Declan McCullagh/CNET

LAS VEGAS--Facebook's online privacy woes are well-known. But here's an offline one: its massive database of profile photos can be used to identify you as you're walking down the street.

A Carnegie Mellon University researcher today described how he assembled a database of about 25,000 photographs taken from students' Facebook profiles. Then he set up a desk in one of the campus buildings and asked willing volunteers to peer into Webcams.

The results: facial recognition software put a name to the face of 31 percent of the students after, on average, less than three seconds of rapid-fire comparisons.

In a few years, "facial visual searches may become as common as today's text-based searches," says Alessandro Acquisti, who presented his work in collaboration with Ralph Gross and Fred Stutzman at the Black Hat computer security conference here.

As a proof of concept, the Carnegie Mellon researchers also developed an iPhone app that can take a photograph of someone, pipe it through facial recognition software, and then display on-screen that person's name and vital statistics.

This has "ominous risks for privacy," says Acquisti, an associate professor of information technology and public policy at the Heinz College at Carnegie Mellon University. Widespread facial recognition tied to databases with real names will erode the sense of anonymity that we expect in public, he said.

Another test compared 277,978 Facebook profiles (the software found unique faces in about 40 percent) against nearly 6,000 profiles extracted from an unnamed dating Web site.

About 1 in 10 of the dating site's members--nearly all of whom used pseudonyms--turned out to be identifiable.

Facebook isn't the only source of profile data, of course. LinkedIn or Google+ might work. But because of its vast database and its wide-open profile photos, Facebook was the obvious choice. (Facebook's privacy policy says: "Your name and profile picture do not have privacy settings.")

Facial recognition technology, which has been developing in labs for decades, is finally going mainstream. Face.com opened its doors to developers last year; the technology is built into Apple's Aperture software and Flickr. Google bought a face-recognition technology in the last few weeks, and Facebook's automated photo-tagging has drawn privacy scrutiny.

In the hands of law enforcement, however, face recognition can raise novel civil liberties concerns. If university researchers can assemble such an extensive database with just Facebook, police agencies or their contractors could do far more with DMV or passport photographs--something that the FBI has been doing for years. (The U.S. Army partially funded the Carnegie Mellon research.)

Acquisti is the first to admit that the technology isn't perfect. It works best with frontal face photos, not ones taken at an angle. The larger the database becomes, the more time comparisons take, and the more false-positive errors arise.

On the other hand, face recognition technology is advancing quickly, especially for nonfrontal photos. "What we did on the street with mobile devices today will be accomplished in less intrusive ways tomorrow," he says. "A stranger could know your last tweet just by looking at you."