Risk
6/8/2011
02:35 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Facebook: We Fumbled Face Recognition Roll-Out

The low-key deployment of facial recognition technology to identify Facebook friends in pictures has once again embroiled Facebook in a privacy debate.

Top 15 Facebook Apps For Business
(click image for larger view)
Slideshow: Top 15 Facebook Apps For Business
Without fanfare, Facebook has decided to help people recognize and tag their friends in photos added to the social website through the use of facial recognition technology. It has done so by enabling facial recognition by default; users who wish not to be identified automatically when friends tag pictures must seek out the appropriate privacy setting to opt-out of Tag Suggestions.

Facial recognition technology remains highly controversial, so much so that Google has held off deploying it in its Google Goggles visual search application for fear of potential privacy complaints. Facebook's decision to enable facial recognition for its users without asking permission is prompting just such a backlash.

Computer security company Sophos wrote an open letter to Facebook in April asking it to enable privacy by default instead of forcing users to opt-out. "Unfortunately, once again, Facebook seems to be sharing personal information by default," wrote Graham Cluely, senior technology consultant at Sophos, in a blog post. "Many people feel distinctly uncomfortable about a site like Facebook learning what they look like, and using that information without their permission."

"What we're seeing here is another chapter in Facebook's normal playbook on this, which is to be very aggressive," said privacy advocate Lauren Weinstein, co-founder of People For Internet Responsibility, an Internet policy group. Such behavior, he said, was "in keeping with CEO Mark Zuckerberg's sensibilities about these sorts of things."

Acknowledging that making online services opt-in isn't always the answer--because many innovative services would go unused in an opt-in scenario due to consumer inertia--Weinstein nonetheless suggested that Facebook should have handled the deployment of facial recognition differently due to the fact that it affects people on both an intellectual and emotional level.

A better way to handle the roll-out, Weinstein said, would have been to present users with a page describing the technology and then ask them whether or not they wished to participate.

Facebook in fact takes this approach in its "Friends can check me in to Places" privacy setting: Where location data is concerned, the social networking site requires that the user choose "Enabled" or "Disabled" rather than enabling the setting by default.

Bloomberg has reported that Article 29 Data Protection Working Party, an European Union privacy advisory group, and Ireland's data protection authority are separately looking into Facebook photo tagging. The Register characterized the interest of E.U. data protection authorities as more informal, a discussion with Facebook rather than a formal investigation.

As it has with other features that have privacy implications, Facebook has acknowledged that it didn't handle the roll-out of this capability very well. The company said that it launched Tag Suggestions to help people tag--meaning identify and annotate--their friends in photos. Facebook users already do this using their wetware--which is to say brains--over 100 million times daily; with the assistance of Facebook's facial recognition software, the incidence of tagging is only likely to increase.

"Tag Suggestions are only made to people when they add new photos to the site, and only friends are suggested," a Facebook spokesperson said in an email. "If for any reason someone doesn't want [his or her] name to be suggested, [that person] can disable the feature in [his or her] Privacy Settings."

Facebook said that when it announced its plan to deploy facial recognition technology, it explained its intent to test the technology and to revise it based on user feedback.

"We should have been more clear with people during the roll-out process when this became available to them," Facebook said in its statement. "Tag Suggestions are now available in most countries and we'll post further updates to our blog over time."

Facebook declined to make someone from the company available to discuss the technology in greater depth.

In the new, all-digital InformationWeek supplement: Our 2011 Strategic Security Survey confronts the five biggest problems faced by midsize companies. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.