Privacy is a big concern when grouping photographs of people together. Facebook has very complex privacy settings to decide who can see which photos and we need to consider this carefully.
First to be considered is the privacy of the image owner, who may not want his photos tagged. This is solved via the permissions as mentioned in the post “Who is allowed to tag?”.
Next, it must be considered that some users do not wish to be tagged, and these could be opted-out through a simple button on the website, this would show them as disabled when someone attempts to tag them (so that they don’t think it’s just a bug in the software missing them from the list).
Apart from users who have opted out completely, it is also important to ensure that people can only tag other users who they have some relationship with. For the case of etags we will consider facebook friends, twitter “friends” (who you are both following, and being followed by), and other standard definitions of “friends” as being taggable.
When trying to view tags on a photograph, we will follow the Facebook model of showing every tag on the photograph regardless of privacy settings, even to unauthenticated users. This is because managing privacy of showing only some tags on a photograph would be excessively complication. This may change in a future version of the software depending on demand.
When viewing photographs of a particular user, it will be checked that the users are linked by a friendship on at least one social network. This is a very simple model and is not nearly as powerful as facebook. It can be a target of future work to ensure that the privacy model is more complete before releasing the software.
When a user removes a tag of themselves from a photograph, they can not be tagged again on that photograph – this is consistant with the way currently existing tagging systems work.