Last week, Facebook started sending a small portion of its users a new notification about its face surveillance program, which concludes with two important buttons: “keep off” and “turn on.” This is a step in the right direction: for these users, the default will be no face surveillance, unless the user gives their affirmative opt-in consent.

But as EFF recently explained, Facebook will not provide this privacy-protective default to billions of its current users, and it is unclear whether the company will provide it to its new users. Facebook should not subject any of its current or new users to face surveillance, absent their informed opt-in consent.

We have two additional objections. First, Facebook’s announcement of this new program fails to mention that the company is acting under FTC compulsion. Second, the notice Facebook is sending to some of its users lacks critical information about the privacy hazards of face surveillance, so people who opt-in will not be fully informed.

The FTC Required Facebook to Change Its Face Surveillance Settings

On July 24, 2019, the Federal Trade Commission (FTC) filed a complaint in court against Facebook for violating a 2012 privacy order by the FTC against Facebook. Much of this FTC complaint concerns Facebook’s role in the Cambridge Analytica scandal. But the FTC also alleges that, in 2018, Facebook misled 60 million of its users by telling them that the company would not subject them to face surveillance unless they chose to “turn on” the feature. In fact, the feature was on by default. According to the FTC, Facebook made this misleading statement to only some of its users: those the company had not yet moved from its original face surveillance program (which Facebook calls “tag suggestions”) to its current face surveillance program (which the company calls “face recognition”).

Also on July 24, the FTC and Facebook filed a proposed order to settle the issues raised by the FTC’s complaint. (EFF at that time objected that this settlement does not solve the problems that led to the Cambridge Analytica scandal.) Part of this FTC settlement requires Facebook, as to its users still using “tag suggestions” at the time of the settlement, to obtain consent before subjecting them to further face surveillance.

Thus, the new Facebook program is required by the FTC settlement, though the new Facebook announcement does not mention this.

Facebook’s Incomplete Description of Face Surveillance

The FTC settlement requires Facebook to provide notice, to its remaining “tag suggestions” users, of how Facebook will use and share the “facial recognition templates” of these users. The new notice from Facebook does provide such information.

Unfortunately, the FTC did not require Facebook to notify its users of the inherent privacy hazards posed by face surveillance, and Facebook did not do so on its own. As with any kind of personal information, the hazards of corporate collection include theft by outside hackers, misuse by company employees, and seizure by government officials. There also is the risk of “mission creep”—when company leaders seek new ways to profit from old data. Ominously, Facebook has applied to patent face surveillance systems that would link its users’ online profiles to their physical-world activities.

Moreover, face templates are a uniquely hazardous form of personal information: most of us cannot hide or change our faces, and the technology that tracks our faces is rapidly improving and proliferating.

In light of this gap in Facebook’s notice, users who opt-in to face surveillance might not be doing so on the basis of all the relevant information.

Conclusion

We are pleased that the FTC required Facebook to individually notify some of its users about how the company uses and shares face recognition templates, and forbade the company from applying face surveillance to these users unless they affirmatively opt-in. As we explained in our last post, however, we are disappointed that the FTC did not require Facebook to obtain consent before subjecting any of its users to face surveillance. And as we explain in this post, we are also disappointed that Facebook’s notice fails to identify the privacy hazards of face surveillance. This failure is all the more reason to enact strong consumer data privacy laws.