FaceFirst TRUST Model
TRUST - the Five Essential Rules of Consumer Privacy in the Age of Face Recognition
By Peter Trepp, CEO, FaceFirst
We live in a world in which the concepts of privacy, security and convenience
are often in opposition to each other. When conflicts occur, both consumers and
companies can suffer greatly. One of the best examples of this paradox was
Netflix’s infamous years-long contest to create a recommendation algorithm.
Launched in 2006, the goal of Netflix’s contest seemed logical enough: use
customer viewing and review data to personalize recommendations that would
create happier customers and improve customer retention. Sounds like a win/win,
right?
Unfortunately, the contest – which had more than 50,000 contestants – ended in a
privacy scandal that might have sunk a less robust company. Netflix took a wrong
turn when it sent more than 100 million “anonymous” (but real) customer movie
ratings, subscriber identification numbers and more data to all its contestants
to play with. The idea of releasing such a massive database out into the world
raised eyebrows even before the ensuing privacy lawsuit, Doe v. Netflix,
was filed.
In 2007, two researchers from The
University of Texas at Austin identified individual Netflix customers by
matching the data sets with film ratings on IMDb. The plaintiff in the lawsuit
was an in-the-closet lesbian mother who claimed that the data had not been
sufficiently anonymous. Netflix settled, paying $9 million to a fund that
benefited privacy groups. The company also agreed to change its data retention
policies. Years later, after the company transitioned to a mostly streaming
platform, Netflix wisely added features that allowed customers to
delete viewing history, thereby enabling them to govern their own data.
The lesson in this story is that customers
want convenience, but only if reasonable precautions are taken to protect
privacy and security. For instance, facial recognition (which is becoming
increasingly popular in public settings to increase security or even on your
smartphone to unlock without typing) can make boarding a plane faster and with
less hassle at the gate. However, travelers will want to know where and how
their face images are being stored, and what they can be connected to later,
before they opt in.
In the digital age, the concept of privacy is dynamic and increasingly difficult
to define. So how can companies deliver amazing experiences on demand without
violating privacy?
A new set of rules is needed for any company doing business in the 21st century.
I propose a new set of guidelines called TRUST:
- Training
- Responsible Data Handling
- Un-Enrollment
- Self-Regulation
- Transparency
The TRUST model is general and flexible enough to be adapted by virtually any business, but
it’s especially fit for companies handling biometrics and personally
identifiable information.
TRAINING
Every situation is different, but companies should adopt ongoing privacy training
just as they have for topics like sexual harassment and fire safety. When
people aren’t trained properly in the use of powerful technologies, the door
for abuse is left wide open. When applicable, this should also include
compliance with local, state, federal – and in the case of things like GDPR
– recommended global practices.
At my own company, we have adopted a set of best practices for proper
training and responsible data-handling for anyone who uses facial
recognition services. Compared to databases used by insurers, hospitals,
banks or even many marketing departments, biometric databases contain
relatively little sensitive personally identifiable information. With that
said, we take the storage of biometric data seriously. All customers undergo
extensive training on proper data handling, including how to set up data
security permission-levels in the system and how to audit the database. We
also provide customers with a knowledge base containing educational content
about proper data handling.
RESPONSIBLE DATA HANDLING
The nightmare scenario for any consumer is what happened to some Uber
customers when employees, in 2016, used location data to routinely spy on
them, including certain politicians and even Beyonce. When creating data
handling policies, companies should begin by asking themselves these
questions: how many people truly need access to customer data? How can we
create data layers that can further restrict access to certain types of
information to a very specific set of employees? Once these policies are
decided, then technological firewalls need to be put in place to make
enforcement possible.
But every situation is different. For facial recognition, we have, through
product design, attempted to prevent discriminatory profiling by race, age,
gender or national origin. Customers using the product for security purposes
are unable to report on demographics, by design.
UN-ENROLLMENT
While not enforceable outside Europe, GDPR has raised awareness about the
importance of the total deletion of personal data upon request. This has
caused a lot of anxiety for companies, since virtually any tracking
technology, ranging from websites to Internet browsers, tracks “anonymous”
visitors and attempts to eventually marry this data with personally
identifiable information. While this data is sometimes helpful, it is
typically not critical, and could be used to identify someone eventually.
In facial recognition, we refer to all non-matched “unknown” individuals on
camera as anonymous. We automate the routine purging of this type of data,
as often as nightly, depending on the circumstance. This is an example where
the technological delta between old-school video surveillance and face
recognition actually makes it possible to make surveillance less intrusive
for ordinary citizens.
SELF-REGULATION
When industries don’t adequately respect consumer privacy, government steps
in with regulations. To date, for example, there is very little government
oversight of social media data handling, principally because to some degree,
the largest providers have gradually rolled individual controls into the
platforms. While even Mark Zuckerberg admits that some government regulation
may still be needed, the industry has already done a lot to lead by example.
My company and companies like ours are working in a cross-industry capacity
with law enforcement, retailers and other security vendors to establish
reasonable data security standards, including a certification process.
Considering that only three states and one Canadian province currently have
biometric surveillance regulations, this isn’t just good stewardship – it’s
also very practical work that benefits both the community and industry.
By the way, self-regulation isn’t always in lieu of government regulation.
There are times when government is absolutely needed. However, industry can
often lead the way by beginning governance efforts before regulations are
put into place.
TRANSPARENCY
More corporate privacy scandals are due to a lack of transparency than any
other reason. A recent example is MoviePass, which shocked its customer base
when its CEO announced that the company was using its mobile app to track
user activities before and after movies. When it comes to everyday consumer
applications, going transparent is far easier than it is for the security
industry.
With that said, whenever practical, organizations should disclose the use of
biometric surveillance. We recommend that customers disclose that face
recognition is in use to safeguard the public, including through signage and help
with public disclosures, to encourage this in actual practice. However,
in some unique cases, such as government intelligence, security issues
prevent overt signage. Certain conditions may prevent those tasked with
protecting public spaces from disclosing that they are using biometric
surveillance, as a clandestine approach may make it easier to catch
dangerous criminals.
Still, we believe that it’s vital that all of us – in every industry – help
lead our customers into a state of greater transparency. I’m convinced that
our society is moving toward transparency, as brands like JetBlue,
CaliBurger and many more have announced their use of face recognition.
Outside the biometric industry, Whole Foods is set to become the first
grocery retailer to offer full GMO transparency, while Zappos invites
customers into its headquarters, and at times, even into departmental
meetings.
Whatever business you find yourselves in, if possible, encourage
transparency. Building in a black box, especially with regard to data
handling, inevitably leads to consumer backlash. At the end of the day, the
best way to encourage brand loyalty is through an authentic social contract
built on TRUST. It’s the right thing to do.
Peter Trepp is the CEO of FaceFirst, a provider of face recognition technology. As
an executive leader, investor and entrepreneur, Peter has helped numerous
technology companies achieve successful exits, including ServiceMesh’s
purchase by CSC, BlackLine’s sale to Silver Lake Sumeru, and Red Hat's
acquisition of Inktank. He earned his MBA at the UCLA Anderson School.
This article was originally published on securitymagazine.com