Stakeholders Debate Biometric Industry Best Practices, Try to Identify Points of Agreement
Stakeholders argued over a biometric industry group’s facial recognition best practices, but decided they were nearing consensus on a few issues such as facial template storage and breaches of facial template data, at Tuesday’s NTIA-facilitated facial recognition technology code of conduct meeting. Stakeholders have been working to identify principles on which to base a code and issues the code must address, but faced a potential stumbling block when consumer advocates took issue with recently released best practices guidelines from the International Biometrics & Identification Association (IBIA) (CD June 24 p6).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
"Our contribution document is really not a final position paper,” said IBIA Vice Chairman Walter Hamilton, presenting the document Tuesday (http://bit.ly/1lkceiP). The document involved no collaboration with other organizations and was sourced from roughly a dozen IBIA members, including 3M Cogent, Digital Signal Corporation and NEC Corporation of America, which were at the meeting.
As they did when the document was initially released, consumer advocates took issue with the document’s position that it’s “impractical” to obtain opt-in consent from individuals entering a building. Alvaro Bedoya, a staffer for Sen. Al Franken, D-Minn., and chief counsel for the Senate Judiciary Subcommittee on Privacy, Technology & the Law, also questioned the document’s assertion that having access to a facial template “does not destroy the anonymity of a person.” Bedoya agreed “there’s no destruction going on,” but pointed to research presented at a previous NTIA meeting showing individuals can use off-the-shelf software to identify those individuals.
American Civil Liberties Union Legislative Director Chris Calabrese said Google’s and Facebook’s facial recognition use policies “contrast sharply with” the IBIA document. Both companies “allow you to withdraw your consent” and place “fairly transparent” limitations on how a company will use it, he said. Those companies’ policies are a “powerful way to keep the tech under control,” he said. Google and Facebook are members of e-commerce industry group NetChoice, which has participated in the talks. After the meeting, NetChoice Policy Counsel Carl Szabo told us he appreciated Calabrese’s highlighting the work of both companies in this area. “We can use that as a basis for designing a code of conduct that can help more than just those users,” he told us.
Hamilton said the document was not meant to apply to all companies and situations. IBIA “would caution against” applying “a singular set of principles” like that of Facebook or Google to all companies, Hamilton said. He could envision a number of different sets of principles for varying situations, Hamilton said. “The ability of an industry association of technology companies to impose conduct code on its members is, of course, very limited."
The group did start to come together on some issues. It has been working on a list of 18 issues a code of conduct should address (http://1.usa.gov/1nABOy2). When the code should apply and what security standards should apply to stored data -- issues two, 11 and 12 in the document -- were mentioned as on the path to consensus. The group tended to agree that when facial detection occurs, but no template is created, the code should impose fewer restrictions. It also agreed there should be “reasonable” privacy standards for stored biometric data and security standards to prevent data breaches. “Biometric data should be protected, even though we think it’s probably down on the scale in terms of risk of harm compared to other data,” Hamilton said.
Szabo agreed after the meeting that there was a near consensus on these issues. In the meeting, Szabo suggested a security standard similar to Massachusetts’ data breach law, which is flexible and relies on evolving industry standards (http://1.usa.gov/1lNz1mS), he said. Calabrese told us after the meeting: “I do think those are areas we should be able to reach consensus on,” but the group’s not there yet. When the group gets more granular on subjects, “issues always arise,” he said. “Since we haven’t had a detailed discussion [on these topics], it’s hard to know what those are.”