How Russia's New Facial Recognition App Could End Anonymity

blvdone/Shutterstock.com

Featured eBooks
Digital Transformation
Read Now

Federal IT Modernization Still a Major Challenge

Read Now

DHS’ next chapter as an enterprise services provider

Read Now

What's happening in health tech

Read Now
By Jonathan Frankle,
The Atlantic

By Jonathan Frankle ,
The Atlantic

|

The power to identify total strangers on the street is the advertising pitch for a new wave of startups hoping to capitalize on rapidly advancing facial recognition technology. But in Russia, it’s already a reality.

Imagine you’re sitting in a coffee shop. Out of the corner of your eye, you see a stranger pointing his phone in your direction. The next day, you get an email from someone claiming to have seen you at the coffee shop. He’s asking you on a date. You have no idea how he got your contact information, let alone how he identified you.

The power to identify total strangers on the street is the advertising pitch for a new wave of startups hoping to capitalize on rapidly advancing facial recognition technology. But in Russia, it’s already a reality.

FindFace, an app launched by a Russian startup two months ago, lets its users identify strangers from pictures of their faces. It does so by matching the photos against profile pictures from VK—also known as VKontakte—a Russian social networking website similar to Facebook. Its founders have touted the app as great for building friendships or starting relationships with strangers. But the privacy risks are enormous.

Since the launch, many news outlets have asked whether similar products are coming to the United States. But the real threat isn’t that an app like FindFace will come to a social network like Facebook. It’s that it may soon be applied to countless other databases of photos, like campus directories and employee lists—or even the entire Internet.

* * *

Here’s how FindFace works. First, you take a photo of someone whom you want to identify. Next, you upload the photo to the app, which searches pictures from VK and gives you back those that it thinks look similar. FindFace’s facial recognition algorithm is state-of-the-art—developed by a company called NTech Lab, it recently went toe-to-toe with Google’s facial recognition algorithm in an international competition at the University of Washington—but it isn’t anything new. Facebook does these sorts of searches on a daily basis, albeit on different datasets. The real innovation that makes FindFace such a threat to privacy is its database.

When you upload a photo to Facebook, it compares the faces in that photo only to faces of your friends. FindFace, on the other hand, searches every profile picture from VK. This means that every time someone submits a photo to FindFace, it matches against a database containing every member of the most popular social networking site in the Russian-speaking world—hundreds of millions of accounts. And when it finds a match, it can tie that person back to a VK profile, revealing their name and contact information.

All VK profile pictures are public, so the only way to hide from this database is to delete your profile. This leaves Russians with two undesirable options. They can either leave VK for less popular platforms, missing out on all of the updates, photos, and messages. Or they can resign themselves to the fact that their faces are indexed and searchable by the entire world.

* * *

Could someone do the same thing to Facebook? Probably not.

FindFace most likely got its database of profile pictures by siphoning them out of VK—downloading them one by one either through the company’s API or by visiting every VK profile with a bot. This siphoning is a common nuisance for large websites like Facebook, Twitter and Google, so these sites have banned “automated data collection” in their terms of service, strengthened privacy settings, and implemented robust anti-siphoning protections in the form of “rate-limiting.” If you try to load too many pages too quickly—if you begin to resemble a siphoner or a bot—these sites will automatically restrict or cut off your access.

That doesn’t mean Facebook is in the clear. The site doesn’t provide a way to hide your profile from the public at large, which would be the most basic defense against the risk of a FindFace clone. At the very least, Facebook should allow you to show a different picture to people outside of your network of friends.

If desired, it could also help you display this picture in low-enough resolution that facial recognition algorithms like FindFace will be stumped. Facebook could even offer to make the photo grayscale or blur it slightly, further obfuscating the information that facial recognition technology needs to operate. These features are simple adaptations of the same technology that let people overlay a French flag on their profile pictures out of solidarity with Paris after last year’s terrorist attacks.

Facebook is uniquely positioned to provide one other powerful privacy feature. It could use its own facial-recognition capabilities to see whether anyone else’s profile pictures seem like a match for yours—whether you have Facebook doppelgangers. If you do, then an algorithm like FindFace will have a hard time pinpointing you in particular as opposed to your lookalikes. And if you really are unique, Facebook could offer to blur the photo and lower the resolution until you fade into the crowd.

* * *

The reason that Facebook can offer this range of privacy protections is that it is a walled garden. It controls content like profile pictures, and the only way to get them is to go through Facebook, rate-limiting and all. Unfortunately, a vast sea of images on the Internet—perhaps even the majority of them—are not under anyone’s control.

Google your name. Look at the gallery of familiar faces staring back. Google didn’t covertly extract these pictures from Facebook. Its army of bots collected them from millions of public websites and linked them to keywords on the page, your name included. Since these bots take a little information from a lot of different places, no single website has reason to restrict these visits in the way that Facebook does siphoning. In fact, most sites actively seek out these bots to ensure that they’re searchable on Google.

Right now, the primary way that you can search for an image is with keywords describing it. Google does allow you to search for images with other images, but it doesn’t use facial recognition to do so—you can’t search for similar faces like you can with FindFace. In fact, Google Executive Chairman Eric Schmidt referred to facial recognition as “the only technology Google has built and, after looking at it, we decided to stop.”

But the ability to crawl the Web and amass a database of photos is not the sole province of big search engines like Google. Although mimicking FindFace on the scale of the entire Internet is probably still beyond the realm of technical feasibility for the moment, it may not be impossible for long.

Facial recognition technology is improving exponentially according to experts at NIST, and storage and processing power are always getting cheaper. A startup with fewer ethical inhibitions may soon be able to write a Web crawler, build a database, and unleash the Internetwide facial recognition search that Google has thus far resisted.

And once this feature becomes the next social media must-have, will companies like Google continue to hold back?

Even if the Internet won’t turn into a giant facial-recognition database tomorrow, this technology can be applied on a smaller scale right now—in fact, it already has.

In 2011, Alessandro Acquisti, a professor at Carnegie Mellon University, downloaded the profile pictures of every member of the school’s network on Facebook and matched them against webcam photos of volunteers. He found that almost a third of his subjects could be identified in this manner, revealing their Facebook profiles. With today’s technology, the success rate likely would be much higher. (In the time since Acquisti’s experiment, Facebook has improved protections after several of these mass download incidents.)

On the scale of a workplace, a college campus, or a town, apps similar to FindFace could strip away the practical anonymity we think we have in the communities we frequent on a daily basis. The sizes of these online directories and other databases are in the thousands, not the billions—a scale that might not trigger anti-siphoning measures and is well within the reach of existing facial recognition. And many of these databases are readily available. Just consider the original “facebook”—the directory of names and photos of students at a university.

It may sound extreme, but the stark choice that VK users face now in Russia could extend to everyone with an online presence. You can’t simply delete your profile from the Internet; many photos are added by others without our knowledge or consent, down to pictures from the school science fair or neighborhood swim meet that were put online before we were old enough to intervene. These include photos on sites where we aren’t even mentioned by name.

In this world that FindFace’s creators imagine, you could try to battle to keep your face off the Internet, hiding from the databases that FindFace’s successors will accumulate. Or you might have to concede that you no longer have anonymity in public. You may never again be just a face in the crowd.

NEXT STORY: What the T in FITARA Really Means

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.