Are images uploaded to facebook though? Or are the face features extracted on the device? It's one thing to upload every picture in full to FB, but it's another to upload only a feature vector to Facebook.
What if the entire recognition pipeline happened completely on the device without any data being sent to Facebook?
Even if you have 1,000 friends, it might not be a huuge deal to download a gallery of 1,000 models to compare to.
Of course, we can't be sure how this system works without the source.
Like you've ever met a developer who would risk the extreme likelihood of platform incompatibilities across a disparate menagerie of hardware platforms and mobile devices, instead of simply base64ing some images and JSONing them into a restful webservice, where they gain explicit control of the computation environment, and get to conveniently crawl the entire dataset in a high availability data center.
As if you've ever met anyone who would trade that, in favor of re-developing the same features 20 times for 20 different compiles, and risk the inability to deploy those builds to unreliable nodes, across throttled mobile contract pay-as-you-go bandwidth, to achieve a goal that doesn't align with the company's bottom line. As if you've ever seen any company anywhere do that... for privacy.
Most large app developers share common source code for all of their platforms, so I don't buy your argument about platform compatibility. It's the same reason why the Facebook native app and Messenger are native apps rather than a simple UIWebView.
I also think that uploading tons of photos is going to be very hard on the "throttled pay-as-you-go bandwidth contracts" that you mention. It certainly sounds much more expensive than shipping a binary patch once in a while.
You bring up privacy, so let's explore this topic a little. I disagree that privacy inherently conflicts with a company's bottom line. Some Fortune-500 companies treat privacy as a desirable goal because it increases the perceived value of their business.
As one example, let's compare to Apple's public privacy statement[1]:
> We also refuse to add a "backdoor"
> into any of our products because
> that undermines the protections
> we’ve built in. And we can’t unlock
> your device for anyone because you
> hold the key — your unique password.
See also Tim Cook's statement[2]:
> Finally, I want to be absolutely
> clear that we have never worked
> with any government agency from
> any country to create a backdoor
> in any of our products or services.
> We have also never allowed access
> to our servers. And we never will.
Elsewhere:
> Apple has no way to decrypt iMessage
> and FaceTime data when it’s in transit
> between devices. So unlike other companies’
> messaging services, Apple doesn’t
> scan your communications, and we
> wouldn’t be able to comply with
> a wiretap order even if we wanted to.
This is what Apple wants you to believe: that they take privacy seriously enough to go out of their way to implement it. Facebook has never, ever tried to strike that chord. With their reputation, Facebook knows the public would never buy it.
The comparison isn't very far-fetched. Like Facebook, Apple also deals with biometrics. Rather than face recognition, they use fingerprint recognition. Do they upload fingerprints to Apple's servers? Or, despite your claims of impacting the bottom line, do they do the recognition on the device? Here's their official statement[3]:
> This [fingerprint representation]
> is stored in a Secure Enclave within
> your phone’s chip, and is never
> accessed by iOS or other apps,
> never stored on Apple servers,
> and never backed up to iCloud
> or anywhere else.
Maybe these claims are true. Maybe they aren't. However, you must admit that it makes good business sense for Apple to make these (strong) privacy claims. They're setting a very good precedent here -- one that I sincerely hope Facebook chooses to follow.
If Facebook wants to win these kinds of brownie points with their customers, maybe they could write a statement like this:
> Facebook knows that the photos you choose not
> to share are deeply personal to you. That's
> why we take special steps to keep them that
> way. If you choose not to share a photo in
> your camera roll, it will never be sent to
> Facebook.
But they can't even try to pull this off if people see encrypted blobs flying across the wire every time they click the shutter button.
So. From a privacy perspective, it makes good business sense to implement the recognition pipeline on the device. And Facebook knows they could win back some public trust by doing that. The delicious question is: Is the trade-off worth it? Do the costs you mention outweigh the perceived benefits I mention? I think there were certainly developers on the Photo Magic team who wished it could be this way. It might have even been a close decision. But we can only find out for sure once Photo Magic rolls out to everyone.
Fair enough, maybe the development team for this particular component is much larger than I'm imagining. Maybe I'm being naive about the head count at work behind the scenes on a project like this.
It's not really good news either way though. In my mind this would have been a smaller team, tasked with pulling the data over and then working on it to construct recognition scores, and passing a message back to prompt the user. This would have been a smallish team of 20 or 30, to do it quick and dirty.
For on-device processing, the project grows much more complicated, not just to develop, but also to test and prove end-to-end. So time and human resources are both more costly. And so too, come trade-offs. Network bandwidth, versus device battery/processor/memory resources.
But all of this to push the envelope and solicit the user to expose more data to a for-profit service. Is it really something more convenient? Another nagging reminder, to do something the user doesn't need much prompting for?
The more weight thrown behind these sorts of projects the more curious the motives become.
Good point, I'm assuming things here and should have made that explicit.
It's pretty rare to have this kind of thing done on the device these days, but this example has a trade-off between the app using a lot of battery and using a lot of bandwidth so it's possible something else is going on.
You could probably get a good idea just by monitoring bandwidth usage while this feature is processing a new picture.
Perhaps I'm too used to the standard approach of "slurp everything because the users won't know or care and we can use that personal data to train models/sell/etc." and very biased against Facebook when it comes to privacy issues.
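The bandwidth check suggested above, sketched as an added example that is not part of any comment in this thread: it compares bytes sent in the minute after each shutter press with the idle minute before it, which works even when the payload is encrypted. The flow records, the `.app.example` host suffix, the window length and both size thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    t: float        # seconds since capture start
    host: str       # remote name taken from DNS or TLS SNI
    bytes_up: int   # payload bytes the phone sent on this flow

# Assumed thresholds, not from the thread: a face descriptor of a few hundred
# floats is 1-2 KiB, so 16 KiB leaves room for protocol overhead.
SMALL_MAX = 16 * 1024
IMAGE_FRACTION = 0.05   # assumed floor for a recompressed copy of the photo

def upstream(flows, suffix, start, end):
    """Bytes sent to hosts under `suffix` with start <= t < end."""
    return sum(f.bytes_up for f in flows
               if start <= f.t < end and f.host.endswith(suffix))

def classify(flows, suffix, shutter_t, photo_bytes, window=60.0):
    """Compare upload volume after the shutter with the idle window before it."""
    before = upstream(flows, suffix, shutter_t - window, shutter_t)
    after = upstream(flows, suffix, shutter_t, shutter_t + window)
    excess = max(0, after - before)
    if excess == 0:
        verdict = "no extra upload"
    elif excess <= SMALL_MAX:
        verdict = "small payload (descriptor or telemetry sized)"
    elif excess >= IMAGE_FRACTION * photo_bytes:
        verdict = "image-sized upload"
    else:
        verdict = "ambiguous"
    return excess, verdict

# Constructed capture: hosts, times and sizes are invented for illustration.
FLOWS = [
    Flow(70, "api.app.example", 1100),         # background chatter
    Flow(125, "api.app.example", 1000),
    Flow(130, "upload.app.example", 2_400_000),
    Flow(410, "api.app.example", 3000),
    Flow(415, "cdn.other.example", 900_000),   # unrelated app, filtered out
]
SHOTS = [(120, 3_000_000), (400, 2_800_000), (700, 3_100_000)]  # (shutter_t, file size)

def report():
    return [classify(FLOWS, ".app.example", t, size) for t, size in SHOTS]

if __name__ == "__main__":
    for (t, _), (excess, verdict) in zip(SHOTS, report()):
        print(f"shutter at {t}s: {excess} excess bytes -> {verdict}")
```

A "no extra upload" result only covers the chosen window; an app that batches uploads until later or until Wi-Fi is available needs a capture spanning that period.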