Soon it will be practicable to take someone's photo on a smartphone and within minutes know their Social Security number and a range of other private data like their personal interests, sexual preference and credit status, researchers will tell the Black Hat security conference this week.
The technique calls for linking faces of random individuals to images in databases that contain other information about them and using that information to project Social Security numbers, says Alessandro Acquisti, a professor at Carnegie Mellon University, who will present the research at the conference.
He says if he can arrange the logistics, he will demonstrate the technique at the show using an application on a smartphone that taps cloud-based databases and facial recognition software. He uses Social Security numbers as an example of what can be projected, but other information such as sexual orientation and credit ratings can also be inferred, he says.
The point, Acquisti says, is to show that a framework of digital surveillance that can go from a person's image to personal data exists today and will only get better as technologies improve, making privacy more scarce and making surveillance readily available to the masses. "This, I believe and fear, is the future we are walking into," he says.
He admits the method is far from foolproof, but that the individual pieces of technology are developing rapidly and could be ready for use in the real world in the foreseeable future. He is working on projections of how long it will take for the technologies involved to develop to the point of being reliable.
Acquisti bases his presentation on three pieces of research he and his team carried out. The first took the primary Facebook images that people posted to establish their identity. The team compared the Facebook images using PittPatt face recognition software to identify other photos of the same person in another database, namely that of a popular dating service where people registered under fake names.
After the software made a match, actual people looked at the pictures to determine how accurate the matches were. They considered just PittPatt's best guess for each photo.
The software correctly identified 1 in 10 dating site members, which the researchers say is pretty good considering the experiment used just one photo, the Facebook profile photo, to identify the person with the known identity. Plus, they only considered PittPatt's best guess. Had they considered the second and third best guesses, accuracy might improve as well, he says.
The second experiment photographed random college students and asked them to fill out a questionnaire. Meanwhile, the photo was compared to others in online databases to identify the students in real time and compile other photos of them. The students checked the photos and found they were accurate about a third of the time.
The third experiment took the subjects' Facebook profiles and from inferences made from the profiles, predicted the first five digits of their Social Security numbers and their interests and activities.
The last part is an implementation of a Social Security number-predicting algorithm Acquisti presented at Black Hat two years ago. Based on when and where a person was born, the algorithm predicts the first five digits, which are based on location. It can then guess the remaining digits, but that could take up to 100 tries.