Thursday, May 16, 2019

Facebook: Holding User Accounts Hostage

A Facebook “challenge” asking users to post a current photo and one from a decade earlier went viral in early 2019. Even though it is unlikely that the company was behind the “challenge” going viral, that the company had been working on facial recognition technology had users being suspicious on the motive behind the “challenge.”[1] A writer for Wired wrote at the time, “Imagine that you wanted to train a facial recognition algorithm on age-related characteristics and, more specifically, on age progression (e.g., how people are likely to look as they get older). Ideally, you’d want a broad and rigorous dataset with lots of people’s pictures. It would help if you knew they were taken a fixed number of years apart—say, 10 years.”[2] Why would Facebook want to track how a person is likely to look years later? Some users may put up an old picture of themselves or simply not update the existing photo, but why would Facebook want to know what those users are likely to look currently? Perhaps Facebook wanted to be able to identify those users in current pictures uploaded by others. So why did the company deny using the “challenge” for such a legitimate purpose as connecting people socially? Nonetheless, the company insisted that it had no benefit from the “challenge” going viral. This statement seems suspicious, especially given the company’s earlier lapses on user privacy. I contend that an even more toxic subterfuge existed at the time at Facebook—a cloak that held user accounts hostage until a clear facial picture could be supplied.
Perhaps because of the company’s track record since Cambridge Analytica on user privacy, the company’s statement also sought to reassure users by reminding them that they “can choose to turn facial recognition on or off at any time.”[3] While technically true, the company could freeze any user’s account supposedly for security reasons—to protect the user—until a current picture that clearly shows the face is supplied.
In spite of the fact that no legitimate security concerns could be raised a month or so after I created a user account, I discovered one day that Facebook’s computer had blocked my account until such time as I could verify the phone number I had used in setting up the account (when verification on the number was successfully made). I followed through nonetheless the second time, only to find days later that a current picture clearly showing my face was needed “for security reasons.” Until then, I could not use my account to protect my security. That I had not used the account for anything remotely suspicious, not to mention trolling or spam, led me to view the “security” rationale as fake, or at least as excessive. In demanding a face picture from me, the company indicated that the picture will not go on my profile, but this differentiation makes no difference in the company being able to use facial recognition software on me for the company’s internal uses (and even those of external stakeholders like the FBI) from then on. Facebook’s work on facial recognition AI for the previous two years had included such uses as tagging users in other users’ photos even if the photographed user does not know the photographer. Under the subterfuge of a “security need” for a current picture that other users will not see, the picture can still be used in tagging the user without his or her awareness.
I contend, therefore, that Facebook’s demand for a clear face photo is unethical. Besides the company’s horrendous track record on safekeeping user privacy, having users’ accounts held ransom nonetheless can seem presumptuous, like a bad child nonetheless demanding that his parents take him to Disneyland. The unethical verdict is also due to the felt-vulnerability that is natural (even among innocent people!) in handing a face picture to unknown people, even if they have a good reputation in securing privacy. For a company to dismiss the vulnerability and go so far as to demand a clear face picture can be reckoned as a harm (even as passive aggression) that is unjustifiable ethically.  Furthermore, the lying, such as in Facebook’s claim that it had no benefit from the treasure-trove of before-and-after pictures, and the subterfuge that a user can always turn facial-recognition off (even as the company uses it under the lie of a security need to connect a face to an account) are themselves unethical. Anticipating the future revelations on the privacy breaches, I wrote a booklet, Taking the Face off Facebook, on the unethical management at the company. It may therefore be that I’m on a “make problems for” list at Facebook, but other users have complained of having their accounts held hostage too, so I suspect the problem was still with the company’s managers, including its CEO. 


2. Ibid.
3. Ibid.