On June 10, 2011, EPIC and three other organizations filed a complaint with the Federal Trade Commission, alleging that Facebook has engaged in unfair and deceptive trade practices. The complaint concerns Facebook’s covert biometric data collection, and the subsequent use of this data for online identification. The complaint addresses the implementation of “Tag Suggestions” that converts photos uploaded by Facebook users into an image identification system under the sole control of Facebook, without user knowledge or consent.
In the complaint, EPIC asks the FTC to investigate Facebook, determine the extent of the harm to consumer privacy and safety, require Facebook to cease collection and use of users’ biometric data without their affirmative opt-in consent, require Facebook to give users meaningful control over their personal information, establish appropriate security safeguards, and limit the disclosure of user information to third parties.
The following organizations signed onto the complaint:
- The Electronic Privacy Information Center
- The Center for Digital Democracy
- Consumer Watchdog
- Privacy Rights Clearinghouse
Facebook is the largest social network service provider in the United States. According to Facebook, there are more than 500 million active users, with about 150 million in the United States. 50% of active users log on to Facebook on any given day. People spend over 700 billion minutes per month on Facebook and install 20 million applications per day.
More than 3 billion photos are uploaded to the site each month. Facebook is the largest photo-sharing site in the world by a wide margin. Each day people add more than 100 million tags to photos on Facebook.
Facebook and Privacy
In September 2006, Facebook disclosed users’ personal information, including details relating to their marital and dating status, without their knowledge or consent through its “News Feed” program. Hundreds of thousands of users objected to Facebook’s actions.
In 2007, Facebook disclosed users’ personal information, including their online purchases and video rentals, without their knowledge or consent through its “Beacon” program.
Facebook is a defendant in multiple federal lawsuits arising from the “Beacon” program. In the lawsuits, users allege violations of federal and state law, including the Video Privacy Protection Act, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and California’s Computer Crime Law.
On May 30, 2008, the Canadian Internet Policy and Public Interest Clinic filed a complaint with the Privacy Commissioner of Canada concerning the “unnecessary and non-consensual collection and use of personal information by Facebook.” On July 16, 2009, the Privacy Commissioner’s Office found Facebook “in contravention” of Canada’s Personal Information Protection and Electronic Documents Act.
On February 4, 2009, Facebook revised its Terms of Service, asserting broad, permanent, and retroactive rights to users’ personal information—even after they deleted their accounts. Facebook stated that it could make public a user’s “name, likeness and image for any purpose, including commercial or advertising.” Users objected to Facebook’s actions, and Facebook reversed the revisions on the eve of an EPIC complaint to the Commission.
By default, Facebook discloses “publicly available information” to search engines, to Internet users whether or not they use Facebook, and others. According to Facebook, such information can be accessed by “every application and website, including those you have not connected with . . . .”
EPIC’s FTC complaint is also signed by the Center for Digital Democracy, Consumer Watchdog, and Privacy Rights Clearinghouse.
Facebook’s facial recognition technology works by generating a biometric signature for users who are tagged in photos on Facebook, i.e. using “summary data” from “photo comparisons.” This representation of biometric information, based on the user’s facial image, generated by Facebook, is available to Facebook but not to the user. Facebook routinely encourages users to “tag,” i.e. provide actual identifying information about, themselves, their friends, and other people they may recognize. Facebook “associate[s] the tags with [a user’s] account, compare what these tagged photos have in common and store a summary of this comparison.” Facebook automatically compares uploaded photos “to the summary information we’ve stored about what your tagged photos have in common.” Facebook gave no notice to users and failed to obtain consent prior to collecting “Photo Comparison Data,” generating unique biometric identifiers, and linking biometric identifiers with individual users.
On December 15, 2010, Facebook announced that it was implementing a facial recognition technology called “Tag Suggestions.” On June 7, 2011, Facebook announced that it had deployed “Tag Suggestions” technology over the last several months, and that the technology had been available internationally. Facebook did not provide users with any other notice about this facial recognition technology. Facebook admitted in a later statement that “we should have been more clear during the roll-out process when this became available to them.” However, as of the filing of this complaint, Facebook has made no effort to rectify that matter or to allow users to opt-in if they so choose. Facebook routinely encourages users to confirm Facebook’s identification of facial images in user photos when users attempt to upload photos to their accounts on Facebook. Facebook’s automated identification of facial images would occur in the absence of any user intervention. Facebook did not obtain users’ consent before using the unique biometric identifiers generated by the “Photo Comparison Data” to identify individual users when a photograph containing their image is uploaded to Facebook.
There is no option within a user’s privacy preferences to delete or prevent Facebook’s biometric data collection. When a user wants to delete the biometric “summary” data associated with his account that can be used to pair his name to photos of him, he has to contact Facebook through a difficult-to-find link. Even after going through that process, Facebook never informs the user regarding whether or not Facebook will resume collecting biometric photo comparison data when pictures of him are manually tagged in the future. Facebook provides an option for users to disable the company’s “Tag Suggestion” technology, but this option does not disable Facebook’s collection of users’ biometric data.
The complaint also explains how Facebook has failed to establish that application developers, the Government, and other third parties will not be able to access “photo comparison data.”
The complaint also addresses the ways in which Facebook’s collection of biometric data for facial recognition violates user expectation, Facebook’s terms of service, and Facebook’s public statements.
The Significance of Facial Recognition
Facial recognition systems include computer-based biometric techniques that detect and identify human faces. The National Academy of Sciences has stated recently: “The success of large-scale or public biometric systems is dependent on gaining broad public acceptance of their validity. To achieve this goal, the risks and benefits of using such a system must be clearly presented. Public fears about using the system, including . . . concerns about theft or misuse of information, should be addressed.”
There is significant controversy surrounding the use of facial recognition technology. The British police are “investigating how to incorporate facial recognition software into a new national mug shot database so they can track down criminals faster.”
The Chinese government is currently building an elaborate network infrastructure to enable the identification of people in public spaces. The “All-Seeing Eye” relies on the massive deployment of facial recognition technology.
According to documents obtained by EPIC under the Freedom of Information Act, the US Department of Homeland Security is pursuing a far-reaching program to automate the identification and tagging of individuals, both citizens and non-citizens, based upon their facial images. Among other programs, DHS is promoting face recognition technology so that federal marshals can surreptitiously photograph people in airports, bus and train stations, and elsewhere, leading to the creation of new capabilities for government monitoring of individuals in public spaces. Facial recognition technology and its application for mass surveillance was described by Adm. John Poindexter, the architect of “Total Information Awareness.” However, several proposals for facial recognition by the US Department of Homeland Security have been scrapped after objections by local communities.
Social networking services have played a transformative role in several regions of the world, but governments also seek access to images of political organizers to obtain actual identities and to enable investigation and prosecution. In Iran, government agents have posted pictures of political activists online and used “crowd-sourcing” to identify individuals. There is also evidence that Iranian researchers are working on developing and improving facial recognition technology to identify political dissidents.
The FTC’s primary enforcement authority with regard to privacy is derived from 15 U.S.C. § 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce.” This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.
- EPIC’s FTC Complaint in In re Facebook and Facial Recognition (filed June 10, 2011)
- EPIC’s Previous FTC Complaint in In re Facebook (filed May 5, 2010).
- EPIC’s Previous FTC Complaint in In re Facebook (filed December 17, 2009).
- EPIC’s Previous Supplemental Complaint in In re Facebook (filed January 14, 2010).
- Federal Trade Commission, FTC Charges Deceptive Privacy Practices in Google’s Rollout of its Buzz Social Network (March 30, 2011).
- Federal Trade Commission, Online Data Broker Settles FTC Charges Privacy Pledges Were Deceptive (September 22, 2010).
- Federal Trade Commission, Twitter Settles Charges that it Failed to Protect Consumers’ Personal Information; Company Will Establish Independently Audited Information Security Program (June 24, 2010).
- Federal Trade Commission, LifeLock Will Pay $12 Million to Settle Charges by the FTC and 35 States That Identity Theft Prevention and Data Security Claims Were False (March 9, 2010).
- Federal Trade Commission, ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress (December 6, 2006).
- United States v. ChoicePoint, No. 06-CV-0198 (N.D. Ga. Feb. 10, 2006).
- Federal Trade Commission, Microsoft Settles FTC Charges alleging False Security and Privacy Provisions (August 8, 2002).
- In re Microsoft Corp. (Fed. Trade Comm’n Dec. 20, 2002).
- Federal Trade Commission: Section 5 Enforcement Actions
- In re Facebook
- In re Facebook II
- Facebook Privacy
- Federal Trade Commission
- In re Google Buzz
- Social Networking Privacy
- Facebook Places
- Bill Snyder, Facebook Facial Recognition: Why It’s a Threat to Privacy, PC Advisor (June 20, 2011).
- Jeff Balke, Five Reasons Facebook’s Facial Recognition Feature is a Bad Idea, HoustonPress Blogs (June 16, 2011).
- Beth Wellington, What Facebook Fails to Recognize, The Guardian (June 14, 2011).
- Richard Adhikari, Privacy Orgs Take Facebook Facial Face-Off to FTC, TechNews World (June 14, 2011).
- Brendan Lynch, U.S. Rep. Ed Markey Seeks Probe Over Privacy, Boston Herald (June 14, 2011).
- Kara Reeder, Privacy Groups File Complaint Over Facebook Facial Recognition, IT Business Edge (June 14, 2011).
- Facebook Photo Tagging: Cool or Creepy? Reuters Blog (June 14, 2011).
- EPIC Warns of Facebook “Biometric Data Collection”, International Business Times (June 14, 2011).
- Chloe Albanesius, Privacy Groups Request FTC Probe of Facebook Facial Recognition Tech, PC Magazine (June 13, 2011).
- Sharon Gaudin, Privacy Groups Push for U.S. Facebook Probe, Computer World (June 13, 2011).
- Ed Oswald, Privacy Advocates Ask Feds to Stop Facebook Facial Recognition, PCWorld (June 13, 2011).
- Cecilia Kang, Privacy Groups Urge Investigation of Facebook Facial Recognition Tool, The Washington Post Tech Blog (June 13, 2011).
- Editorial, Facebook’s Face Problem, The L.A. Times (June 11, 2011).
- Liz Gannes, Facebook Facial Recognition Prompts EU Privacy Probe, CNET (June 8, 2011).
- Stephanie Bodoni, Facebook to be Probed in EU for Facial Recognition in Photos, Business Week (June 8, 2011).
- Chloe Albanesius, Regulators Eyeing Facebook Facial Recognition, PC Magazine (June 8, 2011).
- Sarah Jacobsson Purewal, Google Won’t Dabble in Facial Recognition Search System, PCWorld (May 19, 2011).
- Hamid Tehrany, Iranian Officials Crowd Source Protester Identities Online, Global Voices (June 27, 2009).