In re Facebook and the Facial Identification of Users

Top News

  • Court Rules D.C. Attorney General's Lawsuit Against Facebook Will Proceed: The D.C. Superior Court denied Facebook's motion to dismiss the complaint filed by D.C. Attorney General over the privacy practices that led to Cambridge Analytica. The D.C. Attorney General alleged that Facebook failed to monitor third-party use of personal data and failed to ensure users' data was deleted. The lawsuit seeks financial penalties, and an injunction to establish safeguards to protect users' data. The court ruled that the case could proceed because "District of Columbia residents' widespread utilization of, and repeated exchange of personal information through Facebook's online social networking service, constitute 'transactions.'" EPIC launched the #EnforceTheOrder campaign to pressure the FTC to take enforcement action against Facebook. EPIC brought the original complaint to the FTC in 2009 that led to the consent order. Facebook anticipates a $3-5 billion fine from the FTC. (Jun. 3, 2019)
  • Facebook Anticipates $3B-$5B Fine: According to news reports, Facebook has budgeted $3 billion for in its first-quarter earnings report, saying it expected the FTC to fine the company between $3-$5 billion. In January, EPIC and a coalition of consumer and civil rights groups sent a letter to the FTC calling on the Commission to enforce the order against Facebook by 1) imposing substantial fines; 2) establishing structural remedies; 3) requiring compliance with Fair Information Practices; 4) reforming hiring and management practices; and 5) restoring democratic governance. Also, EPIC's Freedom of Information Act request revealed that there are there are over 26,000 complaints pending against Facebook. In the eight years since the FTC announced the consent order barring Facebook from making any misrepresentation about user privacy, the FTC has not taken a single enforcement action against the company. EPIC launched the #EnforceTheOrder campaign to pressure the FTC to take enforcement action against Facebook. EPIC brought the original complaint to the FTC in 2009 that led to the consent order. (Apr. 26, 2019)
  • Senator Blumenthal Calls on FTC to Unwind Big Tech Mergers: In a Senate Judiciary Committee hearing earlier this week, Senator Richard Blumenthal said that antitrust enforcers must consider unwinding anticompetitive mergers. “Over the past decade tech companies have in effect been given a free pass by antitrust regulators,” Senator Blumenthal said. "Facebook perhaps should never been allowed to acquire Instagram, Google to acquire DoubleClick. I have come to the conclusion that maybe post merger, some of these transactions should be challengeable, rarely done, but still challengeable, especially when the merger is approved on conditions that are then violated.” Earlier this year, EPIC joined a coalition of groups urging the FTC to unwind the Facebook-WhatsApp merger, citing promises the companies made at time of the merger. (Mar. 7, 2019)
  • Senators Urge FTC to Act Against Facebook: In a letter to the Federal Trade Commission, Senators Ed Markey and Richard Blumenthal pushed the Commission to take swift action against Facebook, despite the government shutdown. "While we have repeatedly expressed concerns about the pace of this investigation, we fear that the current government shutdown further threatens the FTC's ability to complete this investigation," the Senators wrote. "When Americans' privacy is breached, they deserve a speedy and effective response." The letter comes nearly ten months after the FTC announced it would reopen an investigation into Facebook after EPIC's urging. Since then, EPIC has urged the Commission to act and has repeatedly highlighted Facebook's violations of the 2011 consent order in statements to Congress. The 2011 consent order followed an extensive complaint filed by EPIC and a coalition of consumer privacy organizations in 2009. (Jan. 18, 2019)
  • In Facebook Case, Ninth Circuit Ignores Privacy Risks of Visits to Healthcare Websites: In a surprisingly brief opinion, the Ninth Circuit has upheld a decision to dismiss a privacy suit against Facebook concerning the collection of sensitive medical data. In Smith v. Facebook, users alleged that the company tracked their visits to healthcare websites, in violation of the websites' explicit privacy policies. In a little less than five pages, the Ninth Circuit decided that Facebook was not bound by the promises made not to disclose users' data to Facebook because Facebook has a provision, buried deep in its own policy, that allows Facebook to secretly collect such data. The court actually wrote that searches for medical information are not sensitive because the "data show only that Plaintiffs searched and viewed publicly available health information..." EPIC filed an amicus brief in the case, arguing that "consent is not an acid rinse that dissolves common sense." In 2011 Facebook settled charges with the FTC that it routinely changed the privacy settings of users to obtain sensitive personal data. The consent order resulted from detailed complaints brought by EPIC and several other consumer organizations. (Dec. 7, 2018)
  • Facebook's Response to Congress Provides More Evidence of Consent Order Violations: Late Friday afternoon, Facebook submitted over 700 pages of responses to questions from members of Congress following Mark Zuckerberg's testimony in April. Facebook has now admitted that it provided developers and device makers access to personal data despite publicly stating that it had discontinued the practice. In April EPIC submitted a detailed letter to Congress, explaining that the Cambridge Analytica breach could have been avoided if the FTC had enforced the 2011 Consent Order. That Consent Order was the result of extensive complaints EPIC and consumer organizations filed with the FTC in 2009 and 2010. In March, the Acting Director of the FTC stated "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." In a recent memo, FTC Commissioner Rohit Chopra stated that "FTC orders are not suggestions." (Jul. 2, 2018)
  • EPIC Urges Appeals Court to Protect Consumers Against Invasive Cookie Tracking Practices: EPIC has filed an amicus brief with the Ninth Circuit Court of Appeals in In re: Facebook, Inc. Internet Tracking Litigation. At issue is whether Facebook violated the privacy rights of users by tracking their web browsing even after they logged out of the platform. EPIC explained that cookies "no longer serve the interests of users" and instead "tag, track, and monitor users across the Internet." EPIC said a lower court wrongly concluded that users should develop countermeasures to assert their privacy rights. EPIC responded that it would be absurd to expect users to compete in a "technical arms race" when "Facebook's tracking techniques are designed to escape detection and the company routinely ignores users' privacy protections." EPIC first identified the privacy risks of cookie tracking in a 1997 report "Surfer Beware: Personal Privacy and the Internet." EPIC frequently participates as amicus curiae in consumer privacy cases, including hiQ Labs v. LinkedIn and Eichenberger v. ESPN. (Jun. 27, 2018)
  • US Consumer Groups Urge FTC To Examine 'Deceived by Design' Practices: EPIC and a coalition of consumer organizations sent a letter to the FTC about recent tactics by Facebook and Google to trick users into disclosing personal data. "We urge you to investigate the misleading and manipulative tactics of the dominant digital platforms in the United States, which steer users to 'consent' to privacy-invasive default settings," the letter states. The letter highlights a report by the Norwegian Consumer Council entitled "Deceived by Design," which details how companies employ numerous tricks and tactics to nudge users into selecting the least privacy-friendly options. EPIC and consumer privacy organizations previously filed complaints with the FTC when Facebook undermined users' privacy settings and Google automatically opted users into Google Buzz. In both cases, the FTC determined that the companies had engaged in "unfair and deceptive trade practices." Both Facebook and Google settled with the FTC and were then subject to 20 year consent orders that were intended to prevent the companies from engaging in similar practices in the future. (Jun. 27, 2018)
  • At Senate Hearing, Former FTC CTO States That Facebook Violated FTC Consent Order: In a Senate Commerce Committee hearing today on Facebook and data privacy, former FTC CTO Ashkan Soltani stated that Facebook violated the 2011 FTC Consent Order by transferring personal data to Cambridge Analytica and device makers contrary to user privacy expectations. Soltani said that Facebook continued to misrepresent the extent to which users could control their privacy settings and allowed device makers to override users' privacy settings. Senator Blumenthal and other members of Congress had previously said the company violated the Consent Order, which was the result of complaints filed by EPIC in 2009 and 2010. In a statement to the Committee in advance of the hearing, EPIC urged the Senate to focus on the FTC's failure to enforce the Consent Order with Facebook. (Jun. 19, 2018)
  • EPIC Urges Senate Committee to Focus on Consent Order with Facebook: EPIC has sent a statement to the Senate Commerce Committee outlining the FTC's failure to enforce the 2011 Consent Order with Facebook. The statement from EPIC is for a hearing on "Cambridge Analytica and Other Facebook Partners: Examining Data Privacy Risks." In 2009, EPIC and several consumer groups pursued a complaint, containing detailed evidence, legal theories, and proposed remedies to address growing concerns about Facebook's data practices. The FTC established a Consent Order in 2011, but failed to enforce the Order even after EPIC sued the agency in a related matter. In the statement to the Senate this week, EPIC contends that the FTC could have prevented the Cambridge Analytica debacle and Facebook's secret arrangements with device makers if the agency enforced the 2011 Order. (Jun. 19, 2018)

Summary of EPIC's Facebook Complaint

On June 10, 2011, EPIC and three other organizations filed a complaint with the Federal Trade Commission, alleging that Facebook has engaged in unfair and deceptive trade practices. The complaint concerns Facebook's covert biometric data collection, and the subsequent use of this data for online identification. The complaint addresses the implementation of "Tag Suggestions" that converts photos uploaded by Facebook users into an image identification system under the sole control of Facebook, without user knowledge or consent.

In the complaint, EPIC asks the FTC to investigate Facebook, determine the extent of the harm to consumer privacy and safety, require Facebook to cease collection and use of users’ biometric data without their affirmative opt-in consent, require Facebook to give users meaningful control over their personal information, establish appropriate security safeguards, and limit the disclosure of user information to third parties. The following organizations signed onto the complaint:

  • The Electronic Privacy Information Center
  • The Center for Digital Democracy
  • Consumer Watchdog
  • Privacy Rights Clearinhouse

Background

Facebook

Facebook is the largest social network service provider in the United States. According to Facebook, there are more than 500 million active users, with about 150 million in the United States. 50% of active users log-on to Facebook in any given day. People spend over 700 billion minutes per month on Facebook and install 20 million applications per day.

More than 3 billion photos are uploaded to the site each month. Facebook is the largest photo-sharing site in the world by a wide margin. Each day people add more than 100 million tags to photos on Facebook.

Facebook and Privacy

In September 2006, Facebook disclosed users’ personal information, including details relating to their marital and dating status, without their knowledge or consent through its “News Feed” program.Hundreds of thousands of users objected to Facebook’s actions.

In 2007, Facebook disclosed users’ personal information, including their online purchases and video rentals, without their knowledge or consent through its “Beacon” program.

Facebook is a defendant in multiple federal lawsuits arising from the “Beacon” program. In the lawsuits, users allege violations of federal and state law, including the Video Privacy Protection Act, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and California’s Computer Crime Law.

On May 30, 2008, the Canadian Internet Policy and Public Interest Clinic filed a complaint with Privacy Commissioner of Canada concerning the “unnecessary and non- consensual collection and use of personal information by Facebook.” On July 16, 2009, the Privacy Commissioner’s Office found Facebook “in contravention” of Canada’s Personal Information Protection and Electronic Documents Act.

On February 4, 2009, Facebook revised its Terms of Service, asserting broad, permanent, and retroactive rights to users’ personal information—even after they deleted their accounts. Facebook stated that it could make public a user’s “name, likeness and image for any purpose, including commercial or advertising.”94 Users objected to Facebook’s actions, and Facebook reversed the revisions on the eve of an EPIC complaint to the Commission.

Facebook updated its privacy policy and changed the privacy settings available to users on November 19, 2009 and again on December 9, 2009. Facebook made several categories of personal data “publicly available information,” including users' names, profile photos, lists of friends, pages they are fans of, and networks to which they belong.

By default, Facebook discloses “publicly available information” to search engines, to Internet users whether or not they use Facebook, and others. According to Facebook, such information can be accessed by “every application and website, including those you have not connected with . . . .”

EPIC's FTC Complaint

EPIC's FTC complaint is also signed by the Center for Digital Democracy, Consumer Watchdog, and Privacy Rights Clearinghouse.

This complaint concerns covert biometric data collection by Facebook, the largest social network service in the United States. The secretive collection compilation and subsequent use of facial images for automated online identification adversely impacts consumers in the United States and around the world.Facebook’s "Tag Suggestions" techniques converts the photos uploaded by Facebook users into an image identification system under the sole control of Facebook. This has occurred without the knowledge or consent of Facebook users and without adequate consideration of the risks to Facebook users.These business practices violate Facebook’s Privacy Policy, as well as public assurances made by Facebook to users. These business practices are Unfair and Deceptive Trade Practices, subject to review by the Federal Trade Commission (the “Commission”) under section 5 of the Federal Trade Commission Act. There is every reason to believe that unless the Commission acts promptly, Facebook will routinely automate facial identification and eliminate any pretence of user control over the use of their own images for online identification.

Facebook's facial recognition technology works by generating a biometric signature for users who are tagged in photos on Facebook, i.e. using "summary data" from "photo comparisons. "This representation of biometric information, based on the user’s facial image, generated by Facebook, is available to Facebook but not to the user. Facebook routinely encourages users to “tag,” i.e. provide actual identifying information about, themselves, their friends, and other people they may recognize. Facebook "associate[s] the tags with [a user’s] account, compare what these tagged photos have in common and store a summary of this comparison." Facebook automatically compares uploaded photos “to the summary information we’ve stored about what your tagged photos have in common." Facebook gave no notice to users and failed to obtain consent prior to collecting "Photo Comparison Data," generating unique biometric identifiers, and linking biometric identifiers with individual users.

On December 15 2010, Facebook announced that it was implementing a facial recognition technology called “Tag Suggestions.” On June 7, 2011, Facebook announced that it had deployed “Tag Suggestions” technology over the last several months, and that the technology had been available internationally. Facebook did not provide users with any other notice about this facial recognition technology. Facebook admitted in a later statement that “we should have been more clear during the roll-out process when this became available to them.”47 However, as of the filing of this complaint, Facebook has made no effort to rectify that matter or to allow users to opt-in if they so choose. Facebook routinely encourages users to confirm Facebook’s indentification of facial images in user photos when users attempt to upload photos to their accounts on Faceook. Facebook automated identification of facial images would occur in the absence of any user intervention. Facebook did not obtain users’ consent before using the unique biometric identifiers generated by the "Photo Comparison Data” to identify individual users when a photograph containing their image is uploaded to Facebook.

There is no option within a user’s privacy preferences to delete or prevent Facebook’s biometric data collection. When a user wants to delete the biometric "summary" data associated with his account that can be used to pair his name to photos of him, he has to contact Facebook through a difficult-to-find link. Even after going through that process, Facebook never informs the user regarding whether or not Facebook will resume collecting biometric photo comparison data when pictures of him are manually tagged in the future. Facebook provides an option for users to disable the company’s "Tag Suggestion" technology, but this option does not disable Facebook’s collection of users’ biometric data.

The complaint also explains how Facebook has failed to establish that application developers, the Government, and other third parties will not be able to access "photo comparison data."

The complaint also addresses the ways in which Facebook's collection of biometric data for facial recognition violates user expectation, Facebook's terms of service, and Facebook's public statements.

The Significance of Facial Recognition

Facial recognition systems include computer-based biometric techniques that detect and identify human faces. The National Academy of Sciences has stated recently: "The success of large-scale or public biometric systems is dependent on gaining broad public acceptance of their validity. To achieve this goal, the risks and benefits of using such a system must be clearly presented. Public fears about using the system, including . . . concerns about theft or misuse of information, should be addressed."

There is significant controversy surrounding the use of facial recognition technology. The British police are “investigating how to incorporate facial recognition software into a new national mug shot database so they can track down criminals faster.”

The Chinese government is currently building an elaborate network infrastructure to enable the identification of people in public spaces. The “All-Seeing Eye” relies on the massive deployment of facial recognition technology.

According to documents obtained by EPIC under the Freedom of Information Act, the US Department of Homeland Security is pursuing a far-reaching program to automate the identification and tagging of individuals, both citizens and non-citizens, based upon their facial images. Among other programs, DHS is promoting face recognition technology so that federal marshals can surreptitiously photograph people in airports, bus and train stations, and elsewhere leading to the creation of new capabilities for government monitoring of individuals in public spaces. Facial recognition technology and its application for mass surveillance was described by Adm. John Poindexter, the architect of “Total Information Awareness.” However, several proposals for facial recognition by the US Department of Homeland Security have been scrapped after objections by local communities.

Social networking services have played a transformative role in several regions of the world, but governments also seek access to images of political organizers to obtain actual identities and to enable investigation and prosecution. In Iran, government agents have posted pictures of political activists online and used “crowd-sourcing” to identify individuals. There is also evidence that Iranian researchers are working on developing and improving facial recognition technology to identify political dissidents.

FTC Authority to Act

The FTC's primary enforcement authority with regards to privacy is derived from 15 U.S.C. ยง 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.

Legal Documents

EPIC Links

News Stories and Blog Items

Share this page:

Support EPIC

EPIC relies on support from individual donors to pursue our work.

Defend Privacy. Support EPIC.

EPIC Mueller Report book