"Many Americans don't realize they're already in a facial recognition database," Jennifer Lynch, a staff attorney with the Electronic Frontier Foundation, said Wednesday in a hearing on the technology. Addressing Senator Al Franken and the Subcommittee on Privacy, Technology, and the Law, Lynch pointed out that there is a painful disconnect between how little personal action is required to capture a face and how much personal information can be associated with it. All that, thanks to the Internet. As it is, Lynch said, "Americans can't take precautions to prevent the collection of their image."

Senator Franken called the hearing out of concern for the speed at which facial recognition technology is progressing as its use remains unregulated. Dr. Alessandro Acquisti, a professor at Carnegie Mellon University, said facial recognition could soon become a casual pursuit as computers get smaller, more powerful, and cloud computing costs come down. "Within a few years, real-time, automated, mass-scale facial recognition will be technologically feasible and economically efficient," Acquisti wrote in a statement; for companies, for friends, and for law enforcement.

Facial recognition has two characteristics that alarmed most members of the panel. First, faces (unlike other common information gatekeepers like passwords or PIN numbers) can't be changed for protection. Second, neither permission nor interaction is required for one person to capture the face of another. If they're in public, their visage is fair game. Facial recognition "creates acute privacy concerns that fingerprints do not" because of the ease of collection, Franken said.

But facial recognition itself is less of a concern than the supplementary data that drives it. Several panelists described scary and intrusive applications of facial recognition: a random person takes a photo of another and an app pulls up their address and the names of family and friends; a camera in a pharmacy recognizes your face and asks loudly whether you need more Imodium—and here's a dollar-off coupon toward your purchase. "It's the aggregation that frightens people," said Dr. Nita Farahany, a professor at the Duke University School of Law. "We don't stop the flow of information, or say certain applications are limited or permissible."

Representing the aggregation-happy end of the facial recognition spectrum was Rob Sherman, a privacy manager for Facebook. Franken took Facebook to task for its use of facial recognition, used in its "Suggested Tags" for photos. Franken pointed out that the page explaining the feature made no mention of the fact that it uses facial recognition technology, and that information was buried six clicks deeper in the Help Center. Franken asked Sherman if his reading of the Learn More and Help sections were correct. "I'm not sure about clicks," Sherman said.

"And you're the head of this?" Franken said.

Sherman insisted that while Facebook did collect facial imprints of its users for suggested tags (the feature has been taken down temporarily for maintenance), they were only used to suggest tags between people who are already friends with each other. The stakes are low. Presumably, if you upload an incriminating photo of your friend and suggested-tag them, the resulting fallout is a problem with your friendship. Facebook will have no part in it.

Sherman also stated that the files could not be read outside of Facebook's proprietary software and so they did not pose a risk to privacy. Franken asked Sherman if Facebook would consider keeping the software private in order to preserve the sensitive facial imprints of its users. Sherman said that while he couldn't make promises as to how Facebook will do its business five or ten years down the road, the company is in close communication with privacy groups like EPIC and the EFF. If Facebook makes changes that are of concern to user privacy, it's certain to hear about them, according to Sherman.

All parties at the hearing agreed that facial recognition can be used to both benefit and take advantage of consumers. But right now, there is little to prevent the advantage-taking. Data sharing settings put in place by aggregation companies have lately been coercive, positioned as take-it-or-leave it scenarios to consumers. Google, for instance, created a broad new privacy policy that gave it much more flexibility in how it collects and uses user data, where users' only way out was deleting their accounts. Facebook also changed its privacy policy in May, adding points like one that allows third-party apps to keep users' information even if the app had been deleted, unless explicitly asked to delete it.

In this environment, facial recognition technology is poised at the edge of a very slippery slope. "The risk exists that some firms may attempt to strategically use default settings, unilateral changes to interfaces and systems, and user habituation to nudge individuals into accepting more capturing and usage of facial data—creating a perception of fait accompli which, in turn, will influence individuals' expectations of privacy and anonymity," wrote Acquisti.

While the hearing was heavy with concerns, solutions or suggestions for legislating facial recognition were not forthcoming. Should it be policed like wiretaps? Should its use be limited like medical information? Franken asked the Federal Trade Commission's representative, Maneesha Mithal, if she could compel the FTC to mandate that companies make facial imprint-related services an explicit opt-in service only. All Mithal could promise was that she would take the request back to her committee for further consideration.