FTC Issues Best Practices for Facial Recognition Tech

The Federal Trade Commission today released a set of guidelines for how it believes companies should implement facial-recognition technology, and the overarching theme is - get people's permission.

"Fortunately, the commercial use of facial recognition technologies is still young," the FTC said in its report. "This creates a unique opportunity to ensure that as this industry grows, it does so in a way that respects the privacy interests of consumers while preserving the beneficial uses the technology has to offer."

Facial-recognition technology could be used to determine someone's age in order to serve up targeted ads or assess someone's level of engagement during a video game or movie. But - if that's not creepy enough - there are larger security concerns, like using the technology to identify anonymous individuals in public without their permission. Collected data, meanwhile, might be compromised by hackers.

The FTC, therefore, developed some "best practices" it wants companies to follow as they roll out facial-recognition tech. Ideally, these innovations will be designed with consumer privacy in mind, follow strict security guidelines, and consider the sensitivity of deploying them in certain areas - like where children might be.

Of bigger concern, however, is whether consumers know their faces are being analyzed.

The FTC "recommends that companies take steps to make sure consumers are aware of facial recognition technologies when they come in contact with them, and that they have a choice as to whether data about them is collected," the report said. "If a company is using digital signs to determine the demographic features of passersby, such as age or gender, they should provide clear notice to consumers that the technology is in use before consumers come into contact with the signs."

Facebook got into some hot water over facial-recognition tech last year, when it deployed a version of the feature to help with mass photo tagging. The company for the service in Dec. 2010, but turned it on by default without warning in June 2011, prompting concern from regulators and lawmakers. Ultimately, Facebook opted to in Europe.

In Dec. 2011, Google for photos uploaded to its Google+ social network.

The FTC said today that social networks should "provide consumers with clear notice about how the feature works, what data it collects, and how that data will be used." They should, for example, be able to turn off the use of facial-recognition technology and demand that Facebook delete any collected data.

Companies should always get permission, meanwhile, if they are using collected data for a purpose that was not explained, or if they using it to identify otherwise anonymous people.

The recommendations were adopted by a vote of 4 to 1, with Commissioner J. Thomas Rosch dissenting. He argued that the report "goes too far, too soon."

"I disagree with the adoption of 'best practices' on the ground that facial recognition may be misused," Rosch said. "There is nothing to establish that this misconduct has occurred or even that it is likely to occur in the near future. It is at least premature for anyone, much less the Commission, to suggest to businesses that they should adopt as 'best practices' safeguards that may be costly and inefficient against misconduct that may never occur."