Facial recognition technology is a hot topic and
this recently caught my attention: German
authorities have suggested that Facebook's "facial
recognition" feature is illegal. From
Deutsche Welle: Hamburg's data protection official
Johannes Caspar claims that the software
violates both German and European Union data
protection laws and that Facebook users don't
know how to delete the data that Facebook is
gathering. "If the data were to get into the
wrong hands, then someone with a picture taken
on a mobile phone could use biometrics to
compare the pictures and make an
identification," Caspar told the Hamburger
Abendblatt. "The right to anonymity is in
danger."
The legal keyword appears to be
"biometrics".
According to Caspar: "A normal user doesn't know how to delete
the biometric data. And besides, we have
demanded that biometric data be stored with the
subject's express consent."
Another keyword appears to be "stored"
(though… Deutsche Welle's article also
states that no data can be "collected" without
consent). Collected or stored biometric data,
which is it?
Is on the fly facial
recognition analysis legal if the data isn't
retained or stored after it's used?
In
any case, having several self-tagged Wall photos,
I decided to test the feature with my own personal
Facebook account. (Existing tagged photos is a
prerequisite, even if the user hasn't opted-out.
No tagged photos, no biometric data will
exist.)
First, I re-enabled my "Suggest
photos of me to friends" option in Facebook's
privacy settings.
And then I uploaded a photo:
While Facebook's photo upload
service "detected" two faces, neither of them were
"recognized" and no tag suggestions where offered.
So it would appear that there's no hidden
biometric "faceprint" of me in Facebook's
databases. Either none was collected between the
time when the feature was introduced and I
opted-out, or else they deleted what was stored
after I disabled the feature.
I ask
myself, is Facebook's biometric data really such a
big deal?
Google Images recently
released reverse image search. That feature is
much more likely to be used in future photo
comparisons than any Facebook data that falls
"into the wrong hands". If you have an
iPhone/Android device, try
Google Goggles
and then imagine the Google+ possibilities.
Then
there's current camera technology to consider. My
Canon S90 does a very decent job of detecting
faces on its own. If a face is detected, the
photo's EXIF metadata includes "SceneCaptureType
– Portrait" and the faces are tagged.
And that's just a start. Some
vendors, such as Samsung, have "Smart Face
Recognition", as demonstrated in this
video from April 2009. It's not a far leap at all before our cameras
are detecting, recognizing, and tagging faces in
our photos at the moment they're taken. And that
includes camera phones: Apple reportedly
plans to include facial recognition features in
iOS 5.
Mr. Caspar may indeed have
legitimate concerns regarding Facebook's current
biometric practices. But what happens if (when)
it's no longer a matter of analysis? If consumers
upload photos that contain facial tags, can
Facebook then make the suggestion?
It
should be noted that Facebook currently strips
EXIF metadata from uploaded images. (Kudos.)
Germany (and the EU) has excellent
data protection laws. But the law itself cannot
hope to forestall the issue of facial recognition
forever. The technology exists and policy makers
need to address the issue and seek solutions as if
biometric data is already freely available.
Because
even if legitimate companies can be successfully
regulated from storing this type of data,
criminals won't be so restrained. Computing power
is cheap, and getting cheaper. The worst case
scenario could be unregulated black market search
engines providing facial recognition services as a
service.
It wouldn't be the first time
such a business model developed.