy Control
Last week, Mozilla announced it's "the first major web browser" to implement Global Privacy Control (GPC), ZDNet reports. The California Consumer Protection Act requires GPC, and it allows users to signal to websites not to share or sell their personal data. In its statement, Mozilla said it was an early supporter and founding member of GPC because it "gives more control to people over their data online and sets a path for the enforcement of their privacy rights."
Coalition asks FTC to create rules on data privacy, online abuse
A group of civil rights, democracy and consumer advocacy groups wrote to Federal Trade Commission (FTC) Chair Lina Khan asking that her agency create rules to safeguard privacy and civil rights online. Meanwhile, The Wall Street Journal reports on the challenges facing the FTC as it embarks on its plan to protect consumer privacy, including budget, personnel and "potential legal pushback."