In re Facebook and the Facial Identification of Users

Top News

  • Facebook Timeline Changes User Privacy Settings. Again.: Without user consent, Facebook announced today that it would post archived user information, making old posts available under Facebook's current downgraded privacy settings. Users have just a week to clean up their history before Timeline goes live. The surprising announcement follows a recent decision by the Federal Trade Commission which found that the company had engaged in "unfair and deceptive" trade practices when it changed the privacy settings of its users. EPIC initiated that complaint and is now urging FB users to submit comments to strengthen the proposed settlement. For more information, see EPIC - In Re Facebook and EPIC - Facebook and Privacy. (Dec. 15, 2011)
  • Federal Trade Commission Announces Settlement in EPIC Facebook Privacy Complaint: The Federal Trade Commission has announced an agreement with Facebook that follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. In 2009, EPIC first asked the FTC to investigate Facebook's decision to change its users' privacy settings in a way that made users' personal information, such as Friend lists and application usage data, more widely available to the public and to Facebook’s business partners. The violations are also detailed in the FTC’s 8-count complaint against the company. The proposed settlement agreement bars Facebook from making future changes to privacy settings without the affirmative consent of users and requires the company to implement a comprehensive privacy protection program and submit to independent privacy audits for 20 years. The settlement does not adopt EPIC's recommendation that Facebook restore users' privacy settings to pre-2009 levels. Facebook CEO Mark Zuckerberg reacted to the settlement in a post on Facebook's blog, saying that he was "first to admit that we've made a bunch of mistakes." For more information, see EPIC: In re Facebook, and EPIC: Federal Trade Commission. (Nov. 29, 2011)
  • FTC Releases Agenda for Facial Recognition Workshop: The Federal Trade Commission has announced the agenda and panelists for a workshop exploring the privacy and security issues raised by the increased use of facial recognition technology. The workshop will be held December 8, 2011 at the FTC Conference Center, and will feature diverse panelists with consumer protection, privacy, business, international, and academic backgrounds. EPIC Senior Counsel John Verdi will speak on the panel "Facial Detection & Recognition: Exploring the Policy Implications." EPIC has a complaint pending before the FTC over Facebook's use of facial recognition technology to build a secret database of users' biometric data and to enable the company to automatically tag users in photos. For more information, see EPIC: In re Facebook, and EPIC: Federal Trade Commission. (Nov. 22, 2011)
  • WSJ: Facebook Close to Settlement with FTC over EPIC Complaint: The Wall Street Journal reports that the Federal Trade Commission is finalizing a settlement with Facebook that follows from a complaint from EPIC and a coalition of US consumer and privacy organizations. In 2009, the organizations urged the Commission to investigate Facebook's decision to change its users' privacy settings which made the personal information of Facebook users more widely available to Facebook's business partners and the public. According to the Wall Street Journal, the settlement would require Facebook to obtain "express affirmative consent" if Facebook makes "material retroactive changes," and to submit to independent privacy audits for 20 years. For more information, see EPIC: In re Facebook, EPIC: Facebook Privacy and EPIC: Federal Trade Commission. (Nov. 10, 2011)
  • Sen. Rockefeller Requests FTC Report on Facial Recognition Technology: Senator John D. Rockefeller (D-WV) sent a letter requesting that the Federal Trade Commission assess the use of facial recognition technology and recommend legislation to protect privacy. Facial recognition technology is being used by technology firms and also police agencies, which has raised civil liberties concerns. The letter cited mobile applications such as SceneTap, which "tracks the male/female ratio and age mix of the crowd [in bars]" and digital advertising at the Venetian Resort in Las Vegas that tailors ads to the person standing in front of the display based on recognition of that person’s age and gender. The FTC will hold a workshop on facial recognition technology on December 8, 2011. EPIC's complaint regarding Facebook's facial recognition is still pending before the FTC. For more information, see EPIC: In re Facebook, and EPIC: Facial Recognition. (Oct. 20, 2011)
  • Facebook Makes Some Changes, Privacy Complaints Still Pending: In response to several complaints filed by EPIC with the Federal Trade Commission, Facebook announced that it would make some changes in its business practices, including providing more accurate information about the disclosure of user data to others and new safeguards for photo tagging. EPIC, along with several privacy organizations, filed several complaints with the FTC about FB's automated tagging of users, changes in Privacy settings, and transfers of personal data, stating that Facebook's practices were "unfair and deceptive." Facebook's recent actions address some but not all of the issues raised by the consumer organizations. The complaints at the FTC are still pending. For more information see EPIC: Facebook Privacy. (Aug. 29, 2011)
  • Facebook Makes Changes to Facial Recognition; Still Relying on Opt-Out: In response to a letter from the Connecticut Attorney General, Facebook agreed to run ads that link users to their privacy settings and show them how to opt out of Facebook's facial recognition program. The ads are new, but Facebook has failed to implement an opt-in model for its facial recognition technology. EPIC, along with several other organizations, filed a complaint with the Federal Trade Commission concerning Facebook's unfair and deceptive trade practices regarding biometric data collection. EPIC urged the FTC to require Facebook to suspend the program pending a full investigation. EPIC also urged the Commission to require Facebook to establish stronger privacy safeguards and an opt-in regime for the facial recognition scheme. For more information, see EPIC: In re Facebook and the Facial Identification of Users. (Jul. 27, 2011)
  • Congressman Markey Commends EPIC, Privacy Groups for Filing Facebook Complaint: Congressman Ed Markey today expressed support for the complaint filed last week by EPIC and privacy groups concerning Facebook's new scheme for online tagging. In a published statement, Congressman Markey said, "The Federal Trade Commission should investigate this important privacy matter, and I commend the consumer groups for their filing. When it comes to users’ privacy, Facebook’s policy should be: 'Ask for permission, don’t assume it.' Rather than facial recognition, there should be a Facebook recognition that changing privacy settings without permission is wrong. I encourage the FTC to probe this issue and will continue to closely monitor this issue." EPIC and consumer groups now have several complaints regarding Facebook pending at the FTC. For more information, see EPIC - In re Facebook and EPIC - In re Facebook II, and EPIC - Facebook and Privacy. (Jun. 14, 2011)
  • EPIC Files Complaint, Urges Investigation of Facebook's Facial Recognition Techniques: Today EPIC, and several privacy organizations, filed a complaint with the Federal Trade Commission about Facebook's automated tagging of Facebook users. EPIC alleged that the service was unfair and deceptive and urged the FTC to require Facebook to suspend the program, pending a full investigation, the establishment of stronger privacy standards, and a requirement that automated identification, based on user photos, require opt-in consent. EPIC alleged that "Users could not reasonably have known that Facebook would use their photos to build a biometric database in order to implement a facial recognition technology under the control of Facebook." EPIC warned that "absent injunctive relief by the Commission, Facebook will likely expand the use of the facial recognition database it has covertly established for purposes over which Facebook users will be able to exercise no meaningful control." EPIC has previously filed two complaints with the Commission regarding Facebook. For more information see EPIC: Facebook Privacy. (Jun. 10, 2011)
  • Facebook Resumes Plan to Disclose User Home Addresses and Mobile Phone Numbers: Facebook indicated in a letter to Rep. Markey (D-MA) and Rep. Barton (R-TX) that it will go forward with a proposal to provide users' addresses and mobile phone numbers to third-party application developers. The Congressmen earlier expressed concern about the proposal. Facebook also wrote that it may disclose the home addresses and mobile numbers of minors who use the social networking service. Facebook suspended the plan after EPIC and others objected. EPIC and several consumer organizations have complaints pending at the Federal Trade Commission concerning Facebook's earlier changes to users' privacy settings. For more information, see EPIC: In re Facebook, EPIC: In re Facebook II, and EPIC: Facebook Privacy. (Mar. 2, 2011)

Summary of EPIC's Facebook Complaint

On June 10, 2011, EPIC and three other organizations filed a complaint with the Federal Trade Commission, alleging that Facebook has engaged in unfair and deceptive trade practices. The complaint concerns Facebook's covert biometric data collection, and the subsequent use of this data for online identification. The complaint addresses the implementation of "Tag Suggestions" that converts photos uploaded by Facebook users into an image identification system under the sole control of Facebook, without user knowledge or consent.

In the complaint, EPIC asks the FTC to investigate Facebook, determine the extent of the harm to consumer privacy and safety, require Facebook to cease collection and use of users’ biometric data without their affirmative opt-in consent, require Facebook to give users meaningful control over their personal information, establish appropriate security safeguards, and limit the disclosure of user information to third parties. The following organizations signed onto the complaint:

  • The Electronic Privacy Information Center
  • The Center for Digital Democracy
  • Consumer Watchdog
  • Privacy Rights Clearinghouse

Background

Facebook

Facebook is the largest social network service provider in the United States. According to Facebook, there are more than 500 million active users, with about 150 million in the United States. 50% of active users log on to Facebook on any given day. People spend over 700 billion minutes per month on Facebook and install 20 million applications per day.

More than 3 billion photos are uploaded to the site each month. Facebook is the largest photo-sharing site in the world by a wide margin. Each day people add more than 100 million tags to photos on Facebook.

Facebook and Privacy

In September 2006, Facebook disclosed users’ personal information, including details relating to their marital and dating status, without their knowledge or consent through its “News Feed” program. Hundreds of thousands of users objected to Facebook’s actions.

In 2007, Facebook disclosed users’ personal information, including their online purchases and video rentals, without their knowledge or consent through its “Beacon” program.

Facebook is a defendant in multiple federal lawsuits arising from the “Beacon” program. In the lawsuits, users allege violations of federal and state law, including the Video Privacy Protection Act, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and California’s Computer Crime Law.

On May 30, 2008, the Canadian Internet Policy and Public Interest Clinic filed a complaint with the Privacy Commissioner of Canada concerning the “unnecessary and non-consensual collection and use of personal information by Facebook.” On July 16, 2009, the Privacy Commissioner’s Office found Facebook “in contravention” of Canada’s Personal Information Protection and Electronic Documents Act.

On February 4, 2009, Facebook revised its Terms of Service, asserting broad, permanent, and retroactive rights to users’ personal information—even after they deleted their accounts. Facebook stated that it could make public a user’s “name, likeness and image for any purpose, including commercial or advertising.” Users objected to Facebook’s actions, and Facebook reversed the revisions on the eve of an EPIC complaint to the Commission.

Facebook updated its privacy policy and changed the privacy settings available to users on November 19, 2009 and again on December 9, 2009. Facebook made several categories of personal data “publicly available information,” including users' names, profile photos, lists of friends, pages they are fans of, and networks to which they belong.

By default, Facebook discloses “publicly available information” to search engines, to Internet users whether or not they use Facebook, and others. According to Facebook, such information can be accessed by “every application and website, including those you have not connected with . . . .”

EPIC's FTC Complaint

EPIC's FTC complaint is also signed by the Center for Digital Democracy, Consumer Watchdog, and Privacy Rights Clearinghouse.

This complaint concerns covert biometric data collection by Facebook, the largest social network service in the United States. The secretive collection, compilation, and subsequent use of facial images for automated online identification adversely impacts consumers in the United States and around the world. Facebook’s "Tag Suggestions" technique converts the photos uploaded by Facebook users into an image identification system under the sole control of Facebook. This has occurred without the knowledge or consent of Facebook users and without adequate consideration of the risks to Facebook users. These business practices violate Facebook’s Privacy Policy, as well as public assurances made by Facebook to users. These business practices are Unfair and Deceptive Trade Practices, subject to review by the Federal Trade Commission (the “Commission”) under section 5 of the Federal Trade Commission Act. There is every reason to believe that unless the Commission acts promptly, Facebook will routinely automate facial identification and eliminate any pretence of user control over the use of their own images for online identification.

Facebook's facial recognition technology works by generating a biometric signature for users who are tagged in photos on Facebook, i.e. using "summary data" from "photo comparisons." This representation of biometric information, based on the user’s facial image, generated by Facebook, is available to Facebook but not to the user. Facebook routinely encourages users to “tag,” i.e. provide actual identifying information about, themselves, their friends, and other people they may recognize. Facebook "associate[s] the tags with [a user’s] account, compare what these tagged photos have in common and store a summary of this comparison." Facebook automatically compares uploaded photos “to the summary information we’ve stored about what your tagged photos have in common." Facebook gave no notice to users and failed to obtain consent prior to collecting "Photo Comparison Data," generating unique biometric identifiers, and linking biometric identifiers with individual users.

On December 15, 2010, Facebook announced that it was implementing a facial recognition technology called “Tag Suggestions.” On June 7, 2011, Facebook announced that it had deployed “Tag Suggestions” technology over the last several months, and that the technology had been available internationally. Facebook did not provide users with any other notice about this facial recognition technology. Facebook admitted in a later statement that “we should have been more clear during the roll-out process when this became available to them.” However, as of the filing of this complaint, Facebook has made no effort to rectify that matter or to allow users to opt-in if they so choose. Facebook routinely encourages users to confirm Facebook’s identification of facial images in user photos when users attempt to upload photos to their accounts on Facebook. Facebook's automated identification of facial images would occur in the absence of any user intervention. Facebook did not obtain users’ consent before using the unique biometric identifiers generated by the “Photo Comparison Data” to identify individual users when a photograph containing their image is uploaded to Facebook.

There is no option within a user’s privacy preferences to delete or prevent Facebook’s biometric data collection. When a user wants to delete the biometric "summary" data associated with his account that can be used to pair his name to photos of him, he has to contact Facebook through a difficult-to-find link. Even after going through that process, Facebook never informs the user regarding whether or not Facebook will resume collecting biometric photo comparison data when pictures of him are manually tagged in the future. Facebook provides an option for users to disable the company’s "Tag Suggestion" technology, but this option does not disable Facebook’s collection of users’ biometric data.

The complaint also explains how Facebook has failed to establish that application developers, the Government, and other third parties will not be able to access "photo comparison data."

The complaint also addresses the ways in which Facebook's collection of biometric data for facial recognition violates user expectation, Facebook's terms of service, and Facebook's public statements.

The Significance of Facial Recognition

Facial recognition systems include computer-based biometric techniques that detect and identify human faces. The National Academy of Sciences has stated recently: "The success of large-scale or public biometric systems is dependent on gaining broad public acceptance of their validity. To achieve this goal, the risks and benefits of using such a system must be clearly presented. Public fears about using the system, including . . . concerns about theft or misuse of information, should be addressed."

There is significant controversy surrounding the use of facial recognition technology. The British police are “investigating how to incorporate facial recognition software into a new national mug shot database so they can track down criminals faster.”

The Chinese government is currently building an elaborate network infrastructure to enable the identification of people in public spaces. The “All-Seeing Eye” relies on the massive deployment of facial recognition technology.

According to documents obtained by EPIC under the Freedom of Information Act, the US Department of Homeland Security is pursuing a far-reaching program to automate the identification and tagging of individuals, both citizens and non-citizens, based upon their facial images. Among other programs, DHS is promoting face recognition technology so that federal marshals can surreptitiously photograph people in airports, bus and train stations, and elsewhere leading to the creation of new capabilities for government monitoring of individuals in public spaces. Facial recognition technology and its application for mass surveillance was described by Adm. John Poindexter, the architect of “Total Information Awareness.” However, several proposals for facial recognition by the US Department of Homeland Security have been scrapped after objections by local communities.

Social networking services have played a transformative role in several regions of the world, but governments also seek access to images of political organizers to obtain actual identities and to enable investigation and prosecution. In Iran, government agents have posted pictures of political activists online and used “crowd-sourcing” to identify individuals. There is also evidence that Iranian researchers are working on developing and improving facial recognition technology to identify political dissidents.

FTC Authority to Act

The FTC's primary enforcement authority with regard to privacy is derived from 15 U.S.C. § 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.
