This move clearly has an impact on the privacy profession and workplace by creating new challenges and raising significant concerns about trust.
"We don't have privacy laws that specifically speak to facial recognition in broad open platforms like social media," says Trevor Hughes, president of the International Association of Privacy Professionals. "In the absence of these standards, privacy professionals need to spend a lot of time thinking what the appropriate responses are when these services are launched."
It's OK to make mistakes occasionally, but what Facebook is doing is not making mistakes, but breaching trust.
Except these professionals are simply overwhelmed in an era where new technologies are pushing their expectations and considerations of privacy. With a lack of public policy to accommodate the advancement in technology, they just find themselves unable to respond to the changes ahead.
"How do you create answers? How do you move technology forward?" Hughes asks. "While still respecting what your customers expect from you, when it comes to privacy, that's a very difficult challenge."
In the workplace, social networking is very complicated, as the intersection of personal and working lives creates real challenges for these practitioners. Facial recognition only opens more avenues to create identity issues, as a person tagged to a photo may not be the right individual.
Also, privacy in the workplace is largely driven by information controlled outside the organization, so the other concern is the identity and photo database of 500 million users that Facebook has. Who will have access to this critical information? How will the data be protected? What privacy standards and laws will be applicable to ensure effective database security measures are practiced?
"Facebook has clearly not created this database to just please the users, and that bothers me being in the privacy profession," says Francoise Gilbert, a data privacy attorney and managing director at IT Law Group. "There is a trend in what Facebook is doing. They keep invading people's privacy. It's OK to make mistakes occasionally, but what Facebook is doing is not making mistakes, but breaching trust."
In this case, Facebook is changing the privacy settings of individuals without letting them know. People are on Facebook because they want to communicate with their friends and community, but they may have been careful not to put their pictures online. Now if they are at a party and someone takes their picture and tags them, that picture will go in the Facebook database with the person's name and identity.
"Facial recognition is a real sharp double-edged sword," says Mark Lobel, senior partner at PricewaterhouseCoopers and a member of ISACA's external relations committee. "Until the application's usefulness and trust is established, the effect could be damaging to security and privacy organizations.
The question of trust in the case of facial recognition will have a much broader impact on the profession. The level of trust and reliance that can be placed on the company, its application and its usage will ultimately define our future.
Also, such concerns for data privacy and protection and more are resulting in enforcement of new privacy standards globally. For instance, the European Union has implemented a revised data protection law that regulates processing and free movement of personal data and is currently investigating Facebook's feature to measure for possible privacy violations.
"It is a bewildering time for privacy professionals," Hughes says. However, his advice to online technology companies like Facebook to address few of these concerns includes:
- Ensure privacy professionals participate as an expert voice at the design stage: Facebook should include privacy professionals when the product is up on the white board for the first time to ensure privacy is not bolted on to a product afterward, but rather built into the product in the development phase. "We don't need that piece of data for the service we are planning to provide, so don't gather it. These type of intelligent interjections from privacy professionals will ultimately add value in the future."
- Ensure privacy practitioners work closely with their human resources department: Understand their organization's social networking engagement and participate in defining appropriate privacy elements in policies that govern the organization and its employees' use of social media in the workplace. "Privacy professionals need to show significant caution in any use of social media in the workplace, and make certain they understand how facial recognition intersects with it."