Feeds

Facebook's facial recog bots can't eat your face without your say-so

EU watchdog: Software must obtain consent to process your image

High performance access to file storage

Social networking sites need to obtain users' "informed consent" before suggesting to other users that those individuals feature in photos that they are uploading to the site, an EU privacy watchdog has said.

The Article 29 Working Party said, though, that the networks can process the images legitimately without the consent of those featured in the photos under EU data protection laws in order to assess whether that consent has been given. However, it said that sites processing images in order to verify consent must delete that information "immediately after" that processing is complete.

"Only those registered users who have a reference template enrolled in the identification database will match against these new images and therefore have a tag suggested automatically," the Working Party said in an opinion on facial recognition in online and mobile services (10-page/53KB PDF).

"If the consent of the individual was to be considered as the only possible legitimate basis for all processing the entire service would be blocked as, for example, there is no means to gain consent of non-registered users who may have their personal data processed during face detection and feature extraction," the watchdog said.

"Furthermore it would not be possible to distinguish between the faces of registered users who had and had not consented without first performing facial recognition. Only after identification has taken place (or a failure to identify) would a data controller be able to determine whether or not they have the appropriate consent for the specific processing," it said.

Facebook is one social network that uses facial recognition technology automatically to suggest the names of people featured in photos uploaded by users.

Users can 'tag' themselves and their friends in photos they upload to the site. The tag labels the pictures with pop-up captions to enable people who view the photos to identify who is in the shot by hovering their cursor over the picture. The company launched the feature in 2010 for users in the US and it is now widely available to users in most countries.

Social networks need consent from users in the first place in order to store "templates" of images that can be used to verify users' identity, the Working Party said.

The group said that the social networks must have the consent of the "image uploaders" in order for processing of those images to "take place for the purposes of facial recognition." Registered users must be "clearly informed" that images they upload "will be subject to a facial recognition system" before they upload them.

Under the EU's Data Protection Directive personal data can only be processed under strict conditions. Personal data must be "processed fairly and lawfully" and generally it can only be collected for "specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes".

Organisations must either obtain "unambiguous consent" from individuals before processing is lawful or satisfy one of a number of other conditions instead. One of those conditions is if the processing "is necessary for compliance with a legal obligation to which the [data] controller is subject".

The Working Party, which is a committee featuring representatives of all the EU's national data protection regulators, said that social networking sites "must take appropriate steps to ensure the security" of images as they are being uploaded to the site. "This may include encrypted communication channels or encrypting the acquired image itself. Where possible, and especially in the case of authentication/verification, local processing should be favoured," it said.

"Technical controls" should also be installed to "reduce the risk that digital images are further processed by third parties for purposes for which the user has not consented to", whilst users of social networking sites should have access to "tools" in order to "control the visibility of their images that they have uploaded" if settings automatically restrict third parties' access to the content, the watchdog said.

Social networking sites must also ensure that image "templates" they create do not contain more information about individuals than is "necessary" in order for those individuals to be identifiable during facial recognition processing.

Users of social networks also have to be given "appropriate mechanisms" in order to "exercise their right of access" to both the images and their templates, the Working Party said.

Social networks probably would need to store templates in order to use them to authenticate and verify individuals' identities, but they must ensure that this information is kept securely, the Working Party said.

"The data controller must consider the most appropriate location for storage of the data," it said. "This may include on the user’s device or within the data controller’s systems."

"The data controller must take appropriate steps to ensure the security of the data stored. This may include encrypting the template. It should not be possible to obtain unauthorised access to the template or storage location. Especially for the case of facial recognition for the purpose of verification, biometric encryption techniques may be used; with these techniques, the cryptographic key is directly bound to the biometric data and is re-created only if the correct live biometric sample is presented on verification, whereas no image or template is stored (thus forming a type of 'untraceable biometrics')," the Working Party said.

Facebook was the subject of an audit by the Irish data protection regulator last year over its privacy practices and polices. In its audit report the Office of the Irish Data Protection Commissioner said the company's decision to introduce facial recognition technology on an 'opt-out' basis should have been handled "in a more appropriate manner". In response Facebook Ireland said it would notify users up to three times in order to give users more information on adjusting their settings for the feature.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

3 Big data security analytics techniques

More from The Register

next story
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Whoever you vote for, Google gets in
Report uncovers giant octopus squid of lobbying influence
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Banks slap Olympus with £160 MEEELLION lawsuit
Scandal hit camera maker just can't shake off its past
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.