Aside from obligatory shots of the Grand Canyon or the Leaning Tower of Pisa, many photos that consumers want to keep feature the faces of friends and family. Using a service like Everalbum’s Ever app to store photos and videos in the cloud is one way to free up space on consumers’ devices. But what was Everalbum doing behind the scenes after consumers entrusted the company with those images? A proposed FTC settlement suggests that Everalbum’s default use of facial recognition technology flew in the face of promises it made to customers.
From 2015 until September 2020, San Francisco-based Everalbum offered Ever, a photo storage and organization app that let people upload photos and videos from their mobile devices, computers, social media services, and elsewhere to the company’s cloud servers. In February 2017, Everalbum launched its “Friends” feature, which allowed users to tag people in their photos by name so that all photos similarly tagged could be grouped together. When Everalbum launched the feature, it enabled face recognition by default for all app users and didn’t offer a way for people to turn off or disable the feature.
Then, in May 2018, Everalbum began serving up a pop-up message for users in Texas, Illinois, Washington, and the European Union that said, “Ever uses facial recognition technology to automatically create albums of you and your friends. Do you want Ever to do this? Yes or No Thanks.” So for people in Waco, Waukegan, Walla Walla, and Würzburg, Everalbum disabled the Friends feature – and facial recognition – unless those consumers affirmatively clicked Yes. The company also modified its app so that users in Texas, Illinois, Washington, and the EU could turn facial recognition on and off.
A short time later, Everalbum posted on the HELP page of its website an article entitled “What is Face Recognition?” Here’s what the company told consumers:
When face recognition is enabled, the technology analyzes the photos and videos that you upload to create a string of numbers that we call a “face embedding.”
* * * *
When face recognition is turned on, you are letting us know that it’s ok for us to use the face embeddings of the people in your photos and videos, including you, and that you have the approval of everyone featured in your photos and videos.
But according to the complaint, the problem was that while that was true for consumers in Texas, Illinois, Washington, and the EU, it wasn’t true for the rest of Everalbum’s millions of users. In other words, despite the company’s representation that it wasn’t using face recognition technology unless the user enabled it, Everalbum was using facial recognition for most consumers’ photos and videos and didn’t offer them a way to change that default setting. According to the FTC, the company continued to provide inaccurate information to those consumers until at least April 2019, when it changed its policy and served up the same pop-up to offer all users a choice.
That’s only part of the story because separate and apart from the Friends feature, for a two-year period, Everalbum put consumers’ personal photos to another use. Initially, the company used publicly available facial recognition technology, but then began to develop its own technology, using customers’ photos as part of the “raw material.” According to the complaint, the company combined millions of images it extracted from users of its Ever app with other images it got from publicly available datasets to help in the development of face recognition technology, including technology that it ultimately marketed to other businesses through its enterprise brand, Paravision.
The proposed order requires Everalbum to delete all facial recognition models and algorithms it developed using Ever users’ photos or videos, all photos and videos uploaded by users who requested deactivation of their Ever accounts, and all facial recognition data derived from images uploaded by users who did not affirmatively consent to the use of facial recognition. The proposed order also prohibits misrepresentations related to – among other things – the collection, use, disclosure, maintenance, deletion, privacy, and security of information from or about individual consumers and consumers’ ability to control any of those actions. In addition, for any future consumer-facing products, Everalbum must get consumers’ affirmative express consent before it either derives facial recognition data from their images or uses those images to develop facial recognition models or algorithms. Once the settlement is published in the Federal Register, the FTC will accept public comments for 30 days.
As the proposed settlement makes clear, companies need to face up to their obligation to substantiate their claims about facial recognition or other information collection practices.
Your company’s facial recognition practices may be highly material to consumers. Are consumers concerned about facial recognition? Two developments suggest they are. First, since Everalbum began to offer people a choice about whether they would like the Ever app to use facial recognition, approximately 25% of users who made a selection chose to turn the feature off. Second, in addition to Texas, Illinois, Washington, and the EU, additional jurisdictions in the U.S. and globally are considering limitations on the use of biometric data. Prudent companies are treading carefully in how they implement facial recognition technology and how they explain their practices to consumers.
Honor your promises throughout the lifecycle of data. We’ll keep saying it ‘til we’re blue in the face, but companies must live up to their information promises from initial collection all the way through to secure disposal. When companies claim that data will be permanently deleted, consumers have every right to rely on that representation. Making the information inaccessible to consumers while maintaining it on the company’s system won’t suffice.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
- We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
- We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
- We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
- We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to ReportFraud.ftc.gov.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.