November, 2016

One-Half of Americans in Facial-Recognition Databases

A recent study by Georgetown Law’s Center on Privacy and Technology found that over 117 million adult Americans are now in law enforcement face recognition network databases. At least 26 states allow law enforcement agencies to use driver’s license and ID photos for facial recognition of suspects, and 16 allow the FBI to use the biometric database. The study recognizes the real benefits of face recognition technology used by well-meaning law enforcement agents to catch fugitives and violent criminals, but notes that use of the databases is also largely unregulated. The authors found no state requiring a search warrant or imposing any limitation, for example, restricting searches to investigations of serious crimes. Of the agencies examined, only four had a publicly available policy relating to use of the technology.

The authors stated that, historically, fingerprint and DNA databases have been created from information taken in criminal arrests or investigations; the database created by the FBI from driver’s license and ID photos “primarily includes law-abiding Americans.” (Emphasis in original.)  The study reported that the Pinellas County Sheriff’s Office runs 8,000 searches monthly on the 7 million registered drivers in Florida, without any need for a showing of reasonable suspicion; also, according to the county public defender, the Sheriff’s office has never disclosed, as Brady-material, the use of such biometric searches.

The authors found that law enforcement users of the technology generally do little to guarantee accuracy.  Only two departments, one in California and one in Washington, required accuracy tests of the technology as a condition of purchase.  The study suggests that African Americans would be disproportionately affected, due in part to racially-based error in the programs (as suggested by an FBI co-authored study), and to African Americans being disproportionately reflected in mugshot databases due to “disproportionately high arrest-rates.”

The authors found there is little protection of free speech.  For example, of the 52 agencies using face recognition technology, only one had an express policy prohibiting its employees from using the technology to track individuals engaging in political, religious or other free speech activities.

Increasingly, police departments are using live-feed surveillance video for real-time facial recognition, for example, of pedestrians walking on the street.  “Nearly all major face recognition companies offer real-time software.”

The authors recommended that legislatures enact laws to regulate law enforcement use of face recognition technology; that reasonable suspicion be required prior to a database search; that mugshots, not driver’s licenses, “should be the default photo databases for face recognition, and they should be periodically scrubbed to eliminate the innocent”; and that a court order based upon probable cause should be required for driver’s license and ID database searches, except in cases of identity theft and fraud.

Further, communities should determine whether to allow real-time face recognition technology because, given the pervasiveness of surveillance video and police-worn body cameras, use of real-time face recognition technology “will redefine the nature of public spaces.” National standards and accuracy testing should be developed, and the testing should include regular testing for algorithmic bias relating to gender, race, and age. Also, use of the technology to track people based on political or religious affiliation should be prohibited.

Sources:  Kevin Collier, “Study: 1 in 2 American Adults Already In Facial Recognition Network,”, October 18, 2016:  Clare Garvie, Alvaro Bedoya, and Jonathan Frankle, “The Perpetual Line-up: Unregulated Police Face Recognition in America,”, October 18, 2016:  Daniel Victor, “Study Urges Tougher Oversight for Police Use of Facial Recognition,”, October 18, 2016: e.html?_r=0

Security Risks in Biometric Scanning

“Every time you unlock your smartphone, use a fingerprint scanner at the airport, or upload a photo with facial recognition to Facebook, your physical attributes are scanned and scrutinized against a template.”  The templates allow the ease of accessing secure information without the need for memorized and hackable passwords; however, a recent article cautions that “unlike a password, if a person's biometrics are hacked, they can't be changed.”

Some large-scale hacks have already occurred.  The article notes that in December, 2014, a security breach at the Office of Personnel Management involved personal information, including fingerprint data, of about 22 million people.

Source:  Chiara Sottile, “As Biometric Scanning Use Grows, So Does Security Risk,”, July 24, 2016:

Yahoo Scanned Emails for Government

A Reuters report on October 4, 2016, claimed that Yahoo built a system at the direction of a federal law enforcement agency to scan the content of emails for hundreds of millions of Yahoo Mail accounts. Reuters reported that Yahoo CEO Marissa Mayer’s decision to initiate the system led to the departure from Yahoo of its chief information security officer, Alex Stamos (who is now security chief at Facebook). Bulk data transfers from private companies to government agencies have occurred before, but experts stated this was the first time a company had “either such a broad directive for real-time Web collection or one that required the creation of a new computer program.” Google, Microsoft, Facebook and Apple all denied having implemented similar programs. Following the Reuters report, and an article in Fortune, a Yahoo spokesperson contacted Fortune to claim the article was “misleading.”

Source: Robert Hackett, “What to Make of Yahoo’s Email-Scanning Allegations,”, October 5, 2016: yahoo-mail-spying-software/.

UK Requires Internet Providers to Keep Histories of Users

A recent report states that the Draft Communications Data Bill (called by critics the “snoopers’ charter”), initially proposed in 2012, has now – after several unsuccessful tries – become law in the United Kingdom. Among the law’s provisions are requirements for service providers to keep users’ real-time histories – calls, texts and web-browsing – for up to one year, to decrypt data upon demand by the government, and to disclose security features in new products before the products are launched; additionally, the government can hack devices or large-scale systems to search data.

Sources:  Zach Whittaker, “Britain has passed the ‘most extreme surveillance law ever passed in a democracy,’” November 17, 2016: Steve Ranger, “Despite hacking and snooping fears, web surveillance legislation sails forward,”, June 8, 2016:

by Neil Leithauser
Associate Editor