6/18/2013 12:04 PM

FBI Driver's License Photo Searches Raise Privacy Questions

Facial-recognition software advances allow law enforcement and government agencies to match images of unknown suspects with government-issued ID photos.

When conducting investigations, the FBI can now compare images of unknown suspects with state-issued driver's license photographs, using facial-recognition software to find potential hits.

That revelation was made Monday by the privacy rights group Electronic Privacy Information Center (EPIC). "Through a Freedom of Information Act request, EPIC obtained a number of agreements between the FBI and state DMVs," according to a statement released by the organization. "The agreements allow the FBI to use facial recognition to compare subjects of FBI investigations with the millions of license and identification photos retained by participating state DMVs."

According to EPIC, one use of this data would allow the FBI to create a "massive virtual line-up" of suspects in an investigation.

The FBI isn't alone in running biometric searches on driver's license data. According to The Washington Post, 26 states -- including Texas, Massachusetts, Illinois and Florida -- have facial-recognition systems and allow police to search that data or request searches against a combined 107 million photos. Meanwhile, 11 states have facial-recognition systems but generally don't allow law enforcement agencies to search their combined 38 million images. Finally, 13 states have amassed a combined 65 million photos but don't have facial-recognition systems for searching driver's license photos.


While the FBI has agreements with some states that allow the bureau to search their driver's license and non-driver ID photos, the bureau has also amassed about 15 million photographs of arrestees and people convicted of crimes. The State Department, meanwhile, has about 230 million photos relating to visas and passports, but keeps relatively tight controls on how law enforcement agencies can access that information. Finally, the Defense Department has a database of about 6 million photos, largely composed of people in Afghanistan and Iraq, compiled by soldiers battling insurgents. In fact, the facial-recognition software used by most government agencies, developed by Boston-based private contractor MorphoTrust USA, which is owned by France-based Safran, was created to help soldiers in the field positively identify insurgents.

Running facial-recognition searches has long been the stuff of cop shows: a grainy still image captured from a CCTV camera is compared, using software, against a database of driver's license or other official government ID photos, until a sudden high-probability "hit" is made, helping investigators chase down a suspect and crack the case.

While facial-recognition-search payoffs are routine on NCIS, in real life the software carries caveats: the Post notes that one image of a middle-aged white man might return a match with a 20-something African-American woman who has similarly shaped eyes or lips.

Still, advances in software are making large-scale facial-recognition searches more feasible. That raises privacy questions: who should be allowed to run these searches, and what privacy controls or oversight should be in place?

One fear is that authorities might amass a facial-recognition database on par with national registers of fingerprint data and, increasingly, DNA data. Accordingly, EPIC said that it's currently "suing the FBI to learn more about its development of a vast biometric identification database," referring to the bureau's Next Generation Identification program, which EPIC said will aggregate information about "fingerprints, DNA profiles, iris scans, palm prints, voice identification profiles, photographs and other identifying information."

The privacy rights group has warned that large-scale biometric databases could, for example, be used by law enforcement agencies to automatically catalog the identity of everyone participating in a peaceful -- and legal -- political demonstration.

"The potential for abuse of this technology is such that we have to make sure we put in place the right safeguards to prevent misuse," said Sen. Al Franken (D-Minn.), in a statement. "We also need to make sure the government is as transparent as possible in order to give the American people confidence it's using this technology appropriately."

In the case of the FBI, facial recognition is provided by -- and full access to the underlying data restricted to -- the bureau's Facial Analysis Comparison and Evaluation (FACE) services unit, which is part of the bureau's Criminal Justice Information Services division and is staffed by highly trained biometric image specialists.
