Privacy in the Age of Ubiquitous Computer Vision

Posted on by Joshua Marpet

With Google Glass, cell phone cameras, hidden cameras, and ever cheaper surveillance cameras, can there truly be user privacy? With Google Glass and facial recognition apps, tagging people can happen at full walking speed, without a pause or possibility of the action being recognized.

Is there any parallel in other realms? At one point, a car with an expired registration would only get exposed when it was pulled over for a ticket. When license plate recognition (LPR) cameras came out, however, a car couldn't hide anymore. Police cars equipped with LPR cameras could cruise down the highway at 50 miles an hour, capturing 2,500 license plates a minute. If a plate was flagged in the database, the screen would flash, and cue the flashing lights and a bad day for the driver.

Google Glass, as well as the homemade version being brewed up by hardware hackers, can use similar algorithms for facial recognition. While Google has banned facial recognition apps from the Glass platform, it is inevitable that they will be sideloaded, jailbroken, or loaded in another similar way. Actually, they have already been written. FaceRec is an app written for the Glass platform, and it's been banned by Google.

But what database do programs like FaceRec use? If they use a personal "Rolodex" of faces, that's not horrible, since the only Glass devices that would show someone as "tagged" would belong to an existing friend or acquaintance of theirs. But FaceRec and its ilk use all the social media accounts they can get their hands on: Facebook, LinkedIn, Google+, etc. They run every face the wearer walks past through the gamut of social media systems and match the face. Once a match is found, the data about the face can flood the Glass screen, invisibly making the wearer an "expert" on the person whose face was matched.

Once the regulatory barrier is overcome, what's to stop someone from walking down the street, seeing someone with nice clothes (money!), tagging him as a "mark," using FaceRec to do real-time OSINT (open-source intelligence), and using that information to do some social engineering? Possible downside for the hacker? Not being recognized by the mark and moving on to someone else. Potential upside? Scamming the mark out of money. A common scam with a stolen or cloned phone is the "I'm stuck in London! Send some money!!!" scam. Now, right there in person, the victim can help you draw it out of the ATM!

Now, prescription lenses have come out for Google Glass. People could legitimately insist on wearing them, as they need them in order to see. Even while driving! And privacy might suffer because of it. Will face-concealing clothing become the fashionable security accessory for user privacy?

Of course, people have tried to do SQL injection on license plate reader cameras. It's interesting to speculate on how they might try to do the same thing to Google Glass.

Google Glass, LPR cameras, ubiquitous video surveillance, and similar technologies are fascinating topics in privacy, as well as security. After all, more cameras make a better deterrent, and a better detective method, for crime. But if they erode privacy significantly, will there be any spaces left in which to have a reasonable expectation of privacy?

