Risk
6/18/2013
12:04 PM
Connect Directly
RSS
E-Mail
50%
50%

FBI Driver's License Photo Searches Raise Privacy Questions

Facial-recognition software advances allow law enforcement and government agencies to match images of unknown suspects with government-issued ID photos.

Spy Tech: 10 CIA-Backed Investments
Spy Tech: 10 CIA-Backed Investments
(click image for larger view and for slideshow)
When conducting investigations, the FBI can now compare images of unknown suspects with state-issued driver's license photographs, using facial-recognition software to find potential hits.

That revelation was made Monday by privacy rights groups Electronic Privacy Information Center (EPIC). "Through a Freedom of Information Act request, EPIC obtained a number of agreements between the FBI and state DMVs," according to a statement released by the organization. "The agreements allow the FBI to use facial recognition to compare subjects of FBI investigations with the millions of license and identification photos retained by participating state DMVs."

According to EPIC, one use of this data would allow the FBI to create a "massive virtual line-up" of suspects in an investigation.

The FBI isn't alone in running biometric searches on driver's license data. According to the The Washington Post, 26 states -- including Texas, Massachusetts, Illinois and Florida -- have facial-recognition systems, and allow police to search that data or request searches against a combined 107 million photos. Meanwhile, 11 states have facial-recognition systems but generally don't allow law enforcement agencies to search their combined 38 million images. Finally, 13 states have amassed a combined 65 million photos, but don't have facial-recognition systems for searching driver's license photos.

[ Citizens are raising a lot of questions about how the government balances security and privacy. See NSA Prism: Readers Speak. ]

While the FBI has agreements with some states that allow the bureau to search their driver's license and non-driver ID photos, the bureau has also amassed about 15 million photographs of arrestees and people convicted of crimes. The State Department, meanwhile, has about 230 million photos relating to visas and passports, but has relatively tight controls on how that information can be accessed by law enforcement agencies. Finally, the Defense Department has a database of about 6 million photos, largely comprised of people in Afghanistan and Iraq, compiled by soldiers battling insurgents. In fact, the facial-recognition software used by most government agencies, developed by Boston-based private contractor MorphoTrust USA, which is owned by France-based Safran, was created to help soldiers in the field positively identify insurgents.

Running facial recognition searches has long been the stuff of cop shows: A grainy still image captured from a CCTV camera is compared, using software, with a database of driver's license or other official government ID photos, until a sudden high-probability "hit" is made, helping investigators chase down a suspect and crack their case.

While facial-recognition-search payoffs are common on NCIS, in real life, the software carries caveats, with the Post noting that one image of a middle-aged white man might return a match with a 20-something African-American woman who has similarly shaped eyes or lips.

Still, advances in software are making large-scale facial recognition searches more feasible. But that raises privacy questions: Who should be allowed to run these facial recognition searches, and what privacy controls or oversight should be in place?

One fear is that authorities might amass a facial recognition database on par with national registers of fingerprint data, and increasingly, DNA data. Accordingly, EPIC said that it's currently "suing the FBI to learn more about its development of a vast biometric identification database," referring to the bureau's Next Generation Identification program, which EPIC said will aggregate information about "fingerprints, DNA profiles, iris scans, palm prints, voice identification profiles, photographs and other identifying information."

The privacy rights group has warned that large-scale biometric databases could, for example, be used by law enforcement agencies to automatically catalog the identity of everyone participating in a peaceful -- and legal -- political demonstration.

"The potential for abuse of this technology is such that we have to make sure we put in place the right safeguards to prevent misuse," said Sen. Al Franken (D-Minn.), in a statement. "We also need to make sure the government is as transparent as possible in order to give the American people confidence it's using this technology appropriately."

In the case of the FBI, facial recognition is provided by -- and full access to the underlying data restricted to -- the bureau's Facial Analysis Comparison and Evaluation (FACE) services unit, which is part of the bureau's criminal justice information services division, and which is staffed by highly trained biometric images specialists.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5316
Published: 2014-09-21
Cross-site scripting (XSS) vulnerability in Dotclear before 2.6.4 allows remote attackers to inject arbitrary web script or HTML via a crafted page.

CVE-2014-5320
Published: 2014-09-21
The Bump application for Android does not properly handle implicit intents, which allows attackers to obtain sensitive owner-name information via a crafted application.

CVE-2014-5321
Published: 2014-09-21
FileMaker Pro before 13 and Pro Advanced before 13 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2319...

CVE-2014-5322
Published: 2014-09-21
Cross-site scripting (XSS) vulnerability in the Instant Web Publish function in FileMaker Pro before 13 and Pro Advanced before 13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-3640.

CVE-2014-6602
Published: 2014-09-21
Microsoft Asha OS on the Microsoft Mobile Nokia Asha 501 phone 14.0.4 allows physically proximate attackers to bypass the lock-screen protection mechanism, and read or modify contact information or dial arbitrary telephone numbers, by tapping the SOS Option and then tapping the Green Call Option.

Best of the Web
Dark Reading Radio