A security researcher has discovered that if people use a so-called Juggalo makeup on their faces, they will stand a good chance of beating many facial recognition software in operation around the world.
Even though data privacy laws are now mandating global firms to obtain clear and informed consent from their customers before using facial recognition to identify them, security researchers have always feared that the technology could easily be misused by individuals or firms for various purposes without obtaining the required consent.
For example, in April this year, a San Francisco District Judge advised Facebook users in Illinois to initiate a class action lawsuit to claim damages from Facebook for using facial recognition to identify them in photos and videos without obtaining prior consent.
Fearing the prospect of facing billions of dollars in fines, Facebook announced that it would obtain explicit consent from users in Europe and Canada on the use of facial recognition in line with GDPR, and added that it used the technology to improve people's privacy as it could detect whenever a person's image was used by unknown persons in posts on Facebook.
Defeating facial recognition tech
Even though Facebook promised to abide by data protection laws, researchers still fear that facial recognition technology could either be misused by firms or government agencies or could be defeated by hackers to access sensitive information of citizens.
To bring home the point that facial recognition technology isn't invincible and can be defeated, security researcher Ian O’Neill recently demonstrated that a person can fool the software by applying a so-called Juggalo makeup on his face.
"Facial recognition generally relies on looking for a few different important facial features - nose, eyes, mouth, eyebrows, and jawline. This makeup actually replaces the jawline, as well as a few other large features, which makes it very difficult to match it to other regular faces," he told RT.
He said that unlike other face paints, this particular makeup can defeat facial recognition software as it can obscure a jawline and hides certain characteristics in faces to redefine a person's facial features, adding cheekily that people can use the Juggalo makeup if they want to avoid surveillance.
So what exactly is a Juggalo?
The Juggalo face-paint was first used by fans (Juggalos) of Insane Clown Posse, a group of rappers based in Detroit, Michigan who shot to middling fame in the 1990s and early 2000s. The clown face-paint, worn by the rappers and their fans, never really caught up with the general public and would have been completely forgotten had it not been discovered by O’Neill.
According to RT, the Juggalo makeup isn't completely foolproof and cannot hide a person's identity from facial recognition technologies that use depth-perception instead of light-recognition such as Apple's Face ID.
"Unfortunately, most of the techniques to avoid facial recognition on yourself are generally quite drastic. Instead it may be better to limit the sorts of online exposure you have on social media, and consider what that facial recognition identity might be used for. Even if you can’t prevent people from recognizing your face, you can limit what they can do with that information," O’Neill told RT.
This isn't the first time that security researchers have been able to evade facial recognition or to fool recognition software. In November 2017, security researchers at Bkav Corporation succeeded in tricking Apple's Face ID by using a face mask that was crafted using a popular 3D printer, a hand-made nose, and certain parts of it designed using a 2D printer. The mask took approximately 150 USD to create.
'It is quite hard to make the "correct" mask without certain knowledge of security. We were able to trick Apple's AI because we understood how their AI worked and how to bypass it. As in 2008, we were the first to show that face recognition was not an effective security measure for laptops,' the researchers said.
In the same year, Samsung was forced to ask users of Galaxy S8 and S8+ smartphones to not use just facial recognition tech on its own but combine it with PIN and/or fingerprint after some YouTubers demonstrated how easy it was to fool the facial recognition tech insuch phones using photos instead of faces.
"In the identity industry, facial recognition (FR) on its own wouldn't count as a strong form of authentication. Most systems would require a second factor, such as possession or knowledge (password), which would be something like the device you used being registered on the account," said Mayur Upadhyaya, managing director EMEA at Janrain.
"As such, there are known limitations of FR. The Juggalo discovery just highlights another limitation of automated FR, which relies on contrast levels. As @tahkion points out, this kind of facial obscurification would need to be either manually flagged or built into the FR system itself, which doesn't seem that feasible. So this is certainly a flaw that surveillance concerned citizens could exploit, if wearing clown paint wasn't an inhibitor to day-to-day life," he added.