Security researchers have demonstrated a system by which they can use publicly available photographs of an individual to trick facial recognition technology and achieve successful authentication.

In their paper entitled Virtual U: Defeating Face Liveness Detection by Building Virtual Models from Your Public Photos (PDF), researchers Yi Xu, True Price, Jan-Michael Frahm, and Fabian Monrose from the University of North Carolina at Chapel Hill explain that their spoofing attacks work because of the inherent dangers of social media:

"It should come as no surprise that personal photos from online social networks can compromise privacy. Major social network sites advise users to set privacy settings for the images they upload, but the vast majority of these photos are often accessible to the public or set to 'friend-only' viewing.... Users also do not have direct control over the accessibility of photos of themselves posted by other users, although they can remove ('un-tag') the association of such photos with their account."

For their experiment, the researchers used Facebook, Google+, LinkedIn, and other social networking sites to collect photos of 20 volunteers. Most of the participants were security researchers committed to protecting their privacy online. Even so, the team easily found between three and 27 images of each individual.

From there, the researchers used a series of techniques to refine each photo so that it stood the best chance of fooling the facial recognition system.

If a volunteer's face was cut off or placed at an angle in an image, for instance, the team used "landmarks" on the participant's face to construct a three-dimensional virtual reality (VR) rendering of their face. They then added skin texturing, altered the person's gaze (if necessary), and added animation to mimic the facial movement of a living, breathing user.

The experiment concluded with the researchers testing each animated VR face against the volunteers' user profiles on five authentication systems: KeyLemon, Mobius, TrueKey, BioID, and 1D. Their approach tricked all but 1D with a success rate of 55 percent to 85 percent.

These findings mean facial recognition-based authentication technology needs to change. As the researchers explain:

"Our work outlines several important lessons for both the present and the future state of security, particularly as it relates to face recognition systems.

"First, our exploitation of social media photos to perform facial reconstruction underscores the notion that online privacy of one's appearance is tantamount to online privacy of other personal information, such as age and location.

"The ability of an adversary to recover an individual's facial characteristics through online photos is an immediate and very serious threat, albeit one that clearly cannot be completely neutralised in the age of social media. Therefore, it is prudent that face recognition tools become increasingly robust against such threats in order to remain a viable security option in the future."

The team recommends using sensors to detect subtle changes in skin tone texturing and light patterns that might suggest a spoofing attack is underway.

While the security industry works to secure facial recognition technology as a means of authentication, law enforcement are determined to use such systems to assist with their criminal and anti-terrorist investigations. The German Interior Minister's announcement that he would like to introduce facial recognition systems at all German airports and train stations testifies to that resolve.

Law enforcement agencies are increasingly working together to assist one another in identifying criminal suspects, as evidenced by the FBI's Next Generation Identification-Interstate Photo System (NGI-IPS) service. Tech such as the privacy visor could help people protect their privacy in public places. But even then, evading government surveillance is much more complicated than that. It's more of a lifestyle than a choice to wear a special pair of goggles. As such, it's a topic that's beyond the scope of this article.