Microsoft has issued a call for regulation of facial recognition. It relies on the principles of fairness, transparency, accountability, nondiscrimination, notice and consent and lawful surveillance. Details of these principles will follow in a further Microsoft piece. Generally, the current post posits that regulation should start now due to the large risk that facial recognition poses while recognizing the benefits it offers. The argument is not unlike that of the Governor of the Federal Reserve that I wrote about previously.
A few thoughts came to mind.
First, what are the consequences? Where the risks can lead to severe outcomes for an individual as the article suggests, what consequences will be applied to a breach? If the consequences are not severe, will the regulation deter anyone? And if the consequences are too severe, will this deter good faith attempts in the technology?
Second, some of the particular oversight suggestions seemed difficult. For example, the requirement to maintain meaningful human review. While a good idea, is this practical? Could humans keep up in a meaningful way with all uses of facial recognition? The post suggests that this be applied to “consequential use cases” where risk of bodily harm, freedom, fundamental rights or personal freedom may be impinged. But what if the technology is applied at first instance where none of these would appear to be impinged but later use of the first collected data still leads to such harm? Presumably the verification of initial facial recognition data back to the root event, so to speak, could not be done by humans given the number of such data collection events.
Third, the protection of privacy goal is of course important. But in so many cases the breach of privacy has not been by the good faith corporate actor but by a malfeasant third party. In order to protect privacy, notice and consent are critical but so must be securing data in a way that it cannot be accessed by bad actors. Consequences for failing to so secure data must be significant.
Lastly, I would suggest that I am far less wary of corporations collecting data as they have done for years than I am of governments having access to data collection such as facial recognition beyond voluntary facial recognition (for example, for deliberate identification verification in cross-border movements). Widespread use of facial recognition by governments and police authorities really just doesn’t seem like the best idea at all. I say we just ban them from using it completely.