You’re probably already familiar with face recognition technology through security surveillance or Facebook photo tagging, but the next person you see wearing Google Glass may well be using it too – despite Google’s claims it would never allow it to happen.
Privacy weaknesses clouding Google Glass – a small heads-up display which can show emails, text messages, and take pictures or record video – have attracted the attention of regulators worldwide and, predictably, the hacker community.
Facial recognition Glass software (or “Glassware”), which Google maintains will be blocked from being installed on Glass unit, has already been developed and is usable, well ahead of Glass’s expected public launch later this year.
In a Google post in June, Google sent out the following reassuring message:
[W]e won’t be approving any facial recognition Glassware at this time.
But despite this declaration, a 23-year-old American hacker recently announced facial recognition software is already possible on Glass – and he could prove it.
Stephen Balaban, co-founder of software company Lambda Labs, circumvented Google’s facial recognition app block by building his own, non-Google-approved operating system.
He then installed Glassware that scans faces and generates a summary of what that person and the Glass wearer has in common, such as mutual friends and interests.
Should we be surprised that Google’s “block” has already been bypassed? Probably not.
The initial distribution of Glass to testers (called “Glass Explorers”) at the start of this year allowed any potential weaknesses to be identified prior to public release.
But the face recognition hack provides a good platform to examine any other potential privacy weak points that may be prone to exploitation, and how Google says it will keep people’s private lives private.
Google’s response last month directed to the US Congress’ letter is predictably nebulous. Texan Congressman Joe Barton expressed disappointment in that the questions were not adequately answered – and some not answered at all.
Let’s look at some of these questions and Google’s reply.
The myth of informed consent?
According to the US Congress letter:
… we would like to know how Google plans to prevent Google Glass from unintentionally collecting data about the user/non-user without consent?
Based on their response, Google has:
built Glass to put users in control.
which effectively places the accountability for how Glass is configured and used squarely in the hands of the user. The fundamental question remains whether the average user, for all practical purposes, is fully aware of the full range of options and settings on the device, and more importantly what they mean.
Would the default “out of the box” settings be configured for maximum privacy? Chances are that the factory settings will be configured not to disadvantage Google’s best commercial interests.
Even if the user studiously reads Google’s privacy and usage policies, the fact that Google reserves the right to change its policies at any time and without notice, implies that the concept of perpetual, full and informed consent is impractical.
This, combined with the fact the vast majority of consumers pay little to no attention to the terms and conditions associated with their internet usage, raises the question of whether users' behaviour will be any different when using wearable technology.
Sorry, forgot the name, but recognise the face
Facial recognition appears to be one of the key sticking points. The third question from Congress included:
When using Google Glass, is it true that this product would be able to use Facial Recognition Technology to unveil personal information about whomever … the user is viewing?
Google’s response to this vexed question of facial recognition capabilities being incorporated into wearable technology remains vague.
Stating they will not be adding facial recognition at “this time” implies the situation could change at any time. Additionally, in its letter to Congress, Google says it:
won’t add face recognition features to our own services unless we have appropriate privacy protections in place.
The emphasis is on the phrase “our own services” which does not preclude any one of the large number of independent Google developers from writing operating systems and apps to fill this gap, as Balaban did recently.
A key tenet of facial recognition is that the image appearing in the screen of Glass has to be matched to a database of faces. The question is: which local and overseas institutions would have access to, or ownership of this database of faces?
Third parties in the frame
US Congress’ letter sought a reply to the question whether Google would:
place limits on the technology and what type of information it can reveal about another person?
More than once, Google’s response states that:
Protecting the security and privacy of our users is one of our top priorities.
That’s all well and good, but the primary concern relates to the privacy of parties other than that of the user. In principle, this is no different to the sale of other consumer technology products.
The responsibility for the appropriate use of the product rests with the user. The user is subject to the laws of the land in which the product is used, one example of which being the Surveillance Devices Act 2004 (Australia) that prohibits recording a private conversation without the consent of the parties involved.
That doesn’t mean people are not in breach of the law every time they record a video in a busy street on their smartphone, where the conversations of strangers may be accidentally recorded. Products such as Glass just make this issue more topical, for the moment at least.
Setting the standards
Eyes are on Google to set a standard of good practice for wearable technology.
Its biggest challenge will be to balance the opportunities for the technology and those keen to explore it, with those who see insurmountable problems with a more invasive technology that has implications for the people that come into contact with it as well as the person wearing it.