Sunday, January 1, 2012

Your face on Facebook 'your own worst enemy'

Using publicly available data, it is now possible to identify strangers and gain their personal information – even their Social Security numbers – by using facial recognition software and social media profiles, according to a new study to be presented tomorrow at the Black Hat Security Conference in Las Vegas. Professor Alessandro Acquisti from Carnegie Mellon University and his research team studied the implications of the combining, or "mash-up," of three technologies: face recognition, cloud computing (an Internet technology) and social networks. The team studied the possibility of using publicly available Internet data and commercially available facial recognition software to reveal more information about a person than was intended. In work that was funded by the National Science Foundation and the U.S. Army Research office, the team noted that Google has acquired Neven Visions, Riya and PittPatt and deployed face recognition into Picasa. Further, "Apple has acquired Polar Rose, and deployed face recognition into iPhoto. Facebook has licensed to enable automated tagging. So far, however, these end-user Web 2.0 applications are limited in scope: They are constrained by, and within, the boundaries of the service in which they are deployed.

Our focus, however, was on examining whether the convergence of publicly available Web 2.0 data, cheap cloud computing, data mining, and off-the-shelf face recognition is bringing us closer to a world where anyone may run face recognition on anyone else, online and offline – and then infer additional, sensitive data about the target subject, starting merely from one anonymous piece of information about her: the face." Acquisti noted that last year, more than 2.5 billion photos were uploaded by Facebook users per month. These users also use their real names, addresses, birthdates and other contact information as part of their profiles on social media such as Facebook, LinkedIn, Google-Plus and others, and in many cases the information is visible to the entire world.

 Now using a new commonly used Internet technology called "cloud computing," it is possible to easily run millions of facial comparisons in a matter of seconds. In the Carnegie Mellon study, 93 student volunteers had their pictures taken using a webcam attached to a laptop. The pictures then were uploaded to the Internet and compared with a database of 261,262 publicly available photos downloaded from Carnegie Mellon students' Facebook profiles. Using facial recognition software from a company called Pittsburgh Pattern Recognition, "PittPatt," Acquisti's team successfully identified more than 30 percent of the students by their pictures alone. Acquisti said the study "suggests that the identity of about one-third of subjects walking by the campus building may be inferred in a few seconds combining social-network data, cloud computing and an inexpensive webcam." He called it the "democratization of surveillance." Then, using a technique he developed in a 2009 study and data gathered from the Facebook profiles of the subjects he identified, the research team could correctly predict the first five digits of the person's Social Security number 27 percent of the time after just four attempts. He utilized the fact that in 1987 the Social Security Administration started assigning Social Security numbers in a way that inadvertently made them easier to predict, based on the person's birth date. (Acquisti also noted in his study that the last four numbers of the SSN are also predicable, but a larger sample size would be needed.)

With Facebook's and Google-Plus's (Google's new social media software) total membership of almost 800 million users, these sites have essentially become an online identity-verification database. "It's certainly not science fiction anymore," said Peter N. Belhumeur, professor of computer science at Columbia University. Since these same tools are available to anyone, the results of the study may foreshadow a future in which there is no privacy. With the mass deployment of security cameras, smart phones and other data imaging devices, anyone could be identified almost anywhere. Not only could individuals be identified by friends and neighbors, but by government agencies as well. Anyone with a smartphone and Internet connection will be able to establish who someone is, where they live, how much they earn, a credit score and whether they've ever gotten a ticket. All that from a person's face. "A person's face is the veritable link between her offline and online identities," said Acquisti. "When we share tagged photos of ourselves online, it becomes possible for others to link our face to our names in situations where we would normally expect anonymity." Acquisti believes that his study is about much more than facial recognition. "Our study is less about face recognition and more about privacy concerns raised by the convergence of various technologies. There is no obvious answer and solution to the privacy concerns raised by widely available face recognition and identified (or identifiable) facial images," he said. "Google's Eric Schmidt observed that, in the future, young individuals may be entitled to change their names to disown youthful improprieties. It is much harder, however, to change someone's face. Other than adapting to a world where every stranger in the street could predict quite accurately sensitive information about you (such as your SSN, but also your credit score, or sexual orientation), we need to think about policy solutions that can balance the benefits and risks of peer-based face recognition," he continued. "Self-regulation, or an opt-in mechanism, is not going to work, since the results we presented are based on publicly available information," he said. The technology and online investigative services may make government initiatives, such as the "Real ID" program, obsolete. Through the combination of social media, the Internet and smart devices, de facto, unregulated "Real ID" infrastructure already may exist.