406 comments

[ 6.6 ms ] story [ 312 ms ] thread
If it can't be fooled by a picture found online (but not uploaded to facebook) then that must mean facebook is indexing images across the internet and analysing all the faces they find... and if it can, what's the point (edit: from a user point of view)?
To have the world's best biometric registry that is constantly updated and optimized by it's users.
Yes, I should have been more accurate in my original post - what's the point for the user :-)
This doesn't exist to benefit the user. This exists solely to benefit Facebook.
That’s not a captcha, that’s used when you’re locked out of your account and they need to verify if it’s you. Like when they ask for your ID card.

I assume this only happens if you’ve uploaded pictures of yourself in the past, so they can compare them.

Sounds pretty weird. So if I want to steal someones account I just either A) take a picture of them or B) download a picture of their face from facebook? What's the point exactly?

Seems as silly as uploading your nekid pics so facebook can prevent them from being distributed. If they really wanted to protect you they would just let you download an app that could analyze the files and upload just enough to detect similar video/pictures.

What has facebook done in the past to earn such trust? Seems just the opposite. Isn't it crazy to assume facebook will keep anything you upload secure?

Uh, the article disagrees.

> In a statement to WIRED, a Facebook spokesperson said the photo test is intended to “help us catch suspicious activity at various points of interaction on the site, including creating an account, sending Friend requests, setting up ads payments, and creating or editing ads.”

They're basically training people to provide PII/biometrics on-demand as the price of using their service.

(comment deleted)
Is anyone concerned enough with their facebook profile security to want to be verified on this level?

why not a normal 2fa? it seems like there is a hidden agenda behind collecting and analyzing users facial characteristics.

Knowing fb, this is for their benefit, not the users i.e, they're trying to catch spammers and fake accounts, not see if you're the one accessing your own account or not.
I fear it's much more insidious than that. Facebook has a tendency to start doing some invasive stuff and then announce it to the world only 5 years later.

They probably plan to use your facial profile for a number of things, none of which have to do with authenticating you to the Facebook website. I even see them sharing the profiles with the DHS to build more accurate facial recognition at airports, and other stuff like that. But of course they wouldn't admit it now, because it would mean everyone refusing to use it from day one.

No wonder Facebook's attempt at getting people to give them their credit cards to enable ecommerce on the platform has been such an utter failure. The most popular searches on Google on this issue are whether or not you can trust Facebook with your credit card data.

That's happening for a reason - Facebook has consistently tried to build a reputation of "shady-as-fuck" company throughout the years, and it's going to pay the price for it, either through stuff like people rejecting its ecommerce platforms, which means fewer billion-dollar monetization opportunities for Facebook in the long-term, or simply stopping using it when they get tired of the company's practices.

> I fear it's much more insidious than that. Facebook has a tendency to start doing some invasive stuff and then announce it to the world only 5 years later.

> They probably plan to use your facial profile for a number of things, none of which have to do with authenticating you to the Facebook website. I even see them sharing the profiles with the DHS to build more accurate facial recognition at airports, and other stuff like that. But of course they wouldn't admit it now, because it would mean everyone refusing to use it from day one.

This validates my little project of uploading a ton of stock photos to my Facebook account and tagging myself in them.

make something automatable with browser plugin on github .. that does sounds interesting.
> Facebook has consistently tried to build a reputation of "shady-as-fuck" company throughout the years, and it's going to pay the price for it

Unfortunately, I think the fact that many people don't realize platforms like Instagram and WhatsApp belong to Facebook will allow them to avoid paying the price.

Last I checked 2fa on Facebook REQUIRES a phone number to be provided so that your phone is an sms based backup method. Apparently all the talented engineers at Facebook didn't think "oh, let them download a few spares backup codes like ever other service" or that sms based backups are a stupid idea.
Backup codes are available, once you've enabled 2FA:

https://www.facebook.com/help/148104135383285?helpref=search...

Well... I don't want to legitimize their "need" for my phone number (which granted they already figure out through contact books of others, they don't even hide that they've inferred it). Phones and 2fa are not dependent upon one another.
Does google voice # work?
Don't know, I think google voice is only available in US/Canada, no? (I'm not in either of those countries)
I will never do this. I don't even post photos of myself on FB, or use "Messenger" or their mobile app, so it probably wouldn't work anyway, but I have no doubt they're looking to monetize the feature and that businesses and governments are their target markets.
They still have your face from scanning your friends' photos and contacts. Combine datestamp, location, messages, and posts over years and Facebook knows who was together for a photo whether or not you've uploaded any or been tagged. Facebook knows the face of everyone who is on Facebook or who knows a few people who are.
I can pull a fingerprint off the subway stair rails but that doesn't mean I can identify who it is. We anonymously reveal ourselves everyday but the danger comes from confirming which data is ours. The goal is to make it difficult not impossible.
They don't need you to confirm it. This isn't a criminal case. They just need to be reasonably confident. Your face is in a picture with four other people. They can see that phones belonging to four people, who regularly chat with each other, were all at the same location at the time the photo was taken. They are now reasonably confident that your face is one of those four. Do that five or six times and their robots will know your face. Whether you confirm it or not doesn't really matter.

  They can see that phones belonging to four people, who regularly chat with each other, were all at the same location at the time the photo was taken.
How would they "see" your phone without the facebook app installed?
They buy/rent that data from google or any of a thousand other companies that might have access to your phone's location.
Thing is: Grabbing fingerprints from the subway doesn't scale. Machine learning does.
No, not really. There are not many of photos of me on the web and any that are were taken from a distance and too low res to id me.

I've been stingy about that for a long time. FB doesn't have my phone number and I disabled the email address I used to sign up. I delete all my cookies often and use different browsers and turn off and reset my modem to get a new IP address.

I have no apps on my phone, don't use iCloud, and don't use the native "Contacts" app, I made my own for that.

I know I'm still being tracked, but not as much as most and I don't think FB could ID me right now with photos they have.

> FB doesn't have my phone number

If anyone who has you in their contact list uses Facebook, I can pretty much guarantee they have your number.

Yeah this is the real rub; even if you yourself do not give Facebook information, it's been proven that they collect profiles on you. Anyone who has messaged you, has you in their contacts, sent you invites, added you to groups, all this gets added to a hidden profile. You are being tracked whether you gave out info or not.
>don't use the native "Contacts" app, I made my own for that.

That's a good idea. You could then grant other apps permission to see your contacts, but have the app optionally return fake or empty data.

This. Fake data should always be returned, unless explicit permission is granted for real data.
I doubt iOS lets a custom contacts app respond to a request from another app for contacts though. It'll presumably respond empty data (since they have no contacts in the native app), but with no option to give it the actual contacts if you wanted to.
I'm pretty sure it is about training their users to surrender biometrics on demand. FB wants their feedstock comfortable with the idea.
I wonder if they are using their camera permissions in Messenger to automatically grab an image when someone opens the app...is there any way to verify that?
Perhaps a workaround would be to pick a random celebrity, somebody with a lot of photos online, and upload one of those.

Facebook would have no way of knowing that it's not you, and they aren't likely to complain that you look like somebody else, since facial recognition will likely always pick up loads of duplicates when used on a global scale.

Alright, they are using it when you've been locked out of your account to verify that you are who you say you are.

You'd have to seed the account in advance by uploading some photos and identifying them as yourself, and you'd have to be able to find photos that haven't been uploaded to Facebook previously.

Accounts using celebrities as a profile picture may actually be easier to hack, since the hacker can just upload another picture of that celebrity when challenged.
I'm sure the biometric data harvested from these pictures won't be abused by three letters agencies.
I mean you need to pick your poison here. You either give facebook more data to validate your authenticity or you allow botnets to influence the social networks. It seems impossible to have it both ways, although I'm willing to hear alternatives in the general case.
Authenticity validation could be completely external from Facebook, and if they gave a shit about your privacy they would not only be OK with it but even push for it.

Many countries already have crypto-secure solutions for verifying their identity when submitting things like tax forms. Facebook just needs to start using them, but they won't, and it's obvious why.

> and it's obvious why.

Because most countries don't have crypto-secure identity verification, which means Facebook would still need something like this? I suppose they could contract out to Experian (or other local providers) and ask you to answer some questions from your credit report, but I'm not sure that's really a good solution either.

I thought it was clear enough that I mean't that it's obvious why [Facebook will never implement it even in countries where it already exists]. It's not in their interest to do so, because it's not in their interest to protect the privacy of their users.
Just because you could only think of a sarcastic reason why Facebook doesn't want to do it doesn't mean that other reasons for it don't exist. That's precisely what the GP is saying—FB needs to come up with systems that work for literally the whole world.
How is my reason sarcastic? I'm being completely serious. And yes, of course it needs to work world-wide but I think it's naive to think that's the primary reason FB would be doing it. They'd be doing it because they want complete control of the authentication ecosystem.
No. This is the absolute wrong direction and would likely help push for a Government Internet ID. This would complete destroy online anonymity.
The US isn't the world. "Government Internet IDs" already exist, and there is nothing inherent in them existing that eliminates online anonymity, it just removes it on Facebook (which is exactly the point).
Imagine having to use your government ID to even connect to the internet. Having all your data logged and cataloged to your ID. At one point in time that is what the US government wanted to do. It starts by normalizing the action. Not a world I want to live in.
You're completely de-railing the discussion and trying to respond to this nonsense in any constructive way would only de-rail it further. No amount of strawmen and US-centric "the government wants to enslave us all" propaganda will make me think that the now existing, well working digital ID systems available in the world (not the US) are the work of the illuminati, should be abolished, and/or will be surgically inserted into my brain in the near future.

I made a point that there are already ways for Facebook, in certain countries, to verify the identity of their users, if they so please; and that Facebook will never use these because they'd rather control the system of verification themselves (prioritizing profit, not privacy and integrity of users). They could use the systems already in place and say "you know what, the state of Estonia is telling us this guy is who he says he is, we'll accept that". What you're doing is arguing against government-backed digital identification in any broad definition of the term, and you can have that opinion but it's off topic.

Third option: delete your Facebook account.
I prefer posting only articles critical of Facebook to my feed until I get locked out of my account for some reason.

I won't create a new one, but I might as well use the one I have to do some good.

> I prefer posting only articles critical of Facebook to my feed

You realize Facebook's algorithm is most likely keeping those posts well hidden from your "friends", right?

> You realize Facebook's algorithm is most likely keeping those posts well hidden from your "friends", right?

Yes, but not completely. I do get a handful of likes/comments on them and one friend commented in person about how often I post them. If they're suppressed by the algorithm, they're not getting suppressed too much.

In any case, I don't put a ton of effort into them. They're just articles I've discovered naturally with a pull quote or short summary.

> You either give facebook more data to validate your authenticity or you allow botnets to influence the social networks

My basic logic/truth table says there's another (possibly more likely scenario): that you give FB more (intimate) data AND botnets still influence your social networks.

I mean, a bot could simply designate using a given stock image for each of their imposter personas, non?

alternative is don't use FB. you can use some more privacy focussed social nets like ello instead.
> The process is automated, including identifying suspicious activity and checking the photo. ... The Facebook spokesperson said the photo test is one of several methods, both automated and manual, used to detect suspicious activity.

So I don't get if this "captcha" process is automated or manual (...or both)? Somewhere else in the article it says that users are apparently locked out of their accounts until the pic is verified. Seems odd that there should be a lock-out period if the process is automated (as the first sentence of the above quote implies).

ALSO, for a captcha, isn't this dead easy for bots? Get a DeepDream/Generative Adversarial Network instance to generate faces for you. Bam. This is not a barrier.

Couple things.

1.) The face verification is automatic. It is among other processes that are automatic and some other processes that are manual.

2.) Lock out periods are to prevent repeated attempts.

3.) The face has to match the face of the account, so generating a new face won’t work.

> The face has to match the face of the account, so generating a new face won’t work.

It quite easily could work well if the account has, or is tagged in, any public images and those are used as input to the generation process. (Or if it's associated with a person of whom there are public images in other sources, off of Facebook.)

I'm assuming the process is sophisticated enough that you can't just post an existing public Facebook image of the user without modification, but that may be too generous.

Where was it specified that lock-outs are to prevent repeated attempts? It is a plausible reason but the premise of my question (and confusion as to whether this process is automatic or not) stems from:

> ...users are locked out of their accounts _while the photo is being verified_. A message said, “You Can’t Log In Right Now. We’ll get in touch with you _after we’ve reviewed your photo_. You’ll now be logged out of Facebook as a security precaution.”

Emphasis mine.

"after we've reviewed your photo" --> FB can autotag people as pictures are uploaded. Surely they can verify face similarity instantly?

Facebook already locked me out of my account asking for it and since I'll never send it I guess I can finally stop using it... thanks facebook
maybe this is how skynet starts
Skynet is entertainment. A real ASI will be much more proficient at removing threats.

Both nanobots and a genetically engineered super virus, for example, would be very well suited to extinguish humanity in a timeframe that makes resistance / retaliation impossible.

Now if I as a dumb human can come up with that, just imagine what a being incredibly smarter than anything we could imagine could come up with.

This doesn’t seem too weird considering the service is called “face” book, and the point is to upload photos of your face. They have been using facial recognition for years now, this is a natural extension of that.

I am not a user, but I see the value. It’s creepy as hell, yes, but I see the value.

I should write a blog post about this, but to those thinking about deleting Facebook,

My experience deleting it 5 years ago is summarized as: my friend count went way down, my friend quality went way up.

Your results may vary, but the purpose of my comment is not to immediately be worried that Facebook is a mandatory lifeline for your social life.

To add to this, you can always /try/ deleting your facebook account and see if it's for you.

It's not like facebook is a nightclub that will refuse re-entry once you leave or anything.

My account went inactive and eventually was disabled. To get back into the "nightclub" now, I must submit a copy of my photo ID to verify my identity. No thanks to the Facebook bouncer thugs guarding the entrance...
One has to assume anyone on facebook is ok with that though, it is the nature of the service these days, even if you joined before it was like that.
I had a similar experience, but submitted a picture of my congressman (who was standing in front of a billowing American flag) which was accepted without comment by Facebook.
A few years ago I walked away from Facebook. Three months later, I got a phone call from my mother (who's not online) because she heard through the grapevine that I was dead. My stupid Facebook "friends" took my silence for something sinister and jumped to conclusions.

I ended up returning to Facebook and purging my "friend" list down to just a dozen actual friends.

Really? Wow.

I always wondered what my Facebook acquaintances thought when I left.

I figured they didn’t care Id left to give it much thought or that I was being a prick and had deleted them.

Most of my facebook "friends" didn't even noticed I've quit some months ago. For those that ask, I say that it consumed too much battery..
Why are they stupid? All of a sudden, with no warning or explanation you stopped posting and responding? If I had a friend like that I might be concerned and reach out to friends or family to see if everything is okay. To me that signifies that they care about you, not that they're stupid. It's not like they filed a police report or anything.
Can confirm. I've commented about this a few times. Life's a little less noisy, too.

I'd add that the lessened noise contributes to a sense of clarity which in turn contributes to an ability to think critically on the spot.

> my friend count went way down, my friend quality went way up.

This is an important distinction. FB has programmed us to believe quantity is the goal, when quality probably should be. How many FB "friends" does the average user have meaningful relationships with? I'd speculate not many more than it's possible to maintain offline/without FB's "help".

I'm not sure how true that is; virtually everyone I've encountered distinguished unqualified “friends” from “Facebook friends”, the two groups being distinct, usually overlapping, categories. There are certainly people who treasure their number of social media followers, just as there have always been people who treasure the offline equivalent, and social media like Facebook makes it easier to quantity and compare than the offline world. But I don't think it's really that common for people to conflate social media network sizes with genuine friendship.
It's just a tempting, low-hanging way for HNers to feel superior to others.

"I bet all these idiots cannot tell the difference between real friends and the Facebook friend counter like I can. ;) BTW I've deleted my Facebook because I had a crippling addiction to it."

> my friend count went way down, my friend quality went way up.

I too quit around then, and I think I feel that most on my birthday. I only hear from probably a tenth the people but now when they remember on their own and text/call it means a lot more.

I may be exceptionally bad at attracting and maintaining friendships. But my experience is that my time between friends is not fungible, and the strength of my friendships are not constant.

For example, my best friends are on the opposite coast. It's not financially realistic for us to hang out in person frequently. The 5 hours a week I could spend sending them letters or calling are not the same as 5 hours I could be spending turning acquaintances who live next door into good friends. Maybe even best friends. It's not theoretically a zero-sum game, of course, but we all know that's not how life actually works and that for one friend to have more of your time/attention means that another loses some time and attention.

What FB has helped me do is to remain easily connected to good friends and acquaintances everywhere. When moving to a new town, finding acquaintances who live there who have common interests with FB is much easier than calling those acquaintances out of the blue and hoping they'll hang out. Most of these acquaintances remain acquaintances, but some become friends -- and the cost of making those friends was substantially lowered.

For remote best friends, FB gives us a way to passively share our lives beyond calling and writing letters. Even if I had unlimited time to spend creating and sending scrapbooks and doing FaceTime, my other friends may not. It's not as good as being together, but I love the option to browse a friend's albums of past recent events on my own time, and then being able to at least experience those memories in a small way.

So I guess I see Facebook has being a very interactive rolodeck. It's not where I conduct my friendships (although I do, to some degree), it just makes maintaining friendships much more efficient. To the point that I keep connections that I would've otherwise dropped, because Facebook has reduced the long-term "maintenance cost". But since it's ultimately a rolodeck to me, I find it easy to ignore and not care what anyone is doing if I don't feel like it, and I have lowered expectations of what I should be getting from FB

Straw, meet camel's back.

I'll give up Facebook before I give up that level of privacy.

Apart from possible biometrics collection, it is Facebook that now decides how do you behave and what to grant you for your behavior. Like Santa for adults.

Maybe it’s time to open your eyes and see that there is no Santa since 1984?

I want to create a library for generating photos of computer-generated faces
https://petapixel.com/2017/11/07/ai-creates-photo-realistic-...

Tadaa. Another pointless privacy invasion that only affects the fair and honest.

Hmm, this wouldn't help you defeat the system at all, unless I'm missing something. What you need is a model to generate photos of your face.
FB is most likely trying to ward off spammers with this idea. Generating unique faces per spam-bot is easy now, for sophisticated spammers, then for every spammer in a few months. The poster is trying to say that this FB effort won't work well and is already only adversely affecting the most stupid and trusting.
Good point, I was only considering the case where FB uses this technique to verify an existing user's identity using facial recognition (which seems like a "logical" use case).

I missed the part where they said they might use it for account creation as well (which makes less sense and seems like a pretty baroque, intrusive and ineffective captcha).

Facial verification, together with cell phone number, which requires an ID to purchase, has been the standard practice for internet companies in China for a while now, e.g. for WeChat, Alipay, etc.
Last paragraph of the article:

"The new authentication scheme is the second in recent weeks that relies on photos. Earlier this month, Facebook asked users to upload nude photos to Facebook Messenger, as part of an effort to prevent revenge porn. Facebook said it would use the nude photos to create a digital fingerprint against which to compare future posts."

Wait what? I had to check whether today was April 1st.

I couldn't believe it. This is the most absurd thing I have ever heard.
It really does seem like something an elite private club would do to get a laugh out of fooling the proles while smoking a cigar and browsing the pictures.
> they "trust me" ... dumb f*cks
It's more like oblivious high-paid product managers and devs who can't fathom why people wouldn't trust Facebook or that Facebook might not be a purely beneficial organization.
I think you've completely missed the point here.

Teenagers who have naked photos in the possession of their peers need a solution for preventing dissemination.

And so if you're in this situation trusting Facebook is by far the lesser of two evils.

How is Facebook legally able to solicit child pornography? Because it sounds like that's what they're doing.
Sexting is quite common about young adults and so is the subsequent sharing of those photos. Being able to stop that from happening is incredibly valuable.

I am just surprised Facebook didn't instead look at a way of running these image hashing algorithms on the device instead.

I think they look for modifications of the photo as well so a cropping/tilt/text overlay/etc would still be flagged. Their model might require per-processing beyond what they can or want to deploy on-device.
There is a much better way to stop it happening.
And that would be what, exactly ?
Not sure how I feel about it still, but this article doesn't really accurately portray the service. From the source linked by the Wired article [1], this is specifically intended to prevent a nude photo from being shared maliciously when a user has reason to believe that it will be. They then voluntarily upload the image to Facebook which uses the digital fingerprint to prevent it from being reposted either in its original form or with slight modifications. It's always completely voluntary, Facebook is certainly not requiring or even really encouraging average users to upload their nudes.

[1] - https://www.theverge.com/2017/11/9/16630900/facebook-revenge...

I don't see how that makes it better.
Presumably, you would do this after Facebook already has a copy of the nude -- uploaded by the attacker/malicious ex.

If you want Facebook's computers to automatically take down any copies of the photo, yes, you're going to have to trust them with a copy of it.

Automated DMCA takedowns of copyrighted music and movies work in very much the same way.

> yes, you're going to have to trust them with a copy of it.

No. They could have you compute a fingerprint locally without uploading the image itself, preferably through some audited open source software, without auto-updates. They only don't do that because they want to guard their image hashing as corporate secrets.

No, Facebook's side needs to verify that the image is you, and that you're not just hashing a photo of the McDonald's logo.
they can verify that after they have found a match.

if there is no match you gave them no data of interest. if there is a match then they already have that image anyway and you didn't make your privacy situation worse, except maybe telling them that you claim that is you, now allowing them to associate more images was you, but that's probably an acceptable tradeoff if there is actual revenge porn of you out there.

It's not a simple hash. From Alex Stamos: “There are algorithms that can be used to create a fingerprint of a photo/video that is resilient to simple transforms like resizing.” That doesn't make it clear that they are making use of the powerful classifiers that Facebook has, but it's clearly not md5, either.

Regardless, I think your point stands.

They could also combine locally computed perceptual hashes of the unwanted images with face recognition of already uploaded regular images on the profile. That combination makes it even less necessary to send nudes to facebook.
If they already have the image, then you don't need this system.

If they don't have it, but are doing verify-after, then the image won't actually be blocked right away. The proposed system would be of pretty marginal value. Some value, yes, but low enough that facebook decided it wasn't worth building that system.

You can't avoid having a tradeoff somewhere.

Presumably it’s both; hashing like this is fairly trivial to break if you can access the code.
If the recognition is done by autoencoder network as I suspect, then generative adversarial network could break it easily.
> compute a fingerprint locally

one downside: i think this could allow a bad actor to directly observe the fingerprinting and assist in developing a method to defeat it.

Trusted third parties.

That's what is missing from the internet, generally speaking. Services like public notaries. That's kindof what CAs provide. But there are a lot of similar services that could exist for things like this.

Or the attacker could just post the image elsewhere.
Or presumably an attacker could just slightly modify the image, and trick whatever CNN Facebook is trying to use into thinking it's not the same photo.
…a process which would be much easier given a local copy of the fingerprinting algorithm.
This is aimed at non-technical users. If we're lucky, maybe like 1% of users will be able to figure out how to do that. Not to mention all of the other issues with it mentioned below.
Well in that case it actually makes sense. They can fingerprint the photo and then automatically remove it.

Though really would be better to fingerprint all removed photos and automatically prevent any matching photos from being uploaded.

Do you have a better idea? I don’t.
Hash your copy of the nude image client side, and upload the hash only? Seems like a way better idea to me.
A hash would only match an identical file, right? It sounds like image recognition is used here to catch derivatives of the original file, which a hash wouldn't catch.
I think it would be easy to create multiple hashes (reverse, flipped, etc...) and upload them all and look for matches. Provide the users with image recognition signature creating software (which is exactly what they are going to do) and let the users do it, vs uploading extremely personal and potentially embarrassing images to strangers on the internet.
How about recompressed, resized, photoshopped, format-converted... a filter against trivial transformations like transposition is worthless.
tough problem sure, but sending nude photos to a morally questionable company is not remotely close to the best solution to this problem.
If someone has your nudes and intends to share them I think blocking them only on Facebook and not anywhere else is not productive.

You should just post the nudes yourself IMHO and be done with it.

^High School (and below) sure would be interesting /s

I imagine for most people in most situations regarding their* unwanted explicit media being published, the opposite is true i.e. Facebook(social media) is the worst place for it to be

then don't send them, but don't complain about facebook allowing your nudes to be posted. I don't think Facebook is going to open source their image recognition algorithm just because you want it to.

You do have a choice, use the service or not. If I ever found out a nude picture of me was leaked, I'd definitely trust FB more than whoever took it and leaked it in the first place. The whole point of the service is pretty much: your picture is already or about to be out there.

It's called a perceptual hash, and there is a lot of research in this area.
There are specific (non-cryptographic) hashes which are built to compare equal for equal data, and to be similar for similar data (for different metrics of similarity). It's a somewhat esoteric subject, but it's a thing.
The "hash" would have to be non-reversible. When we compare images based on content, afaik we transfer them into a vector space and measure distance. Do we really have tech to make and compare such a content representation in a non-reversible way? That sounds like a lot to ask for tech that seems still in active development.
All hashes are non-reversible. Being one way is one of the characteristics of a hash. Depending on how effective it is, there may be collisions possible. This is kind of happened with previously common hashes like md5 where people were able to break it by generating collisions.

But basically saying “as long as it is unreversable” is redundant unless you think there’s some reason to think the hash sucks.

If your hash is smaller than the (compressed) image itself, then you have information-theoretical loss; there is no possible way to reverse the operation. And these hashes are usually much smaller than the original.
Good thing most people know how to make a hash.
We have "día de los inocentes" here, but it ain't that day either!
There was a thread about this on HN -- too lazy to look it up now or repeat some of the longer comments about it. But going into this assuming that FB has no ill-intentions, FB's proposal seems by far the best solution in a world of ugly and terrible solutions.

For starters, it's intended for victims of revenge porn, which is a fairly extreme category and one in which the harassment is distinctively aggressive and virulent. Because if it weren't, the way FB deals with abusive content generally would seem to be good enough. If you come into this thinking that FB is asking everyone to upload their nudes for "safekeeping", then you've missed the point.

Secondly, it's hard to think of an implementation that wouldn't create a potential disaster that justifies doing anything special for revenge porn victims. Using the Facebook app is the most secure channel for sending FB the photos because it is a secure app that all FB users know how to use. Having the user hash on their own requires either an external app or website.

I don't think it needs to be said how such ancillary applications can be spoofed. Even if only 0.5% of users are dumb enough to fall for these spoofs, each incident would be a complete fucking disaster, for the victims and for Facebook.

As for the prospect of FB owning people's nudes. Again, in the case of revenge porn victims, the horse is already far from the barn. If we assign the worst of motives to FB, that it's a way to secretly collect nudes from users. Again, horse, barn. This secret process would be less efficient by magnitudes compared to what FB can already do today.

FB has a no porn policy so wtf do you have verify you are you to get a revenge porn picture removed?

"We remove photographs of people displaying genitals or focusing in on fully exposed buttocks. We also restrict some images of female breasts if they include the nipple, but our intent is to allow images that are shared for medical or health purposes. We also allow photos of women actively engaged in breastfeeding or showing breasts with post-mastectomy scarring. We also allow photographs of paintings, sculptures, and other art that depicts nude figures. Restrictions on the display of sexual activity also apply to digitally created content unless the content is posted for educational, humorous, or satirical purposes. Explicit images of sexual intercourse are prohibited. Descriptions of sexual acts that go into vivid detail may also be removed." https://www.facebook.com/communitystandards#nudity

It might prevent them from being sent in the first place. If it matches a fingerprint photo, the message stops. It's especially important in revenge porn scenarios where you don't want it seen by anyone, and even the short amount of time between report and take down can have a lot of views.
This is for FB messenger, not FB posts. Messenger has no such rules for no pornography. Plus, this allows them to be proactive, rather than waiting for people to report posts.
I've never been a revenge porn victim but I think you might oversimplify the problem. For instance, if a former lover of mine has nude photos of me and distributes them to other people in private channels, I'm not able to even see them to report them. And that's just a one-time stoppage of the harassment.
FB removes pornographic content, but it doesn't always do so proactively.

If a user shares pornographic content, it may be visible on the site for a short period of time before the content is removed by Facebook.

The goal of the initiative Facebook was attempting to implement was to prevent any revenge-porn photos from being shared on the website at all. Even for a brief period of time.

From a user's standpoint, one hour of pornographic content available is disturbing but not catastrophic. However, one hour of images of pornographic content of themselves being shown to their friends and family is catastrophic.

I find the concept quite strange.

It's kind of like having the police live at your house because 'just in case'.

I realize this is a late reply, but I just saw this today.

I think the idea isn't that this is a "just in case" service. More like, if someone sends you a message that they've got compromising photos of you and will release them unless you pay $XX,XXX then you would use the service.

In the analogy, it'd be more like having the police live at your house after having a credible threat made against your life. Which is a thing that happens

Fingerprinting a photo to detect copies is much easier than accurately classify what is and isn't 'pornographic' content.

Classification is a harder problem to begin with, and 'pornographic' is a subjective judgement.

I disagree:

- It sets a precedent for uploading nude photos to FB and for them asking for it.

- You need to trust FB to delete the photos when they receive it. Yes, I understand that they probably will, but really, how many systems are those bits going to touch? How many logs are going to have this information? Can you be really sure?

A better implementation would be for the FB client to hash the file and for the hash to be uploaded. Trust issues are still there but at least mitigated to devices that you have some control over.

Evil users that hash legitimate photos can be overcome with the same review system that is being tested today.

> - It sets a precedent for uploading nude photos to FB and for them asking for it.

Before we reduce this to a slippery slope, what scenario do you envision in which FB could coax its userbase to upload nude photos? I know the OP is about taking a selfie to prove existence. What would FB use as the basis to mandate the general user to send a self-nude?

> You need to trust FB to delete the photos when they receive it...can you really be sure?

No, never, of course. But that's why I point out that FB already has this potential vector of attack. Every time a user flags content for abuse, that is logged and presumably a copy of the asset made for manual verification. Nevermind all the sensitive content millions of users everyday send across Messenger or private groups.

> A better implementation would be for the FB client to hash the file and for the hash to be uploaded.

If the image is hashed before it reaches FB servers, then it gives every user the power and impunity to attempt to censor via a Content-ID like approach.

> Before we reduce this to a slippery slope, what scenario do you envision in which FB could coax its userbase to upload nude photos?

The one where FB asks its userbase to upload nude photos[0].

[0]https://news.ycombinator.com/item?id=15651710

That's exactly the topic we're discussing now. Sorry, with "userbase" I meant "general userbase". This initiative they're proposing -- in coordination with a safety group in Australia -- is aimed at revenge porn victims. The general userbase of Facebook aren't in that group.
I don't think there's any appropriate time for FB to request nude photos of their userbase. I don't understand why you think I should explain this.
They aren't "requesting" it. The service exists for a specific reason, and is exceptionally optional.
> If the image is hashed before it reaches FB servers, then it gives every user the power and impunity to attempt to censor via a Content-ID like approach.

Another commenter makes a good point that you could still have a human verify the first time a provided hash matches an image.

In the current setup, there is a human that verifies the image to be hashed is a nude photo instead of the McDonald's profile picture. In the proposed setup, you wait until a hash matches the photo and then have a human verify if it's pornographic content.

The main obstacle that I can think of is: where does that hashing get done? Is it a feature that can efficiently be part of the phone app? Keeping in mind that this is a feature that would only be used by a very, very small part of the general userbase.

Let's assume that it is possible, the other issue that might come up is that the system is still suspect to a sort of denial of service attack, in which a group (for whatever reason) floods FB with purported sensitive images, and FB is flooded with constant takedown requests to review.

The attack against the uploaded hash approach fails with default-deny, which seems like a good thing for users.

The current implementation can be attacked by uploading thousands of legitimate images delaying takedown requests - therefore any images that should be taken down will stay up longer.

I'll agree that whatever approach FB is doing to hash the photos may not work on a phone for technical reasons, but given FB's resources I'm not sure how far that argument really goes. But consider this - if you truly, deeply cared about user safety and privacy, would you implement this feature the same way?

> The current implementation can be attacked by uploading thousands of legitimate images delaying takedown requests

How would that work, exactly? A user uploads hundreds of fraudulent images to FB's revenge-porn-abuse queue. At some point, the human who verifies whether the image is legit is going to realize that the user account is fraudulent and then disable the account.

If images are hashed, FB has no way to know if a user who is uploading hundreds of hashes is a malicious user or is actually an incredibly unfortunate revenge-porn victim. And the price for being wrong is extremely high. Maybe it's possible for FB's auto-detection system to be robust if the hashes it has to scan for is now several orders of magnitude than ever expected, making this all a moot point. But I can't imagine that the system scales with no penalty.

> But consider this - if you truly, deeply cared about user safety and privacy, would you implement this feature the same way?

The wording of your question implies a false dilemma, and I think reveals how different the premises you and I have about it. What exactly about Facebook's implementation of this feature makes it any less safe for users and their privacy than not having the feature at all? When a user sees and reports an abusive image of themselves -- that photo and that user, and that user's connection to the photo are already in Facebook's system".

Every fear there is about this data being exposed to malicious human workers, or that FB is trying to harvest sensitive images for nefarious means -- that risk has always existed. How do you think abuse-takedown requests are currently handled?

So if my argument is accurate, that an evil-pervy Facebook wants to do a mass collection of sensitive/comprising images of its user, all the infrastructure and dataflow is already in place, then this revenge-porn initiative does nothing to make that process more efficient. Even worse for pervy-Facebook, the initiative's very existence, nevermind announcing it, reminds the entire world again that holy-shit-think-of-all-the data-Facebook-has-on-us-including-our-sexy-times -- which is generally the kind of PR you want to avoid when you're conspiring to mass-harvest illicit imagery and data.

And let's be real here: Facebook doesn't have to do anything special for revenge porn victims, in the way that the Postal Service isn't obligated to open everyone's mail to make absolutely sure there's no child porn being sent -- the act of prevention ends up causing far more harm to all users than it benefits the comparatively small number of potential victims.

The status quo seems to be to do nothing until reports come in, which is OK for most situations but inadequate for the kind of attack vector that revenge-porn victims suffer. Facebook could have accepted that, as everyone else does, but invested time/resources into coming up with a technical solution that only benefits a very small but high-suffering part of its userbase while not increasing invasiveness (FB already autoscans the content of user messages, including with the use of PhotoDNA [0]).

Call me Pollyannish, but I don't see this instance as yet another time of Facebook being heartless and devious.

[0] http://www.businessinsider.com/facebook-google-and-microsoft...

^This

They could jump straight to using ml and ai and the future where only you are in charge of who sees your FacebookEroticExpressions™ on any platform, all across the cloud!

But in the mean time they should probably tell her/him/them if they use the method that already exist to upload them we can use the method that already exist to have them gone in time for recess/study hall/wedding day/when Congress resumes/his state of the Union Address this evening/etc.

Also, if you just give us the other ones that undoubtedly exist we can nip this whole thing in the bud right now.

> Before we reduce this to a slippery slope, what scenario do you envision in which FB could coax its userbase to upload nude photos? I know the OP is about taking a selfie to prove existence. What would FB use as the basis to mandate the general user to send a self-nude?

Phishing attacks against users that this feature is supposed to protect are more likely to succeed.

Can you elaborate? People are worried (rightfully so) that this feature requires uploading via the Facebook Messenger App. But this means they don't have to visit a URL or download another application.
They don't necessarily know that. Imagine you've used this FB feature in the past. You get a mail from @facebookrnail.com that tells you you can just email them the photos without even opening the app now! Well isn't that convenient.

Now, it's fair to say that even in a technically safer implementation where the photos never leave the device, many users can't tell the difference, so this point doesn't hold a lot of water.

Still, I think making the uploading of scandalous photos to FB is a dangerous precedent to set in general. Will other services and startups that have users suffer from the same problem implement this feature in the same way, and guarantee user safety and privacy? That's a pretty high bar.

> - It sets a precedent for uploading nude photos to FB and for them asking for it.

umm, no. If I understand correctly, the user believes that their nude may end up on FB. The user takes initiative to upload their copy of the nude to FB to prove ownership or damages.

Could a hash be tricked if the offender slightly modified the file, or even changed the format?
https://news.ycombinator.com/item?id=15651710

https://news.ycombinator.com/item?id=15648080

https://www.google.com/search?q=ycombinator+fb+revenge+porn

> too lazy to look it up now

People doing this frustrates me greatly. You had to type 30 key strokes. ⌘+t "ycombinator fb revenge porn" ↵ and paste the results back. How many people are going to read your comment? Maybe 10% of them want to read those links. You spared yourself a trivial amount effort by offloading it to tens or hundreds of others.

I wish people would provide links and source what they say more often. Maybe more discussion sites should let others suggest edits, like on stackoverflow. We could save some of that wasted effort.

Now do that on mobile, with a slower, cramped keyboard, and poor multitasking. Not everyone matches your system.
If would be kinda cool if HN were to start working on an algo to find those links automatically (a "possibly related" section at the top, for instance).
HN really isn't a good example of modern software or good UX tbf.
Totally agree. But this seems like it's something up their alley.
I sometimes misunderestimate how long it'll take me to write out my thoughts or how much time I'll have before I need to get back to work. By the time I finished my comment I realize I wrote enough for the comment to be a fleshed-out enough argument; anyone wanting to see those past threads could look them up if necessary. I guess I could have saved you some angst by jumping up to the top of my comment and removing the sentence about me being lazy.
> ... it's hard to think of an implementation that wouldn't create a potential disaster that justifies doing anything special for revenge porn victims. > ...Having the user hash on their own requires either an external app or website.

What? Why can't the hashing take place in the FB Messenger app on your phone? Why does the picture need to be uploaded to FB's servers? That just goes to what Troy Hunt was saying earlier today in his testimony to Congress about how corporations are collecting data that they shouldn't even want to have. They should collect only the hash from your phone, not the picture. The hashing should be done locally to your device.

Same, I literally scrolled back to the top to make sure it wasn't The Onion. How was this not bigger news?
While this totally blows my mind, I can see how those a decade younger might not bat an eye, they might have sent digital nudes in the past, or even have one on the phone. A decade younger than that (late teens), and they might be so impatient about having to upload a digital nude, they just wonder why you can't just use one of the ones they sent last week. The difference in how the generations view technology and digital exposure in vast. "Sexting" came into the public consciousness as a common term almost a decade ago, but that's just when it was publicly popularized.

I mean, I consciously think about every time I actually give a close approximation on my age in a public forum (like I did above), and make a call on whether it's needed or not. I feel like a dinosaur because of it sometimes, but I also feel like there's only so much privacy you're allotted, and once it's lost, there's really no getting it back. :/

In context of Zuckerberg’s “They trust me, dumb fucks” comments, the invitation to upload nude photos seems especially alarming.
misrepresents the idea of the service. It's supposed to tackle the 'revenge porn' issue. If someone sees their own nudes show up on facebook, they can send a picture to facebook, which I assume get's fed into an image detection service that then tries to remove the already circulating nudes automatically.
There are way better and safer and less invasive ways to provide this service than uploading a personal photo to a 3rd party website.
> There are way better and safer and less invasive ways

in theory or in practice? do these ways have other caveats?

The only safe way is to not take nude pictures in the first place.

What does this FB thing protect against? In practice? Upload the images as a zip file, message "hi, here's X in the nude, remove all fruit from htappletp://linkbananashortener.copearm/84395708345643785 and use "theytrustmedumbzuckerbergfucks" minus the FB founder as password". Yeah, it's a hurdle, but those who want to see the images will take it in a heartbeat, and abusers can still do things like message all mutual "friends", right there on FB. So you gained nothing, and pre-emptively gave FB your nude photos.

Besides, Barrin92 said "If someone sees their own nudes show up on facebook" -- well, nude images aren't allowed on FB anyway, are they? So if you or anyone else can see them, if they're not posted in a private group or private messages, you can just report them, no need to even give away that it's you in them. Then what would stop FB from generating perceptual hashes of these images and removing them site-wide and in the future?

There's so many holes in this that I can't really get mad on behalf of the people who fall for it.

This is the right answer. If FB is going to automatically remove revenge porn, and all porn is forbidden, then they should just automatically remove all porn. They don't need specific porn to remove all porn.

This reads more like a gullibility challenge than a true rationale.

Facebook doesn't allow porn, so reporting it should be sufficient.
Can someone explain if / how this prevents someone from just changing a single pixel and thus circumventing the hash? Are they using some kind of probabilistic hashing? Or are they just relying on the offenders to not be so clever?
To be fair the type of people who are sharing naked photos via Facebook aren't likely to be all that technologically sophisticated to enough understand hashing.

Pedophiles would be using something encrypted and anonymous anyway.

> Pedophiles would be using something encrypted and anonymous anyway.

Except for the ones who apply for a job reviewing the nudes Facebook is collecting, anyway.

That's so ridiculous it could have been written by The Onion.

Facebook has absolutely no businesses to store nude pictures of their users.

They don't. They store a perceptual hash, which can't be converted back into the original photo.
So you hope. But you have to upload your picture first. If they were serious about this they would allow you to compute the hash locally and then only to upload the hash.

Note that they explicitly state that a human will look at the image and then hash it. So they are storing it at least for a while. And you will not be able to verify whether they really delete it or not.

> allow you to compute the hash locally

presumably an attacker will just use the local process to observe and develop a method to defeat it.

that said, perhaps such a methodology would require extra effort on the part of a revenge porn perp, so it might reduce the occurrences.

> presumably an attacker will just use the local process to observe and develop a method to defeat it.

If they can do that then the whole method fails anyway.

Besides, I think the set of your average revenge porn idiots intersected with those that are capable of defeating the hashing scheme in order to do their dirty deed is going to be exceedingly small.

> If they can do that then the whole method fails anyway.

i'm not that sure. the memory of any application can be observed, which means the process of fingerprinting - whatever it is - can be observed. executing the process enough times with a range of inputs will provide a load of analyzable data, via recording the transformation of bytes.

this is (loosely) why basically all software can be "cracked" and drm methods defeated.

> intersected with those that are capable of defeating the hashing scheme

they don't really have to, much. think of the attackers as software crackers/warez groups, and the perps as visitors to pirate bay. you don't need to know how to break drm to download cracked software, or use nefarious push-button software. there might even be (possibly illicit) business opportunities here.

Fair enough, but when weighed against the risk of a FB employee going rogue and making copies of those files or FB 'accidentally' forgetting to wipe your images I'd take my chances on this uber elite perv and would not upload my stuff to FB.

This all of course besides the best defense against all of this: do not create such images in the first place and do not allow others to create them.

"They trust me, the dumb fucks." - Mark Zuckerberg
This is ridiculous. I mean, so many angles...

Can't they just train their system to do whatever it is they propose that it do in response to alleged revenge porn, but with any nude image/nude images generally? Will their system prevent the propagation of revenge porn videos?

basically it's "don't worry, people will review the image, but they're 'specially trained' "

when will people stop using facebook?

They say they will permanently delete it off of their servers, but the numerous cases where they lied about deleting account information doesn't exactly engender a feeling of trust.
A friend does HW for Seagate servers and has talked a bit about the 'math' of servers. The reality is the FB may or may not delete the pics, no matter what they think they really did. With the amount of servers they utilize, one is failing about every second, permanently erasing all the data on it. Yes, back-up servers, and copies of the data. Still, a lot of data is getting trashed every second. So, they may be trying to weasel these pics, but do not trust that they are smart enough to get around the hard facts of server decay. If they are being honest, then there is still no way to determine if some back-up somewhere actually is storing the data, despite their best efforts. The code stack for something like FB is so huge, there really is no way of knowing where a piece of data is or isn't. Kafka would be beaming at it's absurdity.

In addition, they also have a lot of 'fresh' servers out there, spinning about for months, not being written to, as some algorithm works it's way around using the fresh servers. These also fail, having never been used. Seagate does not mind when companies like FB do this nonsense.

(comment deleted)
S C A R Y

C

A

R

Y

Oh boy, what's bound to be another thread full of "delete your Facebook", the new and improved "I don't own a television" statement. Good for you, some of us actually appreciate the utility value from having a place to plan events and ensure people actually see that sort of thing. That said, this is a completely nonsense "solution" when there's plenty of other ways to perform verification that don't do double duty of implementing facial recognition tech to ensure we get to the dystopian tech hellscape sooner than later.

Wow, didn't take long for the downvote brigade to show up for having a contrary opinion to the herd on this one.

>Oh boy, what's bound to be another thread full of "delete your Facebook", the new and improved "I don't own a television" statement.

Maybe you're being downvoted because this statement is just as cliché, if not moreso (given the amount of FB users vs non FB users) than the "delete your FB" cliché

> there's plenty of other ways to perform verification

I'd love to hear more about this.

I have long thought if I'm missing anything by not perusing Facebook event pages or anything. Fortunately within my interests (hifi audio, local jazz, photography and computer special interest group meetings) they all still operate within self-hosted forums or blogs and not in facebook.
Just upload a picture of one of the millions of people that haven’t cleared this hurdle yet and the problem is on somebody else’s plate.
This is outrageous invasion of privacy. Facebook must die.