Researchers at the annual Black Hat Briefings in Las Vegas have demonstrated how cloud computing, facial recognition technology, Facebook, a freely available personal information can be used to match faces in a crowd to detailed online profiles.
The demonstration brings us closer to the brink of a Minority Report-style future where marketers, governments and law enforcement use technology to pull back the veil of anonymity that separates our real world and online personas, according to Alessandro Acquisti, a Carnegie Mellon University professor and one of the authors of the report.
The researchers, who presented their findings at the annual Black Hat Briefings in Las Vegas, demonstrated how commercially available facial recognition software can be combined with social network data to match individuals out in public with online personas such as Facebook and dating Web sites, as well as infer additional sensitive information about those individuals, such as their social security number.
The demonstration has huge implications for both commerce and privacy, with applications for brick-and-mortar retailers that “may be enthralling,” but have privacy implications that are “unnerving,” the researchers wrote.
In an interview with Threatpost at Black Hat, Acquisti, an economist who studies the behavioral economics of privacy, said that his research grew out of work he did that led to the publication of a paper in 2009 that showed how publicly information available in Facebook users’ online profiles could be used to accurately infer their social security number.
Following the success of that experiment, Acquisti and his fellow researchers decided to expand the scope of that experiment: looking at how facial recognition, social networking and statistical identification techniques could be used to merge both online and offline data and connect silos of data – for example, between two social networks, using facial recognition.
“I wanted to see if it was possible to go from a face on the street to a Social Security Number.”
Acquisti conducted a number of experiments to test his theory. In one, he used publicly available photos from Facebook to “re-identify” users on other social networks, such as dating sites. In a second experiment, Acquisti and his team asked students walking on the Carnegie Mellon University campus to stop and fill out a quick, online survey. While the students were filling out the survey, Acquisti and his team used a Web cam to take a snapshot of the student, analyzed it using facial recognition technology, then matched in real time, to other photos of that person available publicly online. The survey taker was then asked to identify any photos of themselves that were found. In around 30% of cases, the researchers were able to dynamically retrieve and present other photos of the survey taker during the survey.
Acquisti said that the rapid pace of development in computing are bringing the kind of ubiquitous databases depicted in Stephen Spielberg’s rendition of Philip K. Dick’s short story Minority Report close to realization. For one thing, facial recognition technology has improved tremendously in the last decade, and has now caught the eye of some of Silicon Valley’s largest players. In fact, the facial recognition technology that Acquisti used for his experiments, PittPatt, was acquired by Google in July.
Also, the advent of ubiquitous, elastic cloud computing resources makes it possible and affordable to do large scale facial scan matching in real time, Acquisti notes.
The lessons of the experiment are both intriguing and sobering, he said.
“There’s a blending of online and offline data, and your face is the conduit – the veritable link between these two worlds,” Acquisti told Threatpost. “I think the lesson is a rather gloomy one. We have to face the reality that our very notion of privacy is being eroded. You’re no longer private in the street or in a crowd. The mashup of all these technologies challenges our biological expectation of privacy.”
The rapid evolution of the technology is moving well ahead of policy, though Acquisti said that he sees little movement on that front in the U.S.
“I think the only possible resolution is through policy, but it won’t be easy. There’s an exciting side of face recognition, and I don’t feel like industry self regulation will cover it, but now in the U.S. the debate is framed so that every form of regulation is perceived as bad.” ”