When I heard about SceneTap and the hoo-haa it caused in the US, the movie Minority Report came to mind (just to be clear: SceneTap is not like the technology which is portrayed in the movie. I will try to explain that further down). Anyway, back to the movie: Tom Cruise walks past a wall of interactive advertisements, the retinal scans identify him, and the displays call out his name, and serve up customised advertisements. Hollywood always gets it early. For those who can't remember the scene, here is the clip from Youtube.
Now, we are being told that the facial detection technology deployed by SceneTap and the bars which are partnering with SceneTap does not identify individuals (it just makes its best guess on whether you are male or female and your age, and the data collected does not seem to be able to identify you as an individual) and does not store images of individuals. It is not facial recognition, it is facial detection. You can read SceneTap's CEO's open letter to San Francisco where he explains this.
The fact that SceneTap got a lot of heat for this is probably a reflection of where we are now in the privacy discussion (i.e. general distrust of companies among consumers, and companies not doing enough to bring privacy awareness to their customers - hence customers are caught by surprise, and generally no one likes to be caught by surprise in a bad way). That said, there is probably a ton of facial recognition done by government and police agencies around the world which we are probably not aware of. We know that Britain does this. Singapore is going to adopt facial recognition at its immigration checkpoints, and so is Japan. Expectedly, in both instances, the salespitch for facial recognition was faster passport control and, of course not surveillance. Want to get through immigration faster? Come get your face scanned. How many of you would choose the shorter immigration line which has facial detection?
And we can probably all see where this is going to end up. Once facial recognition gains acceptance (and it will eventually as you should never underestimate the ingenuity of companies in incentivising you to give up your personal data, and greed or ignorance in human nature in taking the bait), and facial recognition is deployed in a public and commercial setting, it would have to pass the various requirements of data protection regimes. That would include:
- if facial recognition is deployed (for example in a store), the individual will need to be informed of the deployment and use, and the purpose for which the images are collected and processed. Imagine having to read or listen to a list of things which the store will do with your images. On that note, I can't see facial recognition on billboards a la Minority Report working within current data protection regimes. How would you be informed of the purpose if you are just walking down a hallway?
- for some countries, collection and processing would also require the consent of the individual and one would have to consider whether consent must be expressed or deemed. For example, does walking into the store, being informed of the use of facial recognition, and continuing to shop in that store after being informed constitute deemed consent? Or imagine having to opt-in when you walk into a store. Perhaps to incentivise you, the store will give you an additional discount off your purchase if your face is scanned.
- The collection and processing must be lawful and not beyond the purpose for which the images and information were collected. Imagine if the store sold cosmetics and took an image of you, noticed the existing blemishes, wrinkles and dark spots on your face, and that store then aged that image for an additional 5, 10 or 20 years so that they can customise their direct marketing efforts at you with appropriate beauty products in 5, 10 and 20 years time (on that point, ageing the image might run into the data protection obligation to maintain accurate personal data).
- how long will the store be able to retain the images? Most data protection regimes limit the retention of personal data to a reasonable period or no longer than is necessary. Would the store need to delete the images once you left the store? How about the details about the date and time of your visit (currently, they would only know about our visits when we actually make a purchase in-store)?
Now, only if they can get the teleporter right.