NSA Revelations Revive Debate Over Facial Recognition Code’s Scope
Revelations about the NSA’s facial recognition database reopened the debate over the scope of the NTIA-backed facial recognition code of conduct during a Tuesday meeting. Months ago, NTIA had essentially decided, over some dissent, that the code of conduct would cover only commercial use of facial recognition technology because of the Commerce Department’s jurisdiction. Tuesday, the group discussed ways the code could tangentially control government use of the tech -- such as when the government is the customer of a private company, or when it’s requesting facial recognition information from a private company.
The New York Times reported Sunday the NSA was intercepting roughly 55,000 facial-recognition-quality images per day for its database (http://nyti.ms/1jJxgSr), saying the program has ramped up quickly over the past four years. Without discussing details, Director Mike Rogers acknowledged Tuesday the NSA used facial recognition tech as part of its surveillance programs. (See separate report above in this issue.)
“The revelations from this weekend are so significant and not surprising that we have to consider what, if anything, we can get done if we do not attempt to do some work to limit how the federal government collects data,” said Application Developers Alliance Vice President-Law Policy and Government Affairs Tim Sparapani at Tuesday’s meeting. Sparapani lamented the inability to implement such restrictions in last year’s NTIA-backed code of conduct for mobile app transparency (http://1.usa.gov/1jqTrSL). “I am loath to take on the federal government unless you can do something important and meaningful,” he said.
The group discussed the results of two working groups: One that delineated the major issues a code of conduct should answer, and another that laid out preliminary definitions. Several of the issues -- listed as questions -- might allow the group to address government access to facial recognition data in a few ways, said Sparapani and others.
The first question asked: “To what type of entities should each provision of the code appropriately apply?” Suggestions ranged from “vendors” to “operators of security systems” to “end users of the facial recognition data.” A facial recognition tech firm might sell a security system to the government, putting it potentially under the code of conduct, said Sparapani and NetChoice Executive Director Steve DelBianco.
The final question more explicitly addressed the issue: “What should the code say about government (e.g., law enforcement) access to raw images, facial templates, or algorithms obtained by the commercial sector?” It’s ambiguously worded, DelBianco said. It’s either interpreted as addressing how the NSA uses the tech, or as addressing what commercial entities do when faced with a government request for facial recognition data, he said. DelBianco suggested rewording the question to address how companies respond to a request for data -- which “we know is within our scope” -- and create another question that may be “aspirational” and expands to government use of facial recognition tech.
“Personally, I'm just skeptical about whether that is a successful way to advance consumer privacy,” said John Morris, NTIA director-Internet policy. The facial recognition technology companies that sell to the government aren’t adequately represented in the room, he said. And if the group were to move in these directions, tech companies selling to the government would either “just leave the room” or never even show up, he said. “They wouldn’t participate in the process.”
The group should concentrate on the commercial sector, and table the government discussion, said Morris. “There’s an awful lot of work to be done” on commercial entities, and “if you make [government use] a core focus now, I'm concerned it would derail the forward progress I perceive,” Morris said. Sparapani disagreed: “We're going to miss an important opportunity to speak to privacy principles and add it to our scope.”
Tuesday’s meeting brought no definitive end to the debate. The working groups will continue refining both the list of issues and list of definitions, focusing on exactly when transparency and notice requirements should kick in for facial recognition tech and how to define “user” and “subject.” NTIA Director-Privacy Initiatives John Verdi noted some consensus over tying transparency and notice requirements to the moment a facial template is enrolled, or saved, in a database. “It’s not speak now or forever hold your peace,” he said. Verdi set a July 24 meeting to follow the group’s June 24 gathering. The group will then recess for August, Verdi said.