* * *

Here’s how FindFace works. First, you take a photo of someone whom you want to identify. Next, you upload the photo to the app, which searches pictures from VK and gives you back those that it thinks look similar. FindFace’s facial recognition algorithm is state-of-the-art—developed by a company called NTech Lab, it recently went toe-to-toe with Google’s facial recognition algorithm in an international competition at the University of Washington—but it isn’t anything new. Facebook does these sorts of searches on a daily basis, albeit on different datasets. The real innovation that makes FindFace such a threat to privacy is its database.

When you upload a photo to Facebook, it compares the faces in that photo only to faces of your friends. FindFace, on the other hand, searches every profile picture from VK. This means that every time someone submits a photo to FindFace, it matches against a database containing every member of the most popular social networking site in the Russian-speaking world—hundreds of millions of accounts. And when it finds a match, it can tie that person back to a VK profile, revealing their name and contact information.

All VK profile pictures are public, so the only way to hide from this database is to delete your profile. This leaves Russians with two undesirable options. They can either leave VK for less popular platforms, missing out on all of the updates, photos, and messages. Or they can resign themselves to the fact that their faces are indexed and searchable by the entire world.

* * *

Could someone do the same thing to Facebook? Probably not.

FindFace most likely got its database of profile pictures by siphoning them out of VK—downloading them one by one either through the company’s API or by visiting every VK profile with a bot. This siphoning is a common nuisance for large websites like Facebook, Twitter, and Google, so these sites have banned “automated data collection” in their terms of service, strengthened privacy settings, and implemented robust anti-siphoning protections in the form of “rate-limiting.” If you try to load too many pages too quickly—if you begin to resemble a siphoner or a bot—these sites will automatically restrict or cut off your access.
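The rate-limiting defense described above, as an added sketch that is not from the original article or from any of the sites it names: a sliding-window limiter that counts the distinct profiles each client views rather than raw requests. The window, threshold, cooldown, client addresses and profile ids are all assumed, constructed values.

```python
from collections import defaultdict, deque


class ProfileViewLimiter:
    """Cuts off a client that views too many distinct profiles too quickly."""

    def __init__(self, window=60.0, max_profiles=30, cooldown=300.0):
        # All three defaults are assumed values for illustration.
        self.window = window
        self.max_profiles = max_profiles
        self.cooldown = cooldown
        self.views = defaultdict(deque)   # client -> (timestamp, profile_id)
        self.blocked_until = {}           # client -> time access resumes

    def allow(self, client, profile_id, ts):
        """Return True if the page is served, False if access is cut off."""
        if ts < self.blocked_until.get(client, 0.0):
            return False
        q = self.views[client]
        q.append((ts, profile_id))
        while q and q[0][0] <= ts - self.window:   # drop views past the window
            q.popleft()
        # Count distinct profiles, so reloading a few pages is not penalised
        # while walking through many different profiles is.
        if len({pid for _, pid in q}) > self.max_profiles:
            self.blocked_until[client] = ts + self.cooldown
            return False
        return True


def constructed_traffic():
    """Constructed sample events: (timestamp, client, profile_id)."""
    # A person reloading four friends' profiles once a second for two minutes.
    human = [(float(t), "203.0.113.10", f"id{t % 4}") for t in range(120)]
    # A bot requesting a new sequential profile id twice a second.
    bot = [(t * 0.5, "198.51.100.7", f"id{1000 + t}") for t in range(120)]
    return sorted(human + bot)


def replay(events, limiter):
    """Feed events through the limiter; return clients that were cut off."""
    cut_off = []
    for ts, client, profile_id in events:
        if not limiter.allow(client, profile_id, ts) and client not in cut_off:
            cut_off.append(client)
    return cut_off


if __name__ == "__main__":
    print(replay(constructed_traffic(), ProfileViewLimiter()))
```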

That doesn’t mean Facebook is in the clear. The site doesn’t provide a way to hide your profile from the public at large, which would be the most basic defense against the risk of a FindFace clone. At the very least, Facebook should allow you to show a different picture to people outside of your network of friends. If desired, it could also help you display this picture in low-enough resolution that facial recognition algorithms like FindFace will be stumped. Facebook could even offer to make the photo grayscale or blur it slightly, further obfuscating the information that facial recognition technology needs to operate. These features are simple adaptations of the same technology that let people overlay a French flag on their profile pictures out of solidarity with Paris after last year’s terrorist attacks.