Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Face Recognition Can Uncover SSNs

Posted by CmdrTaco on from the oh-thats-just-fine dept.

nonprofiteer writes "Building on previous work showing that social security numbers are not random, CMU researchers ran experiments in which they predicted students' social security numbers after taking a photo of them with a cheap webcam. Using off-the-shelf facial recognition technology and data-mining publicly available Facebook photos and profile information, they were able to come up with the social security numbers of several of the students. (More impressive, as they note that 60% of the students were foreign, and had no SSNs, leaving them a pool of less than 50)."

10 of 103 comments (clear)

  1. This article by Dunbal · · Score: 3, Funny

    Has nothing to do with nuclear submarines.

    --
    Seven puppies were harmed during the making of this post.
  2. want to see something really scary? by alphatel · · Score: 3, Insightful

    90% of Americans don't care if you know anything and everything about them, are invading their privacy, tracking their behavior or identifying their SSids. They latch onto kitch phrases like "The government owns Facebook" but they don't really understand what their personal and private freedoms are worth.

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    1. Re:want to see something really scary? by MacTO · · Score: 4, Interesting

      Life lesson: those who fear that they will lose their freedom if they lose their privacy are usually so busy defending their privacy that they do not have freedom.

      Here's the thing. There's maintaining your privacy, then there's shutting yourself out of the world because you're trying to protect a part of your privacy that aren't very defendable. To some people, having a Facebook profile is like walking on a public street. People on the street know what their name is and know what they look like. Protecting the privacy of their name and likeness would be cutting them off socially. In a very real sense, that sort of privacy would be a loss of their freedom.

      You may draw the line somewhere else. I know that I do. But, for some people, just wouldn't be free if they had to worry about a stranger knowing their name and face or even some of their habits.

      As for the SSN thing, the government is to blame for not assigning numbers properly. The numbers themselves aren't necessarily a problem.

    2. Re:want to see something really scary? by SQLGuru · · Score: 5, Insightful

      Actually, it's the fault of the banking industry for comandeering a government number for a purpose other than what it was intended. An SSN was not supposed to be a unique identifier for anyone other than Uncle Sam as they go to collect Social Security tax money and then pay it back out.

    3. Re:want to see something really scary? by TheRaven64 · · Score: 4, Insightful

      The problem is not using the SSN as a unique identifier (well, that's not the only problem - the fact that they're not actually globally unique makes that a bit of a problem too), it's using SSNs as proof of identity. Banks tend to assume that if you know someone's SSN, then you are that person, in spite of the fact that the SSN is public information. It's like designing an system where you can log in with a username and no password - and usernames are prepended to every message.

      --
      I am TheRaven on Soylent News
    4. Re:want to see something really scary? by Obfuscant · · Score: 3, Interesting

      There's nothing wrong with using a SSN as an identification.

      Other than the fact that my Social Security Card says quite clearly on the front "not to be used for identification", you would be right. Maybe.

    5. Re:want to see something really scary? by PatHMV · · Score: 3, Insightful

      Mod parent up. TFA says: "the social security number system has a huge security flaw — social security numbers are predictable if you know a person’s hometown and date of birth."

      We should read that as sounding as absurd as: "the phone numbering system has a huge security flaw -- phone numbers are discoverable if you know a person's name." This was NOT a design flaw. Nobody, as best I can tell, ever thought, when designing the system, that an SSN should be treated like a PIN, a number known only to the individual, where knowledge of the PIN is considered strong evidence of the identity of the person.

      The single best thing which could be done for security at this point is to publish a nation-wide database of all SSNs matched with the names registered to those SSNs, to totally destroy the idea that SSNs should be "secret" identifiers.

      The SSN exists to establish that we're identifying the John Doe who was born to Jim and Jane Doe on January 1, 1972 in Madison, Wisconsin, rather than the John Doe who was born on January 8, 1963 in New York City, or the John Doe who was born to Bill and Joan Doe on January 1, 1972 in Madison Wisconsin. It is an identifier, not a PIN.

      I'd like a good class action lawyer to consider a nice lawsuit against any creditor who acts on the assumption that somebody who knows a person's SSN must be that person, or authorized by that person to take action on their behalf.

  3. Bad writeup by jandrese · · Score: 5, Informative

    The writeup made it sound like you could look at a crappy snapshot of a person and magically discover their SSN. What actually happened is that they trolled the Facebook profiles for their hometown and date of birth to discover the SSNs, the webcam was just to match up the person sitting at a terminal currently with their Facebook profile. The story is basically: Off the shelf facial recognition software seems to work pretty good, even with a crappy webcam.

    --

    I read the internet for the articles.
  4. Re:But SSNs aren't identifiers! by kbolino · · Score: 3, Insightful

    The SSN was never intended as a means of identification initially, but:

    1. When a system of identification was needed, the SSN system was already in place;
    2. In theory, SSNs have a 1:1 person-to-number correspondence, unlike other forms of identification (name, birthplace, birthdate, etc.);
    3. Without such a system, the government would perform much more invasive checks for things like employment, voting, and banking.

    So either you accept that the government shouldn't be doing such things (so "illegal" immigrants can work, dead people can vote, and terrorists can open bank accounts, e.g.) or you recognize that SSNs are the lesser of two evils.

    That doesn't mean there couldn't be a better system, but such a system would invariably require the government to keep even more information about its citizens.

  5. Re:Roundabout... by Jahava · · Score: 4, Insightful

    I find this article title to be silly.

    What they do is use facial recognition to match people to their Facebook profile, then use the details stored there to obtain the SSN.

    Up next:

    - How names and surnames can Uncover SSN - How giving people your email address can Uncover SSN. - How running a facebook search can Uncover SSN

    Researchers demonstrated a clearly fatal flaw in SSNs. They have shown beyond a shadow of a doubt that the current SSN system is unsuitable for usage. They did this years ago ... and nothing has changed. It's not a political talking point. There's no proposed solution sweeping in to correct the problem. SSNs still are the gateway to every American's private information, and there's no sign that this will stop being the case, despite clearly-fatal flaws.

    I welcome anything that makes this scary enough for people to demand that SSNs be immediately deprecated. This article is just the same researchers shouting louder, but the system does need to change.