No one knows your face as well as your iPhone does. All the unique variances of your face that make it yours and yours alone, these are all data points that your iPhone uses to unlock your phone using a face in place of a thumbprint. This same data that the iPhone collects can be used by the underlying tech—facial recognition technology—in a vast array of applications, from border control to photo tagging to law enforcement. But is this data (the measurement of the space between the eyes, the texture of the skin, etc.) open data? Or do individuals have a right to protection of an image of their face?
Some senators think so. On March 14, the Senate introduced a new bill—the Commercial Facial Recognition Privacy Act—aimed at regulating use of consumers’ data for facial recognition technology. The bill, sponsored by Senators Brian Schatz (D-HI) and Roy Blunt (R-MO), prohibits commercial companies from using facial recognition technology to identify or track an end user without obtaining affirmative consent from the user. Speaking about the bill, Sen. Schatz said, “Our faces are our identifies. They’re personal.”
While one’s face is certainly a very personal possession, it’s unclear whether an image of that face is subject to the same rights of possession. What if an image of a face is publicly posted on the internet? What if an image of a face is captured while in public? As of now, companies developing or utilizing facial recognition technology seem to be able to use images of faces without much restriction. Regulation such as the newly introduced bill is unknown territory, and its impact on the advancement and applications of facial recognition technology may be significant. Particularly as the tech depends on having data from as many diverse images of faces as possible—the more diversity it captures, the better it can identify a unique face—any limitation on the ability of companies to acquire and use images of faces may have unintended detrimental consequences.
The proposed Commercial Facial Recognition Privacy Act’s specific provisions are broad. First, the bill makes it unlawful to “use facial recognition technology to collect facial recognition data” unless the company obtains affirmative consent from the user and notifies the user that facial recognition technology is present. Second, the bill makes it unlawful to “use the facial recognition technology to discriminate against an end user in violation of applicable Federal or State law.” Third, companies cannot “repurpose facial recognition data for a purpose that is different from those presented to the end user” as part of the notification that the user’s facial recognition data is being collected. Finally, the bill prohibits sharing of facial recognition data with a third party without affirmative consent.
The new bill specifically excludes government and law enforcement agencies. It also carves out exceptions for use of the technology in “personal file management or photo or video sorting or storage,” identification of “public figures for journalistic media created for public interest,” identification of “public figures in copyrighted material for theatrical release,” or “if there is an emergency involving imminent danger or risk of death or serious physical injury.”
It will be interesting to see how the bill fares. Regulations of facial recognition technology could set a new tone of regulation of a whole host of personal/biometric data, including those already regularly used such as fingerprints, retinal scans and voice recordings, as well as more esoteric things such as a person’s grip or hand geometry or heartbeat—all of which may eventually be used to unlock your iPhone.