Tuesday, April 10, 2012

EU, Facebook, FaceRec & Consent


Facebook's facial recog bots can't eat your face without your say-so
(The Register)
They can taste it, though...
Social networking sites need to obtain users' "informed consent" before suggesting to other users that those individuals feature in photos that they are uploading to the site, an EU privacy watchdog has said.

The Article 29 Working Party said, though, that the networks can process the images legitimately without the consent of those featured in the photos under EU data protection laws in order to assess whether that consent has been given. However, it said that sites processing images in order to verify consent must delete that information "immediately after" that processing is complete.
The above article makes an interesting technical point and hints at an interesting point about privacy.

In order to biometrically determine whether or not someone is in a particular database — such as the database of people who have given consent to be "tagged" — a biometric search must be undertaken. The Art.29 Data Protection Working Party has acknowledged the difference between the search and enrollment functions and probe vs. database images. This is good because, as implied in the article, to fail to make these distinctions would make it impractical to find out if someone had consented to something in the first place without making them express their consent all over again.

There's also an interesting privacy point — Facebook's knowledge about non-facebook users (such as your humble scribe). The sly "spam your friends" button that sends an email to everyone in a new user's email contact list is one way Facebook collects personal information (email addresses) of non-facebook users and begins to turn that data into information when the same email address turns up in multiple Facebook users' contact lists.

The photo tagging feature also allows/encourages Facebook users to add information about non-users to Facebook's database. The Art.29 Data Protection Working Party has recommended a technical solution to the photo-tagging feature's ability to collect information on non-consenting individuals for Facebook's use, which is great. But a 100% solution is as much social as technological.

There's an etiquette to these things. Facebook makes it very, very easy for users to tell Facebook about people who don't use Facebook, but it seems impossible that Facebook could police its users in such a way as to prevent them from violating the privacy of other people. Facebook collects information on non-users, and Facebook can be used to communicate information about non-users without consent. These are two separate issues.

In a final twist, Facebook's very existence may depend upon its users' discretion and restraint in choosing what to post and tag, and Facebook's agility in handling the information. A user may love the facial recognition tagging feature but hate to be outed as the Key West Spring Break wet T-shirt contest winner.