On Tuesday, Facebook announced that it will shut down the facial recognition it uses on its platform. Going forward, Facebook users who have opted into facial recognition will no longer experience automatic recognition in video and photo content. Facebook also plans to delete data related to the faces of over 1 billion users. The company expects the entire process to be complete by the end of 2021.
Companies use facial recognition for a wide range of use cases, from payments to boarding a plane to tagging people in photos, but its use introduces privacy challenges related to the collection and storage of biometric data, something Andras Cser and I explored in our recent Forrester podcast. Facial recognition also notoriously suffers from algorithmic bias, with significantly higher error rates when classifying images of people of color.
In recent months, Facebook has been under increasing scrutiny from regulators in both the US and the EU over a range of safety and privacy issues, and this move is likely a response to that pressure. This is what we see as most relevant about this news, specifically as it pertains to Facebook:
- Facial recognition provides diminished returns for Facebook. While Facebook has faced increased attention from regulators and paid out billions in fines and penalties to authorities, it may be conceding on facial recognition because it has experienced diminished returns on it. Our trust research shows that consumers who trust a brand are willing to try new products and services from that brand, even if they differ from what those consumers already use from it. Given the growing consumer distrust of Facebook, the social media giant may have determined that the costs of keeping facial recognition outweighed its projected benefits.
- Shutting down its face recognition system does not solve all of Facebook’s trust issues. Yesterday’s announcement helps distract the market from all the recent negative press surrounding Facebook, but it does nothing to address the proliferation of misinformation on its platforms that is eroding public trust in institutions. Consumer trust doesn’t come from sunsetting features. It arises from having clear brand values and consistently adhering to them. Canceling facial recognition and changing its name to Meta suggest that Facebook believes its problems lie on its face when in reality they go much deeper — to its very core. For further details, please read this other post.
- This does not end Facebook’s usage of facial recognition. Facebook’s official statement stated only that “[W]e will delete the facial recognition template used to identify them” and added that facial recognition has “… potential to enable positive use cases in the future.” This means that while the photo tagging feature of facial recognition is ending, Facebook is not abandoning the technology completely. Using facial recognition for other tasks such as identity verification and user onboarding is still in scope, so while this announcement is a win for privacy advocates, it is not the end of facial recognition on the Facebook platform — future misuse of the tech is still possible. Furthermore, Facebook’s announcement targets only the photo tagging aspect of facial recognition. The announcement did not clarify whether it will stop using facial recognition in its own internal content moderation systems.
- This supports the metaverse vision. As Facebook’s demographic gets older, and Facebook seeks new growth engines, removing facial recognition could be a deliberate attempt to grow the metaverse. If the future vision is to own the representation of the individual in the form of an avatar, something more valuable and “sticky” than facial recognition, then giving up facial recognition is an easy decision. While we haven’t seen any statements confirming this point of view, given what we have seen with the metaverse, this is a definite possibility — especially given increasing pushback from regulators, users, and privacy advocates over the last year.
While yesterday’s decision does not signal the death knell of facial recognition or other biometrics, it shows that certain market forces will constrain and restrict adoption of facial recognition over the next two to three years, including:
- Increased regulatory scrutiny of facial recognition. In the US, legislation governing the collection and storage of biometric data has largely been enacted at the state level. In early 2020, Facebook agreed to a $550 million settlement arising from a class-action lawsuit based on Facebook’s collection of biometric data with user consent relating to Illinois’ 2008 Biometric Information Protection Act. This is in addition to other fines Facebook has paid to the Federal Trade Commission over the last three years. This week, Australian regulators also found that Clearview AI violated privacy laws related to facial recognition, which follows bans on using Clearview from Canada and from US cities. These moves indicate that regulators are wise to facial recognition abuses and will likely be more aggressive in pursuing abuses of biometric data collection, either through new regulations or via litigation and fines under existing regulations. If your firm is currently collecting biometric data, now is a good time to assess your collection and consent procedures to ensure that your practices do not put your organization at risk with regulators.
- Increased demands for user acceptance and regulations around acceptable usage. This announcement is raising awareness about facial recognition in users’ posts containing pictures and videos and will lead to users demanding more transparency from facial technology providers and organizations that use facial recognition. Many solutions provide decent protection of biometric data: They do not centrally store facial or fingerprint images; instead, they compare parameters of the image captured at recognition/authentication time with parameters of the image captured at registration time, with end-to-end encryption. This approach, along with explicitly required user consent for specific use cases (e.g., tagging of posts, identity verification, authentication, etc.) of facial recognition and biometrics, will become the norm, not the exception, going forward.
Organizations considering collecting biometric data must adhere to privacy-by-design approaches and provide proper disclosure (including use cases for biometrics), consent, and opt-out requirements, as well as pay attention to this increasingly complex legislative environment to ensure that they carry out biometric data collection and retention in accordance with these emerging laws.