It may be time to move beyond Facebook’s assurance of its trustworthiness and specifically restrict the company’s use of face recognition. Changes within Facebook Europe would seem to suggest so.
For gullible (and now disgruntled) investors Facebook is a machine that made several billion dollars disappear. For Facebook enthusiasts it is a cornucopia of good things, connecting friends and families across the world, linking people with employment opportunities, health services and retailers.
For privacy analysts and some regulators, Facebook is an information black hole, a vortex that sucks personal information from more than 800 million people across the globe.
That information collection is problematical because Facebook’s terms and conditions are volatile and difficult to interpret.
They can and do change without your agreement, affecting information that you – or your friends, unintentionally acting on your behalf – have gifted to the social network service and its partners.
We think of Facebook as a way of sharing experiences with friends. But it’s also the world’s largest personal photo library. It contains hundreds of millions of photographs of faces, all supplied by the owners of those faces or their friends and associates.
The Facebook experience is about sharing those images with Facebook … and with Facebook’s friends, some of whom might not be as well-behaved as you or I.
Facebook can put names to the faces, either by inference (such as when a Facebook user uploads portrait photos on his/her profile) or through tagging by friends and acquaintances of photos uploaded by another party.
Using the social graph – identifying an individual’s consumption patterns and affinities by mapping that person’s associates – it’s easy to engage in large-scale and often accurate profiling of cohorts.
Facebook has gone a step further, using biometric tools to recognise the photos that appear on its service. As those tools become more accurate it’s increasingly possible for Facebook to identify individuals even without their friends obligingly dobbing them in.
A range of businesses and public sector agencies have expressed interest in using that information, whether for unbeatable retail offers or for the war against crime, terror and copyright infringement.
One US developer aims to integrate Facebook photos with images from CCTV cameras in shopping centres or check-in counters.
Enough is enough
Last Friday, regulators in Europe took a small step towards saying “enough”. Facebook’s European operation, which accounts for around a third of the group’s revenue, is located in Ireland. It is thus subject to the Irish Data Protection Commissioner, the counterpart of the Privacy Commissioner within the Office of the Australian Information Commissioner.
The Irish agency has heeded expressions of concern by a range of national and provincial privacy and consumer protection bodies across Europe, including the intergovernmental Article 29 Working Party that has increasingly emphasised notions of transparency and consent in questions about biometrics and “privacy in the cloud”.
Some of those bodies, such as the provincial regulator in Hamburg, have been strongly critical of Facebook.
That is in contrast to Ireland’s stance, which reflects a tradition of light-touch regulation founded on Dublin’s hope that the Celtic Tiger would become the Silicon Valley of Europe.
The Data Protection Commissioner last year launched a review of Facebook’s privacy practices. Unsurprisingly it was not very impressed. In a report released last Friday it referred to “months of detailed engagement” and “robust” discussions.
Those discussions were apparently so robust that “we have set a deadline of four weeks for these matters to be brought to a satisfactory conclusion” and that there is a “clear need” for “ongoing engagement”.
What does that mean for the world’s largest “face print” collection? Facebook Europe has preempted regulation in European jurisdictions outside Ireland by turning off face tagging for new users in the EU.
Templates for existing users will be deleted by October 15. The Commissioner hails that agreement as Facebook “sending a clear signal of its wish to demonstrate its commitment to best practice in data protection compliance”.
Facebook has not announced a global turn-off. Indeed it has signalled that facial tagging may be reintroduced. If Mr Zuckerberg and other Facebook executives have a profound commitment to “best practice” it is surprising no-one has announced tagging will stop and that there will be a mechanism for individuals to stop recognition of their faces.
A corporate reluctance to embrace best practice founded on transparency, consistency and consent means consumers should be wary about gifting Facebook with information about themselves and their friends or associates.
It also means that regulators need to be vigilant, rather than assuming businesses in the cloud can be left to manage themselves. If those regulators have their heads in the clouds they must remember to keep their feet on the ground.
Australian senator Gary Humphries last week commented on data offshoring. In a refreshing analysis he noted that borders are of less importance than how information is managed.
In building on that analysis we may need to move beyond taking Facebook’s word on its trustworthiness and restrict its use of face recognition.
If you don’t manage information it will be used to manage you.