Regulation of facial recognition may be needed, US senator says

The growing use of facial recognition by law enforcement agencies and companies raises privacy concerns, Franken says

The U.S. Congress may need to pass legislation that limits the way government agencies and private companies use facial recognition technology to identify people, a U.S. senator said Wednesday.

The growing use of facial recognition technology raises serious privacy and civil liberties concerns, said Senator Al Franken, a Minnesota Democrat and chairman of the Senate Judiciary Committee's privacy subcommittee. Franken, during a subcommittee hearing, called on the U.S. Federal Bureau of Investigation and Facebook to change the way they use facial recognition technology.

Biometric information, including facial features, is sensitive because it is unique and permanent, Franken said.

"I believe that we have a fundamental right to control our private information," he said. "You can change your password, you can get a new credit card, but you can't change your fingerprint, and you can't change your face, unless you go to a great deal of trouble."

There are currently no U.S. laws limiting government agencies or private companies from using facial recognition, witnesses said. The FBI and the U.S. Department of Homeland Security already have huge biometric databases and are adding facial data, and Facebook users are uploading 300 million photos a day, said Jennifer Lynch, an attorney with the Electronic Frontier Foundation.

"Many Americans don't even realize that they're already in a facial recognition database," Lynch said. "Facial recognition allows for covert, remote and mass capture of identification and images."

Facial recognition allows surveillance agencies to identify a person's friends and associates in addition to identifying the person, she said. She called on Congress to pass a law to regulate the use of facial recognition by law enforcement agencies.

At the hearing, Franken focused on an FBI pilot program in Maryland, Michigan and Hawaii and on a Facebook feature that tags pictures using facial recognition. The FBI and Facebook can serve as good examples to other organizations if they handle facial recognition technology appropriately, he said.

He called on Facebook to turn off its tag suggestion feature by default, instead of having it on by default, as it has in the past. But Rob Sherman, manager of privacy and public policy for the social-networking site, resisted that suggestion. Facebook has suspended the feature while it reworks it, but will bring it back soon, Sherman said.

On by default is appropriate, "because Facebook itself is an opt-in experience," Sherman said. "People choose to be on Facebook because they want to share with each other."

Facebook takes steps to limit the use of the facial data, he said. Only friends on Facebook can use the software to tag each other in photos, and Facebook users can prohibit the site from tagging them in photos, he said. In addition, the facial recognition templates are encrypted and only work with Facebook's proprietary software, limiting their usefulness to other organizations, he said.

Franken also called on the FBI to limit its use of facial recognition technology. In materials about its pilot program in three states, the agency uses pictures of political rallies to illustrate places where the technology could be used, and Franken said he's concerned that law enforcement agencies will use the technology to track people at legal protests and other gatherings.

The FBI has limited its use of facial recognition to criminal cases, said Jerome Pender, deputy assistant director of the information services branch of the FBI's Criminal Justice Information Services Division. The FBI has limited its pilot program to using facial recognition to match faces to a database of known criminals, and the database doesn't contain mug shots of law-abiding people, he said.

The FBI is moving slowly on its use of the technology to identify "grey areas" where privacy concerns may pop up, Pender said. The agency is open to making changes to the program, he said.

Franken also called on the U.S. Federal Trade Commission to require private companies to get permission before identifying a person with facial recognition.

While some witnesses at the hearing raised concerns about facial recognition, others said it's already a useful tool for law enforcement agencies. Facial recognition helps police identify criminals much more quickly than fingerprinting and it can help police and prisons avoid the mistake of releasing the wrong person, said Larry Amerson, sheriff in Calhoun County, Alabama.

Lawmakers need to strike a balance between privacy and law enforcement needs when they consider how to regulate facial recognition, Amerson said.

While Franken and the EFF's Lynch raised concerns about civil liberties, Nita Farahany, a law and genome sciences professor at Duke University, discounted concerns that the use of the technology by law enforcement agencies could violate the Fourth Amendment of the U.S. Constitution, which protects U.S. residents against unreasonable searches and seizures.

Facial recognition is generally done at a distance and does not create an unreasonable search, Farahany said. U.S. courts have not protected residents from being observed at a distance, she added.

"No physical contact, proximity or detention of an individual is necessary for law enforcement to obtain a face print," she said. "A face print is a form of identifying information that is the bread and butter [of] law enforcement."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is
