Facial recognition technology is a hot topic and this recently caught my attention: German authorities have suggested that Facebook's "facial recognition" feature is illegal. From Deutsche Welle: Hamburg's data protection official Johannes Caspar claims that the software violates both German and European Union data protection laws and that Facebook users don't know how to delete the data that Facebook is gathering. "If the data were to get into the wrong hands, then someone with a picture taken on a mobile phone could use biometrics to compare the pictures and make an identification," Caspar told the Hamburger Abendblatt. "The right to anonymity is in danger."
The legal keyword appears to be "biometrics".
According to Caspar: "A normal user doesn't know how to delete the biometric data. And besides, we have demanded that biometric data be stored with the subject's express consent."
Another keyword appears to be "stored" (though… Deutsche Welle's article also states that no data can be "collected" without consent). Collected or stored biometric data, which is it?
Is on the fly facial recognition analysis legal if the data isn't retained or stored after it's used?
In any case, having several self-tagged Wall photos, I decided to test the feature with my own personal Facebook account. (Existing tagged photos is a prerequisite, even if the user hasn't opted-out. No tagged photos, no biometric data will exist.)
First, I re-enabled my "Suggest photos of me to friends" option in Facebook's privacy settings.
And then I uploaded a photo:
While Facebook's photo upload service "detected" two faces, neither of them were "recognized" and no tag suggestions where offered. So it would appear that there's no hidden biometric "faceprint" of me in Facebook's databases. Either none was collected between the time when the feature was introduced and I opted-out, or else they deleted what was stored after I disabled the feature.
I ask myself, is Facebook's biometric data really such a big deal?
Google Images recently released reverse image search. That feature is much more likely to be used in future photo comparisons than any Facebook data that falls "into the wrong hands". If you have an iPhone/Android device, try Google Goggles and then imagine the Google+ possibilities.
Then there's current camera technology to consider. My Canon S90 does a very decent job of detecting faces on its own. If a face is detected, the photo's EXIF metadata includes "SceneCaptureType – Portrait" and the faces are tagged.
And that's just a start. Some vendors, such as Samsung, have "Smart Face Recognition", as demonstrated in this video from April 2009. It's not a far leap at all before our cameras are detecting, recognizing, and tagging faces in our photos at the moment they're taken. And that includes camera phones: Apple reportedly plans to include facial recognition features in iOS 5.
Mr. Caspar may indeed have legitimate concerns regarding Facebook's current biometric practices. But what happens if (when) it's no longer a matter of analysis? If consumers upload photos that contain facial tags, can Facebook then make the suggestion?
It should be noted that Facebook currently strips EXIF metadata from uploaded images. (Kudos.)
Germany (and the EU) has excellent data protection laws. But the law itself cannot hope to forestall the issue of facial recognition forever. The technology exists and policy makers need to address the issue and seek solutions as if biometric data is already freely available.
Because even if legitimate companies can be successfully regulated from storing this type of data, criminals won't be so restrained. Computing power is cheap, and getting cheaper. The worst case scenario could be unregulated black market search engines providing facial recognition services as a service.
It wouldn't be the first time such a business model developed.