About | HeinOnline Law Journal Library | HeinOnline Law Journal Library | HeinOnline

3 Int'l Data Priv. L. 1 (2013)

handle is hein.journals/intldatpc3 and id is 1 raw text is: 


International Data Privacy Law, 2013, Vol. 3, No. 1


Face-to-data another developing privacy threat?

Christopher Kuner*, Fred H. Cate**, Christopher Millard**, and
Dan Jerker B. Svantesson***


The  constant development  of technology  gives rise to
an equally constant stream of privacy issues. One of the
most  interesting recent developments is what  we can
call face-to-data (F2D). F2D refers to at least partially
automated  processes for accessing personal information
about a person based on an image  of that person's face.
   Ground-breaking  research by a  team of researchers
from  Carnegie Mellon  University has highlighted that
advances  in  face recognition  technology, combined
with the widespread posting of images linked to names
on, for example, social media sites, and the processing
power   provided  by  advances  in  cloud  computing,
create a new set of privacy issues,' similar to, but also
distinct from, traditional privacy issues associated with
facial recognition.
   The Carnegie Mellon  University team ran a series of
experiments.  For example,  using a  search tool, they
built up a database of images and names collected from
publicly available Facebook  profiles. They then  cap-
tured  images  of consenting  students and  ran  those
images  through off-the-shelf face-recognition software,
linking in the data gained from the Facebook  profiles.
In the test, about a third of the students were identi-
fied.
   The Carnegie Mellon  work is striking because it uses
commonly   available devices (ie an iPhone) to perform
highly effective facial recognition using candid photo-
graphs, and then links those to a series of databases to
generate an  immediate  response.  So, for example,  a
person may  use a phone on  a street, take a picture, and
within seconds  have back the Social Security Number
and street addresses of the people photographed. Infor-
mation  that can then be used to, manually or through
automated   processes, extract further  personal  data
about those people.
   In light of this, the facial recognition aspect is only
one  part of the overall process of concern here, and

*  Editor-in-Chief
** Editor
*** Managing Editor
1  The highly interesting research findings have been presented by
   Alessandro Acquisti at various conferences, including IAPP Europe Data


facial recognition as such is a broader  phenomenon
than F2D.  Thus, to properly understand  the phenom-
enon  we  are dealing with, it is undesirable to discuss
F2D  merely as a facial recognition issue.
   F2D  can of course serve a variety of goals ranging
from  government  surveillance, to business use and to
satisfy personal curiosity, and it is interesting to con-
sider how  current data privacy laws address F2D. And
with  privacy laws being developed  or  changed in  so
many  parts of the world, it is even more interesting to
consider how  the next generation of data privacy laws
will address F2D.
   As is well known, the privacy regulation of today is
largely focused on data use that falls outside the private
sphere; that is, in those countries that do have some
form  of privacy regulation in place, there is typically
some  form  of exemption for data use in the context of
the 'private affairs' of individuals. This means that in
most  countries, while F2D for business purposes  may
be regulated, personal use would  typically be unregu-
lated. Furthermore,  even in those  countries, such as
within  the European   Union,  where  commercial   use
may  fall under applicable data protection schemes, it
may  be  possible to circumvent the regulatory impact
by placing a  simple notice onsite informing potential
customers  of the use of F2D at that location, and then
assuming  that their failure to object to the processing
should legitimize it.
   The  conclusion is that traditional data protection
regulation provides  limited comfort   for those con-
cerned about the impact of F2D. While  there have been
some  improvements   to the rules governing consent in
the EU  General  Data Protection  Regulation proposed
by the European  Commission   in January 2012, it seems
unlikely that even the world's most modern   and  pro-
tective legislative initiative will satisfy fully those
fearing the privacy impact of F2D.

   Protection Intensive 2012 (April 2012) and the IAPP Privacy Academy
   2012 (October 2012). For more information about the research, see:
   <http://www.heinz.cmu.edu/-acquisti/face-recognition-study-FAQ/>,
   accessed 30 October 2012.


C The Author 2012. Published by Oxford University Press. All rights reserved. For Permissions, please email: journals.permissions@oup.com


1

What Is HeinOnline?

HeinOnline is a subscription-based resource containing thousands of academic and legal journals from inception; complete coverage of government documents such as U.S. Statutes at Large, U.S. Code, Federal Register, Code of Federal Regulations, U.S. Reports, and much more. Documents are image-based, fully searchable PDFs with the authority of print combined with the accessibility of a user-friendly and powerful database. For more information, request a quote or trial for your organization below.



Short-term subscription options include 24 hours, 48 hours, or 1 week to HeinOnline.

Contact us for annual subscription options:

Already a HeinOnline Subscriber?

profiles profiles most