No Consumer Groups Join NTIA Facial Recognition Efforts, but Industry Will Plow On
No consumer groups agreed to take part in NTIA’s facial recognition multistakeholder process, despite industry's hopes that some advocates will take up the slack left by all privacy advocate participants jumping ship (see 1506160041). Citing an email sent to participants from NTIA Privacy Initiatives Director John Verdi, NetChoice Policy Counsel Carl Szabo said two groups interested in engaging in the dialogue to potentially come up with voluntary standards include the Future of Privacy Forum (FPF) and the Online Trust Alliance (OTA), but while FPF said it may get engaged, OTA said it's not taking part. And others said that without a will to work a compromise on both sides, such advocate-industry conversations won't bear fruit. At a Phoenix Center event Tuesday, FTC Commissioner Maureen Ohlhausen said for a multistakeholder process to work there has to be some common ground. Privacy advocates had said industry wouldn't agree to making opt-in the default condition for facial recognition, a dealbreaker for the groups. NTIA had no comment.
President Craig Spiezle said OTA isn't continuing in the process. After the consumer groups' departure Tuesday, OTA decided to join the others and is no longer participating, he said. Parties involved in the multistakeholder meeting aren't making a sincere effort to make a change and trade organizations are dominating the process, Spiezle said.
FPF represents stakeholders in both advocacy and industry. While FPF has been monitoring the NTIA facial recognition process, the group hasn’t been “deeply engaged,” said Executive Director Jules Polonetsky. Now that the meetings seem to have hit a bit of a rut, he said, FPF may get more involved in the process because the issue is “too important to be left unaddressed.” The reality is “privacy is an area with a lot of disagreements,” Polonetsky said. FPF is exploring whether there’s “opportunity to bridge the gap in industry and advocacy views,” he said.
The nine consumer groups that “abandoned” the multistakeholder process don't represent the entire universe of consumer groups, Szabo said. “We would like to continue on,” said Alex Propes, senior manager-public policy at the Interactive Advertising Bureau. In 2012, the FTC held a workshop of facial recognition software and recommended companies give notice to consumers. Szabo said the group reviewed the FTC’s work on facial recognition and has used some of it, but the commission produced high-level concepts “and we’re trying to convert that into actionable items.”
Center for Digital Democracy Executive Director Jeff Chester has said if the FTC had been tasked with moderating the multistakeholder process instead of NTIA, things would have happened differently (see 1506110039). Besides CDD, other groups that pulled out included the American Civil Liberties Union, Common Sense Media, the Consumer Federation of America, Consumer Watchdog and the Electronic Frontier Foundation.
The multistakeholder process is fundamentally flawed, Consumer Watchdog Privacy Project Director John Simpson wrote in a blog post last week. “Privacy-protecting laws that establish formal rule-making authority are the way to go,” Simpson said. “Anything short of that is at best meaningless window dressing.” NTIA’s multistakeholder process was “nothing more than a justification" for the department to tell Europeans it’s doing something to protect consumers' privacy, Simpson said.
Consumers Represented?
Some fret that whatever happens with the NTIA-convened discussions, consumers won't be front and center, contending industry holds too much sway in such processes.
“It has been clear for some time now that this forum was not likely to agree on meaningful protections,” wrote Center for Democracy and Technology Consumer Privacy Project Director Justin Brookman in a blog post last week. Part of the problem is that there weren’t any incentives for industry to adopt binding and legally enforceable codes of conduct, Brookman said. “The United States is going to have to adopt privacy legislation to require meaningful transparency about privacy practices and to empower individuals to make choices about how their personal data is collected and used -- instead of just hoping for industries to self-regulate in response to emerging privacy threats.”
Consumer groups that left the multistakeholder process said their absence makes the meetings an industry stakeholder process. Szabo said that wasn't accurate, because the process remains open to everyone. “There are privacy groups still at the table and there are stakeholders who are invested and spent hundreds of hours on this,” he said. Just because an outcome may not have been what consumer groups wanted doesn’t mean it wasn’t the right thing for consumers, Szabo said.
“Two states -- Illinois and Texas -- require opt-in for commercial face recognition systems,” EFF Senior Staff Attorney Jennifer Lynch wrote in a blog post last week. “However, the companies participating in the NTIA process would not even agree that an opt-in system was appropriate in the most extreme scenario -- where companies that a consumer has never heard of use face recognition to identify and track people walking down public streets,” Lynch said. “This position is not only at odds with consumer expectations, current industry practices, and existing state law, it calls into question whether companies -- on their own -- will ever agree to any limitations on their ability to use technology to track consumers.”
Illinois’ law was passed in 2008 and is a general biometric privacy law, Szabo said. It’s a great law for attorneys, because anyone who has ever tagged a face will have to get a privacy policy, issue the policy and obtain express written consent even when using a private service like Shutterfly, he said. When applied to real life, Illinois’ law doesn’t work as any state resident who tagged a friend in a photo without prior written consent or releasing a privacy policy could be in violation, he said. As for Texas’ law, Szabo said the law doesn’t have a default for consent and doesn’t match what the groups that walked out are saying. If privacy groups think these laws are the right approach, “they are out of touch with consumers,” he said.
Outlook
OTA has recommended that an equal number of representatives from advocacy groups and industry go into a room for a few days to hammer things out, similar to what happens with labor and other contract negotiations, Spiezle said. Propes said it’s still early in the process because participants started drafting text only in the last two meetings. “For this to end here would be a real letdown,” he said. The White House has called facial recognition an issue it wants to tackle, and products using facial recognition are going to be important and could help consumer safety and security, Propes said.
NTIA is working with stakeholders on scheduling the next meeting, an official said. Consumer groups have said they're disappointed the process is continuing without anyone to speak for consumers. Propes disagreed industry wouldn’t be considerate of consumer privacy. Companies care about consumer privacy because customers who don’t feel their privacy is being treated as they believe it should be will leave, he said. Competitors are happy to take that market share, Propes said.
Szabo questioned how express consent would work in the real world, rhetorically asking if he would have to sign a form before walking down the street or have to obtain a permission slip before taking a photo. While Szabo thinks the consumer groups' walkout was “incredibly dramatic,” he said he hopes the groups return to the process so the discussion can continue about when cool technologies cross the line and become creepy. Spiezle said he hopes consumer groups’ absence is temporary and that if expectations are “reset” on both sides of the spectrum, all stakeholders may be able to return to the negotiating table.
Multistakeholder processes are complex by their nature, and neither side of the spectrum can expect to be totally satisfied, said Hunton & Williams attorney Lisa Sotto, who focuses on privacy and cybersecurity. Stakeholders should stay engaged and try to reach a fair consensus, Sotto said. Rogue players will take advantage of facial recognition software, but those companies aren't sitting at the negotiating table, she said.