In re Facebook and the Facial Identification of Users

Top News

  • In Facebook Case, Ninth Circuit Ignores Privacy Risks of Visits to Healthcare Websites: In a surprisingly brief opinion, the Ninth Circuit has upheld a decision to dismiss a privacy suit against Facebook concerning the collection of sensitive medical data. In Smith v. Facebook, users alleged that the company tracked their visits to healthcare websites, in violation of the websites' explicit privacy policies. In a little less than five pages, the Ninth Circuit decided that Facebook was not bound by the promises made not to disclose users' data to Facebook because Facebook has a provision, buried deep in its own policy, that allows Facebook to secretly collect such data. The court actually wrote that searches for medical information are not sensitive because the "data show only that Plaintiffs searched and viewed publicly available health information..." EPIC filed an amicus brief in the case, arguing that "consent is not an acid rinse that dissolves common sense." In 2011 Facebook settled charges with the FTC that it routinely changed the privacy settings of users to obtain sensitive personal data. The consent order resulted from detailed complaints brought by EPIC and several other consumer organizations. (Dec. 7, 2018)
  • Facebook's Response to Congress Provides More Evidence of Consent Order Violations: Late Friday afternoon, Facebook submitted over 700 pages of responses to questions from members of Congress following Mark Zuckerberg's testimony in April. Facebook has now admitted that it provided developers and device makers access to personal data despite publicly stating that it had discontinued the practice. In April EPIC submitted a detailed letter to Congress, explaining that the Cambridge Analytica breach could have been avoided if the FTC had enforced the 2011 Consent Order. That Consent Order was the result of extensive complaints EPIC and consumer organizations filed with the FTC in 2009 and 2010. In March, the Acting Director of the FTC stated "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." In a recent memo, FTC Commissioner Rohit Chopra stated that "FTC orders are not suggestions." (Jul. 2, 2018)
  • EPIC Urges Appeals Court to Protect Consumers Against Invasive Cookie Tracking Practices: EPIC has filed an amicus brief with the Ninth Circuit Court of Appeals in In re: Facebook, Inc. Internet Tracking Litigation. At issue is whether Facebook violated the privacy rights of users by tracking their web browsing even after they logged out of the platform. EPIC explained that cookies "no longer serve the interests of users" and instead "tag, track, and monitor users across the Internet." EPIC said a lower court wrongly concluded that users should develop countermeasures to assert their privacy rights. EPIC responded that it would be absurd to expect users to compete in a "technical arms race" when "Facebook's tracking techniques are designed to escape detection and the company routinely ignores users' privacy protections." EPIC first identified the privacy risks of cookie tracking in a 1997 report "Surfer Beware: Personal Privacy and the Internet." EPIC frequently participates as amicus curiae in consumer privacy cases, including hiQ Labs v. LinkedIn and Eichenberger v. ESPN. (Jun. 27, 2018)
  • US Consumer Groups Urge FTC To Examine 'Deceived by Design' Practices: EPIC and a coalition of consumer organizations sent a letter to the FTC about recent tactics by Facebook and Google to trick users into disclosing personal data. "We urge you to investigate the misleading and manipulative tactics of the dominant digital platforms in the United States, which steer users to 'consent' to privacy-invasive default settings," the letter states. The letter highlights a report by the Norwegian Consumer Council entitled "Deceived by Design," which details how companies employ numerous tricks and tactics to nudge users into selecting the least privacy-friendly options. EPIC and consumer privacy organizations previously filed complaints with the FTC when Facebook undermined users' privacy settings and Google automatically opted users into Google Buzz. In both cases, the FTC determined that the companies had engaged in "unfair and deceptive trade practices." Both Facebook and Google settled with the FTC and were then subject to 20 year consent orders that were intended to prevent the companies from engaging in similar practices in the future. (Jun. 27, 2018)
  • At Senate Hearing, Former FTC CTO States That Facebook Violated FTC Consent Order: In a Senate Commerce Committee hearing today on Facebook and data privacy, former FTC CTO Ashkan Soltani stated that Facebook violated the 2011 FTC Consent Order by transferring personal data to Cambridge Analytica and device makers contrary to user privacy expectations. Soltani said that Facebook continued to misrepresent the extent to which users could control their privacy settings and allowed device makers to override users' privacy settings. Senator Blumenthal and other members of Congress had previously said the company violated the Consent Order, which was the result of complaints filed by EPIC in 2009 and 2010. In a statement to the Committee in advance of the hearing, EPIC urged the Senate to focus on the FTC's failure to enforce the Consent Order with Facebook. (Jun. 19, 2018)
  • EPIC Urges Senate Committee to Focus on Consent Order with Facebook: EPIC has sent a statement to the Senate Commerce Committee outlining the FTC's failure to enforce the 2011 Consent Order with Facebook. The statement from EPIC is for a hearing on "Cambridge Analytica and Other Facebook Partners: Examining Data Privacy Risks." In 2009, EPIC and several consumer groups pursued a complaint, containing detailed evidence, legal theories, and proposed remedies to address growing concerns about Facebook's data practices. The FTC established a Consent Order in 2011, but failed to enforce the Order even after EPIC sued the agency in a related matter. In the statement to the Senate this week, EPIC contends that the FTC could have prevented the Cambridge Analytica debacle and Facebook's secret arrangements with device makers if the agency enforced the 2011 Order. (Jun. 19, 2018)
  • Facebook Overrode Users’ Privacy Settings And Allowed Device Makers To Access Personal Data: Facebook had secret arrangements with at least 60 device makers granting them access to users' personal data, according to a report by the New York Times. Facebook overrode users privacy settings to allow companies to access sensitive information that users' had explicitly set to private. These arrangements directly contradict Facebook's previous statements that it cut off third party access to user data in 2015. Facebook is already under FTC investigation for violating a 2011 Consent Order that EPIC and consumer privacy organizations obtained. The Order bars Facebook from disclosing data to third parties without explicit consent. EPIC recently urged the FTC to enforce the Consent Order following revelations that Facebook allowed Cambridge Analytica to access the data of 87 million users. In a recent memo, FTC Commissioner Rohit Chopra stated that "FTC orders are not suggestions." (Jun. 5, 2018)
  • EPIC Obtains Partial Release of 2017 Facebook Audit: EPIC has obtained a redacted version of the 2017 Facebook Assessment required by the 2012 Federal Trade Commission Consent Order. The Order required Facebook to conduct biennial assessments from a third-party auditor of Facebook's privacy and security practices. In March, EPIC filed a Freedom of Information Act request for the 2013, 2015, and 2017 Facebook Assessments as well as related records. The 2017 Facebook Assessment, prepared by PwC, stated that "Facebook's privacy controls were operating with sufficient effectiveness" to protect the privacy of users. This assessment was prepared after Cambridge Analytica harvested the personal data of 87 million Facebook users. In a statement to Congress for the Facebook hearings last week, EPIC noted that FTC Commissioners represented that the Consent Order protected the privacy of hundreds of millions of Facebook users in the United States and Europe. (Apr. 20, 2018)
  • Senator Blumenthal Calls On FTC To Enforce Consent Order Against Facebook: Senator Richard Blumenthal (D-CT) has called for "monetary penalties that provide redress for consumers and stricter oversight" in a letter to the Federal Trade Commission. Senator Blumenthal focused on the FTC's 2011 Consent Order that EPIC, and a coalition of consumer groups obtained, after preparing a detailed complaint in 2009. Referring to the Cambridge Analytica scandal, Senator Blumenthal wrote that "three of the FTC's claims concerned the misrepresentation of verification and privacy preferences of third-party apps." Senator Blumenthal also raised questions about the FTC's monitoring of the consent order, noting that "even the most rudimentary oversight would have uncovered these problematic terms of service." And the Senator stated, "The Cambridge Analytica matter also calls into question Facebook's compliance with the consent decree's requirements to respect privacy settings and protect private information." EPIC and other consumer groups recently urged the FTC to reopen the investigation. The FTC has confirmed that an investigation of Facebook is now underway. (Apr. 20, 2018)
  • EPIC Urges Senate to Focus on FTC Consent Order with Facebook: In advance of a joint hearing about Facebook's failure to protect the personal data of users, EPIC has sent a comprehensive statement to the Senate Committee on the Judiciary and the Senate Committee on Commerce. EPIC is urging the Senators to focus on the 2011 Consent Order between Facebook and the Federal Trade Commission. In 2009, EPIC and a coalition of consumer groups presented the FTC with a complaint, containing detailed evidence, legal theories, and proposed remedies to address growing concerns about Facebook. The FTC adopted a Consent Order in 2011, based on EPIC's Complaint, but failed to enforce the Order even after EPIC sued the agency in a related matter. In numerous comments to the FTC, EPIC and others urged the FTC to enforce its consent order. In the statement to the Senate this week, EPIC contends that the Cambridge Analytica debacle could have been prevented if the FTC enforced the Order. (Apr. 9, 2018)

Summary of EPIC's Facebook Complaint

On June 10, 2011, EPIC and three other organizations filed a complaint with the Federal Trade Commission, alleging that Facebook has engaged in unfair and deceptive trade practices. The complaint concerns Facebook's covert biometric data collection, and the subsequent use of this data for online identification. The complaint addresses the implementation of "Tag Suggestions" that converts photos uploaded by Facebook users into an image identification system under the sole control of Facebook, without user knowledge or consent.

In the complaint, EPIC asks the FTC to investigate Facebook, determine the extent of the harm to consumer privacy and safety, require Facebook to cease collection and use of users’ biometric data without their affirmative opt-in consent, require Facebook to give users meaningful control over their personal information, establish appropriate security safeguards, and limit the disclosure of user information to third parties. The following organizations signed onto the complaint:

  • The Electronic Privacy Information Center
  • The Center for Digital Democracy
  • Consumer Watchdog
  • Privacy Rights Clearinhouse

Background

Facebook

Facebook is the largest social network service provider in the United States. According to Facebook, there are more than 500 million active users, with about 150 million in the United States. 50% of active users log-on to Facebook in any given day. People spend over 700 billion minutes per month on Facebook and install 20 million applications per day.

More than 3 billion photos are uploaded to the site each month. Facebook is the largest photo-sharing site in the world by a wide margin. Each day people add more than 100 million tags to photos on Facebook.

Facebook and Privacy

In September 2006, Facebook disclosed users’ personal information, including details relating to their marital and dating status, without their knowledge or consent through its “News Feed” program.Hundreds of thousands of users objected to Facebook’s actions.

In 2007, Facebook disclosed users’ personal information, including their online purchases and video rentals, without their knowledge or consent through its “Beacon” program.

Facebook is a defendant in multiple federal lawsuits arising from the “Beacon” program. In the lawsuits, users allege violations of federal and state law, including the Video Privacy Protection Act, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and California’s Computer Crime Law.

On May 30, 2008, the Canadian Internet Policy and Public Interest Clinic filed a complaint with Privacy Commissioner of Canada concerning the “unnecessary and non- consensual collection and use of personal information by Facebook.” On July 16, 2009, the Privacy Commissioner’s Office found Facebook “in contravention” of Canada’s Personal Information Protection and Electronic Documents Act.

On February 4, 2009, Facebook revised its Terms of Service, asserting broad, permanent, and retroactive rights to users’ personal information—even after they deleted their accounts. Facebook stated that it could make public a user’s “name, likeness and image for any purpose, including commercial or advertising.”94 Users objected to Facebook’s actions, and Facebook reversed the revisions on the eve of an EPIC complaint to the Commission.

Facebook updated its privacy policy and changed the privacy settings available to users on November 19, 2009 and again on December 9, 2009. Facebook made several categories of personal data “publicly available information,” including users' names, profile photos, lists of friends, pages they are fans of, and networks to which they belong.

By default, Facebook discloses “publicly available information” to search engines, to Internet users whether or not they use Facebook, and others. According to Facebook, such information can be accessed by “every application and website, including those you have not connected with . . . .”

EPIC's FTC Complaint

EPIC's FTC complaint is also signed by the Center for Digital Democracy, Consumer Watchdog, and Privacy Rights Clearinghouse.

This complaint concerns covert biometric data collection by Facebook, the largest social network service in the United States. The secretive collection compilation and subsequent use of facial images for automated online identification adversely impacts consumers in the United States and around the world.Facebook’s "Tag Suggestions" techniques converts the photos uploaded by Facebook users into an image identification system under the sole control of Facebook. This has occurred without the knowledge or consent of Facebook users and without adequate consideration of the risks to Facebook users.These business practices violate Facebook’s Privacy Policy, as well as public assurances made by Facebook to users. These business practices are Unfair and Deceptive Trade Practices, subject to review by the Federal Trade Commission (the “Commission”) under section 5 of the Federal Trade Commission Act. There is every reason to believe that unless the Commission acts promptly, Facebook will routinely automate facial identification and eliminate any pretence of user control over the use of their own images for online identification.

Facebook's facial recognition technology works by generating a biometric signature for users who are tagged in photos on Facebook, i.e. using "summary data" from "photo comparisons. "This representation of biometric information, based on the user’s facial image, generated by Facebook, is available to Facebook but not to the user. Facebook routinely encourages users to “tag,” i.e. provide actual identifying information about, themselves, their friends, and other people they may recognize. Facebook "associate[s] the tags with [a user’s] account, compare what these tagged photos have in common and store a summary of this comparison." Facebook automatically compares uploaded photos “to the summary information we’ve stored about what your tagged photos have in common." Facebook gave no notice to users and failed to obtain consent prior to collecting "Photo Comparison Data," generating unique biometric identifiers, and linking biometric identifiers with individual users.

On December 15 2010, Facebook announced that it was implementing a facial recognition technology called “Tag Suggestions.” On June 7, 2011, Facebook announced that it had deployed “Tag Suggestions” technology over the last several months, and that the technology had been available internationally. Facebook did not provide users with any other notice about this facial recognition technology. Facebook admitted in a later statement that “we should have been more clear during the roll-out process when this became available to them.”47 However, as of the filing of this complaint, Facebook has made no effort to rectify that matter or to allow users to opt-in if they so choose. Facebook routinely encourages users to confirm Facebook’s indentification of facial images in user photos when users attempt to upload photos to their accounts on Faceook. Facebook automated identification of facial images would occur in the absence of any user intervention. Facebook did not obtain users’ consent before using the unique biometric identifiers generated by the "Photo Comparison Data” to identify individual users when a photograph containing their image is uploaded to Facebook.

There is no option within a user’s privacy preferences to delete or prevent Facebook’s biometric data collection. When a user wants to delete the biometric "summary" data associated with his account that can be used to pair his name to photos of him, he has to contact Facebook through a difficult-to-find link. Even after going through that process, Facebook never informs the user regarding whether or not Facebook will resume collecting biometric photo comparison data when pictures of him are manually tagged in the future. Facebook provides an option for users to disable the company’s "Tag Suggestion" technology, but this option does not disable Facebook’s collection of users’ biometric data.

The complaint also explains how Facebook has failed to establish that application developers, the Government, and other third parties will not be able to access "photo comparison data."

The complaint also addresses the ways in which Facebook's collection of biometric data for facial recognition violates user expectation, Facebook's terms of service, and Facebook's public statements.

The Significance of Facial Recognition

Facial recognition systems include computer-based biometric techniques that detect and identify human faces. The National Academy of Sciences has stated recently: "The success of large-scale or public biometric systems is dependent on gaining broad public acceptance of their validity. To achieve this goal, the risks and benefits of using such a system must be clearly presented. Public fears about using the system, including . . . concerns about theft or misuse of information, should be addressed."

There is significant controversy surrounding the use of facial recognition technology. The British police are “investigating how to incorporate facial recognition software into a new national mug shot database so they can track down criminals faster.”

The Chinese government is currently building an elaborate network infrastructure to enable the identification of people in public spaces. The “All-Seeing Eye” relies on the massive deployment of facial recognition technology.

According to documents obtained by EPIC under the Freedom of Information Act, the US Department of Homeland Security is pursuing a far-reaching program to automate the identification and tagging of individuals, both citizens and non-citizens, based upon their facial images. Among other programs, DHS is promoting face recognition technology so that federal marshals can surreptitiously photograph people in airports, bus and train stations, and elsewhere leading to the creation of new capabilities for government monitoring of individuals in public spaces. Facial recognition technology and its application for mass surveillance was described by Adm. John Poindexter, the architect of “Total Information Awareness.” However, several proposals for facial recognition by the US Department of Homeland Security have been scrapped after objections by local communities.

Social networking services have played a transformative role in several regions of the world, but governments also seek access to images of political organizers to obtain actual identities and to enable investigation and prosecution. In Iran, government agents have posted pictures of political activists online and used “crowd-sourcing” to identify individuals. There is also evidence that Iranian researchers are working on developing and improving facial recognition technology to identify political dissidents.

FTC Authority to Act

The FTC's primary enforcement authority with regards to privacy is derived from 15 U.S.C. ยง 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.

Legal Documents

EPIC Links

News Stories and Blog Items

Share this page:

Support EPIC

EPIC relies on support from individual donors to pursue our work.

Defend Privacy. Support EPIC.