Pictures, Online Tagging, Facial Recognition and Privacy: A Study by the CNIL

 In a recent article, published by the Huffington Post, Isabelle Falque Perrotin, the President of the CNIL * , summarizes the findings of a study that the CNIL had commissioned on the use of photos in social media.

The study was conducted by TNS Sofres on a national sample of 1554 people age thirteen and up.

The CNIL had commissioned the study in light of the explosion of photo sharing on social media in recent years. For example, every day, more than 300 million photos are shared on Facebook alone. In conjunction with the development of facial recognition technologies and the searchabilty of online pictures, the stakes for privacy are high.

Here are some interesting numbers:

• More than half of internet users take pictures with the primary purpose of publishing them online.
• 58% of internet users publish pictures online, and the percentage rises to 86% among the 18-24 age group. 60% of the 18-24 age group admits searching for pictures of others online.
• 89% of the 18-24 age group has used tagging. 41% of the same age group is worried about this practice.
• 44% of internet users always ask permission of the photographed people before publishing a photo. (that leaves 56% who don’t).
• 43% of internet users have been embarrassed by a picture published online. In the age group 18-24, this number rises to 61%. For 27% of that age group, the online publication of pictures already has had negative impacts in their personal lives.
• 62% of internet users do not know who has access to their pictures, posted online.
• Two out of three internet users declare to want the option of deleting their pictures at a later date, but three out of four realize that it might be difficult. Less than 1/3^rd of internet users claim to understand the parameters that control the use of their pictures.

 

These numbers lead the CNIL to conclude that, in the absence of a clear understanding by the users of the parameters for the use of their pictures, the responsibility for the protection of privacy should not only lie with the user, but also with the platforms that publish those pictures. For example, these platforms should provide their users with clear tools to manage the life cycle and visibility of users’ pictures.

The lack of transparency in the area of online mechanisms regarding pictures echoes the general trend of lack of transparency by the largest internet players, which the CNIL has discovered for example on the occasion of its audit of Google.

The CNIL warns that, even though innovation often demands breaking with established rules, a stable business model nevertheless requires transparency of its policies and the trust of its platform’s users.

It cites the recent Instagram gaffe as an example that illustrates this point.

 

Advice for Internet Users:

The CNIL posted on its site a list of simple and practical data protection tools for pictures, posted online.

Some tips:

• Pay attention to the privacy settings of the platform on which you post your pictures.
• Use tagging with restraint and ask permission first.
• Think twice before using the automatic synchronization tools offered by online platforms: you may want to automatically share some of the pictures you take with Facebook, but certainly not all of them. Automatic synchronization will lead to sharing of all pictures, now and in the future. Once shared, these pictures may be hard to retrieve. (For example, they may have been shared onward, without your knowledge).

 

These tips may sound basic to the sophisticated privacy professional, but it is this author’s opinion, based on her personal experience online, and now reinforced by the numbers provided by the CNIL’s study, that they are not superfluous.

Kudos to Isabelle Falque Perrotin for disseminating this important information on a popular publication such as the Huffington Post.

The Recent Privacy Framework Proposals,The Internet of Things and PET

The CES (Consumer Electronics Show) in Las Vegas  just wrapped up a few days ago to an astounding success.

According to PC magazine, one of the five essential trends to emerge from the CES 2011 was the internet of things.

The internet of things can be explained as follows:

“It is foreseeable that any object will have a unique way of identification in the coming future, what is commonly known in the networking field of computer sciences as “Unique Address“, creating an addressable continuum of computers, sensors, actuators, mobile phones; i.e. any thing or object around us. Having the capacity of addressing each other and verifying their identities, all these objects will be able to exchange information and, if necessary, actively process information.”

At the CES, LG Electronics said it was launching home appliances with internet connectivity. These will include smart refrigerators, dishwashers, laundry machines and ovens.

Your refrigerator, for example, could send you a text message or email saying some of your food is about to go bad or that you need to go to the store to replace items that are just about gone.

Another smart thing, the smartphone, just got smarter:

A start-up company called Viewdle showed off their new smartphone software. Their facial recognition phone app can recognize faces in real time and automatically tag them, using either data from social networks or a user-created database from videos and photos on the phone itself.

The goal is then to link these names with social networks and other online sources, so that their latest tweet or Linked In job title can appear beneath their image.

While these new technologies will undoubtedly improve consumers’ lives, they will also pose an additional threat to consumers’ privacy, since there will be a whole new set of personal data available online for marketers, governments and corporations, employers and ediscovery attorneys to scrape. The unique addresses of the appliances will enable identification of the owners.

In the case of smart appliances, would you want your mom, friends, neighbors,colleagues, employer, insurance company, bank, complete strangers or the government to know that you leave your rotten tomatoes in the fridge for over a week, or that you regularly burn the food you cook in the oven, or that you had many clothes with blood stains in your wash on a particular day?

In the case of an app like Viewdle, the risks to privacy loss are even more evident and immediate: picture yourself at a party. A total stranger, who happens to be curious about you, surrepticiously takes a picture of you with his/her smartphone and immediately finds out all that you have ever posted online and all that others have posted online about you. And you haven’t been introduced yet. If that person is also a stalker, or unstable in any other manner, you may be in real trouble, because that person may  now know your name, your home address, your work address, your phone number, your entire list of friends, all your family members, even the names of your pets. (thank you, Facebook).

The US has started to address these issues through proposals for legislation and/or self-regulation:

The FTC has recently issued a Proposal for Protection of Consumer Privacy.

The US Department of Commerce has recently released a Draft Privacy Green Paper.

In the EU, where comprehensive data protection laws have been in place for the last fifteen years, the Commission has recently issued a Communication regarding the overhaul of the EU personal data protection framework. One of the reasons mentioned was the technological advances of the last decade.

All these proposals have in common that they rely heavily on legal concepts, such as choice, consent, transparency etc..The problems with this approach are manyfold, among others the dependence on costly and questionable enforcement for the system to actually work.

None of the US proposals mention the use of  PET ( Privacy Enhancing Technologies) as an alternative and additional tool to ensure consumer privacy.

PET, according to the Wikipedia definition, is a general term for a set of computer tools, applications and mechanisms which – when integrated in online services or applications, or when used in conjunction with such services or applications – allow online users to protect the privacy of their personally identifiable information (PII) provided to and handled by such services or applications.

“One of the most important aspects that deals with personal data is Privacy Enhancing Technologies (PETs). The term was coined in 1995 by the Commissioner of Ontario -Dr. Ann Cavoukian – with the Dutch Data Protection Authority.” - http://www.theinternetofthings.eu/content/privacy-design

While the FTC does  mention Privacy by Design, it is a different concept:

“Privacy by Design:

Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.

Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy.

Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services.”

Privacy by Design refers to privacy practices in companies, not privacy embedded in the technology, like PET does.

The US Department of Commerce does not even mention Privacy by Design, let alone PET.

The EU Commission, on the other hand, does include PET in its Communication:

“Addressing the impact of new technologies

Responses to the consultations, both from private individuals and organisations, have confirmed the need to clarify and specify the application of data protection principles to new technologies, in order to ensure that individuals’ personal data are actually effectively protected, whatever the technology used to process their data, and that data controllers are fully aware of the implications of new technologies on data protection. This has been partially addressed by Directive 2002/58/EC (the so-called ‘e-Privacy’ Directive)5, which particularises and complements the general Data Protection Directive in the electronic communications sector6.

Promoting the use of Privacy Enhancing Technologies (PETs), as already pointed out in the 2007 Commission Communication on the issue, as well as of the ‘Privacy by Design’ principle could play an important role in this respect, including in ensuring data security.”

The Madrid Privacy Declaration on Global Standards for a Global World ( November 2009) also recommends the adoption of PETs as part of a privacy protection framework:

“(3) Reaffirm support for genuine Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information..”

Companies will not willingly invest in technologies enhancing the privacy of their customers, unless they see a financial benefit. There must be creative ways for legislators to encourage this investment.

In light of the inevitable movement towards a world where all “things” will become smart and connected to each other and to the internet, as was showcased in the recent CES in Las Vegas, it is a pity that the US does not even consider the use of PET as a additional tool to guarantee the consumer some modicum of privacy.

The US approach, in this way, guarantees that any legislation, if and when it comes into effect, will already be lagging behind the technology, from the moment of its inception.

.