EPIC Draft FTC Complaint Vilifies Facebook's Facial Recognition

Earlier this week Facebook drew significant backlash over a feature that uses facial recognition to help users tag their friends in photos shared on the site. The feature isn’t new, but Facebook recently activated it by default for many users, drawing a wave of criticism including a probe from European Union privacy regulators (though Facebook later clarified that there isn’t a formal investigation under way). I’ve already shared my take on the issue: the EU complaints seem to have little to do with facial recognition and a lot to do with longstanding Facebook policies — and the feature in question is benign.

But plenty of people don’t share my stance, and now it looks like Facebook may be up against a challenge in the United States as well. We’ve obtained a draft copy of a complaint to the FTC penned by the Electronic Privacy Information Center (EPIC), and we hear that they’re trying to drum up support from other privacy organizations before they file the document.  We’ve contacted EPIC to clarify their intentions and will update if we hear back from them. But for now, we can still examine the complaint. Update: EPIC has written a post about the complaint here.

Parts of the document, particularly one section called ‘The Significance of Facial Recognition”, seem over the top. In it, EPIC discusses the use of facial recognition by various governments to keep tabs on people in public places, including a reference to China’s “All-Seeing Eye”. In other words, it points out that the technology can be used in scary ways, regardless of how Facebook actually intends to use it.

Likewise, some of the passages are seemingly intended to spook:

There is every reason to believe that unless the Commission acts promptly, Facebook will routinely automate facial identification and eliminate any pretence of user control over the use of their own images for online identification.


42. Facebook’s facial recognition technology works by generating a biometric signature for users who are tagged in photos on Facebook, i.e. using “summary data” from “photo comparisons.”

“Biometric signature” sounds pretty scary. But it apparently isn’t all that accurate — Facebook says that its technology couldn’t be used to identify any of its hundreds of millions of users simply by analyzing their faces. Instead, it’s powerful enough to look at your twenty best friends on the site (typically the people you interact with most) and guess if one of them is in a given photo, which requires far less computational power and less sophisticated software.

Another portion of the document that isn’t particularly convincing involves the Facebook API. The document says that Facebook”fails to establish that application developers, the government, and other third parties will not be able to access “Photo Comparison Data”‘, and seems to imply that developers can access the data using the Graph API. Facebook says that this data is not available through the API at all, though it might be a good idea for them to put that in writing.

But while parts of the document seem overly alarmist, there are a couple of legitimate points. For instance, Facebook’s help section that details how to delete a user’s ‘Photo Comparison Data’ (in other words, your facial profile) is apparently incorrect because there’s no such button in the settings menu. Facebook explains that the data is in fact deleted when a user disables the tag suggestion feature, but it seems that the help file and the control panel don’t match.

Another valid point: Sam Odio, who is the product manager for Facebook Photos, was previously quoted as saying:

“This isn’t face recognition… Picasa and iPhoto — they’ll detect a face and say, “This is Sam,” and they’ll suggest that it’s Sam. We’re not doing that. We’re not linking any faces to profiles automatically. Right now, we want to stay away from that because it’s a very touchy subject.”

Obviously Facebook has since decided to implement the technology. And given the fact that they were aware of just how touchy a subject this is, it’s surprising that they didn’t do more to explain what was going on to users as the feature rolled out. But Odio didn’t say they weren’t doing it because they were fundamentally opposed to the idea, they just knew they’d face a backlash (and were right).

Overall, while the complaint has some legitimate concerns (Facebook should be brutally transparent about what data it stores, and when it will share it with various governments), treating Facebook’s tag suggestions as a battleground over the future of facial recognition seems like a mistake. I’m no more worried that Facebook is going to build a database of biometric facial profiles with the intention of distributing them than I am about Google building a database of all my search queries and selling those.

The reality is that facial recognition is already here, and it’s not going away — so the debate at this point should be a matter of figuring out how the technology should be used rather than if it can be created in the first place (Tim O’Reilly does a good job discussing this in this post). And, as features go, suggested photo tagging just doesn’t bother me.  I’m far more concerned about the companies I’ve never heard whose whole businesses will revolve around building and selling these biometric profiles, without users ever knowing about it.