Tactical Information Systems
Biometric Identification Software

Tactical Information Systems Blog

Identity & Technology

Privacy and Face Recognition

A colleague recently sent me an article that talked about the FTC’s stance on face recognition. The FTC was cautioning companies to be careful about using face recognition in ways that would violate current privacy laws:

Even if the technology isn’t fully mature yet, it will soon be possible for the technology to match a name with a face and be able to access data about jobs, credit history and health without the user even being aware of it, according to Leibowitz.

Face recognition technology is pretty mature already. It isn’t quite as mature as Hollywood would portray in the movies, but it is plenty mature enough to start violating people’s privacy.

Here is a hypothetical example. I could easily build an “smart ad” type project that would show a Victoria’s Secret ad, along with a camera to watch people passing by.


I could register that you looked at the ad, and how long you looked at it. I could keep metrics on you over time – you looked at the ad every day between 7:30 and 8:00. At this point, I don’t know who you are, but I do know you as a unique individual – person #5634. Am I violating your privacy yet? Maybe, maybe not. It depends on your individual views on privacy.

Now, I decide to try to link that to your Facebook profile. That’s not going to be terribly successful, but it will work in some cases. I make a leader board and post it online, saying “John Smith has looked at our lingerie models a total of 20 minutes and 30 seconds this month!”  Have I violated your privacy yet? Probably true for a lot more people.

Next, let’s say my company is large database company that manages health records. I use that information to flash up a message on my billboard, saying “Hey John Smith – I bet our models can help with your ED problem!”  At this point I have probably violated the privacy of almost anybody.

The key point here is that there is no single definition of privacy that fits everyone. The FTC is primarily concerned with health records and credit information, but those are not the sole definition of privacy by any means. In the US, what you do on your workplace computer is owned by your employer, but in Germany that information is strictly protected. Some companies religiously protect your information and others sell it to anyone and everyone they can.  In terms of privacy and face recognition, we are in a bit of conundrum, though. In regular commerce, you can decide whether to give your information to a company or not. If you don’t like the company’s privacy policy, you can choose not to do business with them. Most companies post their privacy policy information, so you can easily see what their policy is, assuming you can read the legalese. Faces are a little different. The only way you can choose not to share your face is to not go outside, and that is not really fair, of course.


I sincerely believe you should have the right to control your data, even if it is data that is available in the public. If a company is going to take a picture of you, especially if they are going to use biometrics, they should be subject to the same rules that exist for any other data collection. First, they should be required to notify you (16 pt font, minimum) that they are collecting your face or face biometric. They should be required to post what they are going to do with data, how long they are going to retain it, and who they are going to share that data with.  Then, you can decide whether you want to patronize that business or not.

As an aside, I was in Kinko’s today and counted 10 separate surveillance cameras.  Next time you are bored standing in a line somewhere, count how many you can see.  They are everywhere.