Stakeholders Split Over Level of Consent Needed for Facial Recognition Code
Stakeholders at an NTIA-backed facial recognition code of conduct discussion split over three major issues at a Tuesday meeting: whether a biometric template should count as encryption; whether the code should focus on prior consent or preventing harmful uses; and whether a code might infringe individuals’ First and Fourth Amendment rights. The discussions reflected the differing opinions among proponents of the wide-ranging, high-level principles submitted last week to the NTIA (CD May 20 p13).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Privacy and consumer interest groups have pushed for a code of conduct requiring affirmative consent and opt-in notification for nearly any use of facial recognition technology. “Prior consent is the cornerstone of this document,” said American Civil Liberties Union (ACLU) Legislative Counsel Chris Calabrese. With such a tenet, NetChoice Policy Counsel Carl Szabo asked Calabrese, “How do we overcome the shoplifter or known sex offender if it requires written and specific consent when they walk into a store or walk near a school?” NetChoice represents e-commerce businesses, including tech companies such as Facebook and Google. Calabrese acknowledged, “We will have to flesh out the idea of consent slightly” to accommodate such examples. But he doesn’t see those exceptions as “that burdensome” and thought they can still be incorporated into a document with prior consent at its core.
"I'm troubled,” said App Developers Alliance Vice President-Law Policy and Government Affairs Tim Sparapani. “I have always been challenged by the idea of getting consent for the capture of an image in a public setting where someone is either an invitee or chooses to enter in a private dwelling owned by or operated by another entity,” he said. This could infringe on First Amendment rights “about the capture of images of people when they're in a public space,” he said.
There’s a difference between a law prohibiting behavior and a voluntary code of conduct that does so, Calabrese countered. The ACLU will defend racist and homophobic speech, but won’t condone it, he said. “There are times simply when we'll say we encourage good behavior.” Sparapani said he was worried, however, that other countries without First Amendment protections might model laws after a U.S. code of conduct.
The stakeholders also resurfaced the debate of whether a biometric template is encrypted, failing to come to a conclusion. The Marketing Research Association (MRA) submitted a principle that said taking a biometric template should count as a form of encryption. The principle helps address the questions, “Are [biometric templates] something that can be recombined elsewhere and does it become personally identifiable information [PII]? Does it open you up for abuse?” asked MRA Director of Government Affairs Howard Fienberg. “I think there is a direct benefit to the categorization of it as encryption,” Szabo said. “When you look at the state data breach laws, most of them do have, and encourage, encryption standards."
"Encryption would be a layer on top of” simply making a biometric template, said Alvaro Bedoya, a staffer for Sen. Al Franken, D-Minn., and chief counsel for the Senate Judiciary Subcommittee on Privacy, Technology and the Law. Defining a biometric template as encryption “will make ourselves a laughing stock among all those in the security community,” said a representative who phoned in from the office of Ontario Privacy Commissioner Ann Cavoukian. The same argument dominated the group’s second meeting.
The Interactive Advertising Bureau (IAB) also defended its “harm based” approach to the code of conduct, which privacy and consumer interest advocates opposed in the meeting. “Harm-based approaches are the norm in the U.S.,” said IAB Executive Vice President-General Counsel Mike Zaneis in an email. “For example, the FTC generally uses a harm-based approach towards enforcing their unfairness authority. We believe this well established standard is the right approach for a voluntary standards process.” At Tuesday’s meeting, Bedoya expressed a different view of the FTC’s best practices regarding facial recognition, saying the commission stressed “affirmative express consent.”