The Obama administration's push to restrict the commercial use of facial recognition technology suffered a severe setback Tuesday when privacy groups walked away in protest.
The groups said in a statement that they saw no reason to continue the talks organized by the Commerce Department because the tech industry refused to agree to even modest limitations.
Privacy advocates worry that companies could use facial recognition technology to deliver customized advertisements or even track people as they move through public spaces. And while it's easy to change a password, credit card number, or online account, it can be impossible to alter distinguishing facial features.
"At a base minimum, people should be able to walk down a public street without fear that companies they've never heard of are tracking their every movement—and identifying them by name—using facial recognition technology," the American Civil Liberties Union, the Center for Democracy and Technology, the Consumer Federation of America, the Center for Digital Democracy, and other privacy groups said in the statement. "Unfortunately, we have been unable to obtain agreement even with that basic, specific premise."
The ability of government agencies such as the FBI to scan faces in crowds and protests has raised particular privacy concerns, but the Commerce Department's efforts have focused only on the use of the technology by private companies. Facebook, for example, already uses facial recognition software to tag users in photos.
The collapse of the government-led talks highlights the difficulty in crafting policies through voluntary negotiations with business groups instead of mandatory laws or regulations. And with consumer privacy legislation stalled in Congress, it seems unlikely that tech companies will face major new privacy restrictions anytime soon.
"I think we need to fundamentally rethink the ability of multi-stakeholder processes to produce good privacy rules," said Alvaro Bedoya, the executive director of the Center on Privacy & Technology at Georgetown University Law Center and one of the advocates who now is boycotting the discussions. "The American people need to wake up to what industry lobbying is doing to consumer privacy in Washington."
But the Commerce Department's National Telecommunications and Information Administration, which is convening the talks, isn't giving up yet. In a statement, a spokeswoman said the agency is "disappointed" in the boycott, but that that the meetings will continue with whatever groups want to participate.
"Up to this point, the process has made good progress as many stakeholders, including privacy advocates, have made substantial, constructive contributions to the group's work," the NTIA spokeswoman said. "The process is the strongest when all interested parties participate and are willing to engage on all issues."
And tech groups are vowing to forge ahead with writing a code of conduct for facial recognition software without input from the privacy groups. It is in the industry's own interest, they argue, to ensure that consumers trust their products.
"Regardless of who writes the code, I would hope that everyone could agree that it would improve consumer privacy protections," said Carl Szabo, policy counsel for NetChoice, an industry group that represents Google, Facebook, Yahoo, and other tech companies.
In early 2012, the White House unveiled a "Consumer Privacy Bill of Rights" and urged Congress to enact the protections into law. With the proposal facing long odds on Capitol Hill, President Obama directed NTIA to begin a series of "multi-stakeholder" meetings between industry groups and consumer advocates to develop privacy codes of conduct.
The codes would be voluntary, but companies that agreed to abide by them could brag to consumers about their strong privacy protections. Agreeing to a code and then violating it could result in federal enforcement for deceptive advertising.
The first area that the agency tackled was privacy on mobile apps. In 2013, consumer advocates and industry associations worked on a code for how apps should disclose the kinds of data they are collecting from users.
For the past year, the groups have been meeting to try to craft a code of conduct for facial recognition technology. But the privacy advocates became frustrated that the tech industry refused to agree that companies should have to ask permission in some cases to scan people's faces. Unnecessary restrictions could squelch promising new innovations that would ultimately be good for consumers, the industry lobbyists said.
Bedoya argued that a weak code of conduct would be worse than none at all because Texas and Illinois already have enacted strong biometric privacy rules. While Congress is unlikely to do much on the issue, he argued that privacy advocates should focus on passing more state laws to limit the use of facial recognition technology.
Szabo said he is disappointed that the privacy groups are boycotting the NTIA process and argued that there was still plenty of room for agreement. They could have worked on transparency measures or ways to give users more control over how companies can use their facial images, he said.
"Consensus doesn't mean that everyone always gets everything they want," he said. "But it means we find enough things on which we agree that we can produce something beneficial."
But the privacy advocates say they won't think much of whatever code the industry groups produce on their own.
"You can't call it a multi-stakeholder process if you only have industry stakeholders," Bedoya said.