Risk
6/8/2011
02:35 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Facebook: We Fumbled Face Recognition Roll-Out

The low-key deployment of facial recognition technology to identify Facebook friends in pictures has once again embroiled Facebook in a privacy debate.

Top 15 Facebook Apps For Business
(click image for larger view)
Slideshow: Top 15 Facebook Apps For Business
Without fanfare, Facebook has decided to help people recognize and tag their friends in photos added to the social website through the use of facial recognition technology. It has done so by enabling facial recognition by default; users who wish not to be identified automatically when friends tag pictures must seek out the appropriate privacy setting to opt-out of Tag Suggestions.

Facial recognition technology remains highly controversial, so much so that Google has held off deploying it in its Google Goggles visual search application for fear of potential privacy complaints. Facebook's decision to enable facial recognition for its users without asking permission is prompting just such a backlash.

Computer security company Sophos wrote an open letter to Facebook in April asking it to enable privacy by default instead of forcing users to opt-out. "Unfortunately, once again, Facebook seems to be sharing personal information by default," wrote Graham Cluely, senior technology consultant at Sophos, in a blog post. "Many people feel distinctly uncomfortable about a site like Facebook learning what they look like, and using that information without their permission."

"What we're seeing here is another chapter in Facebook's normal playbook on this, which is to be very aggressive," said privacy advocate Lauren Weinstein, co-founder of People For Internet Responsibility, an Internet policy group. Such behavior, he said, was "in keeping with CEO Mark Zuckerberg's sensibilities about these sorts of things."

Acknowledging that making online services opt-in isn't always the answer--because many innovative services would go unused in an opt-in scenario due to consumer inertia--Weinstein nonetheless suggested that Facebook should have handled the deployment of facial recognition differently due to the fact that it affects people on both an intellectual and emotional level.

A better way to handle the roll-out, Weinstein said, would have been to present users with a page describing the technology and then ask them whether or not they wished to participate.

Facebook in fact takes this approach in its "Friends can check me in to Places" privacy setting: Where location data is concerned, the social networking site requires that the user choose "Enabled" or "Disabled" rather than enabling the setting by default.

Bloomberg has reported that Article 29 Data Protection Working Party, an European Union privacy advisory group, and Ireland's data protection authority are separately looking into Facebook photo tagging. The Register characterized the interest of E.U. data protection authorities as more informal, a discussion with Facebook rather than a formal investigation.

As it has with other features that have privacy implications, Facebook has acknowledged that it didn't handle the roll-out of this capability very well. The company said that it launched Tag Suggestions to help people tag--meaning identify and annotate--their friends in photos. Facebook users already do this using their wetware--which is to say brains--over 100 million times daily; with the assistance of Facebook's facial recognition software, the incidence of tagging is only likely to increase.

"Tag Suggestions are only made to people when they add new photos to the site, and only friends are suggested," a Facebook spokesperson said in an email. "If for any reason someone doesn't want [his or her] name to be suggested, [that person] can disable the feature in [his or her] Privacy Settings."

Facebook said that when it announced its plan to deploy facial recognition technology, it explained its intent to test the technology and to revise it based on user feedback.

"We should have been more clear with people during the roll-out process when this became available to them," Facebook said in its statement. "Tag Suggestions are now available in most countries and we'll post further updates to our blog over time."

Facebook declined to make someone from the company available to discuss the technology in greater depth.

In the new, all-digital InformationWeek supplement: Our 2011 Strategic Security Survey confronts the five biggest problems faced by midsize companies. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-4720
Published: 2014-12-27
Hillstone HS TFTP Server 1.3.2 allows remote attackers to cause a denial of service (daemon crash) via a long filename in a (1) RRQ or (2) WRQ operation.

CVE-2012-1203
Published: 2014-12-27
Cross-site request forgery (CSRF) vulnerability in starnet/index.php in SyndeoCMS 3.0 and earlier allows remote attackers to hijack the authentication of administrators for requests that add user accounts via a save_user action.

CVE-2013-4663
Published: 2014-12-27
git_http_controller.rb in the redmine_git_hosting plugin for Redmine allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the service parameter to info/refs, related to the get_info_refs function or (2) the reqfile argument to the file_exists function.

CVE-2013-4793
Published: 2014-12-27
The update function in umbraco.webservices/templates/templateService.cs in the TemplateService component in Umbraco CMS before 6.0.4 does not require authentication, which allows remote attackers to execute arbitrary ASP.NET code via a crafted SOAP request.

CVE-2013-5958
Published: 2014-12-27
The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a si...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.