Why the U.S. needs federal regulation of facial recognition — and how to get it right
Elizabeth Rowe likes the convenience of unlocking her phone without typing in a passcode — but not enough to use the phone’s face identification. As a legal scholar who studies facial recognition technology, she knows that few restrictions govern what’s done with the data it captures.
“It’s the Wild West,” said Rowe, a professor at the University of Florida Levin College of Law. “Companies are not required to report how, when or where this technology is being used.”
While potential problems with facial recognition in law enforcement are well documented, consumers and policymakers are less aware of issues in the private sector, Rowe says. That’s scary for consumers, but it’s also bad news for innovation, because companies can’t predict how regulation will affect them in the future.
“Without federal regulation, what we have is patchwork regulation from various states. That’s not a good fit in an economy where companies do business nationally,” Rowe said.
For a glimpse of how a “faceprint” might be used in the private sector, she looks to China, where facial data informs everything from loans (is the applicant responding honestly?) to insurance (do they smoke?).
“All these data points are being put together to draw conclusions, which is concerning given the technical problems with accuracy, particularly for women and people of color,” she said.
If decisions are made on flawed or biased data, those groups could be negatively affected, Rowe says. She also worries how facial recognition might affect children.
“With all of the pictures parents put online, they’re creating a lifelong profile of their kids without their knowledge or consent. Given the inaccuracies of the technology for young people as they grow and their faces change, we want to make sure kids aren’t at higher risk.”
The good news? The federal government has shown interest in regulating facial recognition, and “these kinds of issues tend to be bipartisan,” Rowe said. But speed matters. “When the law lags behind, solutions are created retroactively. The lack of regulation is a hindrance all around. It’s important to get this right the first time.”
She recommends that Congress borrow an existing legal framework: trade secrecy. If companies regard their facial data as something as valuable to protect as a secret recipe or algorithm, the standards of trade secrecy can be applied: What steps have they taken to keep the data safe? Did they do everything they could to keep it secure? The trade secrecy approach is one of the recommendations in Rowe’s new article in the Stanford Technology Law Review, which also suggests providing precise and practical rules for storage, use, collection and sharing of facial information; and applying a differentiated approach (what works for fingerprints might not work for faces, for example).
In the meantime, Rowe suggests treating your faceprint like your Social Security number: When you’re asked to use facial recognition, find out if there’s an alternative, since, for now, you can’t predict or control how the data will be used. But because facial data collection is often invisible, “it’s hard for an individual consumer to have any real say. The businesses have all the bargaining power.”
That’s where federal standards should come in, Rowe says.
“Even if you’re not big on regulation, there has to be somebody who steps in to level the playing field a bit for the consumer.”