At Black Hat, a researcher showed how facial-recognition could link passers-by to Facebook profiles
Using off-the-shelf facial-recognition software and students’ photos posted on Facebook, Alessandro Acquisiti, a CMU researcher, showed attendees at the annual Black Hat security conference how he was able to positively identify 30 percent of students walking around campus.
Acquisti also searched dating sites for users within 50 miles of a zip code and correlated them with approximately 110,000 Facebook profiles of users who also lived in that same area. The cloud-computing cluster at CMU obtained results in 15 hours and was able to positively identify 10 percent of the users on online dating sites, according to Acquisiti. Narrowing the geographic area increased the match rate.
Acquisti also combined the results with his previous research on predicting Social Security numbers and found he could guess within four tries the correct number for 28 percent of the subjects.
“The goal here is not to generate fear, but we are very close to a point where the convergence of technologies will make it possible for online and offline data to blend seamlessly… and for strangers on the street to predict certain information about you from your picture,” Acquisti said.
As more services include facial-recognition capabilities and as developers can create applications using the technology, the privacy implications are staggering, Acquisti said. Law enforcement officials can use publicly available information and government databases to compile detailed information dossiers on everyone in the country. These applications can be used on pictures of crowds at protests and demonstrations, creating a new form of crowd control.
Someone can snap photos of people at a public event and an application can cull through publicly available information on social-networking sites to identify these strangers and their friends, and list their likes and dislikes. Or online dating sites become no longer anonymous as the technology would be able to identify people by the photos.
De fact Real ID
“Notwithstanding Americans’ resistance to a Real ID infrastructure, as consumers of social networks, we have consented to a de facto Real ID that markets and information technology, rather than government and regulation, have created,” Acquisti wrote in his report, titled “Privacy in the Age of Augmented Reality”.
Google developed this kind of technology and withheld it because it was deemed to be too dangerous to release publicly, former chief executive Eric Schmidt had said.
“That genie is already out of the bottle,” Acquisti said.
Facebook has made it easier for people to tag their friends, and there is no way for users to opt out of getting tagged. Security experts have long said Facebook should allow privacy-conscious users to have a one-click option to stop tag-happy friends, instead of having to manually un-tag every instance.
Facebook also integrated facial-recognition technology into the social-networking platform to auto-suggest users to be tagged in photos. As all things privacy-related in Facebook, all users were included in the recognition database by default.
The researchers said the technologies will soon “democratise surveillance”, as sinking costs make peer-to-peer facial recognition cost effective and available to everyone.
German data-protection officials recently requested that Facebook disable its facial-recognition software and delete any previously stored data. Making facial-recognition technology opt-out runs afoul of European and German data-protection laws, John Caspar, Hamburg, Germany’s commissioner for data protection and freedom of information, said in a letter to Facebook on 2 August.
If Facebook does not comply with the request, German authorities would take action and the company could face fines of up to $425,490, or 300,000 euros (£180,000), Caspar said. Germany takes online privacy much more seriously than many other countries and its laws generally restrict photographs of people and property, except in public places, such as a sporting event, without a person’s consent.
“The legal situation is clear in my opinion,” Caspar told German newspaper Hamburger Abendblatt. “If the data were to get into the wrong hands, then someone with a picture taken on a mobile phone could use biometrics to compare the pictures and make an identification,” Caspar said.
Such a system could be used by undemocratic governments to spy on the opposition or by security services around the world. “The right to anonymity is in danger,” said Caspar.