Your face -- and the Web -- can tell everything about you
Imagine being able to sit down in a bar, snap a few photos of people and quickly learn who they are, who their friends are, where they live, what kind of music they like ... even predict their Social Security number.
Now, imagine you could visit one of those anonymous online dating sites and quickly identify nearly every person there, just from their photos, despite efforts to keep their online romance search a secret.
Such technology is so creepy that it was developed, and withheld, by Google - the one initiative that Google deemed too dangerous to release to the world, according to former CEO Eric Schmidt.
Too late, says Carnegie Mellon University researcher Alessandro Acquisti.
"That genie is already out of the bottle," he said Thursday, shortly before a presentation at the annual Las Vegas Black Hat hackers' convention that's sure to trouble online daters, bar hoppers and anyone who ever walks down the street.
Using off-the-shelf facial recognition software and simple Internet data mining techniques, Acquisti says he's proven that most people can now be identified simply through a photograph of their face - and anyone can do the sleuthing. In other words, our faces have become our identities, and there little hope of remaining anonymous in a world where billions of photographs are taken and posted online every month.
"If we were able to do it, anyone is able to do it," Acquisti said. "The goal here is not to generate fear, but we are very close to a point where the convergence of technologies will make it possible for online and offline data to blend seamlessly ... and for strangers on the street to predict certain information about you from your picture."
With some 2.5 billion photos per month posted to Facebook, odds are very good that you can be recognized, he said.
"For most of us, there is already a photo of us online. It is close to impossible to take this data back," he said.
Using the unnerving term "augmented reality," Acquisiti conjures up disturbing scenarios that involve law enforcement officials, marketers and other strangers constantly marrying offline and online data. Observers could overlay detailed information like political affiliation on pictures of crowds at protests, for example, creating a scary new form of crowd control, he suggested. Meanwhile, facial images could succeed in creating a national ID where enhancements to driver's licenses have repeatedly failed, said Acquisti in his report, titled "Privacy in the Age of Augmented Reality."
"Notwithstanding Americans' resistance to a Real ID infrastructure, as consumers of social networks we have consented to a de facto Real ID that markets and information technology, rather than government and regulation, have created," it said.
Anyone who's ever posted a photo on a supposedly anonymous dating site has encountered the very real fear that a friend or co-worker might recognize them from their profile picture. That risk can be roughly calculated, however, and assessed. Most users take comfort that their profile will be "lost in a crowd," with thousands of others in that age group and city making their risk of exposure low.
But Acquisti found that the convergence of facial recognition software with social networks like Facebook tilt those odds wildly in favor of the would-be exposer, or stalker.
Acquisti searched for dating site users within 50 miles of a zip code, found about 6,000, and then found 110,000 Facebook profiles where users said they lived near that same zip code. After eliminating some profiles that didn't match his criteria, he instructed computers to churn through about 500 million pairs of possibilities.
It would take a human about 2 million hours to compete such a task, but Carnegie Mellon's cloud computing cluster got results in about 15 hours. One in 10 members of the dating site were positively "outed" by the database search. A bit of fine-tuning - limiting the geographic area further or allowing approximate matches - produced even better results. And one sobering reminder: The researchers didn't even need to log in to Facebook to get these results.
In other words, you can't get lost in a crowd anymore.
"(The technologies) make possible a world of personally predictable information, linkable from someone's face, through end-users' devices connected to the Internet," the report concludes. "While anyone posting facial images of themselves on the Internet must realize that they may be recognized by strangers or friends, the possibility might seem remote." Now, it's not, the report argues.
Acquisti's team enjoyed even better results when they could obtain photographs themselves for matching purposes. Random students who agreed to be photographed on the Pittsburgh campus of Carnegie Mellon could be positively identified at three times the initial rate - or more than 30 percent.