In early May, the South Wales Police posted a press release bragging about the success of their facial recognition software deployed in 2017.
Perhaps today the person responsible for redacting that press release is really reconsidering their choices, as the numbers presented are less than stellar. In fact, they’re downright disturbing, showing concerns about the risk and security landscape.
Why the police are investing heavily in facial recognition software
A face biometric system could replace a large part of the law enforcement workforce – while the upfront costs for the software are huge, automation will certainly bring the bills down in the future.
Catching those criminals with outstanding warrants is certainly appealing, as well as the idea of reducing crime in those communities which, due to budget constraints, are now underserved by law enforcement.
According to Allied Market Research, the facial recognition market is expected to grow to $9.6 billion by 2022. And in 2015, 21% of the market revenue came from the homeland security sector so, obviously, the police and other authorities are spending quite a lot on facial recognition software.
From the other side of the fence, the FBI said that more than 4,000 ransomware attacks are occurring daily since January 2016, with government institutions being primary targets.
Clearly, beyond the obvious privacy concerns surrounding facial recognition software, a discussion centered on security must take place. Let’s look at some results.
Facial recognition misidentification rates are immense
Since June 2017, South Wales police has been testing a facial recognition software at more than ten events. Out of 2,470 alerts of possible matches with suspects, 2,297 were false positives and only 173 were actual matches. Yes, that’s a 92% rate of failure to identify a suspect.
Fortunately, no arrests were made, as the officers are aware about the limitations of this technology, especially when processing low-quality images like those from CCTV.
The Metropolitan Police system fared no better – 95 people at last year’s Notting Hill Carnival were misidentified as criminals.
And in China, police officers wearing glasses with integrated facial recognition arrested 7 people in just a few days, issuing travel bans for 27 others. What is not publicized is the accuracy of the facial recognition software used in those glasses.
What about the cybersecurity risks?
The usual discussion around facial recognition used in surveillance centers, evidently, on privacy issues. What should also be discussed more is the high probability of security breaches and the volume of personal information that can leak.
While biometric data is one of the most reliable tools for authentication, it is also a major risk. If someone loses a credit card in a high-profile breach like that of Equifax, they have the option to freeze their credit and can take steps for changing the personal info that was leaked. What if you lose your face?
A 2016 report from the Center on Privacy & Technology at Georgetown Law revealed that, “One in two American adults is in a law enforcement face recognition network. [These networks] include over 117 million American adults.”
In the UK, the independent Biometrics Commissioner has attacked the Government’s practice of keeping mugshots of unconvicted citizens – about 19 million of them. “The Commissioner outlines exactly how intrusive this national database is becoming as facial recognition is applied to it. He is also damning about the lack of safeguards surrounding its use”, said Jim Killock, executive director of Open Rights Group.
What can you do when biometric information is leaked or stolen?
Around the world, biometric information is captured, kept and analyzed in quantities that boggle the mind.
As facial recognition software is still in its infancy in some ways, laws on how this type of biometric data is used are still non-existent or up for debate. And regular citizens whose information is compromised have almost no legal avenues to pursue.
The most plausible answer to the above question is “nothing”.