Risk
6/8/2011
02:35 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Facebook: We Fumbled Face Recognition Roll-Out

The low-key deployment of facial recognition technology to identify Facebook friends in pictures has once again embroiled Facebook in a privacy debate.

Top 15 Facebook Apps For Business
(click image for larger view)
Slideshow: Top 15 Facebook Apps For Business
Without fanfare, Facebook has decided to help people recognize and tag their friends in photos added to the social website through the use of facial recognition technology. It has done so by enabling facial recognition by default; users who wish not to be identified automatically when friends tag pictures must seek out the appropriate privacy setting to opt-out of Tag Suggestions.

Facial recognition technology remains highly controversial, so much so that Google has held off deploying it in its Google Goggles visual search application for fear of potential privacy complaints. Facebook's decision to enable facial recognition for its users without asking permission is prompting just such a backlash.

Computer security company Sophos wrote an open letter to Facebook in April asking it to enable privacy by default instead of forcing users to opt-out. "Unfortunately, once again, Facebook seems to be sharing personal information by default," wrote Graham Cluely, senior technology consultant at Sophos, in a blog post. "Many people feel distinctly uncomfortable about a site like Facebook learning what they look like, and using that information without their permission."

"What we're seeing here is another chapter in Facebook's normal playbook on this, which is to be very aggressive," said privacy advocate Lauren Weinstein, co-founder of People For Internet Responsibility, an Internet policy group. Such behavior, he said, was "in keeping with CEO Mark Zuckerberg's sensibilities about these sorts of things."

Acknowledging that making online services opt-in isn't always the answer--because many innovative services would go unused in an opt-in scenario due to consumer inertia--Weinstein nonetheless suggested that Facebook should have handled the deployment of facial recognition differently due to the fact that it affects people on both an intellectual and emotional level.

A better way to handle the roll-out, Weinstein said, would have been to present users with a page describing the technology and then ask them whether or not they wished to participate.

Facebook in fact takes this approach in its "Friends can check me in to Places" privacy setting: Where location data is concerned, the social networking site requires that the user choose "Enabled" or "Disabled" rather than enabling the setting by default.

Bloomberg has reported that Article 29 Data Protection Working Party, an European Union privacy advisory group, and Ireland's data protection authority are separately looking into Facebook photo tagging. The Register characterized the interest of E.U. data protection authorities as more informal, a discussion with Facebook rather than a formal investigation.

As it has with other features that have privacy implications, Facebook has acknowledged that it didn't handle the roll-out of this capability very well. The company said that it launched Tag Suggestions to help people tag--meaning identify and annotate--their friends in photos. Facebook users already do this using their wetware--which is to say brains--over 100 million times daily; with the assistance of Facebook's facial recognition software, the incidence of tagging is only likely to increase.

"Tag Suggestions are only made to people when they add new photos to the site, and only friends are suggested," a Facebook spokesperson said in an email. "If for any reason someone doesn't want [his or her] name to be suggested, [that person] can disable the feature in [his or her] Privacy Settings."

Facebook said that when it announced its plan to deploy facial recognition technology, it explained its intent to test the technology and to revise it based on user feedback.

"We should have been more clear with people during the roll-out process when this became available to them," Facebook said in its statement. "Tag Suggestions are now available in most countries and we'll post further updates to our blog over time."

Facebook declined to make someone from the company available to discuss the technology in greater depth.

In the new, all-digital InformationWeek supplement: Our 2011 Strategic Security Survey confronts the five biggest problems faced by midsize companies. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-6651
Published: 2014-07-31
Multiple directory traversal vulnerabilities in the Vitamin plugin before 1.1.0 for WordPress allow remote attackers to access arbitrary files via a .. (dot dot) in the path parameter to (1) add_headers.php or (2) minify.php.

CVE-2014-2970
Published: 2014-07-31
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality ...

CVE-2014-3488
Published: 2014-07-31
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVE-2014-3554
Published: 2014-07-31
Buffer overflow in the ndp_msg_opt_dnssl_domain function in libndp allows remote routers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS Search List (DNSSL) in an IPv6 router advertisement.

CVE-2014-5171
Published: 2014-07-31
SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.

Best of the Web
Dark Reading Radio