By Susan L. Smith

Lecturer in Cognitive Science at Rensselaer Polytechnic Institute

A 2017 study used facial-recognition software to identify the sexual orientation of individuals and compared the rate of accuracy to that of humans. In debates about the ethical issues surrounding this study, the focus was on LGBTQ rights, racial bias, flawed data sets, etc. What was neglected was how the study’s photographs were obtained. Over 35,000 photos were taken from an online-dating app administered through Facebook. The app included photos of individuals who had voluntarily submitted their sexual orientation as part of their dating profile. Were these individuals aware that their photographs and sexuality would be used as part of a study? Should they have been?

When we post our personal pictures to Facebook and its associated applications, are we really aware of how our information could be used? We expect our “friends” to have access to these pictures. We may even expect, depending on our settings, “non-friends” to be able to view them. But what else have we “authorized” without knowing it? As internet users, we are constantly told that if we put information “out there,” we should expect others to have access to it. This model for data usage is untenable if we want individuals to be able to make free and informed decisions about their personal information.

Informed consent is comprised of three basic concepts: competency, voluntariness, and information. For a person to make a free and informed choice they must be competent, be making a voluntary and uncoerced choice to participate, and have all the information needed to understand the choice they are making.

In the Facebook study, the third party carrying out the research did not ask for permission or inform users about the possibility of their photos being used in a study. This restricts a user’s right to make a free and informed decision. Further, if a user chooses not to agree to the Facebook user agreement, then they forfeit the use of that service, which is coercive.

If someone is not aware that their likeness is being used in an experiment, they are not making an informed decision. They may have decided to submit their profile to a dating app, but they have not decided to participate in research and burying this information in a lengthy and complex document does not constitute knowing. Basic respect for a person’s autonomy requires that they are given relevant information about the consequences of their decision-making.

One might challenge that all of the information about the consequences of internet use is given in the form of a user agreement. However, signing a 16-page, or more, form full of technical jargon does not constitute understanding. In a 2012 study, one group found that reading the privacy policies of websites that an individual visited would take approximately 76 work days per year. This is an unacceptable method to properly inform users about how their information will be used.

The European Union has taken these issues seriously and enacted the General Data Protection Regulation (GDPR). This law requires companies to seek explicit consent from an individual whose information they wish to use. Further, silence does not constitute consent, consent cannot be a term of service, and a pre-checked box cannot constitute consent. This approach addresses each of the basic tenets of informed consent and allows users to control their data in an informed manner. It is time for the United States to follow the lead of the European Union to ensure the protection of internet users.