In a policy statement on the use of biometric information and how it relates Section 5 of the Federal Trade Commission Act (FTC Act), the Federal Trade Commission (FTC) stated concerns about “deep fakes,” fraud, and discrimination as these technologies become more widespread.
Without clear disclosures and meaningful choice for consumers, the FTC stated consumers are afforded very few ways to avoid the risks or unintended consequences.
Over the last ten years, the FTC has analyzed the collection and use of biometric information and the significant advances made during that time. Its research on facial recognition, starting in 2012, saw that technology become 20 times better at finding a matching photograph from a database over just four years, between 2014 and 2018. Other tools like it have seen similar improvements and continue evolving.
“Consumers, businesses, and society now face new and increasing risks associated with the collection and use of biometric information,” the FTC stated. “For example, biometric information can be used for the production of counterfeit videos or voice recordings (so-called “deepfakes”) that would allow bad actors to convincingly impersonate individuals in order to commit fraud or to defame or harass the individuals depicted.
“Large databases of biometric information may also be attractive targets for malicious actors because of the information’s potential to be used for other illicit purposes, including to achieve further unauthorized access to devices, facilities or data. These issues pose risks not only to individual consumers, but also to businesses and society.”
Besides the risks of fraud and “deep fakes,” the FTC voiced concerns about biometric technology and its role in discrimination. It specifically referred to facial recognition technology that may perform differently across different demographic groups. One study the agency cited revealed significantly more false positives for individuals of African and East Asian descent than those of Eastern European. The rate of false positives was also more prevalent in women than in men, and in the elderly and children compared with middle-aged adults.
FTC stated these technologies may also be prone to error when the subject of the analysis has a disability. When biometric tools are used for security surveillance, this risk of false positives can lead to individuals being falsely accused of crimes, subjected to searches or questioning, or even be denied access to the premises.
In light of these observations, the agency cautioned biometric technologies’ use can lead or contribute to harmful or unlawful discrimination and could violate Section 5 of the FTC Act’s prohibition on unfair or deceptive acts or practices in or affecting commerce. To help entities determine whether their biometric technology use is compliant, the FTC provided a non-exhaustive list of practices it will consider when doing its analysis. These included:
- False or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness, or efficacy of technologies using biometric information.
- Deceptive statements about the collection and use of biometric information.
- Collecting, retaining, or using consumers’ personal information in ways that cause or are likely to cause substantial injury, or disseminating technology that enables others to do so without taking reasonable measures to prevent harm to consumers.
- Failure to assess foreseeable harms to consumers before collecting biometric information or promptly addressing known or foreseeable risks.
- Engagement in surreptitious and unexpected collection or use of biometric information.
- Failure to evaluate the practices and capabilities of third parties.
- Failure to provide appropriate training for employees and contractors.
- Failure to conduct ongoing monitoring of technologies that the business develops, offers for sale, or uses in connection with biometric information,
“The commission notes that a practice need not be equally likely to harm all consumers in order to be considered unfair,” the FTC stated. “In determining what constitutes reasonable practices to protect consumers from potential harms associated with the use of biometric information, therefore, the commission will – and businesses should – consider the practices from the perspective of any population of consumers that is particularly at risk of those harms.”