Sen. Franken Presses Facebook to Reconsider Potential Expansion of its Facial Recognition Program
Senator Says Proposed Expansion is Troubling, Wants to Know How Many Faceprints Facebook Has
Today, U.S. Sen. Al Franken (D-Minn.) pressed Facebook to reconsider a proposed expansion of its facial recognition program that would likely enroll many more of the site's users—including some of its least active—into the company's facial recognition database. Right now, only photos that users have been tagged in are included in Facebook's facial recognition program. The proposed plan would allow Facebook to enroll users who are not tagged in a single photo, but who have a public profile picture.
In a letter sent today, Sen. Franken said that facial recognition technology has profound implications for consumer privacy and that he is highly troubled by the proposed growth of what is likely the world's largest privately held facial recognition database. Sen. Franken also asked a simple question: "How many faceprints does Facebook have?" You can download a copy of the letter here.
"Facial recognition technology has profound implications for privacy," Sen. Franken wrote in the letter. "Facial recognition tracks you in the real world, from cameras stationed on street corners and in shopping centers, and through photographs taken by friends and strangers alike."
"Two weeks ago, Facebook proposed changes to its Data Use Policy that would expand the faceprint database to include faceprints of public profile photos—not just the photos that users have been tagged in," Sen. Franken continued. "Presumably, this would lead to a significant expansion of Facebook's faceprint database. It would also likely capture some of Facebook's least active users—those who are visible in their public profile photo but are not tagged in any other photos. These people are often less active users who may not be aware of Facebook's privacy changes. I urge Facebook to reconsider this change."
In July of 2012, Sen. Franken, Chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, held a hearing on facial recognition technology. He pressed Facebook to adopt greater privacy safeguards at the hearing, saying the emerging technology can be used to ascertain personal information using nothing more than an individual's appearance on the street or in a photo. In the past several years, facial recognition technology has been used by law enforcement, social networks, and even Departments of Motor Vehicles, meaning that many—if not most—citizens are likely a part of some kind of facial recognition database. Testimony at the hearing from Facebook, the FBI, and other expert witnesses indicated that facial recognition technology is sometimes used with little regard for a citizen's privacy and that legal safeguards may not be keeping up with the quickly advancing technology.
In late 2010, Facebook enrolled all of its hundreds of millions of users into a program called "Tag Suggestions." The program allowed Facebook users to automatically find and "tag" or identify their close friends' faces in the photos they uploaded. This program did so by creating unique faceprints for these users (unique digital models of faces similar to fingerprints). In rolling out Tag Suggestions, Sen. Franken explained, Facebook likely built the world's largest privately held database of faceprints. Witnesses at the hearing testified that this database could eventually be used to find and identify a Facebook user in any photo or to identify those users in person through the use of a facial recognition mobile app. Testimony also showed that the software and database could be leased or sold to third parties for similar purposes. Facebook users are not asked to enroll in Tag Suggestions; the company automatically enrolls all users in the program.
In April 2012, Sen. Franken filed comments with the National Telecommunications and Information Administration, urging the White House-led privacy process to address the commercial use of facial recognition technology on social networks and elsewhere. Sen. Franken noted that Facebook's use of the technology had likely created unique facial recognition records for hundreds of millions of people.
You can read Sen. Franken's latest letter to Facebook below:
September 12, 2013
Mr. Mark Zuckerberg, CEO
1601 Willow Road
Menlo Park, CA 94205
Dear Mr. Zuckerberg:
I am writing to express my concern about Facebook's proposed expansion of its facial recognition program - and to ask a question about this initiative. Last July, as Chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, I held a hearing on the privacy implications of facial recognition technology; Facebook was one of our witnesses. As I said then, I was concerned by Facebook's creation of what is likely the world's largest privately held facial recognition database - without its customers' express consent. The proposed expansion of this program is highly troubling, especially since Facebook has refused to promise its customers that it won't share this program or its data with third parties in the future.
Facial recognition technology has profound implications for privacy. Cookies track you across the Internet; with a little tech savvy, you can block them or delete them after the fact. Facial recognition tracks you in the real world, from cameras stationed on street corners and in shopping centers, and through photographs taken by friends and strangers alike. Unlike other biometrics such as fingerprints and iris scans, which require physical contact or proximity, facial recognition can operate at a distance, entirely without the knowledge of the person being identified. And there is no practical way for an individual person to stop it. Unfortunately, no federal law governs the commercial use of this technology. This is why last year, I asked the National Telecommunications and Information Administration to examine the use of this technology as part of their Multistakeholder Process. See generally Letter to the Honorable Lawrence Strickland at 11-14 (April 2, 2012) available at http://www.ntia.doc.gov/files/ntia/4_2_12_sen_franken_comment.pdf.
In 2010, Facebook enrolled its then-800 million users into its facial recognition program, Tag Suggestions. This program made it easier for Facebook users to tag their friends in photos. It did so by creating "faceprints" for those users - unique digital models of faces akin to fingerprints. Over the past three years, Facebook has leveraged its now billion-strong user base - and its library of 220 billion photos - to build a truly extraordinary database of faceprints. In my filing to the NTIA, I made a conservative estimate that Facebook's faceprint database included at least one out of every twenty people on the planet. In 2011, Professor Alessandro Acquisti used a much smaller database and off-the-shelf software to successfully identify, by name, one out of every three students that happened to walk past him on the Carnegie Mellon campus.
It is easy to envision a scenario in which a company holding such a database works with third parties to identify the names of customers as they walk into a store or car showroom - or who walk past it after looking in its windows. It is also easy to envision a scenario in which this database is abused by bad actors. Last year, a company called Face.com released the first commercial-grade facial recognition application for public use. The app was supposed to work on only your Facebook friends. But soon after its release, an independent security researcher, Ashkan Soltani, revealed that the app could be hacked in a way that would appear to allow it to identify total strangers. See Ashkan Soltani, "Facepalm" (June 18, 2012), available at http://ashkansoltani.org/2012/06/18/facepalm/ ("The above attack not only allows access to non-public photos, but also lets the attacker potentially manipulate the Face.com app to automatically 'recognize' anyone walking down the street."). As you know, in June 2012, Facebook purchased the company for $100 million.
Last year, I asked Facebook's Manager of Privacy and Public Policy, Rob Sherman, whether he could assure Facebook users that the company would not sell or share its faceprint database with third parties. His response: "It's difficult to know in the future what Facebook will look like five or ten years down the road, and so it is difficult to respond to that hypothetical." On August 29, Facebook's Chief Privacy Officer Erin Egan told Reuters: "Can I say that we will never use facial recognition technology for any other purposes? Absolutely not."
Two weeks ago, Facebook proposed changes to its Data Use Policy that would expand the faceprint database to include faceprints of public profile photos - not just the photos that users have been tagged in. Presumably, this would lead to a significant expansion of Facebook's faceprint database. It would also likely capture some of Facebook's least active users - those who are visible in their public profile photo but are not tagged in any other photos. These people are often less active users who may not be aware of Facebook's privacy changes. I urge Facebook to reconsider this change.
In light of the above circumstances, I respectfully request that Facebook answer one question regarding its facial recognition program: How many faceprints does Facebook have?
Thank you for your time. I ask that you answer my question within a month of receipt of this letter.
Chairman, Senate Judiciary Subcommittee
on Privacy, Technology and the Law
Chairwoman Edith Ramirez
Commissioner Julie Brill
Commissioner Maureen Ohlhausen
Commissioner Joshua Wright
Federal Trade Commission