Trustwave, a Chicago-based subsidiary of Singtel Group Enterprise, made the news recently when they developed and then released a new type of facial recognition tool. The software, known as Social Mapper, is an open-source project designed to recognize individual people across all of their online social media profiles using what is effectively a rudimentary artificial intelligence.

It’s important to note that searches like this — which use the name and photo of a subject — can be performed manually by any number of public and private organizations. With maybe a touch more enthusiasm than some Orwell readers might like, Trustwave described the intent behind their invention and explained how it differs from current approaches:

“Performing intelligence gathering online is a time-consuming process…What if it could be automated and done on a mass scale with hundreds or thousands of individuals?”

Let’s do our best to answer Trustwave’s question. “What if?”

What Makes Social Mapper Different?

As we mentioned, multiple government and corporate entities already use sophisticated tracking tools to follow consumers and suspects across the whole internet. But some of these marketing and law enforcement tools never reached their full potential because they required an API — that is, a degree of technological integration with specific platforms (Facebook, Twitter, Instagram, LinkedIn) — that wasn’t previously available. Unlike some of its precursors like Geofeedia, Social Mapper functions without an API.

Social Mapper is essentially an automated version of these manual searches, carried out in a bespoke browser window. It’s slower than a proper API-based internet trawl would be, but it still gets results that are hard to argue with: The inventors claim that 1,000 people (or “suspects” or “valued customers”) could be “processed” by the system in about 15 hours.

What Is the “Product” Here? And Who Stands to Benefit?

What does Social Mapper “produce” for its users? What potential is there for financial or even social gain? Is this a convincing research tool, or does it have the potential to become a part of a state or corporate surveillance apparatus? So far, it’s a bit of a mixed bag.

Social Mapper produces a literal spreadsheet when it’s done crawling the web looking for matches on the names and photos it’s been given to work with. The spreadsheet contains a list of matching social media accounts for each person of interest.

If you’re reading between the lines, you understand that this tool could just as easily be used by:

  • social media marketers
  • phishers
  • hackers
  • data thieves
  • corporations persecuting whistleblowers
  • governments cracking down on dissidents and many others.

The potential applications for a program like this are almost too many to name here. Social engineering campaigns — like the ones that lied to and coerced millions of Britons to vote for Brexit — are business, as usual, these days for states and corporations alike. And phishing campaigns don’t need any more sophisticated targeting tools than they’ve got already for seizing and holding our data hostage.

Trustwave, for their part, maintain that the development and subsequent release of this tool were done with “ethical hacking” in mind. That is, they want cybersecurity engineers to be able to use this, and tools like it, to find and patch vulnerabilities in our existing platforms.

What Are The Implications?

Even if this open-source software was designed first and foremost with security research applications in mind, it still feels a little like opening a can of worms. We live in unprecedented times where the collision of security and privacy is concerned. Social Mapper feels like an important tool to have on hand, but specific use cases slightly defy imagination. In fact, opportunities for misuse feel more likely than any definite benefits at this point.

The U.S. Supreme Court ruled recently that tracking individuals at the cell-tower-level is unconstitutional on Fourth Amendment grounds. But if geolocation via cell tower without a warrant is constitutional territory, mustn’t the same be true of our social media accounts? Our smartphones “check in” with cell towers at least as often as we humans “check in” with our social feeds. No matter the intent or who’s looking after the records, keeping tabs on thousands and millions of individuals at a time, as a matter of course, feels like an overstep for any one human institution.

That makes it significant, and maybe even a little reassuring, that this bundle of software and web-crawling algorithms is freely available and open-source. That means it’s in everybody’s hands instead of just one somebody. The tradeoff is the same as the benefits: It’s in everybody’s hands.

Maybe it’s creepy. Perhaps it’s a digital revolution in law enforcement. In either case, isn’t it merely collecting information we’ve already decided to make public? If nothing else, it’s a reminder to think twice before “opting in” — because you might find yourself on somebody’s spreadsheet.