Researchers Demonstrate Ability To Predict Social Security Numbers from People's Faces
PITTSBURGH-It is possible to identify strangers and gain their personal information - perhaps even their social security numbers - by using face recognition software and social media profiles, according to a new study by Carnegie Mellon University's Alessandro Acquisti and his research team. The results of the study will be presented Aug. 4 at Black Hat, a security conference in Las Vegas.
"A person's face is the veritable link between her offline and online identities," said Acquisti, associate professor of information technology and public policy at the Heinz College and a Carnegie Mellon CyLab researcher. "When we share tagged photos of ourselves online, it becomes possible for others to link our face to our names in situations where we would normally expect anonymity."
Acquisti said his research team, which included CMU postdoctoral fellows Ralph Gross and Fred Stutzman, combined three technologies - an off-the-shelf face recognizer, cloud computing and publicly available information from social network sites - to identify individuals online and offline in the physical world. Since these technologies are also accessible by end-users, the results foreshadow a future when we all may be recognizable on the street - not just by friends or government agencies using sophisticated devices, but by anyone with a smartphone and Internet connection.
The team ran three experiments and developed one mobile phone application.
In one experiment, Acquisti's team identified individuals on a popular online dating site where members protect their privacy through pseudonyms. In a second experiment, they identified students walking on campus - based on their profile photos on Facebook. In a third experiment, the research team predicted personal interests and, in some cases, even the Social Security numbers of the students, beginning with only a photo of their faces.
Carnegie Mellon researchers also built a smartphone application to demonstrate the ability of making the same sensitive inferences in real-time. In an example of "augmented reality," the application uses offline and online data to overlay personal and private information over the target's face on the device's screen.
"The seamless merging of online and offline data that face recognition and social media make possible raises the issue of what privacy will mean in an augmented reality world," Acquisti said.
Cloud computing will continue to improve performance times at cheaper prices, and online people-tagging and face recognition software will continue to provide more means of identification.
"Ultimately, all this access is going to force us to reconsider our notions of privacy," Acquisti said. "It may also affect how we interact with each other. Through natural evolution, human beings have evolved mechanisms to assign and manage trust in face-to-face interactions. Will we rely on our instincts or on our devices, when mobile phones can predict personal and sensitive information about a person?"