ESET Tech Tip
By Cameron Camp, Researcher for ESET North America
How much photo data does Facebook really have?
According to a recent post by a Facebook Photos engineer, Facebook receives around 200 million photo uploads per day, or about 6 billion per month. A separate post says Facebook currently hosts 4% of all photos ever taken. Specifically, it hosts 140 billion photos out of 3.5 trillion photos taken in history. Another post mentions that “it is estimated that 2.5 billion people in the world today have a digital camera. If the average person snaps 150 photos this year that would be a staggering 375 billion photos. That might sound implausible, but this year people will upload over 70 billion photos to Facebook, suggesting around 20% of all photos this year will end up there. Already Facebook’s photo collection has a staggering 140 billion photos; that’s over 10,000 times larger than the Library of Congress.”
Whatever the number, there’s never been a larger concentration of user-generated photo data in one spot, easily accessible, with the possibility of making interrelationships between users more meaningful, simple and relevant. This is a boon for facial recognition training efforts, which can use it to refine the fidelity of their data sets and lower the number of false positives generated. A related boon comes from correlating the increasingly accurate data with other data points in the set, which raises accuracy dramatically, especially over time.
So what does it mean? If other users tag you in photos, combined with facial recognition, it becomes very easy to reverse engineer who you are. Presumably this could lead to reduced fraud, but it could also enable nefarious third-party data miners to generate increasingly real-sounding identities that you would likely trust.
Social engineering has (for decades) been a cornerstone of online scamming. There were tricks to gain access to dial-up accounts, phone cards, etc., but it was mostly a hit-or-miss targeted exercise. But with the huge data sets now available online, automated social-engineering opportunities may start to hit the streets, offering criminals increasingly easy access (through you) to sensitive data, “spear phishing” their way into the deeper recesses of your organization’s data – definitely places they should not be prying into.
As the social media boom continues, many similar photo-relational systems will be implemented by default, causing concern from users who would prefer an opt-in system instead. Also, there will be booms in online reputation management systems, efforts that attempt to alert you and show just how much information can be relatively easily gathered about you (like people aggregator spokeo.com), hopefully allowing you to manage a bit of the data sprawl. Either way, protecting your identity, and thereby avoiding social-engineering scams, will become increasingly tricky with time.
In the 1980s, television showed the A-Team dressing as janitors and infiltrating myriad organizations without any shots being fired (at least until the car chase scenes). We will see a flurry of similar attacks, this time by scammers with buckets of relevant information about a potential target, so you may want to think seriously about guarding your reputation now. It’s easy to envision potential blackmail attempts in the future, starting with a phone message giving very specific details about you, promising to expose more to your employer unless you send money now to xyz organization to keep it from spilling an alleged goldmine of personal data. The threat will sound very convincing, very scary, and will become increasingly difficult to detect and stymie.
For questions about security or suggestions of topics you would like to see here, please email me at AskESET@eset.com.