The Office of the Data Protection Commissioner has spent the better part of 2012 surveying the operations at Facebook's Dublin headquarters and sifting through a variety of consumer privacy issues. The agency recently released a review of the social network's progress in implementing prior audit recommendations, highlighting Facebook's renewed emphasis on transparency and increased user control over key settings. The most notable revelation in the report, however, was the announcement that Facebook has decided to disable its facial recognition feature for European users until it designs a more satisfactory method of gaining their consent.
Above and beyond
"I am satisfied that the review has demonstrated a clear and ongoing commitment on the part of Facebook Ireland to comply with its data protection responsibilities by way of implementation or progress toward implementation of the recommendations of the (initial) audit report," Irish Data Protection Commissioner Billy Hawkes explained. "I am particularly encouraged in relation to the approach it has decided to adopt on the tag suggest/facial recognition feature by in fact agreeing to go beyond our initial recommendations, in light of developments since then, in order to achieve best practice."
Effective immediately, new users registering from European domains will no longer have access to the facial recognition features which have previously been used to identify individuals in uploaded photos and suggest that they be tagged. European users have also been assured that, by October 15, all existing data templates will be deleted.
Regulators were also quick to commend Facebook for reaching out to users across the board to foster a greater awareness of how their data is being handled. For instance, the social media giant pulled back the curtain on its advertising network to reveal how users may be targeted by certain marketers. Additionally, users were afforded more granular control over disabling or blocking a portion of these advertisements and informed of how their decisions may affect other aspects of the browsing experience.
Facebook's data protection progress also extended into issues of retention. Policies were amended to establish more explicit timetables for how long users' should reasonably expect their information to be stored, with particular attention paid to deactivated accounts. Also, users were provided with expanded power to delete friend requests, messages and tags on a per item basis.
Although Facebook Ireland did make a remarkably fast turnaround in a number of operational areas, the regulatory review did highlight some issues still in need of attention. Authorities were not yet satisfied by the details provided regarding how pervasively tracking cookies are being used and how consent is obtained. Also, the social network was encouraged to provide Android application users with a more explicit explanation of how data that has been synced between devices in the past is retained.
But in many ways, the questions surrounding Facebook's data protection progress extend far beyond the scope of the report. On the one hand, the technical implications of Facebook's decision could spill over into several segments of the market. According to The New York Times, this strike against facial recognition systems could halt the technology's momentum and inspire a broader discussion of its merits.
"This is a big deal. The development of these tools in the private sector directly affects civil liberties," University of California – Berkeley law professor and online privacy expert Chris Hoofnagle told the Times. "The ultimate application is going to be – can we apply these patterns in video surveillance to automatically identify people for security purposes and maybe marketing purposes as well?"
Finally, Facebook users and tech observers can't help but wonder if and when the events taking place in Ireland will translate to American audiences. The social network has drawn comparable criticism from the likes of Senator Al Franken and others questioning if its commercial ambitions have not outpaced its data security capabilities and violated consumer privacy expectations in the process.
Data Security News from SimplySecurity.com by Trend Micro