Facebook has auto-enrolled users into a facial recognition test in Europe

Facebook users in Europe are reporting the company has begun testing its controversial facial recognition technology in the region.

Jimmy Nsubuga, a journalist at Metro, is among several European Facebook users who have said they’ve been notified by the company they are in its test bucket.

The company has previously said an opt-in option for facial recognition will be pushed out to all European users next month. It’s hoping to convince Europeans to voluntarily allow it to expand its use of the privacy-hostile tech — which was turned off in the bloc after regulatory pressure, back in 2012, when Facebook was using it for features such as automatically tagging users in photo uploads.

Under impending changes to its T&Cs — ostensibly to comply with the EU’s incoming GDPR data protection standard — the company has crafted a manipulative consent flow that tries to sell people on giving it their data; including filling in its own facial recognition blanks by convincing Europeans to agree to it grabbing and using their biometric data after all. 

Notably Facebook is not offering a voluntary opt-in to Europeans who find themselves in its facial recognition test bucket. Rather users are being automatically turned into its lab rats — and have to actively delve into the settings to say no.

In a notification to affected users, the company writes [emphasis ours]: “You control face recognition. This setting is on, but you can turn it off at any time, which applies to features we may add later.”

Not only is the tech turned on, but users who click through to the settings to try and turn it off will also find Facebook attempting to dissuade them from doing that — with manipulative examples of how the tech can “protect” them.

As another Facebook user who found herself enrolled in the test — journalist Jennifer Baker — points out, what it’s doing here is incredibly disingenuous because it’s using fear to try to manipulate people’s choices.

Under the EU’s incoming data protection framework Facebook will not be able to automatically opt users into facial recognition — it will have to convince people to switch the tech on themselves.

But the experiment it’s running here (without gaining individuals’ upfront consent) looks very much like a form of A/B testing — to see which of its disingenuous examples is best able to convince people to accept the highly privacy-hostile technology by voluntarily switching it on.

But given that Facebook controls the entire consent flow, and can rely on big data insights gleaned from its own platform (of 2BN+ users), this is not even remotely a fair fight.

Consent is being manipulated, not freely given. This is big data-powered mass manipulation of human decisions — i.e. until the ‘right’ answer (for Facebook’s business) is ‘selected’ by the user.

Data protection experts we spoke to earlier this week do not believe Facebook’s approach to consent will be legal under GDPR. Legal challenges are certain at this point.

But legal challenges also take time. And in the meanwhile Facebook users will be being manipulated into agreeing with things that align with the company’s data-harvesting business interests — and handing over their sensitive personal information without understanding the full implications.

It’s also not clear how many Facebook users are being auto-enrolled into this facial recognition test — we’ve put questions to it and will update this post with any reply.

Last month Facebook said it would be rolling out “a limited test of some of the additional choices we’ll ask people to make as part of GDPR”.

It also said it was “starting by asking only a small percentage of people so that we can be sure everything is working properly”, and further claimed: “[T]he changes we’re testing will let people choose whether to enable facial recognition, which has previously been unavailable in the EU.”

Facebook’s wording in those statements is very interesting — with no number put on how many people will be made into test subjects (though it is very clearly trying to play the experiment down; “limited test”, “small”) — so we simply don’t know how many Europeans are having their facial data processed by Facebook right now, without their upfront consent.

Nor do we know where in Europe all these test subjects are located. But it’s pretty likely the test contravenes even current EU data protection laws. (GDPR applies from May 25.)

Facebook’s description of its testing plan last month was also disingenuous as it implied users would get to choose to enable facial recognition. In fact, it’s just switching it on — saddling test subjects with the effort of opting out.

The company was likely hoping the test would not attract too much attention — given how much GDPR news is flowing through its PR channels, and how much attention the topic is generally sucking up — and we can see why now because it’s essentially reversed its 2012 decision to switch off facial recognition in Europe (made after the feature attracted so much blow-back), to grab as much data as it can while it can.

Millions of Europeans could be having their fundamental rights trampled on here, yet again. We just don’t know what the company actually means by “small”. (The EU has ~500M inhabitants — even 1%, a “small percentage”, of that would involve millions of people… )

Once again Facebook isn’t telling how many people it’s experimenting on.

Facebook removes 1.5 billion users from protection of EU privacy law

Facebook has quietly altered its terms of service, making stricter Irish data protection laws no longer binding on the vast majority of its users. The revision was first reported Wednesday by Reuters.

Now, Facebook’s headquarters in California will be responsible for processing any relevant legal claims, and American law will be binding for those outside the EU.

Previously, CEO Mark Zuckerberg had said Facebook would implement new EU rules “everywhere.” While Facebook may claim that it is offering EU-style control globally, removing this provision in its own terms of service suggests that the company is trying to mitigate its potential legal liability.

Read 11 remaining paragraphs | Comments

Twitter doesn’t care that someone is building a bot army in Southeast Asia

Facebook’s lack of attention to how third parties are using its service to reach users ended up with CEO Mark Zuckerberg taking questions from Congressional committees. With that in mind, you’d think that others in the social media space might be more attentive than usual to potentially malicious actors on their platforms.

Twitter, however, is turning the other way and insisting all is normal in Southeast Asia, despite the emergence of thousands of bot-like accounts that have followed prominent users in the region en masse over the past month.

Scores of reporters and Twitter users with large followers — yours truly included — have noticed swarms of accounts with generic names, no profile photo, no bio and no tweets have followed them over the past month.

These accounts might be evidence of a new ‘bot farm’ — the creation of large numbers of accounts for sale or usage on-demand which Twitter has cracked down on — or the groundwork for more nefarious activities, it’s too early to tell.

In what appears to be the first regional Twitter bot campaign, a flood of suspicious new followers has been reported by users across Southeast Asia and beyond, including Thailand, Myanmar Cambodia, Hong Kong, China, Taiwan, Sri Lanka among other places.

While it is true that the new accounts have done nothing yet, the fact that a large number of newly-created accounts have popped up out of nowhere with the aim of following the region’s most influential voices should be enough to concern Twitter. Especially since this is Southeast Asia, a region where Facebook is beset with controversies — from its role inciting ethnic hatred in Myanmar, to allegedly assisting censors in Vietnam, witnessing users jailed for violating lese majeste in Thailand, and aiding the election of controversial Philippines leader Duterte.

Then there are governments themselves. Vietnam has pledged to build a cyber army to combat “wrongful views,” while other regimes in Southeast Asia have clamped down on social media users.

Despite that, Twitter isn’t commenting.

The U.S. company issued a no comment to TechCrunch when we asked for further information about this rush of new accounts, and what action Twitter will take.

A source close to the company suggested that the sudden accumulation of new followers is “a pretty standard sign-up, or onboarding, issue” that is down to new accounts selecting to follow the suggested accounts that Twitter proposes during the new account creation process.

Twitter is more than 10 years old, and since this is the first example of this happening in Southeast Asia that explanation already seems inadequate at face value. More generally, the dismissive approach seems particularly naive. Twitter should be looking into the issue more closely, even if for now the apparent bot army isn’t being put to use yet.

Facebook is considered to be the internet by many in Southeast Asia, and the social network is considerably more popular than Twitter in the region, but there remains a cause for concern here.

“If we’ve learned anything from the Facebook scandal, it’s that what can at first seem innocuous can be leveraged to quite insidious and invasive effect down the line,” Francis Wade, who recently published a book on violence in Myanmar, told the Financial Times this week. “That makes Twitter’s casual dismissal of concerns around this all the more unsettling.”

Facebook Exec Kevin Chan Defends His Access To Trudeau Cabinet

Conference workers speak in front of a demo booth at Facebook's annual F8 developer conference, in San Jose, Calif. in this April 18, 2017 file photo.

OTTAWA — A Facebook executive with ties to the ruling Liberals was grilled today about his preferential access to senior members of the Trudeau cabinet, even though no one from the social-media giant, including himself, is a registered lobbyist in Canada.

In his appearance before a parliamentary committee, Facebook Canada’s public policy head Kevin Chan was questioned by New Democrat MP Charlie Angus on why he had yet to register as a lobbyist, given the fact he’s met senior cabinet members, including Finance Minister Bill Morneau.

Chan, ex-policy director for former Liberal leader Michael Ignatieff, defended himself by saying it was unnecessary for him to register since the proportion of his lobbying activities falls short of the Lobbying Act’s 20 per cent minimum threshold.

Watch: New polls show Canadians aren’t liking Facebook in wake of data scandal

He also insists, for instance, that his meeting with Morneau strictly involved him showing the minister how to set up a Facebook Live event to broadcast a budget speech.

The testimony comes as policy-makers and regulators around the world examine how to better protect users’ online data following a scandal that allegedly saw the personal information of 87 million Facebook users — including more than 620,000 Canadians — improperly accessed for political purposes.

Chan echoed Facebook CEO Mark Zuckerberg’s acknowledgment this month that the company accepts responsibility for not doing enough to secure the platform and, despite recent changes, that more work needs to be done.

Earlier on HuffPost Canada:

The committee also heard testimony Thursday from Facebook deputy chief privacy officer Robert Sherman, who estimated that just 272 people in Canada installed an app that enabled political consultancy firm Cambridge Analytica to access information from another 622,000 Canadians.

Under questioning by MPs, Sherman said by video link from California that it’s possible users’ private messages may have also been inappropriately accessed and that there may have been other data breaches involving Facebook data.

Also on HuffPost:

Facebook Seeks Consent For Facial Recognition Tech In Canada, EU

Facebook CEO Mark Zuckerberg listens to opening statements while testifying before a Senate Judiciary and Commerce Committees joint hearing regarding the company's use and protection of user data on Capitol Hill in Washington, D.C., April 10, 2018.

Facebook users in Europe and Canada will for the first time be able to opt into the network’s facial recognition technology, which has been available in most other parts of the world for the past six years, the company says.

Facebook is enhancing privacy safeguards for users around the world as it complies with new European rules designed to make it easier for consumers to give and withdraw consent for the use of their data.

The company is introducing the new policies this week in Europe, but eventually everyone on the social network will be asked to decide whether they want to enable features like facial recognition and some types of targeted advertising, the company said in a blog post.

Watch: Facebook faces class-action lawsuit over facial recognition

“Everyone — no matter where they live — will be asked to review important information about how Facebook uses data and make choices about their privacy on Facebook,” the company said in a blog post. “We’ll begin by rolling these choices out in Europe this week.”

The announcement comes as Facebook struggles with the fallout from revelations that a data analytics firm misused personal information from as many as 87 million Facebook accounts to help Donald Trump’s 2016 presidential campaign. The European Union next month will begin enforcing its new General Data Protection Regulation, which explicitly applies to any company that uses the data of EU residents, no matter where it is based.

The privacy law is the latest attempt by EU regulators to rein in mostly American tech giants who they blame for avoiding tax, stifling competition and encroaching on digital privacy rights. The EU says the rules are the most important change in data privacy regulation in a generation as it tries to catch up with technological advances since 1995, when the last comprehensive rules were approved.

Earlier on HuffPost Canada:

The EU rules require consent forms to be written in plain language anyone can understand, as the EU targets the legalese buried in pages of terms and conditions that few users actually read before clicking “I Agree.” The regulations also require that consent must be as easy to withdraw as it is to give.

Users will also be asked whether they want to allow Facebook to use data from partners such as apps and websites to tailor the ads they see, and whether they want to share political, religious or relationship information from their profiles.

“We not only want to comply with the law, but also go beyond our obligations to build new and improved privacy experiences for everyone on Facebook,” the company said.

Meanwhile, the European Parliament renewed its call for Facebook CEO Mark Zuckerberg to testify about the data privacy scandal, after Zuckerberg offered to send a subordinate in his place.

In a letter to Zuckerberg on Wednesday, the EU assembly’s president, Antonio Tajani, said that Europeans hit by the scandal “deserve a full and thorough explanation from Facebook’s top manager.”

Also on HuffPost:

Market power wielded by US tech giants concerns IMF chief

Christine Lagarde feels ‘too much concentration in hands of the few’ does not help economy

The head of the International Monetary Fund, Christine Lagarde, has expressed concern about the market power wielded by the US technology giants and called for more competition to protect economies and individuals.

Speaking at a press conference to mark the start of the IMF’s spring meeting in Washington, Lagarde said breaking up companies was not the solution, but added that her organisation was monitoring their impact on prosperity, financial stability and the workplace.

Related: Bitcoin tools could make finance system safer, says IMF boss

Continue reading…

Facebook moves to shrink its legal liabilities under GDPR

Facebook has another change in the works to respond to the European Union’s beefed up data protection framework — and this one looks intended to shrink its legal liabilities under GDPR, and at scale.

Late yesterday Reuters reported on a change incoming to Facebook’s T&Cs that it said will be pushed out next month — meaning all non-EU international are switched from having their data processed by Facebook Ireland to Facebook USA.

With this shift, Facebook will ensure that the privacy protections afforded by the EU’s incoming General Data Protection Regulation (GDPR) — which applies from May 25 — will not cover the ~1.5BN+ international Facebook users who aren’t EU citizens (but current have their data processed in the EU, by Facebook Ireland).

The U.S. does not have a comparable data protection framework to GDPR. While the incoming EU framework substantially strengthens penalties for data protection violations, making the move a pretty logical one for Facebook’s lawyers thinking about how it can shrink its GDPR liabilities.

Reuters says Facebook confirmed the impending update to the T&Cs of non-EU international users, though the company played down the significance — repeating its claim that it will be making the same privacy “controls and settings” available everywhere. (Though, as experts have pointed out, this does not mean the same GDPR principles will be applied by Facebook everywhere.)

Critics have couched the T&Cs shift as regressive — arguing it’s a reduction in the level of privacy protection that would otherwise have applied for international users, thanks to GDPR. Although whether these EU privacy rights would really have been enforceable for non-Europeans is questionable.

At the time of writing Facebook had not responded to a request for comment on the change. Update: It’s now sent us the following statement — attributed to deputy chief global privacy officer, Stephen Deadman: “The GDPR and EU consumer law set out specific rules for terms and data policies which we have incorporated for EU users.  We have been clear that we are offering everyone who uses Facebook the same privacy protections, controls and settings, no matter where they live. These updates do not change that.” 

The company’s generally argument is that the EU law takes a prescriptive approach — which can make certain elements irrelevant for international users outside the bloc. It also claims it’s working on being more responsive to regional norms and local frameworks. (Which will presumably be music to the New Zealand privacy commissioner‘s ears, for one…)

According to Reuters the T&Cs shift will affect more than 70 per cent of Facebook’s 2BN+ users. As of December, Facebook had 239M users in the US and Canada; 370M in Europe; and 1.52BN users elsewhere.

The news agency also reports that Microsoft -owned LinkedIn is one of several other multinational companies planning to make the same data processing shift for international users — with LinkedIn’s new terms set to take effect on May 8, moving non-Europeans to contracts with the U.S.-based LinkedIn Corp.

In a statement to Reuters about the change LinkedIn also played it down, saying: “We’ve simply streamlined the contract location to ensure all members understand the LinkedIn entity responsible for their personal data.”

One interesting question is whether these sorts of data processing shifts could encourage regulators in international regions outside the EU to push for a similarly extraterritorial scope for their local privacy laws — or face their citizens’ data falling between the jurisdiction cracks via processing arrangements designed to shrink companies’ legal liabilities.

Another interesting question is how Facebook (or any other multinationals making the same shift) can be entirely sure it’s not risking violating any of its EU users’ fundamental rights if it accidentally misclassifies an individual as an non-EU international users — and processes their data via Facebook USA.

Keeping data processing processes properly segmented can be difficult. As can definitively identifying a user’s legal jurisdiction based on their location (if that’s even available). So while Facebook’s T&C change here looks intended to shrink its legal liabilities under GDPR, it’s possible the change will open up another front for individuals to pursue strategic litigation in the coming months.

Facebook has a new job posting calling for chip designers

Facebook has posted a job opening looking for an expert in ASIC and FPGA, two custom silicon designs that companies can gear toward specific use cases — particularly in machine learning and artificial intelligence.

There’s been a lot of speculation in the valley as to what Facebook’s interpretation of custom silicon might be, especially as it looks to optimize its machine learning tools — something that CEO Mark Zuckerberg referred to as a potential solution for identifying misinformation on Facebook using AI. The whispers of Facebook’s customized hardware range depending on who you talk to, but generally center around operating on the massive graph Facebook possesses around personal data. Most in the industry speculate that it’s being optimized for Caffe2, an AI infrastructure deployed at Facebook, that would help it tackle those kinds of complex problems.

FPGA is designed to be a more flexible and modular design, which is being championed by Intel as a way to offer the ability to adapt to a changing machine learning-driven landscape. The downside that’s commonly cited when referring to FPGA is that it is a niche piece of hardware that is complex to calibrate and modify, as well as expensive, making it less of a cover-all solution for machine learning projects. ASIC is similarly a customized piece of silicon that a company can gear toward something specific, like mining cryptocurrency.

Facebook’s director of AI research tweeted about the job posting this morning, noting that he previously worked in chip design:

While the whispers grow louder and louder about Facebook’s potential hardware efforts, this does seem to serve as at least another partial data point that the company is looking to dive deep into custom hardware to deal with its AI problems. That would mostly exist on the server side, though Facebook is looking into other devices like a smart speaker. Given the immense amount of data Facebook has, it would make sense that the company would look into customized hardware rather than use off-the-shelf components like those from Nvidia.

(The wildest rumor we’ve heard about Facebook’s approach is that it’s a diurnal system, flipping between machine training and inference depending on the time of day and whether people are, well, asleep in that region.)

Most of the other large players have found themselves looking into their own customized hardware. Google has its TPU for its own operations, while Amazon is also reportedly working on chips for both training and inference. Apple, too, is reportedly working on its own silicon, which could potentially rip Intel out of its line of computers. Microsoft is also diving into FPGA as a potential approach for machine learning problems.

Still, that it’s looking into ASIC and FPGA does seem to be just that — dipping toes into the water for FPGA and ASIC. Nvidia has a lot of control over the AI space with its GPU technology, which it can optimize for popular AI frameworks like TensorFlow. And there are also a large number of very well-funded startups exploring customized AI hardware, including Cerebras Systems, SambaNova Systems, Mythic, and Graphcore (and that isn’t even getting into the large amount of activity coming out of China). So there are, to be sure, a lot of different interpretations as to what this looks like.

One significant problem Facebook may face is that this job opening may just sit up in perpetuity. Another common criticism of FPGA as a solution is that it is hard to find developers that specialize in FPGA. While these kinds of problems are becoming much more interesting, it’s not clear if this is more of an experiment than Facebook’s full all-in on custom hardware for its operations.

But nonetheless, this seems like more confirmation of Facebook’s custom hardware ambitions, and another piece of validation that Facebook’s data set is becoming so increasingly large that if it hopes to tackle complex AI problems like misinformation, it’s going to have to figure out how to create some kind of specialized hardware to actually deal with it.

A representative from Facebook did not yet return a request for comment.