«

»

In the blink of an eye, Google Glass has just shifted to the dark side

eye tapping surveillance security

By Simon Davies

Last week a California start-up – Lambda Labsannounced that it is about to release a face recognition app for Google Glass. With this simple innovation the wearable technology has been transformed from a cool gizmo into a privacy quagmire.

The extent to which Google is prepared to institute any form of privacy protection tends to hinge on where that product sits in the Google business model.

Facial recognition is a digital “biometric” technique that scans a face and turns it into an algorithm (or template) that becomes a mathematical representation of the face. When a similar algorithm is generated the system declares a “match”.

Lambda Labs says the new app will be able to recognise faces in a crowd. It will currently operate only through a central service, meaning that there will be a lag of several seconds before recognition is complete. However the app is being released for use by developers, and if married with real-time technology such as Face.com it may develop the capacity for instant face recognition using shared facial algorithms. At that point the technology will run headlong into the privacy laws of at least two dozen countries.

In response to a recent US Congressional inquiry into Glass, Steve Lee – Glass director of product management – said: “We’ve consistently said that we won’t add new face recognition features to our services unless we have strong privacy protections in place.”

This phrase “strong privacy protections” is where the rubber hits the road. Traditionally, Google’s idea of privacy protection has not matched the expectations of privacy regulators – or, indeed, of many Google users. The extent to which the company is prepared to institute any form of privacy protection tends to hinge on where that product sits in the Google business model. At this stage no-one outside Google knows where the new technology fits into this model. Google’s API policy does not prohibit face recognition.

The Bi-Partisan Privacy Caucus of Congress has put a number of key questions to Google, indicating its concern that the new technology may become a privacy threat. Among the issues raised are questions about the ability of Google to limit intrusion into the lives of third parties and the capacity for people to control information about them that is generated through Glass.

It does not help that the Google API leaves the privacy question largely to the discretion of developers.

Many people imagine that Glass is a stand-alone product – a gadget. This is far from the truth. Glass will be an interface between the user, stored data and the physical world. It will be an interoperable technology that creates a new dimension for interactivity. This means an inevitable acceleration of data collection and an expansion in the ways information can be used.

Just as significant, Glass is a platform. It will be extended by countless developers in the same way that mobile and social networking platforms evolve. Without strict and specific limitations in place early in the development phase the technology could easily become a magnet for exploitative and dangerous data operations.

It does not help that the Google API leaves the privacy question largely to the discretion of developers. It does not – for example – speak to the crucial issue of whether data collection should be opt-in or opt-out. European regulators in particular are anxious to discover what this paucity of detail will mean in practice.

Developers may soon create functionality that associates personal data with face recognition, thus creating a vast archive which is activated by input to Glass.

Indeed the wording in the API has given rise to some consternation. It merely states that a Glass app should not collect “authentication information” for “Google accounts”, and thus appears to have intentionally skirted the issue of data and biometric collection.

It may be useful to think of Glass as a gateway to data – and facial recognition as the enabler of that gateway. If Google’s API permits the broad collection of facial images and the creation of facial algorithms, the consequences for privacy could be devastating. In an opt-out framework countless facial algorithms could be amassed, perhaps ultimately linking to stored data about each target individual.

Developers may soon create functionality that associates personal data with face recognition, thus creating a vast archive which is activated by input to Glass. If facial algorithms can be generated from images in sources such as social networking sites, news sites and other “public” sources, these could be matched against “real world” algorithms generated through Glass. This would enable instant matching of the face and the associated data.

This is not science fiction. The technology already exists in piecemeal form, and Glass could be the platform that enables it. Face.com has already created the foundations for such matching.

If Google were serious about genuine privacy protection – and if it was sensitive to the concerns of Congress – it should immediately place an outright ban on non-consensual, opt-out facial recognition. If it fails to institute this limitation then we should all be prepared for a major privacy conflict.