Hacker News new | comments | ask | show | jobs | submit login
Facebook has auto-enrolled users into a facial recognition test in Europe (techcrunch.com)
440 points by Ours90 10 months ago | hide | past | web | favorite | 187 comments

To save time, they can already put out the PR release saying that they're sorry, that they didn't expect this, that anyway everything is very clear in paragraph 2.4.5.C.& of the Terms & Conditions, and that it won't happen again.

And 99.999% of Facebook users won't care. Most of those that do, can't leave Facebook because of "events." The rest of us will keep preaching to each other about how we're in a better place having never been of Facebook or having deleted our accounts.

And most importantly, they don't sell user data, so you can sleep tight.

Exactly, giving it away to anyone who signs up isn't _selling_ it.

and that they are only doing this to provide even more meaningful value for the Facebook community

'Our mission is to give people the power to build community and bring the world closer together. People use Facebook to stay connected with friends and family, to discover what's going on in the world, and to share and express what matters to them.'

We believe these changes further our goal of creating a product that is used and loved by the world, and that the best way to do that is for a price everyone can afford -- free.

and to "compete with China" according to the recent hearing.

But at least it will make the world more connected.

Could it be automated? that would really save time... for Facebook.

Can I apply to YC if I turn this text into a template? Fortune 500 company right here.

sure, I'll take 0.001% if you don't mind.

Right... And don't forget the part about how your privacy is important to them and they think about it a lot.

The tech industries proverbial "thoughts and prayers"

Most of the HN community despises regulations against tech companies, but it seems like nothing short of strong regulations and severe financial penalties will rein in the bad actors. We can't expect the companies and their CEOs to act out of the goodness of anything save for their pocketbooks. We've lost the presumption of good faith

I think bad PR and vicious backlash from the consumers against foul play is a stronger deterrent than some one time fines.

Yes, but the mechanism need not be "voting with your wallet". Instead, I put forward the mechanism "voting by voting". That is, such vicious backlash gets picked up by politicians, who act on it with regulation.

It's arguable whether bad PR and vicious backlash are working, or happening. As evidence I present... well, here we are.

Edit: added a word

I think there are no 'obvious' repercussions to the privacy and security issues that are affecting the general public.

For example, lots of companies have been hacked(Target, Equifax), and AFAIK there hasn't been credit card fraud on massive scale that has been reported in the media. It kinda makes people think that media is over inflating the issue(which it lots of time does), and just not care. We have been hearing about how this data will be used to say deny loans etc. but nothing has happened.

I mean even Snowden spying scandal just revealed the extensive spying. What exactly are the agencies doing with the data and how that negatively impacts me is not really clear for a general person. And I am speaking as somewhat tech literate person. Why exactly would an average person care?

Giving up privacy has, I think, almost become 'normal'

When it did work, like when Bill O'Reilly was pushed out of Fox News, the PR and public outrage aligned with a large faction within the company. It's a lot easier to push out or target individual bad actors than to reform the whole corporate structure.

How do you out-PR Facebook which is the biggest PR machine, in the long run?

The worst PR issue Facebook has in Zuckerburg.

Worst case scenario, he steps away and they hire a new likable CEO with a higher EQ. That's exactly what Uber did.

Why not both?

Nothing happened last 100 megabreaches, why would now be any different? The public doesn't care. Only media cares and only because Trump benefited.

Mark "hears you". He has it on a note to always remember it.

And the part where HN folks start complaining about it's super obvious and everyone who uses any internet service should clearly know that all of their data is going to be used for any and all nefarious purposes we could imagine, you moron.


This really annoys me. That was well over a decade ago. There is so much to criticize FB for right now. Do we really need to be so petty and oversensitive to always bring up an offhand remark he made as a college student?

Given that we don't know what his private conversations look like now, and that his actions still seem to support that position -- it's at least relevant. Deleting all Facebook executive messages by exception alone makes me think this wasn't the worst thing that could have been found.

> Given that we don't know what his private conversations look like now

I don't get it - he knows what our private conversations look like. Why don't we know his?

Now you're getting it!

He also spent 43 million dollars buying all his neighbor's houses, in order to tear them down, and tapes his webcam. For a guy who supposedly believes privacy is dead, he sure does value it.

Don't forget his Hawaiian privacy retreat, which last I heard he was building a massive wall around.

When people like Zuckerberg preach about radical transparency and privacy being an outdated concept, they're referring to the type of radical transparency where they themselves remain opaque, while the rest of the world becomes transparent to them.

I feel exactly the opposite. Yes, the recent scandals are much worse, both in severity as magnitude.

However, pointing to this "offhand" bragging remark he made long ago is actually very useful, because it clearly shows that his attitude to privacy and lack of respect for his users is a persistent problem with his moral compass.

That tune of "your privacy is very important to us" they've been singing for over a decade as well, it wasn't very believable then, when they kept changing privacy options that you basically had check your profile settings every few days to see if there was a new opt-out option you had to disable. I had a FB profile for a few months back then, before it creeped me out too much and I deleted it.

Today we find that Mark has a special superpower feature that allows him to delete private messages from other people's mailboxes. They try to cover this up by saying it's an upcoming feature to be rolled out to the public. Just to make sure, are there any people here that actually believed that excuse?

Normally I'd be in complete agreement with your point. I don't think it's right to judge people for stuff they did when they were young and stupid and arrogant. I said some cringe worthy stuff when I was young and arrogant too (though my moral compass was quite solid, I just lacked the experience to apply it well).

Mark Zuckerberg probably grew and learned too. But it seems he mainly learned that he shouldn't brag about these things in offhand remarks. Not much else.

Pointing to this remark therefore actually serves a very important purpose: The attitude displayed by Zuckerberg's actions is still the same as 10 years ago, he just sharpened his skills on getting away with it (until now), and it's foolish to assume he'll be better, it's foolish to assume they're really sorry (except for being found out).

Given the subsequent actions of the company, there is no evidence to suggest his views have changed. Or if they have changed, he has certainly taken no steps to right the ship.

Not that it won't happen again, but that "if we can't make sure we can make people's data be safe, we don't deserve the to be our customers".

The GDPR states you can only offer opt in and NOT opt out. This is not an opt in method, no matter how Facebook spins it. I hope the EU pulls them on this :)

Going by http://techblog.bozho.net/gdpr-practical-guide-developers/ anyway

GDPR doesn't go into effect until May 25. The article states that this is a test that will become opt-in at that time.

Jesus christ how evil can Facebook get? "We'll just sneak in this test to identify everyone before we have to make them opt into it."

What's even the point of opting out after that? That's some evil genius machinations.

Brings up a question about the GDPR: do you have to delete any data on someone, or just data they entered? If they get the facial recognition working so they can recognize people in instagram photos and whatnot, then they'll be able to have data on you even if you're not a user. It's part of why I never liked people "tagging" me in photos.

There is another big problem with the GDPR for international companies. I mean, how do we know you comply?

I work in the public sector in Denmark mind you, we have quarterly audits and despite having had a law that was pretty much GDPR levelalready, we’ve passed all audits. I don’t think we should have, I won’t go into details on this, but how do you audit 300+ systems, some of which the central IT department doesn’t even know exist because some rogue manager bought them? I have no idea, and I have even less of an idea on how you’d audit the cloud.

GDPR doesn't actually require that you delete date about anyone, it requires that you be able to dereference a user from their data after a defined period of time when you specifically request that your data is deleted.

This can include you having to directly contact the company in a way that isn't clearly visible within the app itself.

You're responsible for the data you store and have access to that can be linked to an individual.

The GDPR is quite clear on this.

do you have to delete any data on someone, or just data they entered?

A discussion of derivative data and models was sadly and sorely missing from Zuck's recent Congressional testimony.

GDPR is red herring. Current laws already require opt-in when collecting biometric data. From 2011:

> The Hamburg data protection authority on Tuesday ruled that Facebook’s facial recognition feature, which attempts to identify people in photos uploaded to the site, violates German privacy laws.

> Johannes Caspar, the head of the authority, said Facebook should not be collecting users’ biometric data – such as their face shape and the distance between their eyes – without getting their explicit consent. He has demanded that the social networking site change or disable the feature. All data collected so far should be deleted.

> Mr Caspar has given Facebook two weeks to respond. If the company is unable to make changes, Mr Caspar said the Hamburg authority would consider bringing legal action against it.

???? nobody and nothing has made fb or google move about this like GDPR. Local laws are made to be broken. If a court in Hamburg tells fb to do something then they can easily play it along.

GDPR enforces fines of 4% of their global revenue so that's the only reason for them to respect it.

Of course penalties for non-compliance have gone up. But collecting biometric data without explicit and informed opt-in, is already against the laws of many EU member states, and has been for nearly a decade. Facebook is walking on thin ice.

It seems they ask for permission, so the title that users are auto-enrolled may be misleading. But if they do auto-enroll: It is against the privacy laws already, no need to wait for GDPR.

About respecting local laws, I find this a difficult issue. What to do with draconian local laws that forbid ridiculing a president? But if it has to be a yes-no: I'd say, yes, obey local laws when you serve users there. Remove comments from Turkish IPs that slander their president, but keep comments from German IPs that ridicule Turkey's leader.

Protip: wait until 25th May to delete your Facebook account (if you're in the EU).

I doubt that will magically cause any laws to become retroactively applicable. Why would it matter?

GDPR includes the "Right to Erasure"/"Right to be Forgotten." After May 25, they are actually required to delete your data, not just a "soft delete."

They'll be required to do this after May 25th regardless of when you deleted the account. All personal information is in scope of the law, not just personal information of people who were customers after the enforcement date.

Who will be auditing Facebook to do this though?

Is the EU going to hire the Big4 in the U.S. to do this? Who is going to pay for that?

FWIW, Zuckerbot said before congress that if you request deletion, your data will actually be deleted, and I doubt he would dare lie to congress.

Then again, it's American congress, and what's the stat, how many of those congresspeople has he "donated" to?

Google ‘Zuckerberg lie to congress’.

You’ll find that there were plenty of statements that were on the line, crossed it or omitted key detail. Saying ‘I don’t know’ is also a lie if you do know, and there was a lot of that.


Eh, you can choose to believe Zuckerberg here. I personally have no faith Facebook will voluntarily permanently delete someone's data when they close an account. They have shown very little prior behavior that would lead me to find his statements on this to be trustworthy.

> I doubt he would dare lie to congress

He wasn't under oath so the stakes for lying aren't too bad.

May 25 at 12:01am - Facebook violates GDPR, and the EU has no way of knowing it or enforcing it.

The more I hear about this, the more the "GDPR" seems like mere "PR."

What's more likely, that the EU wants good PR and hopes that nobody will notice they're not accomplishing anything, or that they're representing their constituents by making widely popular policies and putting the onus on violators to supply them with evidence of compliance?

One whistleblower could do the trick. Plenty of FB staff in Europe.

Why not both?

Why? Does the GDPR mandate that Facebook treat the deletion request differently?

Yes, currently there is nothing forcing them to delete all the data, after GDPR takes effect if you send them a deletion request under the GDPR they are forced to do so within a month (or 90 days if there are special circumstances).

Does GDPR consider data in training sets and trained deep learning models as your data? It's kind of a small snapshot of your expected responses to some stimulus right, it's arguably more your data than anything...

If it's personally identifiable, yes. You also need opt-in (not opt-out or buried deep in a TOS) permission to use personal data in that way before feeding it to your learning model (since that use-case is basically never the primary purpose that the data was given for).

If you use any sort of automated system to make decisions about a EU customer that impacts their life in a significant way (like whether to ban them or not) you will also need to have some sort of appeals system where they can appeal to have the decision looked at by a human and potentially have it reversed.

>You also need opt-in (not opt-out or buried deep in a TOS) permission to use personal data in that way before feeding it to your learning model (since that use-case is basically never the primary purpose that the data was given for).

Huh, now _that's_ interesting. Do you have a source for that? I know some guys at work that'll be upset if I can prove that to them, given that their pet project is a MI personalisation system making heavy use of just watching everything everyone does in an identifiable manner.

(I'll be honest, part of the draw is being able to say 'I told you so'~)

A general point of the GDPR is that when you collect data, consent is given for a business purpose. The user has the ability to opt-in to different business use-cases if they so choose. Data collected cannot be used for a business case that was not consented to by the user.

This area is one that gets more legal-y than other parts of the GDPR, because in some cases you can use data without consent if it's legitimately required to provide the service the user asked for, and as far as I can tell there's not a lot of guidance on what counts as being a different business use. But yeah, personalization is usually not a strictly necessary feature of most platforms, so you're gonna need the user to opt-in to using their data that way.

This guidance is kinda spread out over the GPDR, but one area of relevance:


Pay attention specifically to (3), but also (1)(c) and (2). Part (3) quoted below:

  Where the controller intends to further process the
  personal data for a purpose other than that for which 
  the personal data were collected, the controller shall 
  provide the data subject prior to that further 
  processing with information on that other purpose and 
  with any relevant further information as referred to in 
  paragraph 2.

I think these are the relevant parts:

> When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

From https://gdpr-info.eu/art-7-gdpr/ paragraph 4

And the definition of consent is here:

> ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

From https://gdpr-info.eu/art-4-gdpr/ paragraph 11


'specific' and 'unambiguous' in combination seem to disallow the "bury it in the TOS" cop-out.

'informed' and 'specific' in combination seem to disallow the opt-out cop-out (since a opt-out permission is never specific, and basically never informed).

Article 7 paragraph 4 (the first quote) seems to disallow the usage of data unless it is necessary for the service.

Of course this is still all pretty untested in the courts, and IANAL but to me it seems pretty clear. If your primary service is not building a machine learning model based on your own users data you will need to get your users to opt-in for that specific use-case.

The data subject also has the right to know what the basis of the automated decision was, too.

Relevant GDPR text available at: https://gdpr-info.eu/recitals/no-162/

In short, aggregated data or statistical summaries is not constrained in the same way. I think you still need consent into to perform the aggregation/summarization, and said processing needs to ensure "statistical confidentiality," but such results are not PI.

(IANAL, and I'm still trying to understand this myself.)

So basically, the training set is under the GDPR if it includes PI, but the resulting model is not (unless you can extract PI from it), and you need user permission to use PI for training in most cases, right?

(Also IANAL, and also trying to understand)

A lot of this type of thing isn't clear yet and will be worked out when GDPR is enforced.

At my previous employer, we took a pretty comprehensive view and tried to play it safe, so at the very least any non-anonymous data in training sets would qualify. That does, however, already beg the question of why on Earth you'd need to train a model with non-anonymized data in the first place!

Trust me, Facebook will claim that they are special.

Even if they do, I can live with them having it for 90 more days after the 25:th. If enough people complain about them saying they're "special" to their countries data protection agencies I'm guessing it will lead to some inquiries as to how special they really are.

I think facebook, google and all the other big tech companies have already "war-gamed" this out and I think that they will comply without saying that there are special circumstances as much as possible, so that they can save that card for when they really want to use it.

I wonder how much of a difference that would make - after the gdpr is effective, if I ask them to, they'll have to delete their data on me, regardless of whether I have or had an active account in the then-past.

If you delete your account now, you will have to ask them directly after that. How do you directly contact Facebook (reliably)? It'll certainly be possible, but I imagine it will take a lot of time and effort

I'm confused, didn't you opt in when you clicked the checkbox to agree to Facebook's T&C?

A big thing in GDPR is that consent must be sufficiently specific and explicit. Long and generic T&C might no longer pass. Ultimately, I imagine the regulation will make a lot of lawyers richer as this kind of stuff gets hammered out in practice.

With GDPR, blanket "opt-ins", I.e. clickwrap, won't suffice. People need to give informed consent, meaning key uses of personal data must be explained in plain language. Hopefully this will lead to a lot less abuse of I Agree to Everything and any Future Changes type of TOS.

Yes, you did. This is just another clickbait headline. GDPR - when it becomes active - will outlaw the opt-out strategy. But there is nothing legally wrong with it today.

No, the existing privacy legislation already requires opt-in for processing of biometric data; GDPR makes many things stricter, but much of it is already a legal requirement.

Apparently Facebook's well-trained legal team disagrees with your assessment of European law. Facebook isn't stupid; they wouldn't have done this if it weren't legal.

You have to give consent to every use of your personal data. You can't agree to them using your data for 47 different purposes at the same time.

What if they claim people opted in? How can anyone prove or disprove that without a signed piece of paper really?

This will be forced with a challenge. With clickwrap super-generic consent being disallowed under GDPR, it's only going to take a single challenge where FB doesn't have the explicit consent for gov to start levying fines.

Anyone can pull up a piece of data to claim they have consent, you need something like a signature otherwise it is words against each other. There is no way to verify consent with some click through, anyone can click a link in someone else's name or create a record in a db that says so.

Makes sense. Think of all of the spam e-mail messages you get with tiny text at the bottom reading something like "You are receiving this e-mail because you signed up for {$web_site_you_never_heard_of_before}."

you can always opt out by moving out of europe /s

Yeah, let's see one of those "4% of global revenue" fines they were talking about. Would be about $1.6 billion based on Facebook's 2017 financials.

This was originally misreported, and has now been updated. It appears users have not been auto-enrolled.

Article title is now "Facebook starts its facial recognition push to Europeans".

From the correction:

"This article was updated with a series of corrections after Facebook confirmed the notifications are in fact the rollout of its new consent flow, not part of the earlier tests. It has also told us categorically that no users were auto-enrolled in facial recognition tech in Europe — even in the test. So we’ve updated this article accordingly."

Opt-in doesn’t take effect until May 25, so there’s nothing legally wrong here. It’s also not disingenuous for Facebook to explain the benefits of the service to the user so that they understand the impact before they disable it.

TechCrunch has been one of the leaders of the anti-Facebook bandwagon recently, so it must be serving them well. I’d imagine they are getting lots of clicks to these articles, and, ironically, are making substantial amounts of money from showing lots of highly targeted ads on them. They are also undoubtedly using just as many if not more third party tracking tools than the sites they like to skewer for this practice. One would be wise to read their anti-Facebook articles with the understanding that they have an economic incentive to play to their audience by placing a negative spin on everything the company does.

> there’s nothing legally wrong here

This attitude is mirrored at Facebook, in Zuckerberg and throughout its culture: Abuse the user to (and past) the limits of the law. It is why nothing will change until the EU or the DoJ break Facebook up.

Has there been a proven (in court) accusation that Facebook has “abused users” “past” the limits of the law?

> Has there been a proven (in court) accusation that Facebook has “abused users” “past” the limits of the law?

Many times. The FTC consent decree [1], the violations of Belgian law [2] and the violations of German law [3] come to mind. (In each case, a court ruled or supervised a settlement. In each case, Facebook continued breaking the law.) There are many more.

Facebook's culture is broken. The precedence for such lawless cultures is they get broken up or they go Enron.

[1] https://www.ftc.gov/news-events/press-releases/2011/11/faceb...

[2] https://www.reuters.com/article/us-facebook-belgium/facebook...

[3] https://www.cbsnews.com/news/germany-facebook-court-case-pri...

With regard to the FTC, the agreement with them was reached specifically to keep it out of court. No judge or jury ruled on the merits of the allegations. A judge may have been involved, but only to approve the terms of the settlement. To my knowledge no US court has ever made the kind of finding you were implying they have.

With regard to the European countries, I guess I should have been more specific in my question in limiting it to the US. Finding of fault by European courts/governments against large US corporations is nothing new and doesn’t imply any illegal intent on the part of the accused. Cash-starved, often socialist governments found throughout Europe will always find ways to use their broadly written laws to obtain badly needed government revenue from US corporations. In fact GDPR is just a massive expansion of this strategy.

Convenient that all the courts and regulators, acting under court supervision, that have ruled against Facebook are illegitimate. First time, too, I've heard of modern Germany being referred to as lawless.

I didn’t refer to Germany as lawless. In fact they have gone the other direction - they have laws on the books that are so broadly written that any foreign corporation can be caught up in them without intent to violate them. It’s also rather convenient that with GDPR, Europe has created a sweeping regulation that happens to disproportionately affect and is sure to generate massive fines from deep-pocketed corporations based outside of Europe. Do you think that is a coincidence?

> Do you think that is a coincidence?

Facebook broke laws, was fined by courts and regulators in multiple countries, kept breaking laws, made a mess on both sides of the Atlantic, lied about what happened and then tried to throw it under the rug. Meanwhile, leaks from inside show zero repentance or even cognizance among employees of something having gone wrong.

The EU is addressing this failure with regulation; we'll solve it more decisively by breaking Facebook up.

we'll solve it more decisively by breaking Facebook up.

Good luck with that. Facebook is not based in a socialist country. In Europe, by now they’d have undoubtedly been broken up or even taken over by the government, with revenues either flowing directly to the government or collected through high tax rates, fees, and fines.

That is not the case here, where Facebook is based. I barely use Facebook for personal purposes, but I respect their right to exist, innovate, and make a profit. I also have a sense of logical personal responsibility that seems to be missing the the anti-Facebook folks. When I share something publicly, I fully expect that it will be...shared publicly. When I agree to be bound by the terms of conditions of a website...I agree to be bound by their terms and conditions. Somehow that is lost on all the people whining about it. How can anybody do business with or even employ people that publicly state that they do not recognize contract law?

>> In Europe, by now they’d have undoubtedly been broken up or even taken over by the government, with revenues either flowing directly to the government or collected through high tax rates, fees, and fines.

Large companies based in Europe that haven't been "broken up and taken over" by "the government":

  Royal Dutch Shell (UK & Netherlands)
  BP (UK)
  Total (France)
  Volkswagen (Germany)
  Daimler (Germany)
  BNP Paribas (France)
  Carrefour (France)
  Banco Santander (Spain)
  Fiat (Italy)
  BMW (Germany)
etc. etc. etc.


I think you're implying that the GDPR is a money-grabbing scheme that the poor, cash-strapped EU pulled to fill its coffers with much needed cash.

Well, the EU is the second largest world economy, by GDP. Maybe some destitute developing world nation might need such a trick to bring in some cash. The EU? Not so much.

>> Do you think that is a coincidence?

What is certainly an amazing coincidence is that this kind of legislation was passed in the EU and not, say, the US, China, or Saudi Arabia, or some other nation with their impeccable human rights record. It's almost as if the EU is actually trying to protect the rights of its citizens.

I think you're implying that the GDPR is a money-grabbing scheme that the poor, cash-strapped EU pulled to fill its coffers with much needed cash.

The EU as a whole is the world’s second largest economy. However, the GDPR is up for unique enforcement strategies and legal interpretations in the courts of 28 different EU countries. Having users intentionally set up a company to be subject to fines under such a broadly written law is a trivial matter.

Picture this: A local government attorney simply looks for technical violations of GDPR according to their own country’s strict interpretation of it that even the corporation themselves couldn’t have envisioned. Then they simply have a government agent sign up for the site and take screenshots as proof of the “violation” that the specific country has invented. They put the matter in front of a patriotic local judge who is aware of how much his town could use a new park and is tired of reading about how rich US internet entrepreneurs are getting. Boom, instant millions - they might even name the town’s new park after the judge.

The poor EU countries will use this to suck up as much revenue as they can from what to them are faceless US corporations. The larger ones will use this to give local competitors a leg up by fining international competitors to death. It’s a smart strategy I suppose, but as with most heavy-handed government attempts to control and exploit the free market, it is quite likely to backfire.

The final arbiter of EU law is the court at Strasbourg. US companies are free to take up the matter with the Court, if they don't like the way particular countries spin the GDPR.

I assume next we'll be talking about Strasbourg judges pocketing a cut of the fines imposed on Facebook etc?

Strasbourg court does not override local highest courts, they have different kind of work to do - they override laws that are against EU regulations. Strasbourg court is there to determine if an implementation of a regulation is in line and might overrule it (the law), but if it is in line, then they will not (and can not) help the company at all. And since GDPR is very broad, it's very easy to come up with absurdly strict laws that are perfectly in line with the regulation, and even the poorest EU governments have an extreme abundance of legal resources compared to even the biggest companies. Strasbourg court is not the highest court instance (that's the local highest/constitutional court), there is no such thing in the EU, the EU is not a state.

The way it goes is that cases cannot be appealed directly to the ECJ, rather the local courts can refer questions of EU law to the ECJ at their discretion.

That normally happens when a case has been appealed all the way to the highest national court. So for this little money-grabbing scheme we're discussing to work out, the higher courts of -some? all? many?- member states of the EU must all be in on it. This, in a region of the world with some of the lowest corrpution globally.

I don't want to say the words "conspiracy theory" but that's where this whole discussion has been heading to, from the get go.

I'm not supporting this "conspiracy theory", I'm just saying that the Strasbourg court isn't an "ordinary" highest court like it is in other parts of the world or within local jurisdictions.

If the local implementation is in line with the regulation (and as I said, GDPR is extremely broad and allows extremely strict implementations), the Strasbourg court will say that it's perfectly OK - there is no need for other countries to be in on it. They might feel like it's bad, but they can do nothing, their job is to judge whether it's against the regulation or not, nothing else. If they wish to change it, they have to go through the usual route of gaining support in EU commission and EU parliament - and that change will not be retroactive.

What you're saying would be needed if the strict implementation was against the regulation - then it would require a change of the regulation and yes, that needs cooperation of other countries; but the regulation already is broad, there is no need to change it if someone wanted to make this "conspiracy theory" a reality.

And lastly, we're speaking about money making schemes of the poorest or most indebted EU governments, you're talking about low corruption, but in these countries, it's the exact opposite - they have much higher corruption indexes than the average: https://en.wikipedia.org/wiki/Corruption_Perceptions_Index - see stats of e.g. Macedonia, Greece, Italy.

Macedonia is not in the EU, and it will not be allowed in until it resolves its name dispute with Greece and sorts out its finances and political issues.

So we're talking about malicious action by higher court judges in Italy and Greece, specifically and only in those two countries? Or are there more countries that have high enough corruption that their higher order judges might think to make a bit on the side by applying the GDPR too broadly?

How many poor EU countries are we talking about here? And which ones exactly? Greece, Italy- who else?

I'm not sure why you're talking about judges making money on the side when the original "conspiracy theory" was about governments making money, not about corrupt people making money for themselves. We're talking about action by a government against a corporation. I'm not even sure why are we talking about corruption, this has nothing to do with it.

This is not about judges applying GDPR. The lawmakers will apply it, and then the state could sue a corporation for breaking laws. Local highest court will then eventually look into the intent of the local implementation and see that yes, this was the intent - and the corporation will need to pay up, because the court can't change laws, they can only cancel them in a few special cases (specifically if a law is ruled unconstitutional by a majority of the country's constitutional judges). The corporation then has an opportunity to go to Strasbourg, but since GDPR is very broad, its chances would be very slim - and most probably none.

About Makedonia - you're right. Croatia is entering the EU though.

>> The lawmakers will apply it, and then the state could sue a corporation for breaking laws.

The GDPR is a directive- it doesn't need to be passed into national law.

Are you talking about national laws that implement regulations similar to, but distinct to the GDPR?

>> I'm not sure why you're talking about judges making money on the side when the original "conspiracy theory" was about governments making money, not about corrupt people making money for themselves.

For the government to make money, the judges will need to find against the various companies. But why will the judges sit idly by and watch the government making money out of a racket they themselves make possible, without asking for a cut?

Or, to be more precise- what is the incentive for the judges to do the government's favour and interpret the GDPR in the broad manner required for the conspiracy to work?

>> About Makedonia - you're right. Croatia is entering the EU though.

So it's three countries- Italy, Greece and Croatia? Is that right?

> The GDPR is a directive- it doesn't need to be passed into national law.

Not true, it's not optional.

> Are you talking about national laws that implement regulations similar to, but distinct to the GDPR?

The GDPR is a directive - it sets sort of a framework that the local implementation have to be based upon. It sets some boundaries, but in case of GDPR, the boundaries are very broad (compared to other directives).

> For the government to make money, the judges will need to find against the various companies. But why will the judges sit idly by and watch the government making money out of a racket they themselves make possible, without asking for a cut?

No. The public prosecutor will fight (and for these guys, it's about the ideology that the law must be followed, most of the time), the judge will just... judge. Their job is to judge whether someone follows the law, they would be doing their job. Are judges (or public prosecutors) asking for cuts from compensations to road crash victims?

> Or, to be more precise- what is the incentive for the judges to do the government's favour and interpret the GDPR in the broad manner required for the conspiracy to work?

None, because that's not their job and no one is asking them to do that. It's the lawmaker's job to implement the directive and the output of that job is a law - and judge's job is to judge whether a person (legal or not) follows the law - as in the local implementation, not the GDPR directive itself.

This works like this: Countries are required to implement EU directives into their local laws, but the directive itself is not a law - if the country doesn't implement a directive, even if someone violates it (inside the country, cross-border is another issue), the company will not be persecuted (but the government will be - by the EU).

> So it's three countries- Italy, Greece and Croatia? Is that right?

I don't know, it's not my "conspiracy theory". I'm just talking about the inner workings of the EU and have said that not every EU country is pristine clean. But I suppose you could add some of the Baltic states, Romania, Hungary and maybe Poland (if they continue their way down with PiS). We will have to see what happens in Slovakia, for a while it looked really bad but now it seems like they're back on track. In the Czech Republic, the German/Austrian corporate owners wouldn't allow it.

>>> The GDPR is a directive- it doesn't need to be passed into national law.

>> Not true, it's not optional.

Actually, I was wrong. The GDPR is not a directive, it's a regulation (the R in the name is for "Regulation"). As such it requires no national legislation to be passed and is immediately applicable in all member states:

A regulation is a legal act of the European Union[1] that becomes immediately enforceable as law in all member states simultaneously.[2][3] Regulations can be distinguished from directives which, at least in principle, need to be transposed into national law. Regulations can be adopted by means of a variety of legislative procedures depending on their subject matter.


So it seems like the conspiracy theory is dead in the water. The local governments can't legislate as they wish and the local judges can't interpret as they want. I hope we're all happy now that justice won't be perverted?

>> I don't know, it's not my "conspiracy theory". I'm just talking about the inner workings of the EU and have said that not every EU country is pristine clean. But I suppose you could add some of the Baltic states, Romania, Hungary and maybe Poland (if they continue their way down with PiS). We will have to see what happens in Slovakia, for a while it looked really bad but now it seems like they're back on track. In the Czech Republic, the German/Austrian corporate owners wouldn't allow it.

OK, it's not your conspiracy theory- but all this is wild speculation and it is your wild speculation. There is absolutely no reason why you would expect the countries you list to do the kind of things you say they would. And these are not the "inner workings of the EU". It's all just fantasies.

>> Cash-starved, often socialist governments found throughout Europe will always find ways to use their broadly written laws to obtain badly needed government revenue from US corporations.

Which one is Germany? "Cash-starved" or "socialist"? And Belgium?

It's not legally wrong, but in the light of recent public outcry it comes off a slap in the face. A legal one, true. Maybe techcrunch has some incentive in pushing this content and should disclaim it, but it doesn't change the opinion that users can have of that action.

There is something legally wrong in multiple EU member states: Collecting biometric data without user consent was ruled illegal.

> Facebook has introduced this [facial recognition] function in Europe without informing users and acquiring the necessary consent. Unambiguous consent from those affected is required by the European as well as the German data protection law.

> For users whose biometric facial characteristics have already been incorporated into the database operated by Facebook, this consent needs to be acquired retrospectively.

> The preliminaries for legal action are now being prepared,

-- The Hamburg Commissioner for Data Protection and Freedom of Information, 2011.

As for the current bandwagon of hate, this is basic news cycle stuff, and it would be hard to single out anyone. In my opinion, Facebook deserves this extra negative scrutiny, and has to make up for this lost trust with better privacy controls and privacy-friendly PR pushes. This latest breach of the EU data protection laws is not helping users and public perception (but probably helps Facebook gather data while it can).

I still have a Facebook account (which I'm slowly backing away from), here's how I (hopefully) poisoned their facial recognition data.

My profile photos have always been untagged group photos or me in a Halloween costume, etc.

Upload stock photos:

1. Go to https://www.shutterstock.com/search?searchterm=person+model&... Play with the search terms to get people sort of like you.

2. Download a few dozen images (or more). The site gives you the options of finding other photos of the same model. I figure it's probably good to have the poison data be somewhat self-consistent.

3. Upload them to Facebook and tag yourself and your friends in them. I kept them in a non-public album, so I wouldn't spam my feed with this stuff. I suppose I could make them public later, once they're a little old.

4. I've also done this on my girlfriend's account, as well as a couple close friends.

Reverse tag:

When I used to upload and tag real group photos, I'd swap the tagging (e.g. tag a friend as myself and myself as my friend).

I also try to keep the volume of poison photos far larger than real ones. I don't personally upload and tag any photos of myself anymore.

I've always kept the facial recognition stuff like this turned off, but I don't trust Facebook to not to reverse the setting just because it wants to. Eventually I want to delete my account, but I can't just yet due to event invites.

You're likely just putting a lot of effort into helping them test an edge case where tagged photos really don't match. You're probably doing them more of a service than all the normal account users.

I'm not so sure. If that was really a case they cared about, it would be easy for them to generate their test cases themselves.

Seems like a lot of effort to correctly identify a microscopic portion of their users.

I try to equally tag my face and my wife's face (50/50).

That way (even though she's still tied to me), their system can't determine which is hers vs mine - thus it probably has some really funky results. I no longer appear in auto-tags for reference.

Why are you even using Facebook at this point? Your putting this much effort into “confusing” Facebook yet you still share images of you and your wife. I don’t understand.

It's still an easy way to share images of oneself and ones's spouse. The people citilife is interested in sharing those photos with probably are friends with both citilife & citilife's wife, so they come through fine.

Also, leaving Facebook doesn't do much to remove pictures of you. On my feed, most people are posting pictures of their family and friends (& pets & sometimes food) moreso than of themselves. To get your face off of facebook you need to get your friends & family off of facebook. (& your pets since evidently they can have accounts and post pictures).

Might want to add a step where you make sure to strip any information that allows them to find the source, they might look at EXIF data or even do a reverse image lookup to identify false positives.

Disclaimer: I have almost no understanding of how machine learning works under the hood.

Couldn't this potentially assist in their facial recognition software improving?

My understanding is the current crop of machine learning algorithms depend heavily on good training data ("gold data"). If they're training a model to recognize my face, they need accurate training data for my face.

I am glad, I do not need to worry that much about these things, thanks to my /etc/hosts file[1].

[1] One of many versions: https://gist.github.com/thomasbilk/1506210/2d20f47bbcca75b2f...

If the bits going through your router were the only way Facebook gathered data about you, that would make sense. But it's only one way. You don't even need to have a Facebook account to have a Facebook profile.

So how is Facebook filling up my profile with no input data? They might create a profile based on data my friends publish, but they won't be able to connect it with my IP or my identity.

There's a whole Google full of information on this.

I found none, that's why I'm asking. There is technologically no way to connect me (my browser/phone that sends no information to FB) and my "profile" made up by a few photos of me that my friends have uploaded.

I had tried to implement similar blocks through uBlock Origin and similar browser addons, but this seems to be the most robust method as I use multiple different browsers on my primary computer.

Also, editing a hosts file does nothing on FB's end (which is what this article/discussion covers).

You can use also a local DNS server for your whole home network. If you think it is too much work you can use something ready-made like pi-hole [1]. The nice part is that it will work also for your phone while you're on wifi.

[1] https://pi-hole.net

I'm in Europe (England) and when i fired up facebook on my phone this morning, i got the option to opt out of this. The accept it button was the default and obvious button to click on though.

To be fair it wasn't default. It was just blue while the other was grey. I found the process to be quite easy however at the end the had "see my other options" in grey writing and I accidentally clicked away before I saw it so they certainly abuse dark patterns.

The "see my other options" link at the end leads to a page that explains that there's no way to use Facebook without consenting to the requests on the last page, gives you a button to download all your data and one to delete your account.

Overall, I found the UI pretty good, the buttons for the alternatives (non-consent) were clearly labeled, and they explained well what they were going to do with the data.

Yeah thats what i meant. The coloured in button to catch your eye if you're in a hurry. I was quite surprised to see being asked for such things. Whether that actually makes a difference or not i guess we'll never know.

So I guess we can expect to be asked this once a week in an increasingly deceptive way until people either by accident click yes or they click yes just to get rid of the popup.

Does GDPR apply in the UK post-Brexit?

Yes, it’s already been passed into uk law

If UK participates in EHP Norway-style, then yes.

We've got at least a year before that happens.

Cultural rot, combined with an unrepentant leader, means the company can’t be saved.

Am I the only person who is getting annoyed at these increasingly hysterical articles shrieking about Facebook’s supposedly deceptive practices?

Because for christs’ sake, Facebook is one of the most OPEN and transparent tech companies around when it comes to data privacy. Many companies out there are far shadier when it comes to this stuff.

Let’s face it, no one wants to pay for Facebook. Personal data for advertising is pretty much the only way Facebook can exist.

The news media has a way of using the "wave". The barrage of articles with FB caught with it's hands in the "cookie jar" will contiue piling up. And a lot of them are just trying to get on in the action but some - like this one here - are genuinely upsetting and need to be reported.

The issue here is not the business model of FB but the sneaky ways it tries to make it seem something completely else. While the audience here at HN and similar forums are more than aware of the business model, I'm pretty sure if I asked my mum about it, she'd draw a blank or would not be completely informed. It's to a population like this who are most likely to fall for dark UX patterns and other shady ways FB uses for getting an uninformed consent.

And that's not right. I think, the outrage is not about the business model as much as it is about (un)informed consent. Sometimes - like in this story - almost while cocking a snook in the face of regulatory authorities.

>> Am I the only person who is getting annoyed at these increasingly hysterical articles shrieking about Facebook’s supposedly deceptive practices?

I don't know about that, but a few years back, when joining Facebook was all the rage, I, personally, was getting very annoyed at every other article in the press reporting what happened on Facebook and having everyone I met asking me, first for my facebook, then why I don't have one, then looking at me as if I was an alien when I explained I didn't want to hand over my personal data to some internet company.

From my point of view, this is not hysteria, it's a backlash brought on by the adoption of a fad by people who never considered the consequences of their actions and who only now start to wake up to them.

And I fervently hope that the current fad, of dissing facebook, will keep for at least as long as the fad of joining it has kept on.

i’d pay for a facebook that didn’t track me everywhere for advertising, reorder friends’ posts in order to “maximise engagement”, and generally had a user experience that was driven by... yknow... user experience

taken another way, why would you pay for email when you have gmail? well there are plenty of people that do! i’m one of them, because it provides a far superior experience, and you know exactly where they get their funds from

What's with the clickbait title? The title from the article is:

"Facebook starts its facial recognition push to Europeans"

Did it change? Please change. @dang @sctb

Is this a joke? Is Facebook becoming a parody of itself? Are the inmates running the asylum?

Irrespective of the legality, it's bizarre that they would roll out some creepy, facial recognition right now...especially in Europe.

There are way too many emotions and little facts provided in this article, it's a really hard read tbh.

"Art. 7 GDPR Conditions for consent

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."

A question to ask of Facebook is whether collection of such personal data as facial recognition is necessary to provide the service the user wants.

For example, if the user wants to keep in contact with a friend through Facebook, is facial recognition necessary for Facebook to provide that service?

If it is not necessary, and Facebook asks for consent anyway, then should the user be able withhold consent and still receive the service she wants.

If not, under Art 7(4) is there an argument that consent was not freely given.

Facebook could try to argue that facial recognition is "required" to provide the service, but what if the existing user only wants the service she enjoyed in the past (without ever having to consent to facial recognition).

In sum, is it possible for users to reject new "features" and still receive the service they want, if those "features" are not necessary in order to provide the service.

Are facial recognition "necessary" to provide the service to users that users want or is it necessary to provide service to advertisers that advertisers want.

Who wants facial recognition? Is it the users choice.

   Do you want to turn on facial recognition?

   [ ] Yes
   [ ] No

This doesn't sound substantially representative of my experience of being presented with this earlier today.

As far as I can recall, I was presented with two options: enable facial recognition; and reviewing my other options (which I clicked), which were something like confirming my decision to decline, and downloading my data and closing my account. It was a fairly brief process, so my memory isn't precise. I do recall that I wasn't automatically enrolled into facial recognition, though - I had to make a conscious choice either way, and although it was obvious that Facebook were encouraging me to opt in, it didn't feel like I was being tricked or coerced (perhaps save for the example of safeguarding my identity).

The process I went through in my desktop browser was not the same as the one I've seen for screenshots of the mobile process.

Not only is the tech turned on, but users who click through to the settings to try and turn it off will also find Facebook attempting to dissuade them from doing that — with manipulative examples of how the tech can “protect” them.

Facebook is such a bad actor, I hope that politicians figure out that they could make a name for themselves kicking them in the teeth. Hopefully GDPR can come in and hurt them too. I realize that the default attitude of many in tech is that most people don’t know or care about this, but I think they’re wrong. People do care, but it takes time and repetition to make the point stick. Helpfully Facebook only has two speeds: scumbag, and turbo-scumbag.

All around the world, we need to start electing politicians who understand technology, know what dark patterns are, and can intelligently fight for us.

> I realize that the default attitude of many in tech is that most people don’t know or care about this, but I think they’re wrong.

I agree, and I think the actual problem is that a majority of people don't know why they should care, or even know that they should in the first place. "I have nothing to hide" is something I hear far too common, after all.

It's actually a bit worse than just that, and something akin to tragedy of the commons.

The people who actually do have nothing to hide (by which we mean, "the dirt on the individual is so pedestrian that even if it takes zero effort to find it, nobody wants it") stand to benefit from the features and interactions these tools enable. Those who do have something to hide become second-class citizens, forced to do things the slow, manual way that other people can automate away by trading out their privacy.

We head into a techno-underclass dystopia if we let individuals decide to adopt privacy-compromising technologies, because those with worthless privacy can gain the benefits and will not refrain from doing so to the relative detriment of those who cannot.

Personal opinion: "It's not my problem you can't participate fully in our society because X" is a very American opinion, which is why I think there is such culture clash between Silicon Valley corps and the EU.

You just gave me another way of thinking about it, thanks. Although I also think the benefits of social media might be overstated.

> "I have nothing to hide" is something I hear far too common, after all.

That phrase always bugs me. Especially with its origin and connection to oppressive government regimes. How did a phrase used to illustrate tyranny and used by Nazis become a catchphrase for the public?


I don't understand why this is getting downvoted. It seems to be a genuine statement.

It appears that many people on Hacker News don't like the idea of politicians knowledgeable enough to counter bad behavior by tech companies. It's pretty entertaining when Senators ask stupid questions during the Facebook hearings ... and it also decreases the chances of Congress doing anything useful.

Great point about electing politicians who understand technology. Shahid Buttar (who's running for Congress in SF) talked about this in a short video last week - https://www.youtube.com/watch?v=94IC5JVA_MU

This cascade of privacy scandals seems quite well timed on Facebook's part; if all the blatant issues get publicized then "resolved" just before GDPR's May 25th start then they can extract the maximum value while facing no penalties. How annoying!

Facebook is categorically in-capable of cleaning up their mess. There is no way they will get all their blatant issues out of the way in the next 35 days.

Logging in today, from europe, I received a modal about some updates.

It stated that there are some updates i'll need to review:

One of them, the facial recognition feature.

""" Here's what we'll ask you to review: An option for turning on face recognition """

Full modal can be seen here: https://img1.picload.org/image/dogcpgci/selection_122.jpg

Clicking Get Started I received some information on GDPR and their data usage:



Clicking "Manage Data Settings" I was given some examples on data usage:


Clicking "Continue" I received this modal, with 3 datapoints that are used.


Obviously, Facebook processes more data than these three. It has never really been a dating app and that is definitely not one of their main focuses.

Anyway, I went on to remove my "Interested in" datapoint. Prompting an "are you sure" modal:


After clicking remove this single datapoint was removed:


I expected this flow to continue, but looks like that was it. I decided to stop here and not "Accept with changes". There was NO chance to opt-out of the facial recognition program:


They're obviously trying to go with "these three groups of data are protected and need opt-in". The rest, yeah - we need that to provide the service.

I also have another tab open, that works, so I'm not really blocked from using the site. At-least for now.

Edit: opening Facebook in new tabs, no longer starts this modal, even though I haven't accepted the new changes.


Edit 2: Went looking, and googling, trying to opt-out of the facial recognition program.

Here are the options I have under Privacy:


Here are the options I have under "Your Facebook information":


Clicking "view" under Managing your information I get this very (un)helpful help page:


Choosing Facebook I get these options:


Choosing "Change my face recognition settings", the send button is still disabled, but I get this very helpful link to "also edit your face recognition settings", the link points to "https://www.facebook.com/settings?tab=facerec", but actually takes me back to my "General Account Settings":


As far as I can understand, there is no way to change face recognition settings in the flow I received from the A/B testing gods. Might have something to do with me not agreeing to the changes in the first modal.

In Europe after all the stuff they just went through implementing the new privacy stuff for them? Someone must have missed the memo.

You assume someone missed a memo and it wasn't intentional.

Facebook is very good at missing memos. It makes them quite a bit of money.

am I the only one who is cynical enough to think that they might be doing the face recognition already for a while. its that with GDPR they may have to disclose it so they are making a pretext that we just enabled it please feel free to opt out now that we have trained our models anyways.

I had a huge in-you-face, fixed notification in messenger telling me about new terms, and it asked me about face recognition and I had to answer if they were allowed to look for my face, with no default answer chosen.

This did not feel like they were trying to trick me into anything.

Who will be auditing Facebook to ensure they actually comply with GDPR?

E.g., I live in the EU and send over a delete request. How do I ensure my account's data was actually deleted? Am I supposed to just trust Facebook?

yes. how would you enforce that? fb can keep your data in a server in hawaii that nobody knows about.

I sincerely hope Facebook continues making stupid moves like this, because they've spent over a decade earning the right to be the first company to be "made an example of" via the GDPR. It would be a shame to see their years of effort go to waste.

It would not surprise me in the least if Facebook was the primary example used by GDPR creators while crafting the regulation.

“In general” this would be something Zuck’s team can look at.

Have we reached peak facebook yet? Is there a name for these serial outrages that pop up every 2 months? I get it, it's good clickbait but does it need to follow us here in HN?

facebook is the next AOL, geocities, friendster, myspace etc. You never hear anyone saying I'm going to cancel my 'Search' account. The kinds of things you are seeing now happen with 'social media', not algorithmic search companies.

> You never hear anyone saying I'm going to cancel my 'Search' account.

Today I saw a fellow DuckDuckGoer in the wild. That's effectively someone who, like me, cancelled their Search account.

To be clear, I agree with the sentiment that search and "social networks" are fundamentally different. I just don't agree that search is immune from blowback from hightened privacy awareness.

i m referring to outrages. before facebook it was net neutrality, before that, something i dont remember. it has become a media pattern.

Good. That's generally the only way the general public can counteract the abusive behavior of entrenched and powerful organizations.

A common tactic used by large businesses is to stay silent and ignore public outrage, because the public usually doesn't have the time, money, or energy to maintain the pressure of the public voice against a single target. By ignoring the outrage most of the time the public moves on to the next scandal and the original abusive behavior can continue unchallenged as the "new normal".

If you're seeing a pattern of outrage, that's a sign that people are very angry and might - if luck is on their side - actually force one change in the public interest.

For a longer explanation of this topic, I recommend Jim Sterling: https://www.youtube.com/watch?v=a6lvDL4cNdM (strong language)

Why is it ok to be filmed and face recognized by surveillance cameras on train station but it is wrong when Facebook does it?

In my opinion I don’t need to use facebook and give them my data voluntarily but I kinda need to use the train and nobody is asking me for right to do face recognition.

Who said it was OK to be face-recognized at train-stations? I don't think that is/should be right either

Germany did yet you don’t see people making a fuss about it. As much as I hate Facebook I think a lot of people just complain about it cos it so high profile. But if you don’t care about privacy everywhere, what does make Facebook special case?

People certainly made a fuss about the face recognition trial in the train station.

But we Germans seem to be irrationally against data collection by companies compared to government data collection. Google street view was another case that made this apparent.

Exactly my point, personally i am much more worried about government surveillance, my point was that facebook is an optional thing and very little people really need it (places where facebook is internet) as compared to real environment around you in which you live.

And to me that is really surprising, GDPR allow government almost free hands when it comes to data collection, which for me is the scary part.

i might be going around this the long way but english is not my strong side.

The requirement to use facebook is not a legal one, but a social one defined by friends and family members who insist on using it (a.k.a. the networking effect).

In theory, governments can define and implement draconian checks on how collected data is processed by itself. People seem to trust that theoretical ability more than companies claiming to implement rigorous standards, but can do so without direct outside oversight or control. This is independent of whether it is actually true.

I wouldn't doubt if Palantir explored this avenue. I'm not saying I support the so-called panopticon, but this is definitely happening at some level. I wouldn't doubt if the disconnect between governments (with tools like Palantir) and people is even larger than that between companies and people.

Other people (aka your friends and family) are uploading your data to Facebook regardless. You don't have a choice both times and both are bad.

uploading my images, specially taken on public ground, is not in any way illegal. And i am unable to influence if someone will put them on facebook or upload them to porn sites or use them as meme on 9gag...

if my picture ends up on random site and gets picked up by robot that does face recognition what can i do about it?

Whataboutism. Both are wrong.

whataboutism? sorry, what? i thought taking precedents was standard practice in law...

This isn't about law. It's about what people consider acceptable.

Also precedence is really only a thing in common law countries (mostly the english speaking world) and not most countries in the world.

I was not talking about the law, but about similar cases where face recouia used without consent...

FindFace in Russia had a feature where you could take a photo of anyone and it would look up their VKontakte profile. Would be nice if Facebook did this. http://www.dailymail.co.uk/sciencetech/article-3595026/The-e...


Ok, so I now have the following question: what if I’m evil (that kind of evil person none can imagine would exist on Facebook), and I impersonate for example someone else - like my ex for example. Will I get notified about every photo they upload of „me“? Isn’t this decision going to be a total privacy clusterf* even beyond what is currently imagined? Or won’t they show me pictures of „me“ that were uploaded privately by others at all - then this feature doesn’t make sense. Please help me understand

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact