The Metadata Era

In my last few posts, I’ve been focusing on how the rise of social media has forced regulators both here and in the EU to revise their definitions of personal data. With the new emphasis on data that can be  “reasonably linked” to an individual, companies may soon have to extend their security controls over a broader range of consumer information. Interestingly, just as the amount and breadth of personal data is increasing, another almost opposite regulatory requirement is looming on the horizon.

In the FTC privacy guidelines report that I’ve been referring to recently, the agency’s Commissioners refer to a “right to be forgotten”. This is not a legal right in the US (yet). But the concept that data should have a natural shelf life and not be retained longer than necessary is reflected in the language of the report’s framework, which calls for “reasonable collection limits” and “sound retention policies”.

Translation: Companies should delete data they no longer need and also allow consumers to access the data and under “appropriate circumstances” purge or suppress it.

Keeping in mind that these are guidelines and best practices, there’s a great hypothetical case study in the FTC report for the mobile space. The Commissioners point out that GPS generated location data, which is often monitored and saved by smartphone apps, should be treated as identifying information. The reason? Geo coordinates can be used to re-identify customers when connected with other “disparate bits of information”.

In this particular example, the FTC suggests that mobile software companies should limit their retention of business data—say check-ins to a restaurant—and also their sharing of it with third parties.

As I’ve been pointing out, public data on the web — especially on social sites—actually expands the amount of corporate consumer data that would fall under the “reasonably linked” definition. And with this new FTC approach for retention, it means that more data is now a candidate for deletion as well.

Back at the EU, the right to be forgotten is an important part of the planned update to their Data Protection Directive. Unlike the US, it will have the weight of law as EU member countries implement the new rules over the next few years. It will give citizens the right to delete data on request.

In the US, the FTC report may provide clues as to what may be coming out of Congress. The McCain-Kerry Commercial Privacy Bill of Rights, which is currently stalled, does have provisions for data retention limits of personally identifiable information (PII) and other information that may be reasonably used to identify an individual. It also gives consumers some control over their data: they can request that PII and other information be made unidentifiable or not usable. This is less strong than the EU’s right to be forgotten, but it would still require US companies to at least find personal data and then corral it.

The writing is on the wall for US companies: those that implement the FTC best practices for data deletion will be in a much better position when either McCain-Kerry’s Bill of Rights or another law is passed that makes consumer data retention  limits and deletion not just a good idea for companies, but a legal obligation.

I was ready to start writing about the FTC’s recent recommendations on personally identifiable data (or PIIs), when the agency suddenly lobbed a new guideline onto the scene. Released last Monday, Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies is focused on the risks involved in not securing photographic images and data. It’s another indication that US regulatory rules will be leaning toward a broader definition of what it means to relate “anonymous” data back to an individual.

“Facing Facts” doesn’t read like a standard-issue government agency report. It opens by referencing the Speilberg movie, Minority Report, and its vision of a future where ads are served up based on scans of biometric data.

That world is not quite here yet, but the FTC’s larger point with these new guidelines–read as best practices–is that facial recognition technology has become quite sophisticated and potentially disruptive.

Not only is it possible to use non-proprietary software and hardware to pull key information out of digital images, it’s already being done on a commercial basis. Retailers now install digital signage in mall kiosks to serve up ads based on the gender, age, and other demographic information of the consumers viewing the informational screens.

Even more impressive is that existing facial recognition technology has reached a high-level of accuracy in comparing photos and finding matches. The National Institute of Standards and Technology (NIST) reports that the false reject rate–percentage of comparisons incorrectly rejected–has been cut in half every two years. At the NIST’s Face Recognition Grand Challenge in 2010, the winning company achieved a false reject rate of 2.1% while still delivering a false acceptance rate of .1%.

The FTC’s overall message for companies capturing facial data is three-fold:

1. Build privacy into products “by design”
2. Give consumers choice when capturing this information
3. Be transparent about what’s being done with the images

There are obvious and direct implications for companies in consumer retail and social networking (Facebook typically sees over 1 billion photos monthly). But the scope of this FTC announcement is larger than one might at first guess.

Once upon a time, a file directory of employee digital photos—say for badges–would not have been considered worthy of much security—it’s technically not even considered PII.  This latest FTC announcement, however, indicates a far different view of what it means to trace ostensibly anonymous data back to an individual.

One of the keys points in the FTC’s argument –one I noted in a previous post—is that easy-to-access publicly available data on social networks changes the rules. In a Carnegie Mellon study cited by the FTC, researchers were able to match a set of unidentified photos against existing tagged Facebook photos.

Here’s what the FTC had to say on how companies should now treat digital facial data:

“First, companies should maintain reasonable data security protections for consumer’s images and the biometric information collected from those images to enable facial recognition (for example, unique measurements such as size of features or distance between the eyes or the ears). As the increasing public availability of identified images online … companies that store such images should consider putting protections in place.”

Do your company’s digital photo images—headshots, events, publicity, etc.—have the appropriate access rights? Do you even know where they are?

While you’re pondering that, I’ll be giving Minority Report a second viewing.