Features

Face off

Read time 9min 10sec

Always struggling to put a face to a name? Soon, facial recognition technology (FRT) may be able to do the job for you. Except, advanced recognition systems won't only match faces to names, but to their identity numbers, personal details, purchasing behaviour and banking information, too. All without the face in question being aware of it.

Much attention was focused on the potential of FRTs last year, following a report released by Carnegie Mellon University, which suggested facial recognition, paired with social media profiles, could spell the death of privacy. In future, goes the theory, anyone with a smartphone and an Internet connection would be able to accurately identify someone simply by snapping their picture and cross-referencing it with publically available online data.

"When we share tagged photos of ourselves online, it becomes possible for others to link our face to our names in situations where we would normally expect anonymity," said lead researcher Alessandro Acquisti.

The technology is still fairly immature - put on a hat, or grow a beard, for example, and you'll fool the machine.

Glenn Wilkinson, SensePost

In a world where massive volumes of data are being collected through a growing number of interconnected channels, it's getting far easier for criminals to unearth detailed personal information. Facial recognition could significantly increase the risk of identity theft, by allowing people to be traced through something that cannot be password-protected or kept out of sight.

As online privacy company Abine states in a Federal Trade Commission document: “Think of your personal information - name, photos, birth date, address, usernames, e-mail addresses, family members and more - as pieces of a puzzle. The more pieces a cyber criminal has, the closer he is to solving the puzzle. Facial recognition software is a tool that can put all these pieces together.”

These kinds of facial recognition services are already emerging, and while many are still in developing stages, they offer a glimpse of a far less private future.

Identity watch

Carnegie Mellon researchers conducted their study in three experiments. In one, they took photos of random people walking on campus and used FRT and public online data to identify them. In another experiment, they identified individuals on an online dating site, even though members use pseudonyms.
In a third experiment, they tested how much personal information could be gleaned from only a photo, and were able to determine people's names, ages, their place of birth and, in some cases, their social security numbers.

Swedish company The Astonishing Tribe (recently bought by Research In Motion), for example, has developed a smartphone app called Recognizr, which works on the concept of 'augmented ID'. It enables users to identify individuals, and see their social media connections and contact details, simply by pointing their phones at them. The app does, however, require both users to subscribe.

Another service, Face.com, provides the Photo Finder and Photo Tagger applications on Facebook, which scan public photos in a user's social network and suggests tags for faces. The apps do this for billions of photos monthly, linking them directly to available social networking information.

The common requirement for FRT services is a database of photos within which to search for matches. This may have been an obstacle previously, but since Facebook created the world's largest photo repository, with over 300 million photos uploaded every day, the chances of finding a match are better than ever.

SensePost security analyst Glenn Wilkinson notes that no other individual body has this kind of data available, both in terms of number of photographs per individual and photos across geographic borders. "An estimated 75 billion photos have been uploaded to Facebook since it was set up.”

At present, facial recognition tagging is a default feature on Facebook, meaning that while users can disable it in their privacy settings, many may be unaware it's there in the first place. Even if the function is disabled, a user's information and images remain on Facebook's servers, so the potential to link their face and personal data remains.

Despite these developments, Wilkinson says facial recognition is an area where humans still have a significant advantage over even the most advanced computers. “The technology is still fairly immature - put on a hat, or grow a beard, for example, and you'll fool the machine.”

But he adds that combining facial recognition with other biometric characteristics or identifying objects such as cellphones and RFID tags could improve its success.

Bevan Lane, director at Infosec Consulting, adds that once FTRs get more sophisticated, this need for complementary identifiers could fall away. “Tracking wouldn't have to rely on a device like a cellphone anymore, but simply the person's face. Potentially, you could be tagged and traced wherever a camera is installed, such as walking in a mall, on a highway, or in an airport.”

Faces in places

Another technology adding fuel to the surveillance fire is location-based services, which, when combined with FRT, could lead to the holy marketing trinity of person, preference and place.

Mind-goggling

With Google announcing the development of its augmented reality Goggles, users could soon tell far more about a person than the eye can see.
With Web streaming, mapping tech and a built-in camera, Google Goggles could link to online data sources and provide wearers with additional information on the person standing in front of them.
If facial recognition software becomes advanced enough, it could offer reminders of the person's name, where you've met them before, and whether you should stay talking to them or not.

Real-life implementations of the technology are already taking place in social contexts. SceneTap, for example, automatically and anonymously collects real-time information about the gender, age and number of people entering a venue. This can inform venue owners about who their customers are and enable them to advertise events using criteria like male-female ratios.

There is also enormous potential when it comes to targeted marketing and discriminatory pricing. Here's the scenario: Jane walks into the store and has her face scanned as she enters. Based on her photo and online networks, the system can tell she's a 30-year-old female who plays competitive sport and has several dogs. And that it's her good friend's birthday tomorrow. Cue a series of in-store promotions that draw her attention to a special on hockey sticks, a new brand of dog food, and a scarf in her friend's favourite colour.

Security expert Frans Lategan says that while FRT is not yet at the point of tying real-world marketing to one's Google searches, billboards could be customised according to how long someone looks at the ad, where they look, and their estimated age and gender.

“I think this will only become more invasive and probably not limited to real-time only. Geotagged photos coupled with facial recognition could create an almost complete history of any person's movements from other people's publicly disclosed photos.

Private data mining organisations could sell a product to governments that incorporates all aspects of citizens' lives.

Glenn Wilkinson, SensePost

“Anonymity in public places will probably no longer be possible, especially when combined with micro cells for cellphones, e-tags, number plate recognition, tyre pressure sensors, RFID cards, and so forth.”

However, Mark Eardley, owner of Eardley & Associates, argues that using FRTs in consumer applications is “pie in the sky”. “I think this is far more likely to be fingerprint-based rather than anything to do with facial recognition and similarly peripheral technologies.”

State of control

Besides its social impacts, FRT is also making waves as an identification tool for security and law enforcement purposes, as well as access control.

Accurate facial recognition could, for example, help authorities spot criminals or missing persons in a crowd, and prevent dangerous individuals from boarding mass transport carriers like trains and planes.

Similar to analysing fingerprints, an FRT system could scan someone's 'faceprint' (a digitally recorded representation of their face) and positively identify them based on their facial features. Law enforcement bodies could check faces against databases of known criminals or other information repositories.

Practical applications of the technology haven't always proved successful, however. Last year, facial recognition gates at Manchester Airport, in the UK, were temporarily put out of service after a husband and wife walked through the scanners with swapped passports. This followed another FR security scare a year earlier.

Eardley believes facial recognition technology is something of a non-starter as an identification tool. “It's one of a clutch of biometric technologies that are in their infancy, and just like any infant, it has been born into a very harsh and competitive environment. It will probably not survive beyond childhood.”

Spy 'n buy

Adidas is just one company that's announced its intentions to use facial recognition for more effective marketing.
It has partnered with Intel to trial digital walls in selected stores, whereby if a customer of a certain age walks by, the majority of the shoes displayed will be for their age range. Kraft Foods is conducting similar tests with face-scanning kiosks.

He says FRT, along with other recognition technologies such as iris, voice, vein, gait (the way someone walks) and even ear-physiognomy, is peripheral to fingerprints, which will continue to be the mainstay of biometrics. “There are too many variables within facial recognition, such as varying light and temperature conditions.”

Wilkinson says surveillance states and state-sponsored data mining are two contexts where facial recognition may become an area of concern. “London has more CCTV cameras per unit area than anywhere else in the world, with an estimated 1.85 million in the whole UK. Many developed nations are heading in a similar way.”

He points to initiatives like the US government's post-9/11 Total Information Awareness programme, which sought to incorporate data from numerous sources, under the guise of national security. While the project has been disbanded, government surveillance projects continue, and private organisations are introducing similar services.

Anonymity in public places will probably no longer be possible.

Frans Lategan, security expert

“Private data mining organisations could sell a product to governments that incorporates all aspects of citizens' lives - a plethora of state records combined with a database of images incorporated into a mass surveillance CCTV system.”

He adds, however, that automated facial recognition is still a long way off, mainly because most countries have small databases of existing images to compare photos to, as well as the high number of false positives generated by existing FRTs.

Hype vs reality

ITWeb Security Summit

Hear more about the security threats of the future from Frans Lategan, Bevan Lane, SensePost experts and other high-profile speakers at ITWeb's annual Security Summit, taking place from 15 to 18 May at the Sandton Convention Centre.

While the potential and reality of facial recognition may still be worlds apart, its combination with other identifying technologies does conjure up significant privacy concerns.

Infosec Consulting's Lane says citizens' rights will have to be taken into account as FRTs become more pervasive. ”Privacy legislation is going to have to force some sort of opt-in process or jamming/protection mechanism. At the moment, if you are not registered, then it's not an issue, but this will change once they access national databases.”

Eardley says it comes down to whether people want their identities to be more securely handled than they are now. “For example, anyone can use your Internet banking username and password to access your accounts, and the same is pretty much true of all our payment cards. Compared to the status quo, I'd argue that biometrics offer us more, rather than less, in terms of security and identity protection.”

Lategan adds that it's become extremely difficult to prevent one's face being recorded publically. Avoiding this would mean “not having any photos of yourself identified on the Internet; not carrying a cellphone; not geotagging your photos; and not having a Facebook or other social network profile...In short, it is probably no longer feasible, though not yet impossible”.

Lategan believes facial recognition technologies will become increasingly invasive until there is a pushback from society. “At that point, the technology might become more low-key, but the genie cannot be put back in the bottle.”

Have your say
Facebook icon
Youtube play icon