Profile pics on social media sites pose privacy risk, researcher warns

Facial recognition tech makes it easier to combine offline, online identities

LAS VEGAS -- Imagine walking down a street and having a total stranger be able to instantly pull up your name, date of birth, Social Security number, your last blog item and other data on their smartphone.

That could soon happen, said Alessandro Acquisti, associate professor of IT and public policy at Carnegie Mellon University's Heinz College.

In a presentation at the Black Hat conference here this week, Acquisti demonstrated how it's becoming easier for strangers to identify people and infer detailed information about them from their publicly available images on sites such as Facebook and LinkedIn.

The trend has "ominous implications for privacy," Acquisti said. "I'm here to raise awareness of what I feel is going to happen."

Acquisti detailed the results of a series of experiments he conducted in which he applied off-the-shelf facial recognition tools to publicly available Facebook profile images to uniquely identify individuals. In one of the experiments, Acquisti and his team of researchers attempted to glean the true identities of individuals who had posted their images under assumed names on an online dating site.

First, they used a search engine and an API they developed to automatically extract about 275,000 publicly available profile images of Facebook members in a particular city.

They then did the same with publicly available images of individuals in the same city who had posted on the dating site. Acquisti used a facial recognition tool called Pittsburgh Pattern Recognition (PittPatt) developed at CMU to see whether he could find matches between the dating site images and the Facebook profile pictures.

In all, about 5,800 dating site members also had Facebook profiles. Of these, more than 4,900 were uniquely identified. The numbers are significant because a previous CMU survey showed that about 90% of Facebook members use their real name on their profiles, Acquisti said. Though the dating site members had used assumed names to remain anonymous, their real identities were revealed just by matching them with their Facebook profiles.

In another experiment, Acquisti's team took webcam photos of nearly 100 students and tried to match those images with the pictures on each student's Facebook profile.

Students were asked to pose for three photos and then fill out a short survey. While the surveys were being filled out, the webcam images were run against PittPatt to see whether a match could be found on Facebook.

In that experiment, about 31% of the students were correctly matched with their Facebook profiles -- in about 3 seconds.

For the last experiment, Acquisti and the other researchers tried to see whether they could then find the Social Security numbers of the students they identified.

To do that, Acquisti relied on the findings of a previous study he had done showing how Social Security numbers of individuals can be inferred with a fair degree of accuracy using publicly available clues. In that study, Acquisti and another researcher had developed an algorithm for predicting the numbers based on data from the Social Security Administration's Death Master File, a database containing the Social Security numbers of deceased Americans.

Using the techniques from that study, Acquisti said he was able to correctly guess the first five digits of the SSNs of the students in about 16% of the cases. The number went up to 27% after four attempts, he said.

The experiments show how images posted online can easily be used by marketers and others to correctly identify individuals and to augment that information with all sorts of data inferred from online and offline sources. "Your face is the link between your offline identity and your online identity," Acquisti said.

Even those without profiles on social media sites are not immune. Facebook's photo 'tagging' feature, for instance, allows people to be identified, even if they don't have a profile.

The growing use of facial images on social media sites is enabling the creation of "personally predictable information" about people that can be intrusive and invasive of privacy, he said. "It democratizes surveillance" and is leading to a world where literally anyone can run a facial recognition scan on others.

Ironically, most people are willingly sharing the very information that will make such privacy intrusions possible.

Though some technology pieces still need to fall in place, it is already feasible to simply point a smartphone camera at someone and pull down their identity along with bits and pieces of other publicly available information on them. Improvements in facial recognition technologies and the growing abundance of personally identifiable information online will make the problem worse, he said.

"These technologies challenge our expectation of anonymity in the digital or the physical world," Acquisti said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
