https://ift.tt/3Fa3Z5r Clear Storage: The Ethics of Retention Policies for Stored Facial Images In spring of 2021 Walt Disney World tested...
Clear Storage: The Ethics of Retention Policies for Stored Facial Images
In spring of 2021 Walt Disney World tested facial recognition software that aimed to associate guests’ faces with their park reservations, igniting a privacy debate about data ownership
Although the topic of facial recognition is uncomfortable, hearing of its application in a place associated with child-like innocence was particularly jarring to those concerned about the Disney Company violating their privacy. It should be noted that, in Disney’s case, guests uncomfortable with facial scanners could opt for a less invasive ticket scan and there are no reports of the technology being implemented in a non-voluntary manner.
Opt In?
However, not all companies allow customers to opt out of facial data collection. In July The Verge reported that Lowe’s, Macy’s and Ace Hardware all currently employ facial recognition algorithms, while McDonalds, Walgreens and even 7–11 are considering using facial recognition in the future. Although that may sound scary, there is nothing illegal about the practice, since facial recognition techniques are unregulated in the U.S. and throughout most of the world. While legislating facial recognition is being overlooked (for now), there is a larger debate raging related to long-term data retention. When discussed together, it becomes clear that long-term storage of dynamic or static facial imagery poses both an ethical and infrastructural dilemma for organizations of any scale.
Data is often compared to oil; however, unlike fossil fuels, data is a renewable resource. It does not need to be stored and accessed indefinitely to be invaluable.
EU Retention: The Right to Be Forgotten
For U.S.-based companies, crafting a data protection and retention policy is, for the time being, optional, with the exception of California, in which businesses are bound by the California Consumer Privacy Act (CCPA) to disclose data upon a user’s request. For companies operating in or impacting users in the EU, data transparency is mandatory. The General Data Protection Regulation (GDPR) does not include a finite timeframe for how long companies are permitted to store customer data. It does, however, include specific guidelines for data retention and is, so far, the most comprehensive resource on the subject. A few highlights:
- Companies must not keep personal data longer than they need to
- Companies must be able to justify why they are keeping data
- Companies need a policy establishing retention periods
- Companies must conduct periodic reviews of how they are using data
- Companies must only retain data long-term if it is in the public interest
Finally, the GDPR assures EU citizens that they have the ultimate ownership over their data, including the right to be forgotten:
Individuals have a right to erasure if you no longer need the data — General Data Protection Regulation (GDPR)
Images and Privacy Don’t Scale
It is worth noting, however, that these laws have been conventionally applied to structured, text-based data, not unstructured image data. Infrastructure-wise, image files are often tens or hundreds of times larger than text files and will cost companies more per month to store them using a cloud-based database like those provided by Google or Amazon, especially since Google charges active storage rates by the gigabyte. Most significantly, while storage methods can work for smaller databases, scaling the storage of millions of image files can be an infrastructure challenge.
Infrastructure and costs can be anticipated and adjusted; determining the ethics of storing some of the most personal data that can be collected, an individual’s face, for years on a server, concerns those both within and outside of data-related fields. Ten years ago, researchers in medical imaging faced these issues in a pre-cloud computing world. Even prior to the widespread usage of cloud-based servers such as Google Cloud Products, these individuals recognized the challenge of storing and encrypting image data prior to a batch or streaming transfer to an off-site server.
Establishing a clear set of ethical guidelines can help AI developers and business leaders determine how to conceive, test and deploy facial recognition in a way that balances their right to collect data with consumer privacy rights. The Future of Privacy Forum, a nonprofit, suggests that organizations that leverage facial recognition must focus on privacy principles such as consent, data security and transparency. However, there are less clear guidelines when it comes to the long-term storage of this data. Consequently, many ethical dilemmas arise, especially with regard to collecting facial data from vulnerable segments of the population.
For instance, here’s a hypothetical: Should companies have a right to collect, leverage and indefinitely store facial image data collected from minors?
In an age when parents are cautious about posting photos of their young children on social media, the fact that companies can capture and forever store their facial images is a concerning and borderline dystopian thought.
The Forgotten Debate
Some days it seems as if the only ethical debate occurring related to data science is responsible AI design and usage. When it comes to facial recognition there are understandable and validated concerns of model bias and a lack of diversity in datasets. These are relevant and, frankly, intriguing discussions. Admittedly, data retention is not nearly as exciting of a topic. However, as more and more websites and applications tout opt out features, one question technology companies and data scientists will have to wrestle with is: Are we ethically sourcing, treating and protecting our data?
Slowly, we’re beginning to see companies, particularly FAANG corporations, address this issue. Recently, Google updated its BigQuery database product to include data expiration parameters to discourage users from retaining data beyond a reasonable timeframe. Google itself is leading efforts to reform data retention policies. In 2020, Google announced that it would begin to automatically delete location history, web history, and voice recordings after 18 months. The fact that Google included unstructured personally identifiable information (PII) data like voice recordings in its new data retention policy should offer some precedent for how organizations should store sensitive multimedia data.
For anyone working in the data industry, myself included, although we don’t take any kind of hippocratic oath, there is an implicit responsibility to ethically access, manipulate and store data. The idea of limiting storage abilities or regulating the industry doesn’t have to be a scary thought. Instead, regulation of data collection for PII can allow companies to build and, in some cases, regain the trust of users accustomed to surrendering their information with the hope that someone has their best interests in mind on the back end.
Clear Storage: The Ethics of Deletion Policies for Stored Facial Images was originally published in Towards Data Science on Medium, where people are continuing the conversation by highlighting and responding to this story.
from Towards Data Science - Medium https://ift.tt/3E0llAx
via RiYo Analytics
ليست هناك تعليقات