September 12, 2013
Mr. Mark Zuckerberg, CEO
1601 Willow Road
Menlo Park, CA 94205
Dear Mr. Zuckerberg:
I am writing to express my concern about Facebook's proposed expansion of its facial recognition program - and to ask a question about this initiative. Last July, as Chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, I held a hearing on the privacy implications of facial recognition technology; Facebook was one of our witnesses. As I said then, I was concerned by Facebook's creation of what is likely the world's largest privately held facial recognition database - without its customers' express consent. The proposed expansion of this program is highly troubling, especially since Facebook has refused to promise its customers that it won't share this program or its data with third parties in the future.
Facial recognition technology has profound implications for privacy. Cookies track you across the Internet; with a little tech savvy, you can block them or delete them after the fact. Facial recognition tracks you in the real world, from cameras stationed on street corners and in shopping centers, and through photographs taken by friends and strangers alike. Unlike other biometrics such as fingerprints and iris scans, which require physical contact or proximity, facial recognition can operate at a distance, entirely without the knowledge of the person being identified. And there is no practical way for an individual person to stop it. Unfortunately, no federal law governs the commercial use of this technology. This is why last year, I asked the National Telecommunications and Information Administration to examine the use of this technology as part of their Multistakeholder Process. See generally Letter to the Honorable Lawrence Strickland at 11-14 (April 2, 2012) available at http://www.ntia.doc.gov/files/ntia/4_2_12_sen_franken_comment.pdf.
In 2010, Facebook enrolled its then-800 million users into its facial recognition program, Tag Suggestions. This program made it easier for Facebook users to tag their friends in photos. It did so by creating "faceprints" for those users - unique digital models of faces akin to fingerprints. Over the past three years, Facebook has leveraged its now billion-strong user base - and its library of 220 billion photos - to build a truly extraordinary database of faceprints. In my filing to the NTIA, I made a conservative estimate that Facebook's faceprint database included at least one out of every twenty people on the planet. In 2011, Professor Alessandro Acquisti used a much smaller database and off-the-shelf software to successfully identify, by name, one out of every three students that happened to walk past him on the Carnegie Mellon campus.
It is easy to envision a scenario in which a company holding such a database works with third parties to identify the names of customers as they walk into a store or car showroom - or who walk past it after looking in its windows. It is also easy to envision a scenario in which this database is abused by bad actors. Last year, a company called Face.com released the first commercial-grade facial recognition application for public use. The app was supposed to work on only your Facebook friends. But soon after its release, an independent security researcher, Ashkan Soltani, revealed that the app could be hacked in a way that would appear to allow it to identify total strangers. See Ashkan Soltani, "Facepalm" (June 18, 2012), available at http://ashkansoltani.org/2012/06/18/facepalm/ ("The above attack not only allows access to non-public photos, but also lets the attacker potentially manipulate the Face.com app to automatically 'recognize' anyone walking down the street.") As you know, in June 2012, Facebook purchased the company for $100 million.
Last year, I asked Facebook's Manager of Privacy and Public Policy, Rob Sherman, whether he could assure Facebook users that the company would not sell or share its faceprint database with third parties. His response: "It's difficult to know in the future what Facebook will look like five or ten years down the road, and so it is difficult to respond to that hypothetical." On August 29, Facebook's Chief Privacy Officer Erin Egan told Reuters: "Can I say that we will never use facial recognition technology for any other purposes? Absolutely not."
Two weeks ago, Facebook proposed changes to its Data Use Policy that would expand the faceprint database to include faceprints of public profile photos - not just the photos that users have been tagged in. Presumably, this would lead to a significant expansion of Facebook's faceprint database. It would also likely capture some of Facebook's least active users - those who are visible in their public profile photo but are not tagged in any other photos. These people are often less active users who may not be aware of Facebook's privacy changes. I urge Facebook to reconsider this change.
In light of the above circumstances, I respectfully request that Facebook answer one question regarding its facial recognition program: How many faceprints does Facebook have?
Thank you for your time. I ask that you answer my question within a month of receipt of this letter.
Chairman, Senate Judiciary Subcommittee
on Privacy, Technology and the Law
Chairwoman Edith Ramirez
Commissioner Julie Brill
Commissioner Maureen Ohlhausen
Commissioner Joshua Wright
Federal Trade Commission