Can someone snap a photo of me in the street and use it to identify me?

With facial recognition technology you can take pictures of people in the street, run them through publicly available photographs online, and get a match.

You would have heard this statement if you had been listening to the 20 September 2016 episode of Seriously on BBC Radio 4, called ‘The Online Identity Crisis’. I only heard it yesterday, though, as I caught up with it by podcast. It did, however, set me thinking. Just how likely, or easy, is it that someone should take a photo of me in the street, run said image through facial recognition software, and be able to identify me?

Anyone who has ever watched a police drama will be well aware that a crime-fighting duo can have their technologically-savvy lackey run an image through facial recognition software that will spit out a positive match within 30 seconds. Having successfully identified their nefarious quarry, mobile phone records and corresponding mast pings can be used to locate her or him, allowing our fearless heroes to thunder off across town, apprehend the suspect, and save the world from imminent disaster.

There’s also FindFace, the app launched by a Russian startup, which allows users to identify people by comparing images with those on the Russian social network, Vkontakte. FindFace boasts a 70% reliability rate. That created a bit of a storm earlier this year.

Both of these methods would meet with obstacles in trying to identify me, though. The first exists in TV-land and the second relies on my having an account with the Russian equivalent of Facebook, which I don’t. Is there a more likely method of identifying me, then?

The big players

What about the big players, the Googles and the Facebooks? Would either of these be able to somehow identify me? Both Facebook and Google have some powerful facial recognition programmes at their disposal. Facebook’s Deepface programme is a highly sophisticated operation. It can correctly identify the faces in two different photos as belonging to the same person over 97% of the time.

Does that mean that Creepy Guy sitting in the corner of my favourite café could snap a photo of me when I’m enjoying tea and cake with my grandmother there on a Saturday morning, upload it to Facebook, and its automatic facial recognition would identify me? In theory, Facebook’s DeepFace has that capability. In practice, it certainly cannot happen in the EU, owing to stringent EU privacy laws. It would also face a major stumbling block when it comes to me specifically because I do not have a Facebook account.

How about Google? Google, too, has developed facial recognition tools that are tack-sharp when it comes to identifying people. It’s called Facenet. If you’re in the right part of the world, its Photos app will use a pared-down take on facial recognition to sort your images for you. But, here in the EU that’s not an option.

What about trying to use Google in the classical sense to identify me? I tried a reverse image search of my mug to see if that would provide me with a workable result only to find that I couldn’t be identified anymore usefully than ‘head’. You would have to conduct your search using a copy of a photo that already exists on the web, and identifies me, to yield a result. My Saturday morning stalker wouldn’t have much success with that route either, then.

The smaller players

Are there any apps, then, which perform a subject identification function–something along the lines of FindFace, but not restricted to Russian networks? Well, I did find Facequare. You upload a photo, it scans it for identifiable features, and then allows you to search its database for similar or identical faces. Would this be able to put my name to my face? It’s highly unlikely. Facequare operates within a walled garden and as I’ve not uploaded anything to it (and have no desire to create an account) I doubt it’ll be able to identify me.

Without web-wide reverse image search these types of apps will only be able to operate within the confines of their own data sets. Unless your information has somehow made it there, as Vkontakte’s users’ data did with the FindFace app, it shouldn’t be able to find you.

The specialists

If you type ‘facial recognition software’ into Google, you will be returned with plenty of options, perhaps leading you to think that our Saturday morning scenario can be cracked. However, if Creepy Guy in the corner is expecting to upload an image of me to one of these providers and wait for it to churn out a corresponding identification, he’s going to be disappointed. These programmes tend to operate with far broader strokes.

For example, they might offer specific facial recognition services that form the basis for app security or building entry. They might monitor the ebb and flow of people in a given space. Or they could return metadata suggesting my gender, age, and ethnicity. If these services do have the capability to identify people from their photos, they’ll be doing so from a given dataset. Theoretically, if information that can be used to identify you is being stored anywhere, you should have given your consent for that. That’s quite a long way from ‘publicly available photos online’.

Who am I?

Trying to identify me from a photo snapped in the street, somewhere in the UK, is slightly harder than the Seriously team might have its listeners believe, right now, at least. Primarily, EU data protection laws are stringent; I would have needed to provide my consent for any personally identifiable information to be stored in such a way that would permit identification from a random photo. Yes, it is technically possible but practically and realistically there are some significant obstacles. Over all, I’m pretty safe from Creepy Guy in the corner.

Who am I going to be?

What the UK electorate’s decision to leave the EU might mean for my–and every other UK residents’–data security is a question that I can’t answer. But as processing power increases, even with the exponential rise in images stored on the web, and the already near-perfect recognition technologies available the likelihood of being able to use an app to identify the woman in the café is drawing closer.

All of which means that if I–or you–don’t want to be identified by Creepy Guy, we need to pay closer attention to whom we say can use our data and how. It’s either that or go incommunicado, which seems a bit extreme.