Risk
6/18/2013
12:04 PM

FBI Driver's License Photo Searches Raise Privacy Questions

Facial-recognition software advances allow law enforcement and government agencies to match images of unknown suspects with government-issued ID photos.

When conducting investigations, the FBI can now compare images of unknown suspects with state-issued driver's license photographs, using facial-recognition software to find potential hits.

That revelation was made Monday by privacy rights group the Electronic Privacy Information Center (EPIC). "Through a Freedom of Information Act request, EPIC obtained a number of agreements between the FBI and state DMVs," according to a statement released by the organization. "The agreements allow the FBI to use facial recognition to compare subjects of FBI investigations with the millions of license and identification photos retained by participating state DMVs."

According to EPIC, one use of this data would allow the FBI to create a "massive virtual line-up" of suspects in an investigation.

The FBI isn't alone in running biometric searches on driver's license data. According to The Washington Post, 26 states -- including Texas, Massachusetts, Illinois and Florida -- have facial-recognition systems, and allow police to search that data or request searches against a combined 107 million photos. Meanwhile, 11 states have facial-recognition systems but generally don't allow law enforcement agencies to search their combined 38 million images. Finally, 13 states have amassed a combined 65 million photos, but don't have facial-recognition systems for searching driver's license photos.

While the FBI has agreements with some states that allow the bureau to search their driver's license and non-driver ID photos, the bureau has also amassed about 15 million photographs of arrestees and people convicted of crimes. The State Department, meanwhile, has about 230 million photos relating to visas and passports, but has relatively tight controls on how that information can be accessed by law enforcement agencies. Finally, the Defense Department has a database of about 6 million photos, largely comprised of people in Afghanistan and Iraq, compiled by soldiers battling insurgents. In fact, the facial-recognition software used by most government agencies, developed by Boston-based private contractor MorphoTrust USA, which is owned by France-based Safran, was created to help soldiers in the field positively identify insurgents.

Running facial recognition searches has long been the stuff of cop shows: A grainy still image captured from a CCTV camera is compared, using software, with a database of driver's license or other official government ID photos, until a sudden high-probability "hit" is made, helping investigators chase down a suspect and crack their case.

While facial-recognition-search payoffs are common on NCIS, in real life, the software carries caveats, with the Post noting that one image of a middle-aged white man might return a match with a 20-something African-American woman who has similarly shaped eyes or lips.

Still, advances in software are making large-scale facial recognition searches more feasible. But that raises privacy questions: Who should be allowed to run these facial recognition searches, and what privacy controls or oversight should be in place?

One fear is that authorities might amass a facial recognition database on par with national registers of fingerprint data, and increasingly, DNA data. Accordingly, EPIC said that it's currently "suing the FBI to learn more about its development of a vast biometric identification database," referring to the bureau's Next Generation Identification program, which EPIC said will aggregate information about "fingerprints, DNA profiles, iris scans, palm prints, voice identification profiles, photographs and other identifying information."

The privacy rights group has warned that large-scale biometric databases could, for example, be used by law enforcement agencies to automatically catalog the identity of everyone participating in a peaceful -- and legal -- political demonstration.

"The potential for abuse of this technology is such that we have to make sure we put in place the right safeguards to prevent misuse," said Sen. Al Franken (D-Minn.), in a statement. "We also need to make sure the government is as transparent as possible in order to give the American people confidence it's using this technology appropriately."

In the case of the FBI, facial recognition is provided by -- and full access to the underlying data restricted to -- the bureau's Facial Analysis Comparison and Evaluation (FACE) services unit, which is part of the bureau's criminal justice information services division, and which is staffed by highly trained biometric images specialists.
