Online anonymity is dead, according to a Black Hat presentation, in which researchers demonstrated how facial-recognition technology could be used to link strangers on the street to their Facebook profiles.
LAS VEGAS - A Carnegie
Mellon University researcher used Facebook photos to demonstrate how facial-recognition
technology can be used to identify people as they walk down the street.
Using off-the-shelf facial-recognition
software and students' photos posted on Facebook, Alessandro Acquisti, a CMU
researcher, showed attendees at the annual Black Hat security conference how he
was able to positively identify 30 percent of students walking around campus.
Acquisti also searched
dating sites for users within 50 miles of a zip code and correlated them with
approximately 110,000 Facebook profiles of users who also lived in that same
area. The cloud-computing cluster at CMU obtained results in 15 hours and was
able to positively identify 10 percent of the users on online dating sites,
according to Acquisti. Narrowing the geographic area increased the match rate.
Acquisti also combined the
results with his previous research on predicting Social Security numbers and
found he could guess within four tries the correct number for 28 percent of the
subjects.
"The goal here is not to
generate fear, but we are very close to a point where the convergence of
technologies will make it possible for online and offline data to blend
seamlessly ... and for strangers on the street to predict certain information
about you from your picture," Acquisti said.
As more services include
facial-recognition capabilities and as developers can create applications using
the technology, the privacy implications are staggering, Acquisti said. Law
enforcement officials can use publicly available information and government
databases to compile detailed information dossiers on everyone in the country.
These applications can be used on pictures of crowds at protests and demonstrations,
creating a new form of crowd control.
Someone can snap photos of
people at a public event and an application can cull through publicly available
information on social-networking sites to identify these strangers and their
friends, and list their likes and dislikes. Online dating sites would also no
longer be anonymous, as the technology would be able to identify people by their
photos.
"Notwithstanding Americans'
resistance to a Real ID infrastructure, as consumers of social networks, we
have consented to a de facto Real ID that markets and information technology,
rather than government and regulation, have created," Acquisti wrote in his
report, titled "Privacy in the Age of Augmented Reality."
Google developed this kind
of technology and withheld it because it was deemed to be too dangerous to
release publicly, former CEO Eric Schmidt had said.
"That genie is already
out of the bottle," Acquisti said.
Facebook has made it easier
for people to tag their friends, and there is no way for users to opt out of
getting tagged. Security experts have long said Facebook should allow
privacy-conscious users to have a one-click option to stop tag-happy friends,
instead of having to manually un-tag every instance.
Facebook also integrated
facial-recognition technology into the social-networking platform to
auto-suggest users to be tagged in photos. As with all things privacy-related in
Facebook, all users were included in the recognition database by default.
The researchers said the technologies
will soon "democratize surveillance," as falling costs make peer-to-peer facial
recognition cost-effective and available to everyone.
German data-protection
officials recently requested that Facebook disable its facial-recognition
software and delete any previously stored data. Making facial-recognition
technology opt-out runs afoul of European and German data-protection laws, John
Caspar, Hamburg, Germany's commissioner for data protection and freedom of
information, said in a letter to Facebook Aug. 2.
If Facebook does not comply
with the request, German authorities would take action and the company could face
fines of up to $425,490, or 300,000 euros, Caspar said. Germany takes online
privacy much more seriously than many other countries, and its laws generally
restrict photographs of people and property taken without a person's consent,
except in public places, such as a sporting event.
"The legal situation is
clear in my opinion," Caspar told German newspaper Hamburger Abendblatt.
"If the data were to get into the wrong hands, then someone with a picture
taken on a mobile phone could use biometrics to compare the pictures and make
an identification," Caspar said.
Such a system could be used
by undemocratic governments to spy on the opposition or by security services
around the world. "The right to anonymity is in danger," said Caspar.