Schneier on Security
A blog covering security and security technology.
« Criminal Intent Prescreening and the Base Rate Fallacy |
| Tampon-Shaped USB Drive »
May 4, 2012
Facial Recognition of Avatars
I suppose this sort of thing might be useful someday.
In Second Life, avatars are easily identified by their username, meaning police can just ask San Francisco-based Linden Labs, which runs the virtual world, to look up a particular user. But what happens when virtual worlds start running on peer-to-peer networks, leaving no central authority to appeal to? Then there would be no way of linking an avatar username to a human user.
Yampolskiy and colleagues have developed facial recognition techniques specifically tailored to avatars, since current algorithms only work on humans. "Not all avatars are human looking, and even with those that are humanoid there is a huge diversity of colour," Yampolskiy says, so his software uses those colours to improve avatar recognition.
Posted on May 4, 2012 at 6:31 AM
• 24 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
What is the use-case for this?
Because it sounds like the dumbest idea in the world.
Avatars are represented by digital code and rendered on the client. So they are easily identified, and easily copied.
Wouldn't be easier to use SecondLife APIs to verify which graphics/textures an human uses as avatar?
Also, I ignore whether you can change your avatar in SL, but if you can, facial recognition becomes quite useless.
Funny, I didn't see Ben's post when posting mine, but we had the same train of thought.
When fishing for government grant money, the more outlandish, useless, and potentially stupid, the better your chances at getting the dough. Shrimp on treadmills is just one example of what the fine folks in the u.s. government think worthy of throwing away your hard earned tax dollars.
There is NO use case for this whatsoever. As if a user couldn't change the way an avatar looks or something. Sheesh.
Also--- do people still use Second Life?
i don't get it suppose that his worked perfectly and could recognize any particular avatar how does that link it back to the person who created it even theoretically?
As a general rule of thumb all "useful technology" is more general than specific even if it's a double edged sword.
Normally I can look at a piece of new technology and come up with over half a dozen different uses the designers never thought of within a few seconds. However I'm failing to see one use for this as described let alone two or more.
So I'm tending to think "not useful technology" at first sight...
Though I'll give it the benifit of the doubt and devote a whole "drink a cup of hot brown stuff" time to mull it over.
Not sure which is a greater waste of tube space, this article or 2nd Life itself.
All of this begs the question (or questions) on avatars, something I know little about and have generally ignored as being useless or a waste of time.
Why would one give up their identity to an electronic component, where that component can be hijacked, kidnapped, or stolen, and used for nefarious purposes?
My attention on this was focused when I read a credit card agreement update (you know, the one way agreement that you have no control over but to cancel the card). This agreement update makes you responsible for the actions of using your card as taken by the intermediaries that handle the transaction processing of your card. At one time, the credit card companies handled the processing and were responsible for dealing with loss, theft, or fraudulent use. Then, that responsibility moved to the card processor (the intermediary) who as such has moved the responsibility to the merchant (merchants don't like this). This latest agreement change introduces an "agent" (or avatar) for which you are responsible, and you get to direct the processing and the merchant, but overall, you become responsible for the unintended use of your card, which means all losses are likely to become yours (no lawsuits, arbitration only by a panel they pay to render decisions in their favor). The "avatar" moves all parties but the cardholder away from responsibility.
Shades of TSA...
In my opinion, the NewScientist article was posted ten days late.
It sounds almost as if it was someone's senior-year project.
The best use I can think of it is where:
1) you have access to a computer screen displaying an avatar, but
2) you have no access to any computer displaying that avatar. and
3) you have no access to unique identifying information.
If you had #2, you could simply make a copy. At minimum, the computer needs to render the image, so the visible portions of the avatar have to be made available to the graphics card.
Even if both are true, I'm not certain what it buys you. Avatars can typically be easily changed. Multiple people could use the same avatar. It might narrow down your search, but it would be hard to use knowledge of the appearance of an avatar to narrow down your search to one person.
And if you could, there's an obvious defense - copy someone else's avatar, then commit the crime, then stop using that avatar.
So, realistically, the best use I'm coming up with is as an aide to playing the "can you figure out which disguised avatar matches which undisguised rendering" game.
"And if you could, there's an obvious defense - copy someone else's avatar, then commit the crime, then stop using that avatar."
I still don't understand what crime someone could commit in this situation that this technology could have any impact on. Being digital my first thought would be fraud\phishing\stealing personal info, maybe harassment\cyber bulling. Assuming someone commits one of these crimes using a completely unique avatar and doesn't ever change it and the person being defrauded saved a screen shot of the avatar but has no other information at all. The police use the screenshot to scan the p2p network for an avatar matching this description, they find him and then what? They still have not linked it back to a real person.
Can you change your avatar in Second Life?
Oh yes, yes, boy can you change your avatar.
Here's a few of my 300 or so avatars...
It would be simply amazing if there was anyone on this planet that resembled any of them.
In that hypothetical, tracing down the individual depends a lot on the specifics of the network. An avatar's actions are being directed by some computer somewhere. If you can trace those messages to that computer, you might then be able to connect that computer to a person (or another computer). If it's fairly securely designed (or the person knows how to cover their tracks well), it may still be very hard to trace to a person.
Honestly, if it's a monetary crime, I'd think it would be easier to follow the money.
This doesn't really solve anything, if you want to be anonymous you just randomize the avatar metrics or clone someone how looks trustworthy.
I too collect avatars (since I haven't been in-world in a while, they would likely be considered antiques). Argent has me beat by quite a bit.
Leave it to Raytheon to come up with such a brilliant idea. Is it really a good idea to fuze personal data with an avatar? Like it was such a good idea to fuze biometric data to passports?
The 10 year olds won't think to check if they are talking to a 40 year old, but the 40 year old will think to check if they are talking to an undercover cop.
Yes, there are a lot better ways to trace back another user in SL than biometrics of the avatar!
If you're Linden Lab, or you have a warrant, simply getting them to pull up the IP address from their logs is orders of magnitude better.
If you're not, there are still ways to get another SL user's IP address if they have their client set to automatically connect to websites or streaming audio servers, but after some modest scandals involving an ex-con running a "service" in SL using this to guess people's alts, it's considered a bit dodgy to leave these options enabled all the time.
(and of course the integrated magic IP trace and GIS zoom in that CIS:NY episode set in SL is strictly bad fiction)
While in risk of beating a dead horse:
- In SL, you can change avatar at the click of a button
- There are "copybots" that can "pirate" any avatar look they can see
- If your SL client can "see" another avatar, it also means that it received the UID of its owner. If you are looking for a system that recognizes the people.... I can write you a 100% accurate matching system in less than a dozen lines of scripting. And I only charge half what they charge :)
I don't get it suppose that this worked perfectly and could recognize any particular avatar how does that link it back to the person who created it even theoretically?
Asside from the points raised by Fred P, there are also characteristics of "software" and "data" used to create the avatar, which potentialy could be used as a "fingerprint".
One aspect of "artists" is they have signiture strokes and in the case of tattoo artists their work can identify them. This has been used to help identify deceased people as many tattoo artists keep records of the work they have done for who.
Now if an avatar is "bespoke" and paid for in a traceable way then it's owner can be identified by the artist who created it. The question then becomes not "who is hiding behind the avatar" but "who paid for it and can they account for it's usage" which considerably narrows down the field of search.
I can safely assume that there will be no case of peer-to-peer case of that loosen game developed, even if the internet speed of home user is increasing, because the company creating the game will always have a better connection with the end user then the users that needs to connect with each other in order to show their changes in movements. Currently, for example, in SL I mean, if you go into a bar and the guy who own the bar is playing the guitar has to upload also the sound, not just his movements he does, and this connection is between him and SL company, which in turn it will broadcast it to the other users in the bar. On peer-to-peer that will translate into x connections to it's PC, where x=no of users in his bar. So the end user will need to have a better hardware beside better internet connection and only in a ideal world all the users will have equal HW+internet, which makes my initial assumption Q.E.D.
It is indeed rather a strange thing. It's a solution looking for a problem. More, it's a solution looking for an environment and an architecture in which the problem could potentially exist.
Alas, no such environment/architecture is (to the best of my knowledge) developed or planned (or even actually a good idea).
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.