Technology developers will never stop in their quest to create what they’ve determined to be the height of convenience for their customers. While it is admirable and exciting for a consumer to always be on the cusp of the newest in technology, it comes with bumps in the road in terms of privacy rights.
The latest in technological convenience has come in the form of facial recognition. It can be used for many tasks: from opening smartphones, to checking in for airline flights, and checking out at restaurant kiosks. Amazon has even entered the game by rolling out a new “Rekognition” program that is marketed to consumers to use with their pictures and videos. The program is also available for companies to use to improve their customers’ experience or the company’s efficiency. Some suggested uses of the program include employee verification on ID badges and “sentiment analysis,” a program for retail stores that analyzes the emotions of individuals based on their facial expressions.
Amazon’s list of customer reviews has big-name companies including Motorola Solutions, Family Search, and C-SPAN endorsing the product’s efficiency and accuracy. Also among the reviewers is the Washington County Sheriff’s Office. The Washington County Sheriff’s Office explained that by using the program they were able to upload their entire collection of suspect photos and analyze that data. This led to a decrease in the time it takes to identify a suspect. They even claim the software allowed them to identify the suspect of a cold case leading to an arrest “through due process.” But that raises the question: what are the constitutional implications of government officials using facial recognition data?
To understand how facial recognition technology interacts with a seemingly abstract standard of constitutional protection, a quick note about the Fourth Amendment is helpful. In a 1967 concurring opinion, Justice Harlan created the standard for determining if the Fourth Amendment protects a citizen’s private information from a search by the government. Harlan suggested the court should determine if society has a reasonable expectation of privacy and if that expectation did not exist, then the Fourth Amendment did not protect the information.
This test laid the foundation for what would become Third Party Doctrine. Third Party Doctrine is the idea that a person does not have a reasonable expectation of privacy for information they disclosed to third parties, and therefore the government has not conducted a search within the meaning of the Fourth Amendment if they obtain this information from one of these third parties without a warrant.
It seems that under the Third Party Doctrine facial recognition data collected by companies like Amazon would be fair game for government officials to access without obtaining a warrant. This may seem a little strange considering we’re talking about a reasonable expectation of privacy surrounding the use of your face, something deeply personal and unique to (almost) everyone. On the other hand, we share our faces with our friends on Facebook and followers on Instagram, so should we expect that other companies aren’t sharing this data with either each other or the government?
The Senate has proposed a separate approach to protecting citizens’ facial recognition data. The bill is called the “Commercial Facial Recognition Privacy Act of 2019”. It would “prohibit certain entities from using facial recognition technology to identify or track end users [consumers] without first obtaining the affirmative consent of the end user.” The bill also would prohibit companies from using facial recognition technology to discriminate against customers or for any other unlawful use.
One wrinkle in the bill is that while it does not prohibit government entities from collecting facial recognition data, by its text it would prevent companies from disclosing this information to the government. If adopted, the law would prohibit sharing the data with “an unaffiliated third party without affirmative consent that is separate from the affirmative consent required” to use the facial recognition data. The bill basically restricts the definition of “unaffiliated third party” to any party that isn’t also a user of the service, an employee of the company, or a party the user provided consent to receive information. This would suggest that the federal government is an unaffiliated third party and could not obtain facial recognition data without consent of the individual.
It’s not clear this was the intended purpose of the law, especially considering the bill has a carve-out for government entities that use facial recognition technology to collect this kind of information. Relatedly, the constitutional protection of the Fourth Amendment may prevent the government from obtaining this data without a warrant. The Supreme Court has held that accessing information, like the data on a U.S. citizen’s phone (Riley v. California) or a citizen’s location information (Carpenter v. U.S.), without first obtaining a warrant is a violation of the citizen’s Fourth Amendment right, even though the data was technically already shared with a third party. It seems that if this constitutional question were put before the Roberts Court today as it relates to facial recognition data, they would likely hold that obtaining this information without a warrant violates a citizen’s Fourth Amendment right. In this quickly evolving area of law and technology, only time will tell.*
*Taylor Book is Executive Editor on the Michigan Technology Review. She can be reached at firstname.lastname@example.org.