privacy Archives : Conferences That Work

Concerns about using facial analysis at events: part two

Monday, January 22nd, 2024 by Adrian Segar

My January 15, 2024 article “Concerns about using facial analysis at events” generated much discussion. (See, e.g., this thread on LinkedIn which has, at the time of writing, four thousand impressions.)

[You can also read part 1 and part 3 of this series.]

Five days later, Panos Moutafis, co-founder & CEO of Zenus, the “ethical facial analysis” company, responded.
I find his response inadequate, and this post explains why. I’ve included portions of Moutafis’s response, quoted in red, together with my comments. I conclude with a summary if you want to skip the details.

Here we go.

After an introduction …“Ignorance can be bliss, but it can also be dangerous.” Moutafis begins:

Ethical AI by Zenus: A Summary

“Data from our ethical facial analysis service cannot be used to identify individuals. This is not an opinion. It is an indisputable fact.”

If the “Zenus AI” system is, in fact, completely unhackable, this statement may well be true. But it’s misleading because it does not address attendee privacy concerns. Why? Because, as I explained in my original post, combining Zenus facial analysis data with other attendee identification technology allows event owners to associate Zenus data with individual attendees.

Moutafis now admits this is possible, as his response now includes statements about how the Zenus system should be used. As far as I know, Zenus has not made these statements publicly before.

“If someone wants to use other technologies to identify individuals and combine the data [emphasis added], they need to obtain explicit consent first.

This is true of hotels, convention centers, event organizers, technology companies, etc. Otherwise, they are exposing themselves to liabilities.

A legal review takes place before starting to use a new service in this manner. People who work in the corporate sector and associations are familiar with these processes. This is not the Wild Wild West.”

The crucial phrase here is “and combine the data“. Moutafis is saying that when combining attendee tracking data with data supplied by the Zenus system, attendees must provide explicit consent. That means attendees must be informed about this in advance. And they must give explicit consent for event owners to use real-time continuous data from Zenus’s system to provide additional information on each attendee.

In my original post, I noted that Moutafis tries to put all the responsibility for such consent on the event owner and/or supplier of the attendee identification technology rather than his company. We’ll see why he needs to do this shortly.

GDPR and Data Privacy Regulations

Different regions and implementations have different requirements.

The European Data Protection Board, in particular, has clearly noted that facial analysis alone does not fall under Article 9.

See section 80 in the Guidelines adopted on January 29, 2020 [link].

“However, when the purpose of the processing is for example to distinguish one category of people from another but not to uniquely identify anyone the processing does not fall under Article 9.”

See section 14 in the Guidelines adopted on April 26, 2023 [link].

“The mere detection of faces by so-called “smart” cameras does not necessarily constitute a facial recognition system either. […] they may not be considered as biometric systems processing special categories of personal data, provided that they do not aim at uniquely identifying a person […] .”

In simple words. Are you using the service alone? Great.

Are you combining it with identifying information? Obtain consent or face the consequences. The pun is totally intended.

This section restates that the Zenus technology satisfies European Data Protection Board guidelines only when used in isolation. It confirms that clients combine Zenus analytics “with identifying information” “you” must “Obtain consent or face the consequences.” Again, the “you” is any entity but Zenus.

In addition, to bolster his case, Moutafis does a selective quote of section 14 in the Guidelines adopted on April 26, 2023. Here’s the entire section 14 with the portions Moutafis omitted in bold:

“The mere detection of faces by so-called “smart” cameras does not necessarily constitute a facial recognition system either. While they also raise important questions in terms of ethics and effectiveness, digital techniques for detecting abnormal behaviours or violent events, or for recognising facial emotions or even silhouettes, they may not be considered as biometric systems processing special categories of personal data, provided that they do not aim at uniquely identifying a person and that the personal data processing involved does not include other special categories of personal data. These examples are not completely unrelated to facial recognition and are still subject to personal data protection rules. Furthermore, this type of detection system may be used in conjunction with other systems aiming at identifying a person and thereby being considered as a facial recognition technology.“

Wow! Moutafis omits the “important questions in terms of ethics and effectiveness” raised by facial analysis. And, tellingly, he cuts the last key sentence entirely:

“Furthermore, this type of detection system may be used in conjunction with other systems aiming at identifying a person and thereby being considered as a facial recognition technology.“

This, of course, is exactly what Moutafis admits happens if clients use Zenus technology with any other tech that identifies individuals.

So the European Data Protection Board guidelines say that Zenus’s system effectively becomes a facial recognition system under these circumstances.

That’s not what Moutafis implies. I’d describe this section of Moutafis’s response as deliberately misleading.

Our AI badge scanning reads attendee IDs

I have little to say about this. Badge scanning tech is common at meetings. If attendees give informed consent and can opt out of badge scanning, I don’t have a problem with it. But perhaps this is a place to point out the significant difference between technology (badge scanning) that identifies attendees only at discrete attendee-determined points in time, and technology (Zenus plus attendee identification data from a separate system) that continually accumulates attendee data all the time attendees are in sensor range.

Legal vs Moral Considerations. Consent vs Notice

“People often conflate face recognition (identification) with facial analysis (anonymized data). In a similar way, they conflate legal and moral considerations.”

That’s quite a comparison! It’s saying being confused about the definitions of two types of technology is similar to being confused about legal and moral concerns of the use of such technologies.

“It might not be legally required to provide notice about the use of facial analysis in many settings. But we still think it is morally a good idea to do so in the spirit of transparency and education.

Therefore, we ask our clients to post signage on-site, talk about the use of our service in their marketing communications, and include it on their online terms and conditions.

According to the people I’ve spoken to who attended the association meetings described in my original post where Zenus technology was used, there was no “signage on-site, talk about the use of our service in their marketing communications” or notification in the meetings’ “online terms and conditions“. Perhaps the folks I talked to overlooked this “advance notice”, or these meetings were the exceptions rather than the rule. But from this limited data, it doesn’t seem that Zenus’s clients pay attention to what Zenus says it asks them to do.

What about consent versus notice? Advance notice we love. Consent defeats the purpose of anonymity.

How could one exclude a person from the anonymous analysis (if they opt-out) without identifying them? They cannot.”

Finally, we get to why Zenus continues to insist that their technology does not require consent while trying not to mention that when it is used in conjunction with attendee identification technology it does require consent. There is no way for Zenus data to remain anonymous if attendees are given the right to not consent, i.e. to opt out of being included in Zenus’s aggregated analytics! That would require the identities of attendees who have opted out to be injected into Zenus’s internal systems, which would then need to perfectly exclude them from the data fed to clients. This obviously can’t be done in a way that satisfies privacy laws. Consequently, Zenus’s whole “no consent needed” house of cards collapses!

Aggregate vs Individual Analysis

“The chances that one would analyze a person’s face or body language and infer their psychological state are slim.”

This is a strange statement. Human beings have evolved to be exquisitely sensitive to other humans’ psychological states. Most of us do such analysis unconsciously every day, whenever we are together with other people. We look at someone’s face or body language and think “They look upset/happy/worried/tired”. We might well say to them: “Are you OK?“, “Wow, you look happy!”, “You look worried about something”, “Want to take a rest?”, etc. I’d say that inferring the emotional state of someone we’re with is default behavior, rather than a slim probability.

Of course, this statement allows Moutafis to pivot to his marketing pitch:

“…analyzing a room of people multiple times per second and combining this with survey and attendance data can be insightful.”

Because that’s what Zenus has designed its technology to do.

Concluding Remarks

“Our ethical facial analysis brings organizations valuable and actionable data without crossing the line into collecting personally identifiable information.”

One more time. When you don’t include any meaningful safeguards to prevent combining your data with that of other systems that clients are free to employ, clients can easily use Zenus technology to “[cross] the line into collecting personally identifiable information“.

“It is a rare example of technology using restraint. It is an example of building proactive privacy safeguards by default. It is an example to follow.”

Sadly, it’s not. While I admire the efforts that Zenus has made to create an “ethical facial analysis service”, as I’ve now outlined in these two posts, the company has not succeeded.

Conclusions

Zenus claims that its system when used in isolation at an event doesn’t supply data about individual attendees. Maybe so. But when used in conjunction with additional tech (XYZ) that identifies individual attendees, event owners can use Zenus data to create a continually updated real-time dataset of analytics of identified individual attendees. Zenus deflects any legal or ethical company responsibility for this surveillance by saying it’s the event owner’s and/or XYZ’s to inform attendees and obtain their explicit consent to be tracked and their facial analysis used.

Crucially, Moutafis says two contradictory things.

The use of Zenus technology doesn’t need explicit consent.
The combination of Zenus technology with other attendee identification technology does require explicit consent. But that’s the legal and ethical responsibility of the event owner or the tracking technology company. Not Zenus.

Because Zenus does not require their clients to forswear using additional attendee identification technology, this, therefore, creates a fatal contradiction for the company. Why? Because, as Motafis admits, when attendees are allowed to opt out from its use—which is their right under privacy laws—there is no way for the Zenus technology to work without excluding the attendees who have opted out. To do this, the Zenus system must be able to identify individual attendees! Consequently, Zenus’s whole we-don’t-identify-individuals and no-consent-is-needed house of cards collapses!

Two unanswered criticisms from my original post

First, Moutafis was quoted as saying publicly that “some of his clients…will monitor [using Zenus AI] in real-time, and if a speaker is killing the mood they will just get him off the stage”. I said I was pretty sure that most event professionals would agree this is a highly inappropriate way to use Zenus’s technology. Or, as the Harvard Business Review put it, “AI Isn’t Ready to Make Unsupervised Decisions“. Moutafi did not respond to this.

Second, it’s important to note that Moutafis didn’t respond to a key critique of Zenus technology that I shared in my original post.

Namely, how useful is Zenus’s technology anyway? Kamprath and I gave examples of how often the most impactful sessions at meetings—impactful in the sense of changing future behavior rather than entertaining an audience—can be somewhat uncomfortable for participants at the time. Not all sessions are a “success” when people express “positive sentiment.”

One more thing…

OK, that’s two thousand more words from me on this topic, on top of four thousand last week. Hopefully, that’s enough for now. But I’d be happy to meet in a public moderated discussion with Zenus. If anyone would like to host such a discussion, don’t hesitate to get in touch!

Tags: consent, ethics, facial analysis, facial recognition, informed consent, privacy, Zenus| Posted in Event design | No Comments »

Concerns about using facial analysis at events

Monday, January 15th, 2024 by Adrian Segar

Should the event industry embrace facial analysis — a technology that promises to offer new analytic data to event stakeholders?

In this post, I’ll explain why I’m concerned. I’ve included:

An introduction to facial recognition and facial analysis;
A timeline of recent public experiences and responses to the use of facial analysis at events;
Why I think the use of this technology is misguided, ethically and legally dubious; and
My conclusions.

An introduction to facial analysis and facial recognition

You might be wondering what facial analysis is, and how it differs from facial recognition. Here’s a short introduction to these technologies, and how the meeting industry is starting to use them.

Facial recognition and analysis technologies capture information from images and videos of human faces. They have been available since the 1960s. But in the last decade, the use of facial recognition has exploded. In 2017, Apple introduced Face ID to unlock its phones and authenticate payments. Many manufacturers have since incorporated this form of biometric authentication. Governments have adopted biometric systems to meet security concerns. Such systems are appearing in public arenas like airport gate check-ins too.

So it’s not surprising that companies have developed facial technologies to provide new forms of data to event owners.

Facial recognition

Facial recognition matches a camera-captured human face against a database of known faces to identify/authenticate/track a person. Using facial recognition has obvious privacy concerns. Meta built a database of over a billion user face scans before deleting it in 2021. Over a dozen U.S. cities have banned police use of facial recognition. Clearview AI, an American facial recognition company, maintains a database of 20 billion matchable facial photos, many scraped from social media networks, which until 2022 was available not only to government agencies but also private companies. (You’re almost certainly in it.) As I write this, the European Parliament is close to outlawing facial recognition in public spaces, though negotiations on the final wording are still underway.

Facial recognition in the event industry

In the event industry, companies have developed facial recognition systems to streamline event registrations. Some can also track attendee movement inside a venue. These systems work by matching a pre-event registered attendee photograph, provided by the attendee, to the attendee’s face as they arrive at the event. If a match is found, the attendee is admitted without having to show proof of registration.

In a July 2023 post, Miguel Neves, editor-in-chief of Skift Meetings, describes “The True Risks of Using Facial Recognition for Events“. He includes an incident where an event required thousands of attendees to upload scans of their passports to attend in person. This led to a €200,000 fine by Spain’s data protection agency. Incidents like this may have led Zenus to focus on facial analysis rather than facial recognition.

Facial analysis

Facial analysis claims to overcome such privacy concerns by avoiding the collection of individuals’ data. The concept is that a collection device collects and analyzes incoming video data. In theory, only aggregated group statistics are provided to clients. Thus personally identifiable information is, hopefully, not directly available from the system.

The aggregate data provided by these systems typically includes “impressions” (the number of people present over time), demographics (sex and age group), “happiness”, and dwell time (how long people stay in a given area and/or how much attention they are paying to what is going on).

Illustration from Zenus website showing "Sentiment Analysis" data — Illustration from Zenus website showing “Sentiment Analysis” data

Companies developing facial analysis for the events industry include Zenus and Visage Technologies.

A timeline of public experiences and responses to the use of facial analysis at events

February – March 2023

Controversy about facial analysis at events began when Greg Kamprath, after attending PCMA‘s Convening Leaders 2023, made excellent arguments against using the technology at meetings in a February 2023 LinkedIn post “You Shouldn’t Use Facial Analysis At Your Event“. He wrote the post after attending a session titled “AI, Biometrics and Better, More Targeted Experiences”. There he “was surprised a few minutes in when they told us we were being watched at that moment by cameras which were analyzing our age, gender, and emotions”.

A March 2023 Skift Meetings post “The Ethics of Facial Analysis for Events” by Dylan Monorchio covered the issues involved.

In response, Panos Moutafis, co-founder & CEO of Zenus, the “ethical facial analysis” company mentioned and quoted in both articles, posted “Is facial analysis inherently wrong?” on Medium. He said it was “a rebuttal to properly inform people about technology as opposed to this fearful approach to anything new“.

Keep reading to learn why I don’t find Moutafis’s arguments convincing.

November – December 2023

Despite the critical articles by Kamprath and Monorchio, the adoption of facial analysis technology by the meeting industry continues.

Adam Parry‘s 49-minute November 2023 video interview of Panos Moutafis, co-founder & CEO of Zenus, the “Ethical facial analysis” company mentioned and quoted in both these articles and Oli Bailey, interaction designer at IMEX, glosses over Kamprath’s concerns or Monorchio’s coverage of pertinent issues.

As does Rob Carey‘s report December 2023 MeetingsNet post “Facial Analysis at Events Moves Forward” where he shares that yet another industry association, the International Association for Exhibitions and Events, used facial analysis at its December 2023 Expo! Expo! event

To summarize, 2023 started with criticism of using facial analysis at events and continued with a rebuttal, followed by continued adoption of this technology by major industry associations.

Concerns about using facial analysis at events

First, read Kamprath’s post, including the accompanying comments, and Monorchio’s commentary.

Here are my responses to Moutafis’s rebuttal, listed under the same headings he uses. Afterward, I’ll add some concerns that he doesn’t address.

Concern 1: I don’t want to be analyzed

“When the analytics obtained from a service (any service) cannot be tied to a specific individual, it does not infringe on their data privacy.”
—Moutafis’s first sentence after this heading

Unfortunately, this statement is misleading and wrong.

Let’s assume that the Zenus facial analysis system is indeed perfect and unhackable in any way. Consider the system running at an event in a room with only one person in it. The system works perfectly, so the data it provides accurately characterizes that person, but does not include any information that allows their identification.

If this perfect Zenus system is the only attendee data acquisition system in use, then that person’s data privacy isn’t infringed.

But what if an additional attendee data acquisition system is being used in the room? For example, here’s a screenshot from a Zenus video “Zenus AI: Ethical facial analysis at IMEX” uploaded to YouTube on November 13, 2022, and still, as I write this, publicly available.

January 2023 screenshot from Zenus YouTube video "Zenus AI: Ethical facial analysis at IMEX" https://www.youtube.com/watch?v=iU2MPjacpjI showing an attendee's sentiment analysis and badge information — January 2023 screenshot from Zenus YouTube video “Zenus AI: Ethical facial analysis at IMEX” https://www.youtube.com/watch?v=iU2MPjacpjI showing an attendee’s sentiment analysis and badge information

Zenus technology identified the attendee along with his sentiment analysis! (And, as I write this, still does—see below.)

This is certainly at odds with Zenus’s claim of “ethical facial analysis”.

Even if Zenus stops doing this, there’s nothing to prevent an event owner from using an additional system that does identify individual attendees. The information from Zenus’s system can then be added to the lone identified individual in the room. The same kind of process can also be used with groups. See, for example, the Electronic Freedom Foundation’s “Debunking the Myth of ‘Anonymous’ Data” for more information on how “anonymous data rarely stays this way”.

What Zenus does

The European Data Protection Board is the European Union body responsible for creating and administering Europe’s General Data Protection Rules (GDPR). GDPR gives individuals certain controls and rights over their personal information. Here is an extract from the GDPR guidelines on the use of facial recognition technology in law enforcement. Note that these are guidelines for the use of such technologies by governments and public entities.

“The mere detection of faces by so-called “smart” cameras does not necessarily constitute a facial recognition system either. While they also raise important questions in terms of ethics and effectiveness, digital techniques for detecting abnormal behaviours or violent events, or for recognising facial emotions or even silhouettes, they may not be considered as biometric systems processing special categories of personal data, provided that they do not aim at uniquely identifying a person and that the personal data processing involved does not include other special categories of personal data. These examples are not completely unrelated to facial recognition and are still subject to personal data protection rules. Furthermore, this type of detection system may be used in conjunction with other systems aiming at identifying a person and thereby being considered as a facial recognition technology.” [emphasis added]
— European Data Protection Board Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement • Version 2.0 • Adopted on 26 April 2023

As I write this, the Zenus worldwide privacy policy states:

“Zenus also provides a separate, unrelated QR code service for attendee tracking at events. In this service, the customer or reseller can include a unique QR code on each event attendee’s badge. When the Zenus IoT device scans a QR code at the event, Zenus will receive a record that the QR code was scanned by a particular scanning device at a particular date and time. Zenus then makes that data available to the customer or reseller. Zenus has no ability to link the QR code with a particular individual’s real identity, as Zenus does not accept any other information about the individual. Only the customer or reseller holds data that allows them to make that linkage. Zenus uses the QR code data solely to serve that particular customer or reseller as the customer’s or reseller’s “service provider” within the meaning of the California Consumer Privacy Act (“CCPA”) and “processor” within the meaning of the General Data Protection Regulation (“GDPR”) and similar laws.”

In other words, Zenus provides a service that allows customers to track individual attendees! Zenus says this is OK because Zenus doesn’t have access to individual attendee information. But Zenus clients do! Unless each attendee consents to being tracked, this is a violation of GDPR.

“Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis. The element ‘free’ implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid.”
—extract from GDPR Consent definition

Moutafis ends this section by saying that “events are spaces of high visibility”, where attendees wear badges with their names, agree to be photographed, and provide information to registration systems. The implication is that, therefore, attendees have no reason to object to automated systems that vacuum up their visible behavior.

This is like saying that people in a public space who are talking to each other shouldn’t object if systems with sensitive microphones pick up all their conversations and make use of them. Just because you can do something, doesn’t mean you should.

Concern 2: Advance notice about the service

I’m glad that Moutafis says “We advocate for advance notice because it is the best way to build trust in the community”. Even though the company claims that “Consent is not required”.Whether event owners actually give advance notice is, however, an important question. I’m inclined to judge people and organizations on what they do, rather than what they say. And, as Kamprath noted in his LinkedIn post, in February 2023, PCMA Convening Leaders (PCMACL) did not inform attendees in advance that facial analysis would be used and he saw no signage at at the event. In his rebuttal, Moutafis says, “CCTV systems exist in all public spaces, along with disclosures about camera surveillance [italics added].” So? Zenus and PCMA apparently did not provide advance notice!

Fortunately for both these organizations, PCMACL 2023 was held in Ohio, which does not currently have a law protecting privacy. If the event had been held in California, for example, their failure to give advance notice would be a violation of the California Consumer Privacy Act, and the California Attorney General or the California Privacy Protection Agency could take legal action against both organizations.

Providing a facial analysis system to anyone who wants to use one and merely suggesting that they let the subjects know it is operating is unethical, in my opinion. A sticker on a tiny camera is simply inadequate. Providing advance notice via visible and plentiful signage should be a requirement for obtaining and using this technology. It would be even better to prominently include advance notice in written communications to attendees when registering.

Privacy protections in other U.S. states

I don’t know the U.S. states where such a failure to adequately inform in advance would currently violate state law. But as I write this:

California, Colorado, Connecticut, Utah, and Virginia have privacy laws currently in effect;
Florida, Montana, and Oregon will have privacy laws in effect by the end of 2024; and
Delaware, Indiana, Iowa, Tennessee, and Texas will have privacy laws in effect by January 1, 2o26.

More details on state laws can be found at DataGuidance.

Concern 3: The system does not do what we are told

Moutafis seems to include two issues under this heading. The first is his claim that Zenus’s system provides accurate information about “aggregated statistics on impressions, dwell time, age, biological sex, and positive sentiment, among other metrics”. The second is that people worry that the Zenus devices might be hacked.

I can’t evaluate the accuracy of the data provided by Zenus’s system. However, research indicates that

“most commercial facial analysis systems are biased against certain categories of race, ethnicity, culture, age and gender.”
—Investigating Bias in Facial Analysis Systems: A Systematic Review, IEEE Access, Ashraf Khalil et al

Moutafis says that the Zenus service “complies” with GDPR rules. While fully anonymized data is not subject to GDPR rules, combining Zenus’s data with data from other systems can, as we’ve seen, lead to Zenus’s customers adding Zenus data to an individual’s data. Without advance notice and consent, this situation is a violation of GDPR and other privacy laws.

There are countless real-world examples of networked cameras being hacked. (E.g., see “Over 380 thousand IP cameras might be easily accessible worldwide, with the US and Germany in the lead“.) I suspect that Zenus’s devices are harder to hack than most because they do not share a video stream outside the Zenus AI device. I’m not competent to determine whether they’re hackable, and I’m happy to assume that they are “secure enough“.

But, again, the overall security of any technology is defined by its weakest component. As described above, if an event owner adds a system that does identify and/or track individual attendees, whether Zenus’s stand-alone technology obeys “GDPR rules, [survives] third-party penetration tests, [or meets] SOC 2 standards” becomes irrelevant, as its output may now add to the data captured by the weaker system.

Concern 4: Decisions shouldn’t be made with AI

Kamprath quotes Moutafis as saying at the PCMA Convening Leaders session: “[Moutafis] said some of his clients…will monitor in real time and if a speaker is killing the mood they will just get him off the stage”. Moutafis’s rebuttal says: “In these instances, there is nothing wrong with trusting the data to make informed adjustments in real time.”

Really? How many event professionals have been using or are going to use Zenus AI in this way? Not too many…I hope.

Why? Because, as Kamprath points out:

“What if a session’s content is important, but it doesn’t cause facial expressions a computer would categorize as “positive sentiment?” Imagine a speaker who is presenting a difficult truth – someone from a disadvantaged group describing a hardship, or a worker conveying the situation on the ground to leadership. AI facial analysis would show the audience wasn’t happy and so maybe those presenters aren’t invited to speak again. (Or god forbid given the boot in real time)

Important decisions (like event programming) shouldn’t be assigned to an algorithm.”

Exactly. Some of the most important and impactful experiences I’ve had at meetings have been uncomfortable. Moutafi doesn’t seem to realize that not all events are a “success” only when people express “positive sentiment”.

Moutafis tries to dilute his message by adding that “users consider multiple sources of information, including surveys.” But again, how he marketed his technology at PCMACL 2023 tells us more about how he implements Zenus facial analysis than what he says in print.

Concern 5: Cameras may get hacked

I’ve already commented on camera hacking above. Again, I’m happy to assume that the Zenus AI units are “secure enough“. But I will add that Moutafis’s response to reasonable concerns about hacking is, well, hyperbolic.

“With this fearful logic, organizers should start collecting attendees’ phones at the entrance and remove the CCTV equipment from venues. They should also terminate AV companies that stream content, including pointing cameras at the audience and drop all registration companies. After all, hacking a registration company is more damaging than gaining access to aggregated and anonymized data.”
—Moutafis

Concern 6: The scope of surveillance will increase

Moutafis says:

“…it is safe to use products with built-in privacy safeguards.

One of the worries expressed was about other computer vision solutions, such as our new badge scanning solution. It detects QR codes up to 6–7 feet from the camera. The service requires explicit consent before data is tied to a specific individual. There are also easy opt-in/out mechanisms to offer peace of mind. It is no different than RFID and BLE used in events for decades. It is no different than manual badge scanning for lead retrieval, access control, and assigning CEU credits.”

The problem with this is that Zenus’s privacy policy makes no mention of requiring “explicit consent before data is tied to a specific individual“! Zenus’s privacy policy only refers to “personnel of our past, present and prospective customers, business partners, and suppliers.”

This is important. Event attendees are not Zenus’s customers!

Zenus is avoiding any legal or contractual responsibility to attendees about how its systems impact their privacy. The organizations that buy Zenus’s systems are, apparently, free to do whatever they like with Zenus’s devices. That includes combining their devices’ output with Zenus’s badge-scanning solution or any other attendee-tracking system. When they do this, the scope of surveillance will indeed increase.

Concern 7: Informed consent

Moutafis says:

“Some people call for mandatory consent requirements for all services — even the ones that do not collect personally identifiable information. But that will result in an effective ban on numerous technological advancements. And the rhetorical question is — to what end? If one insists on that (opinions are a right for all), they should also suggest an alternative solution to offset the cost with an equal or greater benefit. Until then, there is consensus among institutions and practitioners that this is unnecessary because there is no risk to data privacy.”

This is an example of the straw man fallacy. What the vast majority of attendees want is reassurance that their privacy rights will be respected, they are informed about the impact of new technology on their activities, and they have the right to provide or reject consent to that technology being used when it does not respect their privacy rights. Moutafis distorts this into an all-or-nothing demand for “mandatory consent requirements for all services — even the ones that do not collect personally identifiable information”. However, given the failings I’ve listed above, attendees do not currently have the assurance that Zenus’s systems respect their privacy rights in the real world. That’s why his statement is a strawman.

I’ll end by pointing out that Zenus’s privacy policy includes this section:

“7. Protection of Information

To help protect personal information, we have put in place physical, technical, and administrative safeguards. However, we cannot assure you that data that we collect under this Privacy Policy will never be used or disclosed in a manner that is inconsistent with this Privacy Privacy.”

In other words, “even though we insist our technology doesn’t collect personally identifiable information we can’t guarantee it won’t.”

Good to know.

Conclusions

Whew, this turned into a much longer post than I expected! During my research on the appropriate use of facial analysis, I found three perspectives on the ill-defined legal status of facial analysis that don’t quite fit into my response to Moutafis’s post. I’ve included them here, followed by a summary of my conclusions.

Three perspectives on the legal status of facial analysis

Unfortunately, the legal status of facial analysis remains unclear. The Global Privacy Assembly, “the premier global forum for data protection and privacy authorities for more than four decades”, points this out in an October 2022 report.

“…many data protection authorities have called for a ban on other forms of facial analysis not related to verification and identification, such as the inference of emotional state.”
—44th Closed Session of the Global Privacy Assembly, October 2022, Resolution on Principles and Expectations for the Appropriate Use of Personal Information in Facial Recognition Technology

Access Now is an international organization that “defends and extends the digital rights of people and communities at risk”. In this submission to the European Data Protection Board, the EU body responsible for creating and administering the GDPR, they say:

“…paragraph 14 [of the European Data Protection Boardʼs guidelines 05/2022] states that facial detection and facial analysis, including emotion recognition, are not types of facial recognition. This goes against the common use of the term facial recognition as an umbrella term for a range of processes, including detection, verification, identification and analysis/categorisation/classification. Arbitrarily excluding detection and analysis from the term facial recognition will only give credence to the problematic line often taken by industry that when they are performing facial analysis, for example, they are ‘not doing facial recognition.’ [emphasis added]”
—Access Now submission to the consultation on the European Data Protection Boardʼs guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement, 27 June 2022

Finally, Nadezhda Purtova, Professor of Law, Innovation and Technology at Utrecht University is skeptical that facial analysis will “withstand legal scrutiny”.

“A relatively recent case of such technological development is face detection and analysis used in ‘smart’ advertising boards. Unlike with facial recognition where one’s facial features are compared to pre-existing facial templates to establish if a person is known, face detection and analysis do not recognize people but ‘detect’ them and, in case of smart billboards, classify them into gender-, age-, emotion-, and other groups based on processing of their facial features to display tailored ads. The industry that develops, sells, and employs the technology argues that facial detection does not involve processing personal data, eg because the chance of establishing who a person before the ‘sensor’ is close to null. In part this is due to the ‘transient’ nature of the processing, where raw data of an individual processed by the detection ‘sensors’ is discarded immediately. The technology does not allow tracking a person and recognizing him or her over time either. To be clear, as will become apparent from further analysis, these industry arguments do not necessarily withstand legal scrutiny and it is highly likely that personal data will be processed in these contexts, if the proposed interpretation of identification is adopted. Yet, there is no uniform position on the interaction of face detection and data protection across the EU Member States. For instance, the Dutch data protection authority considers face detection in the context of smart billboards as processing of personal data, while its Irish and reportedly Bavarian counterparts are of the opposite view.” [emphasis added]
—Nadezhda Purtova, International Data Privacy Law, 2022, Vol 12, No. 3, From knowing by name to targeting: the meaning of identification under the GDPR

Final comments

12 years ago, I wrote, “Who gets your information when you register at an event?” The following year, I wrote, “Whom is your event for; the organizers or the attendees?” It’s revealing that those who are in favor of facial analysis technology are the technology suppliers and show owners. Those who are critical of it are attendees.

There is no win-win here. What’s good for show owners and the suppliers whose services they buy is bad for attendee privacy and openness. Show owners are using facial analysis with zero notification. And if attendees are told in advance that their faces will be analyzed, they may be deterred from attending such events or expressing their opinions freely. Or they may have no choice but to attend for business reasons without the option of consenting or opting out.

I don’t see how facial analysis technology can address these concerns. We should worry when Moutafis says that Zenus addresses them when in reality they don’t. That’s why I agree with Kamprath when he says You Shouldn’t Use Facial Analysis At Your Event.

The meeting industry has an ethical responsibility to do the right thing.

Just because you can do something, doesn’t mean you should.

P.S. And wait, there’s more! This epic isn’t over! Panos Moutafis, the CEO of Zenus, responded to this post, and I’ve shared my response to his in this post.

Tags: consent, ethics, facial analysis, facial recognition, informed consent, privacy, Zenus| Posted in Event design, Technology | 2 Comments »

Privacy issues in meeting apps

Monday, April 14th, 2014 by Adrian Segar

There are privacy issues in meeting apps. I’ve written before about the lack of information about who has access to attendee information, and I’m concerned about the ramifications of the growing trend for meeting apps to offer login via one of the established social media networks, typically Twitter, Facebook, and LinkedIn.

Perhaps you should be too. Social check-in is touted as a plus for event attendees, allowing them to:

discover friends, contacts, followers, and followees who are also attending the meeting;
provide in-app social network functionality; e.g. the ability to tweet from inside the app; and
be notified (in some apps) when social network contacts are in the vicinity.

These features are, indeed, potential pluses for an attendee. But there are downsides too, which are rarely mentioned.

Potential for abuse

When you authorize an app to access your personal social network information, you are allowing the company that created the app access to that information. At a minimum, this includes read access to your social media contacts in that app, which may (e.g. Twitter) or may not (e.g. FaceBook, LinkedIn) be public. If the app also requests write access, it can, in principle, do things like sending tweets from your account.

There’s potential for abuse here. An app developer can copy all the information that you expose to them and keep it forever, even if you de-authorize the app from access to the network later. Some questions that come to mind:

What will you do with the information I make available to your app?
Who will have access to it? For example, unless you pay LinkedIn big bucks you do not have access to every member’s information. But an app can (and in one case I’ve seen, does) expose every attendee’s LinkedIn profile to all other attendees.
For how long will you make that access available?
Will the app developer eventually destroy the information retrieved during the event?
What are the consequences if someone breaches the app’s security? Can the attacker take over the compromised social media accounts?

Clear answers to these questions are rarely given before you’ve (perhaps reluctantly) given the app permission to access your social media account(s).

Give participants a choice

In addition, some apps don’t give you a choice; you can only use them if you provide the app login via one of your social media networks. And if you want to share other social media IDs with attendees, e.g. your Twitter ID, you can’t just add the ID into a data field for your information but have to give the app access to your entire Twitter account.

I understand there are more stringent data protection standards in Europe, but the state of affairs I’ve described above is common in many of the U.S. apps I’ve seen.

There shouldn’t be privacy issues in meeting apps. I think it behooves app developers to provide clearer answers to these questions and allow us to opt-out of providing forced access to our social media accounts when we use a meeting app.

What do you think?

Photo attribution: Flickr user michellzappa

Tags: data protection, meeting apps, privacy, social check-in, social media| Posted in Event design | 2 Comments »

Breaking: Government concerned about privacy concerns of “eyes”

Friday, May 17th, 2013 by Adrian Segar

Dateline Washington, DC. May 17, 2013: Congressional representatives today raised concerns about citizens’ ability to see what is going on by using their “eyes”, two organs buried inside most people’s heads.

“Forget Google Glass,” said Rep Joe Barton, “what if the average US Citizen obtains the ability to ‘see’ what is going on in their immediate vicinity? All hell could break loose. The privacy implications of this ‘vision thing’ are staggering and must immediately be addressed by a high-level governmental commission with the authority to put a stop to it.”

Rep Joe Barton then proceeded to tie a bright red bandana around his “eyes” which he said would stay in place “until the emergency is over.”

Photo attribution: Flickr user briananthonyadams

Tags: eyes, noticing, privacy, satire| Posted in Satire | No Comments »

Why The Revolution Will Not Be Televised

Friday, October 15th, 2010 by Adrian Segar

A number of people have asked whether EventCamp East Coast (EC²) will be livestreamed. The answer is a qualified “no”, and since this is a different choice from those made at the original EventCamp in New York City and EventCamp Twin Cities I thought I’d explain why.

We’re concentrating on the face-to-face experience of the local audience at EC² for three reasons. Two of these factors are straightforward, while the third requires clarification.

The first reason is philosophical. The conference organizers—Traci Browne, Lindsey Rosenthal, and I—want to create an effective, uncomplicated event. Serving a remote audience well, as was done at the recent EventCamp Twin Cities, adds a significant level of complexity, not only to the organizer’s workload but also to the demands on presenters and the local audience to integrate the two audiences successfully.

The second reason is a matter of logistics. We three organizers enjoy busy professional lives, and possess a limited amount of time to make EC² the best conference we can. Creating an excellent remote audience experience (we wouldn’t be satisfied with anything less) would significantly shift our focus from other important components of EC².

The final reason is event design related and, perhaps, the most fundamental. The Conferences That Work design that we are using adds a default requirement of confidentiality to what happens during the conference. Let me explain what this means and why we’re doing this.

The thought of providing confidentiality at a conference may seem strange or counterproductive, especially these days where event sessions are routinely streamed and videoed for anyone who wants to watch. But in fact, there’s always been a need at some meetings for a commitment to confidentiality.

The classic example for a need for confidentiality is diplomatic meetings, where, to make best progress, participants need to be sure that what is said isn’t broadcast to the world. In this case, the reason for off-the-record conversation is to benefit relationships between the institutions that the diplomats represent.

But there’s another reason why confidentiality can be useful when people meet face to face; the personal benefit of the participants.

Perhaps the most well known example of events that provide this kind of environment are the 30 years of Renaissance Weekends, where participants “CEOs, venture capitalists, business & social entrepreneurs, Nobel Laureates & Pulitzer Prize-winners, astronauts & Olympians, acclaimed change-makers of Silicon Valley, Hollywood, Wall Street & Main Street, Republicans, Democrats & Independents” agree to the following policy:

All participants are expected to respect Renaissance Weekends®’ tradition of the candid and welcome exchange of diverse opinions, safeguards for privacy, confidentiality, and non-commerciality, and family ethos. Comments, behavior, or public references which could compromise the character of Renaissance Weekends® are unacceptable.

In my experience, all peer groups can benefit from this kind of environment. For example: more than once I’ve been told by different doctors I know that they regularly meet with a small group of their peers to confidentially discuss professional issues. In each case, the doctor I was talking with said, in effect, “There are some things that I can only talk about with other doctors.” The Conferences That Work format extends this kind of possibility to any peer group, and I believe that providing this opportunity can be important to any group of people with a common interest.

At every Conferences That Work event I’ve run, there are some sessions where the attendees decide not to share the proceedings publicly—in a few cases not even with other participants at the event. A common example is a frank discussion of the pros and cons of commercial tools and services available to attendees. And it’s not uncommon for a session or two to delve into work- or industry-related issues where attendees are looking for support and advice from their peers. Although these sessions are in a minority, it’s impossible to reliably predict in advance whether a specific session will turn out to require confidentiality.

All sessions at Conferences That Work have a recorder assigned to them, who makes notes or otherwise records the session. Because of the default requirement of confidentiality, unanimous agreement of the session’s attendees at the end of the session is needed for the recording to be made public.

In conclusion, it’s likely that the recordings of most of the sessions at EventCamp East Coast will be made available publicly, but they won’t be streamed live. So if you’re interested in fully experiencing EC², please join us on site in Philadelphia! I hope this article has explained why we’ve made these event design choices, and I welcome your comments and questions.

Tags: confidentiality, east coast, Event design, eventcamp, hybrid events, privacy, Renaissance| Posted in eventcamp, NoRepost | No Comments »

“Dear Valued AT&T Customer”

Sunday, June 13th, 2010 by Adrian Segar

“Dear Valued AT&T Customer”. I received this email from “AT&T Chief Privacy Officer” <[email protected]>. It’s a good example of a weasel apology.

The letter

Dear Valued AT&T Customer,

Recently there was an issue that affected some of our customers with AT&T 3G service for iPad resulting in the release of their customer email addresses. I am writing to let you know that we didn’t expose any other information and have resolved the matter. We apologize for the incident and any inconvenience it may have caused. Rest assured, you can continue to use your AT&T 3G service on your iPad with confidence.

Here’s some additional detail:

On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service. The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address. When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the email address associated with the ICC-ID already populated on the log-in screen.

The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity.

As soon as we became aware of this situation, we took swift action to prevent any further unauthorized exposure of customer email addresses. Within hours, AT&T disabled the mechanism that automatically populated the email address. Now, the authentication page log-in screen requires the user to enter both their email address and their password.

I want to assure you that the email address and ICC-ID were the only information that was accessible. Your password, account information, the contents of your email, and any other personal information were never at risk. The hackers never had access to AT&T communications or data networks, or your iPad. AT&T 3G service for other mobile devices was not affected.

While the attack was limited to email address and ICC-ID data, we encourage you to be alert to scams that could attempt to use this information to obtain other data or send you unwanted email. You can learn more about phishing by visiting the AT&T website.

AT&T takes your privacy seriously and does not tolerate unauthorized access to its customers’ information or company websites. We will cooperate with law enforcement in any investigation of unauthorized system access and to prosecute violators to the fullest extent of the law.

AT&T acted quickly to protect your information – and we promise to keep working around the clock to keep your information safe. Thank you very much for your understanding, and for being an AT&T customer.

Sincerely,

Dorothy Attwood
Senior Vice President, Public Policy and Chief Privacy Officer for AT&T

Please do not reply to this email.

© 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

Four comments

Has AT&T invented mind-reading software that can determine peoples’ intent?

The email asserts that the people who obtained the email addresses and ICC-ID “maliciously exploited” AT&T’s failure to secure private information, “deliberately went to great efforts”, and “distributed it for their own publicity”. Smearing people by assigning them ulterior motives for which you have no evidence is an old propaganda trick. It helps to deflect attention from your own culpability.

“Culpability”

Speaking of culpability, AT&T apologizes “for the incident and any inconvenience it may have caused ” but not for their negligence in setting up a system that allowed public access to private information in the first place. Come on now, AT&T, you can do better than that. How about: “AT&T apologizes for the lapse in our security that allowed this information to be obtained”? That’s what a proper apology looks like.

What are the consequences?

AT&T provides no explanation as to the consequences of publicizing my ICC-ID. I don’t care about my exposed email address, since anyone can easily find it on the internet. (Though I imagine that some people are not pleased that AT&T exposed their email address.) But I have no idea what the ramifications are of exposing my ICC-ID to all and sundry. What should I look out for? Telling me to “be alert to scams that could attempt to use this information to obtain other data” is useless pap.

Breaking trust

We should judge people and organizations by what they do, not what they say. Those who say things at odds with actual actions, break trust. I don’t expect perfection, but the fact that AT&T avoids admitting that they screwed up makes me skeptical that “AT&T takes your privacy seriously.” Or that I can “Rest assured, you can continue to use your AT&T 3G service on your iPad with confidence.” Well, AT&T, I’m not assured.

Frankly, receiving this email reduced my trust and opinion of AT&T. It would have been better for them if they had never sent it.

#fail.

Tags: #fail, apology, AT&T, iPad, privacy, trust| Posted in Technology | 1 Comment »

The Stranger on the Airplane

Sunday, June 6th, 2010 by Adrian Segar

Ah, the stranger on the airplane.

Long ago, when I was a British college student, I would set off to explore Europe each summer. There were no budget flights in those days, so I traveled by train. Some of my trips lasted days, but I loved the journey because of the people I met. I still remember the G.I. returning from Vietnam, now a Denver judge. The Belgium cabinet minister who tried for several hours to convert us to communism. And the cute Irish postgraduate student who…well never mind.

Now I live in the U.S. where trains are a rarity, at least in my part of the world. So I fly when it doesn’t make sense to drive. And I still enjoy striking up conversations with the stranger(s) sitting next to me. I’m not pushy—some people don’t want to talk, and that’s fine—but, more often than not, we end up exploring each other’s lives for a few hours. Over the last few years I remember, among others, the French airline executive who kissed me on both cheeks when we parted, the nun who visited prisoners and showed me years of correspondence, the fascinating sales director of a major internet hosting company, the lay ministry provider of counseling support for military families, and the British basketball agent who also owned a debt collection agency.

Some of these people shared intimate things about their lives during our time together. Things I doubt they shared with most of the people they worked with every day. They did this because we were never going to meet again. For a few hours, they were with the Stranger on the Airplane. And, of course, they were my Strangers on the Airplane, and sometimes I told them intimate things as well.

The Stranger on the Airplane during Conferences That Work

I’ve seen a similar thing happen at Conferences That Work. The intimacy is not as deep initially, because, I think, attendees are aware that they may meet another time if the conference is held again. On the other hand, if they do meet a sharer again, attendees have an opportunity to go deeper. I find it strange, yet enjoyable, to meet people once a year and expand my connection on each occasion in unforeseen ways.

In my experience, the majority of people (on airplanes and at conferences, at least) enjoy talking quite freely with strangers who they trust. Because the ground rules support a confidential, safe environment this potential of intimacy is present at Conferences That Work. I like that. How about you?

Image attribution: flickr user davitydave – creative commons share alike 2.0 generic

Tags: airplane, connectedness, connection, flying, ground rules, intimacy, privacy, strangers, train, travel| Posted in Uncategorized | 4 Comments »