Risk
6/8/2011
02:35 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Facebook: We Fumbled Face Recognition Roll-Out

The low-key deployment of facial recognition technology to identify Facebook friends in pictures has once again embroiled Facebook in a privacy debate.

Top 15 Facebook Apps For Business
(click image for larger view)
Slideshow: Top 15 Facebook Apps For Business
Without fanfare, Facebook has decided to help people recognize and tag their friends in photos added to the social website through the use of facial recognition technology. It has done so by enabling facial recognition by default; users who wish not to be identified automatically when friends tag pictures must seek out the appropriate privacy setting to opt-out of Tag Suggestions.

Facial recognition technology remains highly controversial, so much so that Google has held off deploying it in its Google Goggles visual search application for fear of potential privacy complaints. Facebook's decision to enable facial recognition for its users without asking permission is prompting just such a backlash.

Computer security company Sophos wrote an open letter to Facebook in April asking it to enable privacy by default instead of forcing users to opt-out. "Unfortunately, once again, Facebook seems to be sharing personal information by default," wrote Graham Cluely, senior technology consultant at Sophos, in a blog post. "Many people feel distinctly uncomfortable about a site like Facebook learning what they look like, and using that information without their permission."

"What we're seeing here is another chapter in Facebook's normal playbook on this, which is to be very aggressive," said privacy advocate Lauren Weinstein, co-founder of People For Internet Responsibility, an Internet policy group. Such behavior, he said, was "in keeping with CEO Mark Zuckerberg's sensibilities about these sorts of things."

Acknowledging that making online services opt-in isn't always the answer--because many innovative services would go unused in an opt-in scenario due to consumer inertia--Weinstein nonetheless suggested that Facebook should have handled the deployment of facial recognition differently due to the fact that it affects people on both an intellectual and emotional level.

A better way to handle the roll-out, Weinstein said, would have been to present users with a page describing the technology and then ask them whether or not they wished to participate.

Facebook in fact takes this approach in its "Friends can check me in to Places" privacy setting: Where location data is concerned, the social networking site requires that the user choose "Enabled" or "Disabled" rather than enabling the setting by default.

Bloomberg has reported that Article 29 Data Protection Working Party, an European Union privacy advisory group, and Ireland's data protection authority are separately looking into Facebook photo tagging. The Register characterized the interest of E.U. data protection authorities as more informal, a discussion with Facebook rather than a formal investigation.

As it has with other features that have privacy implications, Facebook has acknowledged that it didn't handle the roll-out of this capability very well. The company said that it launched Tag Suggestions to help people tag--meaning identify and annotate--their friends in photos. Facebook users already do this using their wetware--which is to say brains--over 100 million times daily; with the assistance of Facebook's facial recognition software, the incidence of tagging is only likely to increase.

"Tag Suggestions are only made to people when they add new photos to the site, and only friends are suggested," a Facebook spokesperson said in an email. "If for any reason someone doesn't want [his or her] name to be suggested, [that person] can disable the feature in [his or her] Privacy Settings."

Facebook said that when it announced its plan to deploy facial recognition technology, it explained its intent to test the technology and to revise it based on user feedback.

"We should have been more clear with people during the roll-out process when this became available to them," Facebook said in its statement. "Tag Suggestions are now available in most countries and we'll post further updates to our blog over time."

Facebook declined to make someone from the company available to discuss the technology in greater depth.

In the new, all-digital InformationWeek supplement: Our 2011 Strategic Security Survey confronts the five biggest problems faced by midsize companies. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2382
Published: 2014-11-20
The DfDiskLo.sys driver in Faronics Deep Freeze Standard and Enterprise 8.10 and earlier allows local administrators to cause a denial of service (crash) and execute arbitrary code via a crafted IOCTL request that writes to arbitrary memory locations, related to the IofCallDriver function.

CVE-2014-3625
Published: 2014-11-20
Directory traversal vulnerability in Pivitol Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

CVE-2014-7194
Published: 2014-11-20
TIBCO Managed File Transfer Internet Server before 7.2.4, Managed File Transfer Command Center before 7.2.4, Slingshot before 1.9.3, and Vault before 1.1.1 allow remote attackers to obtain sensitive information or modify data by leveraging agent access.

CVE-2014-7195
Published: 2014-11-20
Spotfire Web Player Engine in TIBCO Spotfire Web Player 6.0.x before 6.0.2 and 6.5.x before 6.5.2, Spotfire Deployment Kit 6.0.x before 6.0.2 and 6.5.x before 6.5.2, and Silver Fabric Enabler for Spotfire Web Player before 1.6.1 allows remote authenticated users to obtain sensitive information via u...

CVE-2014-8000
Published: 2014-11-20
Cisco Unified Communications Manager IM and Presence Service 9.1(1) produces different returned messages for URL requests depending on whether a username exists, which allows remote attackers to enumerate user accounts via a series of requests, aka Bug ID CSCur63497.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?