In re Facebook and the Facial Identification of Users

Top News

  • EPIC Calls for Greater FTC Enforcement: In advance of a Senate Commerce hearing on consumer privacy, EPIC called for more action by the Federal Trade Commission to protect American consumers. In a statement for the Committee, EPIC said that "the FTC is simply not doing enough to safeguard the personal data of American consumers." EPIC explained that "the FTC's privacy framework - based largely on 'notice and choice' - is simply not working." EPIC also warned that consumers "face unprecedented threats of identity theft, financial fraud, and security breach." EPIC has fought for consumer privacy rights at the FTC for more than two decades, filing landmark complaints about privacy violations by Uber, Microsoft, Facebook, Google, and even suing the Commission when it has failed to enforce its own orders. (Sep. 28, 2017)
  • EPIC Urges Public Comments on FTC Settlement with Uber: EPIC is urging the public to comment on the proposed FTC settlement with Uber regarding consumer privacy. (Federal Register Notice). The FTC settlement follows EPIC's 2015 complaint, which detailed Uber's secretive tracking of customers and surreptitious collection of user data. The proposed settlement requires regular privacy audits of Uber by third parties but fails to make substantial changes in the company's business practices or require the company to delete the personal data that was wrongfully obtained. The deadline to file a comment with the FTC is September 15, 2017. The FTC is required to consider public comments before finalizing a proposed settlement. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. EPIC also recently filed an FTC complaint to stop Google from tracking in-store purchases. (Sep. 6, 2017)
  • Following EPIC Complaint, Uber Agrees To Stop Tracking Riders: Uber has ended the practice of tracking customers before and after they are picked up. In 2015, Uber announced the company would track the location of riders from the time they ordered a ride until after they had reached their destination. EPIC promptly filed a complaint with the FTC and stated that "This collection of user's information far exceeds what customers expect from the transportation service." The end to Uber's tracking of riders comes two weeks after Uber entered into a consent agreement with the FTC following a complaint filed by EPIC that highlighted Uber's history of misusing customer data. But EPIC said the FTC settlement does not go far enough. "The FTC should have imposed stronger sanctions on Uber, required the company to disgorge the personal data it had unlawfully obtained, and required the company to restore the original privacy settings," said EPIC President Marc Rotenberg. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. EPIC recently filed an FTC complaint to stop Google from tracking in-store purchases. (Aug. 29, 2017)
  • After EPIC Privacy Complaint, Uber Settles with FTC: After an EPIC complaint about Uber's privacy practices, Uber has entered into a consent agreement with the FTC. The agreement prohibits Uber from misrepresenting how it monitors or secures consumer information. As with most FTC privacy settlements, the agreement also requires Uber to implement a comprehensive privacy program and obtain periodic independent third-party audits. In 2015, EPIC filed a complaint with the Federal Trade Commission charging that Uber's plan to track users and gather contact details was an unlawful and deceptive trade practice. EPIC cited Uber's history of misusing customer data as one of many reasons the Commission should act. EPIC has previously pursued successful FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. EPIC recently filed an FTC complaint to stop Google from tracking in-store purchases. (Aug. 15, 2017)
  • Rep. Blackburn Proposes Online Privacy Bill, Would Preempt Stronger State Protections: Rep. Marsha Blackburn (R-TN) has introduced the Browser Act, H.R. 2520, aimed at protecting online privacy. The Browser Act would apply to Internet ISPs as well as Internet companies, such as Google and Facebook, and would generally require "opt-in" consent before sensitive information could be collected or disclosed. However, the bill lacks a private right of action or a remedy for violations. The bill gives enforcement authority to the FTC, which has mostly failed to protect consumers' online privacy. The bill lacks data breach notification, and would overwrite stronger state privacy laws that protect consumers. In comments to the FCC and elsewhere, EPIC has set out a comprehensive framework for online privacy. (May. 19, 2017)
  • EPIC, CDD Charge WhatsApp Policy Change Unlawful, Urge FTC to Act: EPIC and the Center for Digital Democracy have filed a complaint with the FTC concerning WhatsApp’s plan to transfer user data, including personal phone numbers, to Facebook. This reversal contradicts WhatsApp’s previous promises to users that their personal information would not be disclosed and would not be used for marketing purposes. EPIC said that WhatsApp’s change in business practices is unlawful and that the FTC is obligated to act. EPIC previously filed a complaint with the FTC over Facebook’s acquisition of WhatsApp in 2014. In response, the FTC warned the two companies they must honor their privacy promises to users. The FTC has said "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises." (Aug. 29, 2016)
  • With New Policy Changes, Facebook Tracks Users Across the Web: Over the objections of consumer privacy organizations, Facebook has implemented policy changes that allow the company to track users across the web without consent. The Dutch data protection commissioner launched an investigation after the original announcement. This week a German privacy agency announced a similar investigation. Last year, EPIC and a coalition of consumer privacy groups urged the FTC to halt Facebook's plan to collect web-browsing information from its users. Facebook is already under a 20 year consent decree for changing users' privacy settings. The consent decree resulted from complaints brought by EPIC and others in 2009 and 2010. (Feb. 4, 2015)
  • Facebook Revises Privacy Policy: Facebook has again revised its privacy policy. Despite the new graphics, Facebook continues to collect and disclose enormous amounts of user data without meaningful consent. The use of location data has expanded dramatically. "We collect information from or about the computers, phones, or other devices where you install or access our Services," states Facebook. These include "device locations, including specific geographic locations, such as through GPS, Bluetooth, or Wi-Fi signals." Facebook is currently under a 20 year consent decree with the Federal Trade Commission as a consequence of a complaint brought by EPIC and a coalition of consumer privacy organizations when the company changed the privacy settings of users. More recently, consumer organizations in the US and Europe have objected to Facebook's decision to track the web activities of users and to profile offline purchases. Privacy groups have also objected to Facebook's manipulation of user news feeds. For more information, see EPIC: Facebook and EPIC: In re Facebook. (Dec. 5, 2014)
  • Facebook Responds to EPIC Complaint About "Emotions Study": Facebook has announced revised guidelines concerning user data the company discloses to researchers. In 2012, Facebook subjected 700,000 users to an "emotional" test by manipulating their News Feeds. Facebook did not get users' permission to conduct this study or notify users that their data would be disclosed to researchers. In response, EPIC filed a formal complaint to the Federal Trade Commission. "The company purposefully messed with people's minds," states the EPIC complaint. EPIC has also asked the FTC to require that Facebook make public the News Feed algorithm. Facebook is also currently under a 20 year consent decree from the FTC that requires Facebook to protect user privacy, as a result of complaints brought by EPIC and a coalition of consumer privacy organizations in 2009 and 2010. The new guidelines have improved Facebook's research process, but they still raise questions about human subject testing by advertising companies. EPIC still believes the NewsFeed algorithm should be made public. For more information, see EPIC: In re: Facebook (Psychological Study) and EPIC: Federal Trade Commission. (Oct. 2, 2014)
  • European Facebook Users Privacy Lawsuit Moves Forward: A group of over 25,000 European Facebook users may proceed with their lawsuit against Facebook. The users, led by privacy activist Max Schrems, sued Facebook in a court in Vienna. The users charge Facebook with violating EU privacy law by improperly handling users' data. Now that the court has approved the class action suit, Facebook must respond to the complaints. In 2011, Schrems brought a similar lawsuit against Facebook in an Irish court. In the same year, Facebook signed a consent order with the Federal Trade Commission, following a complaint filed by EPIC and a group of American consumer privacy organizations. EPIC has also filed an amicus brief in a federal class action lawsuit, opposing Facebook's use of children's images for advertising purposes. In 2013, EPIC gave the International Privacy Champion Award to Max Schrems, calling him "an innovative and effective spokesperson for the right to privacy." For more information, see EPIC: In re Facebook. (Aug. 26, 2014)

Summary of EPIC's Facebook Complaint

On June 10, 2011, EPIC and three other organizations filed a complaint with the Federal Trade Commission, alleging that Facebook has engaged in unfair and deceptive trade practices. The complaint concerns Facebook's covert biometric data collection, and the subsequent use of this data for online identification. The complaint addresses the implementation of "Tag Suggestions" that converts photos uploaded by Facebook users into an image identification system under the sole control of Facebook, without user knowledge or consent.

In the complaint, EPIC asks the FTC to investigate Facebook, determine the extent of the harm to consumer privacy and safety, require Facebook to cease collection and use of users’ biometric data without their affirmative opt-in consent, require Facebook to give users meaningful control over their personal information, establish appropriate security safeguards, and limit the disclosure of user information to third parties. The following organizations signed onto the complaint:

  • The Electronic Privacy Information Center
  • The Center for Digital Democracy
  • Consumer Watchdog
  • Privacy Rights Clearinghouse

Background

Facebook

Facebook is the largest social network service provider in the United States. According to Facebook, there are more than 500 million active users, with about 150 million in the United States. 50% of active users log on to Facebook in any given day. People spend over 700 billion minutes per month on Facebook and install 20 million applications per day.

More than 3 billion photos are uploaded to the site each month. Facebook is the largest photo-sharing site in the world by a wide margin. Each day people add more than 100 million tags to photos on Facebook.

Facebook and Privacy

In September 2006, Facebook disclosed users’ personal information, including details relating to their marital and dating status, without their knowledge or consent through its “News Feed” program. Hundreds of thousands of users objected to Facebook’s actions.

In 2007, Facebook disclosed users’ personal information, including their online purchases and video rentals, without their knowledge or consent through its “Beacon” program.

Facebook is a defendant in multiple federal lawsuits arising from the “Beacon” program. In the lawsuits, users allege violations of federal and state law, including the Video Privacy Protection Act, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and California’s Computer Crime Law.

On May 30, 2008, the Canadian Internet Policy and Public Interest Clinic filed a complaint with the Privacy Commissioner of Canada concerning the “unnecessary and non-consensual collection and use of personal information by Facebook.” On July 16, 2009, the Privacy Commissioner’s Office found Facebook “in contravention” of Canada’s Personal Information Protection and Electronic Documents Act.

On February 4, 2009, Facebook revised its Terms of Service, asserting broad, permanent, and retroactive rights to users’ personal information—even after they deleted their accounts. Facebook stated that it could make public a user’s “name, likeness and image for any purpose, including commercial or advertising.” Users objected to Facebook’s actions, and Facebook reversed the revisions on the eve of an EPIC complaint to the Commission.

Facebook updated its privacy policy and changed the privacy settings available to users on November 19, 2009 and again on December 9, 2009. Facebook made several categories of personal data “publicly available information,” including users' names, profile photos, lists of friends, pages they are fans of, and networks to which they belong.

By default, Facebook discloses “publicly available information” to search engines, to Internet users whether or not they use Facebook, and others. According to Facebook, such information can be accessed by “every application and website, including those you have not connected with . . . .”

EPIC's FTC Complaint

EPIC's FTC complaint is also signed by the Center for Digital Democracy, Consumer Watchdog, and Privacy Rights Clearinghouse.

This complaint concerns covert biometric data collection by Facebook, the largest social network service in the United States. The secretive collection, compilation, and subsequent use of facial images for automated online identification adversely impacts consumers in the United States and around the world. Facebook’s "Tag Suggestions" technique converts the photos uploaded by Facebook users into an image identification system under the sole control of Facebook. This has occurred without the knowledge or consent of Facebook users and without adequate consideration of the risks to Facebook users. These business practices violate Facebook’s Privacy Policy, as well as public assurances made by Facebook to users. These business practices are Unfair and Deceptive Trade Practices, subject to review by the Federal Trade Commission (the “Commission”) under section 5 of the Federal Trade Commission Act. There is every reason to believe that unless the Commission acts promptly, Facebook will routinely automate facial identification and eliminate any pretence of user control over the use of their own images for online identification.

Facebook's facial recognition technology works by generating a biometric signature for users who are tagged in photos on Facebook, i.e. using "summary data" from "photo comparisons." This representation of biometric information, based on the user’s facial image, generated by Facebook, is available to Facebook but not to the user. Facebook routinely encourages users to “tag,” i.e. provide actual identifying information about, themselves, their friends, and other people they may recognize. Facebook "associate[s] the tags with [a user’s] account, compare what these tagged photos have in common and store a summary of this comparison." Facebook automatically compares uploaded photos “to the summary information we’ve stored about what your tagged photos have in common." Facebook gave no notice to users and failed to obtain consent prior to collecting "Photo Comparison Data," generating unique biometric identifiers, and linking biometric identifiers with individual users.

On December 15, 2010, Facebook announced that it was implementing a facial recognition technology called “Tag Suggestions.” On June 7, 2011, Facebook announced that it had deployed “Tag Suggestions” technology over the last several months, and that the technology had been available internationally. Facebook did not provide users with any other notice about this facial recognition technology. Facebook admitted in a later statement that “we should have been more clear during the roll-out process when this became available to them.” However, as of the filing of this complaint, Facebook has made no effort to rectify that matter or to allow users to opt-in if they so choose. Facebook routinely encourages users to confirm Facebook’s identification of facial images in user photos when users attempt to upload photos to their accounts on Facebook. Facebook's automated identification of facial images would occur in the absence of any user intervention. Facebook did not obtain users’ consent before using the unique biometric identifiers generated by the "Photo Comparison Data" to identify individual users when a photograph containing their image is uploaded to Facebook.

There is no option within a user’s privacy preferences to delete or prevent Facebook’s biometric data collection. When a user wants to delete the biometric "summary" data associated with his account that can be used to pair his name to photos of him, he has to contact Facebook through a difficult-to-find link. Even after going through that process, Facebook never informs the user regarding whether or not Facebook will resume collecting biometric photo comparison data when pictures of him are manually tagged in the future. Facebook provides an option for users to disable the company’s "Tag Suggestion" technology, but this option does not disable Facebook’s collection of users’ biometric data.

The complaint also explains how Facebook has failed to establish that application developers, the Government, and other third parties will not be able to access "photo comparison data."

The complaint also addresses the ways in which Facebook's collection of biometric data for facial recognition violates user expectation, Facebook's terms of service, and Facebook's public statements.

The Significance of Facial Recognition

Facial recognition systems include computer-based biometric techniques that detect and identify human faces. The National Academy of Sciences has stated recently: "The success of large-scale or public biometric systems is dependent on gaining broad public acceptance of their validity. To achieve this goal, the risks and benefits of using such a system must be clearly presented. Public fears about using the system, including . . . concerns about theft or misuse of information, should be addressed."

There is significant controversy surrounding the use of facial recognition technology. The British police are “investigating how to incorporate facial recognition software into a new national mug shot database so they can track down criminals faster.”

The Chinese government is currently building an elaborate network infrastructure to enable the identification of people in public spaces. The “All-Seeing Eye” relies on the massive deployment of facial recognition technology.

According to documents obtained by EPIC under the Freedom of Information Act, the US Department of Homeland Security is pursuing a far-reaching program to automate the identification and tagging of individuals, both citizens and non-citizens, based upon their facial images. Among other programs, DHS is promoting face recognition technology so that federal marshals can surreptitiously photograph people in airports, bus and train stations, and elsewhere leading to the creation of new capabilities for government monitoring of individuals in public spaces. Facial recognition technology and its application for mass surveillance was described by Adm. John Poindexter, the architect of “Total Information Awareness.” However, several proposals for facial recognition by the US Department of Homeland Security have been scrapped after objections by local communities.

Social networking services have played a transformative role in several regions of the world, but governments also seek access to images of political organizers to obtain actual identities and to enable investigation and prosecution. In Iran, government agents have posted pictures of political activists online and used “crowd-sourcing” to identify individuals. There is also evidence that Iranian researchers are working on developing and improving facial recognition technology to identify political dissidents.

FTC Authority to Act

The FTC's primary enforcement authority with regard to privacy is derived from 15 U.S.C. § 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.
