Being on Facebook means being seen, and recently some users have spotted a News Feed alert describing several new face recognition features coming to the social network. The notification looks like this:
— Walt Mossberg (@waltmossberg) 27 February 2018
Facebook first announced the features back in December, and have slowly rolled them out since then. Users who opt-in for face recognition can be notified of photos they appear in, even if they haven’t been tagged, so long as the photos’ privacy settings allow it.
When we reached out to Facebook for more information on how the face recognition features work, they referred us to two blog posts from December announcing the new settings and addressing privacy concerns. Reading those statements closely can tell us a lot, but there’s just as much we don’t know. Like, just what, exactly, Facebook wants to do with our faces.
How does it work?
When you upload a photo to Facebook, its machine learning systems detect the faces that are visible and measure them. Because we all have different faces, we all have different measurements for things like our nose bridges, our eyelids, and the width of our lips. Simply put, these combined measurements become a “face print,” and since everyone’s is unique, face prints can be used to identify people. When you upload photos on Facebook and it suggests a friend to tag, it’s because Facebook has found a match between the face measurements of the person in the picture and a particular set of face prints it has on file. (With two billion users, Facebook has a lot of face prints on file.)
What do I get out of all this?
With all that face data, Facebook can (if you choose to allow it!) automatically tag you in photos you haven’t been tagged in. If you have an active account, Facebook can also tell you if another user uploads an image your face as their profile picture and flag that user for catfishing. Additionally, visually impaired users can use face recognition in conjunction with the social network’s automatic alt-text tool to identify who appears in Facebook photos. Undeniably, face prints are a powerful way to identify people and detect fraud.
Ok, I’m in, how do I turn it on?
The face recognition features haven’t rolled out to all users, and won’t be available everywhere, but you can check to see if they’re available to you by selecting “Settings” from the triangle-shaped drop-down menu at the top right of every Facebook page. If there’s a column called “Face Recognition,” simply click that and then agree to use the service.
Sounds weird, how do I opt out?
To be clear, Facebook has repeatedly said that users aren’t enrolled by default and can opt out of the new features whenever they want to (by using the same process described above). That’s potentially misleading, because while you can opt out of the new face recognition features, Facebook hasn’t said whether you can opt out of having your face measured, digitised and stored on their servers.
So what does “opt out” really mean?
According to Facebook, face templates “are deleted” when face recognition is turned off, but it’s unclear if Facebook still has your face print and still knows what untagged photos you appear in if you never agree to use these new features.
That detail may seems minor, but it has been an issue of major contention for the company. In 2012, Facebook agreed to delete face templates of European users after regulators there began investigating whether “tag suggestions” violated EU privacy laws. And just this week, a judge denied an attempt by Facebook to throw out a class-action lawsuit by users in Illinois who claim “tag suggestions” violated the state’s biometric laws.
As far as we know, this is what happens if you don’t opt in: Facebook still has your face print and still uses it in some (but not all) parts of the tagging process. We will update this post if Facebook clarifies this point. Tellingly, Facebook states that the new features aren’t available in Canada or Europe “where we don’t currently offer face recognition technology.”
What does Facebook see?
The specifics of opting out are important because, theoretically, Facebook has the power to recognise hundreds of millions of people in photos—even if we have no reason to expect them to do so. As my colleague Kashmir Hill wondered, what if you’re simply caught in the background of a photo by happenstance, would Facebook ID you? Or make some inference about you based who you were with? Facebook denies it’s using face recognition this way, but we need to be cautious about their ability to biometrically identify and catalogue scores of people in an instant.
What doesn’t Facebook see?
Biometric data is extremely precious and more people are moving to protect it. As we mentioned earlier, Facebook is currently being sued for allegedly violating Illinois’ Biometric Information Privacy Act. The plaintiffs claim that Facebook’s widespread collection of face print data violates BIPA. Facebook fired back, saying that while they do collect massive amounts of face data, face collection doesn’t actually harm anyone. Facebook tried to have the case dismissed on those grounds, but it’s still moving forward. Facebook could pay up to $5,000 for each violation.
Since Illinois passed BIPA in 2008, several other states have followed their lead, with similar laws now on the books in Texas and Washington. Those states, and countries with their own digital privacy laws, may be the only places in the world where users truly own their own faces.
Meanwhile, collection of face data by a wide array of technology companies rolls ever onward, with our faces being used for everything from identification at airports to customer reward points for free burgers. Perhaps the best summary of the high stakes involved comes from Adam Harvey, a counter-surveillance expert who spoke with Gizmodo last fall.
“When any information is co-opted for security purposes it becomes less secure to share,” Harvey said. “For example, sharing your mother’s maiden name online would not be a good idea. Likewise, Facebook’s proposed facial recognition product would make sharing your face online a security issue, even more so than it already is.”