I uploaded a selfie for one of my kids.
It was shot on an iPhone 7. The sun is shining in the background, there’s a row of trees along one side and a river off in the distance. It looks harmless, and the photo isn’t exactly a cherished keepsake. Yet, after uploading the photo, I gasped a little.
Contained within the metadata of the photo is the location where the photo was taken, the gender and age of the subject, and whether the subject is smiling. What’s even more troubling? Since it was from a wedding, the site added tags to the photos like “bride” and “wedding” without my involvement. There’s even what looks like a Facebook ad that pops up complete with overlay text on top of the selfie.
The site is called Selfie Reveal, and it worked wonders. It’s a “proof of concept” for a new game called Watch Dogs 2, and it shows how hackers can take innocuous photos like the one I used and read detailed information. Perhaps even worse than knowing the location of the photo: The tags then become part of a vast archive. Companies could use the photo for advertising purposes. The site even determines if the person in the photo makes a good job candidate, assesses risk and trust, and if there is a security concern.
The game, which I’m currently testing out, hinges on the idea of a vast global network of computers that can scan for information within everyday files like a selfie. The main character is arrested on false pretenses due to a data processing error.
Data hacking expert David Maynor told me the Selfie Reveal site is not just a marketing trick, although it does get your attention. He says real hackers routinely parse data from photos and can then use the information to find out more information about you.
The EXIF data in a photo, for example, contains a time and location stamp. Hackers then use artificial intelligence routines to examine the photo to determine your age (based on a comparison to image libraries), your facial expression, gender, and other data points. This information could be sold for marketing purposes. If you’re famous, it could be used for extortion, since the hacker could parse some compromising information.
“You start with a selfie or image from a commonly available source like Linkedin or Facebook, and then it’s just a matter of matching or running it through these analysis tools to mine the photo for actionable data,” says Maynor.
The problem is when the data leads to false conclusions. “A person who considers themselves happy may be assessed as depressed by AI; someone who portrays themselves as a voter of one party may really line up with another,” he says.
The AI can also scan for information in the background of a photo. A selfie might seem tame to human eyes, but a computer can scan for a Post-It note on a mirror behind you that contains a password, then associate the location with your age and gender to break into your social media sites.
It doesn’t stop with selfies. Some of the latest hacks are quite ingenious. Maynor says there are apps that can play a sound a human can’t hear which is recorded by a listening device; the hacker can then determine your location based on GPS data. Another hack conducted by the Georgia Institute of Technology found that, with newer smartphones, the accelerometer is so sensitive that, if the phone is near a keyboard, it can be used to determine what you are typing with an 80% degree of accuracy.
I was a little flummoxed by the selfie data. As with many of these ingenious hacks, there’s not much you can do about it–other than never taking or posting selfies again.