Risk
6/8/2011
02:35 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Facebook: We Fumbled Face Recognition Roll-Out

The low-key deployment of facial recognition technology to identify Facebook friends in pictures has once again embroiled Facebook in a privacy debate.

Top 15 Facebook Apps For Business
(click image for larger view)
Slideshow: Top 15 Facebook Apps For Business
Without fanfare, Facebook has decided to help people recognize and tag their friends in photos added to the social website through the use of facial recognition technology. It has done so by enabling facial recognition by default; users who wish not to be identified automatically when friends tag pictures must seek out the appropriate privacy setting to opt-out of Tag Suggestions.

Facial recognition technology remains highly controversial, so much so that Google has held off deploying it in its Google Goggles visual search application for fear of potential privacy complaints. Facebook's decision to enable facial recognition for its users without asking permission is prompting just such a backlash.

Computer security company Sophos wrote an open letter to Facebook in April asking it to enable privacy by default instead of forcing users to opt-out. "Unfortunately, once again, Facebook seems to be sharing personal information by default," wrote Graham Cluely, senior technology consultant at Sophos, in a blog post. "Many people feel distinctly uncomfortable about a site like Facebook learning what they look like, and using that information without their permission."

"What we're seeing here is another chapter in Facebook's normal playbook on this, which is to be very aggressive," said privacy advocate Lauren Weinstein, co-founder of People For Internet Responsibility, an Internet policy group. Such behavior, he said, was "in keeping with CEO Mark Zuckerberg's sensibilities about these sorts of things."

Acknowledging that making online services opt-in isn't always the answer--because many innovative services would go unused in an opt-in scenario due to consumer inertia--Weinstein nonetheless suggested that Facebook should have handled the deployment of facial recognition differently due to the fact that it affects people on both an intellectual and emotional level.

A better way to handle the roll-out, Weinstein said, would have been to present users with a page describing the technology and then ask them whether or not they wished to participate.

Facebook in fact takes this approach in its "Friends can check me in to Places" privacy setting: Where location data is concerned, the social networking site requires that the user choose "Enabled" or "Disabled" rather than enabling the setting by default.

Bloomberg has reported that Article 29 Data Protection Working Party, an European Union privacy advisory group, and Ireland's data protection authority are separately looking into Facebook photo tagging. The Register characterized the interest of E.U. data protection authorities as more informal, a discussion with Facebook rather than a formal investigation.

As it has with other features that have privacy implications, Facebook has acknowledged that it didn't handle the roll-out of this capability very well. The company said that it launched Tag Suggestions to help people tag--meaning identify and annotate--their friends in photos. Facebook users already do this using their wetware--which is to say brains--over 100 million times daily; with the assistance of Facebook's facial recognition software, the incidence of tagging is only likely to increase.

"Tag Suggestions are only made to people when they add new photos to the site, and only friends are suggested," a Facebook spokesperson said in an email. "If for any reason someone doesn't want [his or her] name to be suggested, [that person] can disable the feature in [his or her] Privacy Settings."

Facebook said that when it announced its plan to deploy facial recognition technology, it explained its intent to test the technology and to revise it based on user feedback.

"We should have been more clear with people during the roll-out process when this became available to them," Facebook said in its statement. "Tag Suggestions are now available in most countries and we'll post further updates to our blog over time."

Facebook declined to make someone from the company available to discuss the technology in greater depth.

In the new, all-digital InformationWeek supplement: Our 2011 Strategic Security Survey confronts the five biggest problems faced by midsize companies. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3594
Published: 2014-08-22
Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.