[chris-allen-lane.com] Programming | Security | DIY

Tin Eye and Personal Privacy : A Hypothetical Attack Vector

If you who haven't heard of it, Tin Eye is an image search engine with a unique twist. While most image search engines (like Google Image search) allow you to search for images based off of textual search criteria, TinEye allows you to search for images that are similar to other images. The service works by allowing a user to upload an image file to TinEye. Images that are "similar to" the uploaded image are returned in the search results. (The ways in which the images are "similar", of course, is up to the TinEye algorithm, but in my opinion/experience, its groupings make sense to me as a human.)

TinEye is thus a great resource for finding images in a series, or for finding different variations upon a specific image. Looking for a higher quality version of a low-res pic? Try TinEye. Curious where your favorite wallpaper came from originally? Try TinEye. Looking for the same without Longcat 'shopped into it? TinEye.

I believe, however, that this unique functionality has some interesting security implications. I propose that, as TinEye is given more and more time to index the web, it may open up new attack vectors on personal privacy.

As an example, let's say that Alice has signed up for an online-dating site. Her would-be online suitor, Bob, takes a pass at her and is quickly shot down (or perhaps never attempts to contact her online at all). As Bob's interest escalates to infatuation, however, he transitions from suitor to stalker and decides to try to learn as much about Alice as he can with the intention of encountering her "in real life".

In the past, Bob's next several moves would likely look something like this:

Due to TinEye, however, Bob potentially has a few more tools for compromising Alice's identity:

This has a few important implications:

Firstly, and as always, be careful about what you post online! Recognize that the possibility exists that links can be drawn among the sites where you post the same pictures. If you don't want to go as far as not posting pictures of yourself online (which is understandable in the context of an online dating site), consider never posting the same photo to multiple sites.

Secondly, recognize the fundamental shift that the above signifies. In the past, it was possible to locate pictures of an individual based off of her textual descriptors (name, username, etc.). Now, however, the reverse is possible: you may now be able to locate textual information on a target based off of her picture.

To be clear, I'm not advocating that individuals flee from online dating. Nor am I stating that online dating, nor partcipating in the various "social media" sites in general, is intrinsically unsafe.

I am stating, however, that we must be increasingly vigiliant regarding what we post online. We must also recognize that, as technologies like TinEye continue to develop and mature, potential attack vectors on our personal privacy will likely continue to develop accordingly.