Unless you are from Russia, you probably haven’t heard of a service, that analyzes an image of a person and finds their account in VK.com social network. It’s called FindFace. It was introduced in February 2016, but has recently become quite popular; thanks to the impressive photo project, published by the St.Petersburg photographer Egor Tsvetkov. We’ve recently mentioned this project in a blog post.
The Kaspersky Daily editorial team decided to check out the service to see how it works and what types of portraits it recognizes and what it does not. We wanted to know if it’s possible to find out a detailed biography of a complete stranger with the help of one accidental photo, the Internet and some modern technology.
How #bigdata turned you and me into a commodity. Try not to feel #dirty https://t.co/8yIXgsm9IY pic.twitter.com/p7khV4F95M
— Kaspersky (@kaspersky) April 22, 2016
The conclusions are alarming: it’s actually possible. During the research we also made several interesting discoveries; for example, one of our colleagues suddenly found out that his digital identity was stolen.
So what’s FindFace and how does it work?
FindFace is a service that can search for VK.com accounts on the base of a portrait photo of a person. 30 search attempts are free, then you’ll have to pay.
The service has mobile apps for iOS and Android , complimented by a website version. Applications come with limited functionality and several flaws in work, but they have one valuable advantage: users can take a photo and immediately use it to search with FindFace.
The app shows profile photos of the potential matches. You can click on each photo to look through all public images on the user’s account. Just look at Egor Tsvetkov’s work in the ‘Your Face is Big Data’ project to see how easy it is to find a complete stranger.
The Web service is more convenient as it lets you immediately jump to your target’s VK.com account. To search for a person using the website you’ll have to perform several additional steps like copying photos to your hard drive first and then uploading them to the FindFace.ru.
If you upload “ideal” photos, that were taken when your target was posing, everything works just great. The program has successfully found 9 of 10 test “victims” in the office.
If you take photos of strangers on the streets or in the subway sneakily, accuracy decreases two or even three times. And if you upload images taken from a long distance, the service often becomes unable to find a human in the photo. Still, if you zoom or crop the image, FindFace will work again.
How easy is it for hackers to steal your face? https://t.co/SGtYtE1y63 #digitalidentity pic.twitter.com/Cz85TxEkYt
— Kaspersky (@kaspersky) October 28, 2015
In the daylight it’s not hard to take a photo of a pedestrian with an average smartphone that would be good enough for Findface. In the subway you’ll need to use tripod or a good camera.
What did we find out
If you don’t want to be detected literally by any stranger with a phone, there are several things that you can do.
1. The service searches photos uploaded to your VK.com profile, not the whole account. This includes your current profile picture and all the previous ones. The social network keeps these photos in the ‘My profile photos’ album. It’s noteworthy that you can’t hide this album — it always stays public. The only thing you can do is to delete old profile images: the less photos you have in that album, the harder it is for the app to recognize you.
Tip: delete old photos. Store only the latest picture in this album to save yourself from face recognition tyranny.
2. It’s possible to hinder facial recognition by wearing hoodies or turning your head away from the camera or at an unusual angle. Making funny faces is also an option, with some exceptions. Eyeglasses with solid rings work just perfect, unless you have a photo with the same eyeglasses in your profile (or with the same funny face).
Tips and Tricks to Hide from #BigBrother Watchful Eye https://t.co/xJ6VqqUKuo pic.twitter.com/oeNopI12hL
— Kaspersky (@kaspersky) October 9, 2015
3. Many volunteers, who took part in the experiment, did not know that they had so many public photos. Yes, they’ve checked privacy options in ‘Settings’ but it was not enough as VK lets you limit access to albums only (and then only not all of them), not certain photos in particular.
Tip: ask anybody you know and trust to unfriend you (and befriend again after the test), explore your account and check what’s visible and what’s not. Then move photos from public albums to private if required.
4. FindFace works absolutely legally: it doesn’t cache data to show any information, hidden by the social media settings. When we removed all photos from VK.com, the service became unable to find us during the second search. Still it’s very possible that in future a new service could appear, which would behave more badly: for example, it could store the data from other popular social networks like Facebook or Instagram. So it’s better to check twice the security settings for other social media accounts beforehand.
Setting up your https://t.co/IQCYudiOoZ #privacy settings https://t.co/jWyNOz0yLt #global #socme pic.twitter.com/m6P4nKRMhF
— Kaspersky (@kaspersky) January 7, 2016
5. FindFace describes itself as a dating service. For example, you see an attractive person, take a photo and browse through their account — ok, now you’ve to a topic to make a pass. In fact, this service can let you make a lot of more useful — and strange — things.
Just remember a story recently revealed by ABC news: surveillance camera took a video of burglars, robbing a house. If this happened in Russian-speaking countries there would be a 99% chance that criminals would have an account on VK.com. One could use the service to find the culprits.
On the other hand, many people in social media use fake names for privacy concerns, but publish real photos. They think that Internet is too huge and nobody will find them by a photo. Well, they sure will do if they want to. For example, employers like to check candidate’s pages on social networks before an job interview.
How our employee found out that his digital identity was stolen
Some people just don’t publish any photos in social networks. At all. For example, one of our employees operates in this manner. Yet, FindFace found him.
The thing is that somebody called “Vitek Tizinksilov” copied his photo from the gallery of another user, which was published in a different social network, and decided to use it as his profile picture.
Are your #Social photos all public? You may want to reconsider. A Tale of stolen identity. https://t.co/iXwrMP7kfI pic.twitter.com/3IxwzeQnPb
— Kaspersky (@kaspersky) January 27, 2016
When we’ve tried searching Google Images for the very same photo, we’ve found that this image was used as a profile pic on yet another social network as well, called Fotostrana (which can be translated as Photo Country). It was not a sweet discovery at all.
So if you don’t upload anything online it doesn’t mean that you’re invisible: your friends might do it instead of you. If they post your portrait or even a group photo with you — nobody can predict the future of this image.
Tip: Before VK.com locks API used by this app to work you can check if you have any clones on the social media.
3 real-world incidents where the #internet made someone's life hell https://t.co/d50zA1j3yw pic.twitter.com/kLKFVoNGOa
— Kaspersky (@kaspersky) April 5, 2016
Disclaimer: we have removed the data about people whose photos were taken during the experiment without their permission to publish them.