More Than Facial Recognition

More Than Facial RecognitionMore Than Facial Recognition

Alessandro Acquisti

Tagging your friend in a Facebook photo seems like harmless fun.

But a new study from Carnegie Mellon University warns of potential danger.

When facial recognition software is paired with social media profiles, the risk of identity theft rises.

It is possible, says privacy expert Alessandro Acquisti, to identify strangers and gain their personal information — perhaps even their Social Security numbers — by using face recognition software and social media profiles.

The results of the study are being presented today at Black Hat, a security conference in Las Vegas.

"A person's face is the veritable link between her offline and online identities," Acquisti said.

"When we share tagged photos of ourselves online, it becomes possible for others to link our face to our names in situations where we would normally expect anonymity."

Acquisti is an associate professor of information technology and public policy at the Heinz College and a Carnegie Mellon CyLab researcher.

He and his research team, which included CMU postdoctoral fellows Ralph Gross and Fred Stutzman, combined three technologies to identify individuals online and offline in the physical world.

They used an off-the-shelf face recognizer, cloud computing and publicly available information from social network sites.

Since these technologies are also accessible by end-users, the results foreshadow a future when we all may be recognizable on the street.

Not just by friends or government agencies using sophisticated devices, but by anyone with a smartphone and an Internet connection.

In one experiment, Acquisti's team identified individuals on a popular online dating site where members protect their privacy through pseudonyms.

In a second experiment, they identified students walking on campus — based on their profile photos on Facebook.

In a third, the team predicted personal interests and, in some cases, even the Social Security numbers of the students, beginning with only a photo of their faces.

CMU researchers also built a smartphone application to demonstrate the ability of making the same sensitive inferences in real-time.

In an example of "augmented reality," the application uses offline and online data to overlay personal and private information over the target's face on the device's screen.

"The seamless merging of online and offline data that face recognition and social media make possible raises the issue of what privacy will mean in an augmented reality world," Acquisti said.

Cloud computing will continue to improve performance times at cheaper prices, and online people-tagging and face recognition software will continue to provide more means of identification.

"Ultimately, all this access is going to force us to reconsider our notions of privacy. It may also affect how we interact with each other," Acquisti said.

"Through natural evolution, human beings have evolved mechanisms to assign and manage trust in face-to-face interactions," he added.

"Will we rely on our instincts or on our devices, when mobile phones can predict personal and sensitive information about a person?"

Related Links: Alessandro Acquisti | CyLab | Information Networking Institute | INI, WQED Cybersecurity Outreach Program | "Anonymous No More" The Economist