23 September 2012

Facing the regulators

The NY Times reports that Facebook has "promised European regulators that it would forgo using facial recognition software and delete the data used to identify Facebook users by their pictures".
The agreement comes as Facebook is under pressure from Wall Street to profit from its vast trove of data, including pictures, and also from regulators worldwide over the use of personal information.
The decision in Europe applies to the “tag suggestion,” a Facebook feature that deploys a sophisticated facial recognition tool to automatically match pictures with names. When a Facebook user uploads a photo of friends, the “tag suggestion” feature can automatically pull up the names of the individuals in the image. ... The company quietly and temporarily pulled the plug on “tag suggestion” for all Facebook users several months ago. The company said on Friday it was to “make improvements to the tool’s efficiency” and did not say how soon it would be restored. However, the company promised European regulators on Friday that it would reinstate the feature on the Continent only after getting their approval.
Facebook declined to say under what circumstances the “tag suggestions” would be back online in the United States or elsewhere.
Facebook’s promise to the European regulators is part of an investigation into whether the company’s data collection practices comply with European privacy rules. It was made with regulators in Ireland, where the company has its European headquarters.
“We will continue to work together to ensure we remain compliant with European data protection law,” Facebook said in a statement.
The Times comments that
Photo tagging is important for Facebook in the sense that it allows the social network to better analyze with whom its users interact in the real world.
In addition to scrutiny from European regulators, Facebook has also come under fire from consumer protection groups and lawmakers in the United States over its use of facial recognition technology. At a hearing on Capitol Hill last July, Senator Al Franken, Democrat of Minnesota, described Facebook as the “world’s largest privately held database of face prints — without the explicit consent of its users.” [PDF]
On Friday, Mr. Franken said in an e-mail statement that he hoped Facebook would offer a way for American users to opt in to its photographic database.
“I believe that we have a fundamental right to privacy, and that means people should have the ability to choose whether or not they’ll be enrolled in a commercial facial recognition database,” he said. “I encourage Facebook to provide the same privacy protections to its American users as it does its foreign ones.” ...
Last year Franken commented
I want to be clear: there is nothing inherently right or wrong with facial recognition technology. Just like any other new and powerful technology, it is a tool that can be used for great good. But if we do not stop and carefully consider the way we use this technology, it may also be abused in ways that could threaten basic aspects of our privacy and civil liberties. 
I believe that we have a fundamental right to control our private information - and biometric information is already among the most sensitive of our private information, mainly because it is both unique and permanent. You can change your password. You can get a new credit card. But you can’t change your fingerprint, and you can’t change your face. Unless I guess you go to a great deal of trouble. 
Indeed, the dimensions of our faces are unique to each of us — just like our fingerprints. And just like fingerprint analysis, facial recognition technology allows others to identify you with what’s called a “faceprint,” a unique file describing your face. 
But facial recognition creates acute privacy concerns that fingerprints do not. Once someone has your fingerprint, they can dust your house or your surroundings to figure out what you’ve touched. 
Once someone has your faceprint, they can get your name, they can find your social networking account and they can find and track you in the street, in the stores you visit, the government buildings you enter, and the photos your friends post online. Your face is a conduit to an incredible amount of information about you. And facial recognition technology can allow others to access all of that information from a distance, without your knowledge and in about as much time as it takes to snap a photo. 
People think of facial recognition as something out of a science fiction movie. In reality, facial recognition technology is in broad use today. If you have a drivers’ license, if you have a passport, if you are a member of a social network, chances are good that you are part of a facial recognition database.
In the latest coverage the Times states that
Personal data is Facebook’s crown jewel, but how to use it artfully and profitably is arguably its biggest challenge. Facebook has access to a tremendous amount of information about its one billion users, including the photos they upload every day. Marketers have pushed for greater access to that data, so as to tailor the right message to the right customer. Consumers and lawmakers have resisted, to different degrees in different countries around the world. ...
Several independent application developers are experimenting with how to use facial recognition technology in the real world, and have sought to use pictures on Facebook to build products of their own.
For example, one company in Atlanta is developing an application to allow Facebook users to be identified by cameras installed in stores and restaurants. The company, Redpepper, said in a blog post that users would have to authorize the application to pull their most recent tagged photographs. The company said its “custom-developed cameras then simply use this existing data to identify you in the real world,” including by offering special discounts and deals.
Ireland's Office of the Data Protection Commissioner at the same time published the 186 page outcome of its Review of Facebook Ireland’s (FB-I) implementation of recommendations made in the Office’s December 2011 audit.

The Office is significant because Facebook's European operations are based in Ireland, a lite-touch privacy regime.

The Review was concerned with a comprehensive assessment of Facebook’s compliance with Irish Data Protection law and by extension EU law.

The Irish Data Protection Commissioner stated
I am particularly encouraged in relation to the approach [Facebook] has decided to adopt on the tag suggest/facial recognition feature by in fact agreeing to go beyond our initial recommendations, in light of developments since then, in order to achieve best practice. This feature has already been turned off for new users in the EU and templates for existing users will be deleted by 15 October, pending agreement with my Office on the most appropriate means of collecting user consent. By doing so it is sending a clear signal of its wish to demonstrate its commitment to best practice in data protection compliance.
The Deputy Commissioner stated that
the outcome reflects months of detailed engagement between Facebook Ireland and this Office. The discussions and negotiations that have taken place, while often robust on both sides, were at all times constructive with a collective goal of compliance with data protection requirements. There were a number of items on which progress was not as fully forward as we had hoped and we have set a deadline of 4 weeks for these matters to be brought to a satisfactory conclusion.
It is also clear that ongoing engagement with the company will be necessary as it continues to bring forward new ways of serving advertising to users and retaining users on the site. The value of such engagement to identify and deal with any data protection concerns prior to launch of new products and services is fully accepted by FB-I.
People who are familiar with officialspeak will notice the reference to "robust", "at all times  constructive", "months of detailed engagement" and the clear need for "ongoing engagement".

We might ask why Facebook hasn't switched off facial recognition everywhere.