Questions about what social networks mean for personal privacy and security have been brought to a head by research at Carnegie Mellon University that shows that Facebook has essentially become a worldwide photo identification database. Paired with related research, this raises the prospect that good, bad and ugly actors will be able to identify a face in a crowd and know sensitive personal information about that person.
These developments mean that we no longer have to worry just about what Facebook, Google+, LinkedIn and other social sites do with our data; we have to worry about what they enable others to do, too. And it now seems that others will be able to do a lot.
As reported in various privacy and security outlets like Kashmir Hill’s Forbes blog and Paul Roberts at ThreatPost, and demonstrated at last week’s Black Hat conference, the CMU researchers relied on just Facebook’s public profile information and off-the-shelf facial recognition software. Yet the CMU researchers were able to match Facebook users with their pictures on otherwise anonymous Match.com accounts. The researchers also had significant success taking pictures of experimental subjects and matching them to their Facebook profiles.
Drawing upon previous research, they were also relatively successful at guessing individuals’ Social Security numbers. From there, of course, it is just an automated click to your Google profile, LinkedIn work history, credit report, and many other slices of private information. (See the FAQ to the research here.)
(Note that this research is independent of the controversy around Facebook’s own facial recognition technology, which it recently unveiled to automatically tag users in pictures—and which authorities in Germany think might violate that country’s privacy laws. The CMU researchers didn’t even have to log into Facebook to get to the photos there; they accessed profile information through Facebook’s search engine APIs.)
The researchers have declined to make their system for matching widely available. But, now that they’ve shown that it is possible, the capabilities will no doubt be replicated. And you don’t have to stretch too far to imagine intrusive and unacceptable scenarios in retail settings, advertising venues, secured environments, social spots, protest rallies, dimly lit streets, and so on.
There’ll be an app for that.