Facebook intros automated photo-tagging; creates social networking risk says security researcher

The automated photo tagging feature of the social networking site allows users to auto-tag pictures of other people, even if they are not on Facebook or do not wish to be identified in a picture online.

According to Paul Ducklin, head of technology with Sophos' Asia-Pacific operation, unlike graffiti tagging, where you spray-paint your name onto someone else's property, Facebook lets you paint other people's names onto your pictures.

And now, he explained in his security blog, you won't need to select or group the photos yourself. Facebook will use facial recognition to match the people in your photos with other images in which they appear.

"It's not yet completely automatic – the tags are just suggestions – but it sounds creepy nevertheless", he said.

The good news, Infosecurity notes, is that users can opt out of auto-suggestions, but Ducklin says that it sounds as though this feature is going to be enabled by default, since Facebook's announcement advises that "you will be able to disable suggested tags in your privacy settings".

And, he notes, you will be notified whenever you're tagged, but only in case you want to untag yourself, not in order to confirm that you want to be tagged in the first place.

The new facility seems to work online between friends – or rather, as the Sophos AsiaPac security specialist notes, "what Facebook calls friends".

Whilst this limits the creepiness somewhat, Ducklin says this, nonetheless, means that once you've been identified to Facebook by one friend, you run the risk of being identified by Facebook to other friends – even those very loose friends who might not otherwise have remembered you, let alone your name.

"If that's not something you're comfortable with, then be sure to watch out for this new feature, which is coming to US users first, and turn it off", he said.

"Perhaps, indeed, like the vast majority of readers in our recent poll on this issue, you think that Facebook features should be opt-in by default, rather than opt-out", he added.
