Some say it’s the law enforcement tool of the future. Others say it’s a threat to free speech and freedom of assembly. Software can now link your name to photos of your face and allow them to be accessed by Facebook friends, police and even the Department of Defense -- without your knowledge. We explore privacy concerns over the boom in facial recognition technology.
- Ashkan Soltani, independent researcher and consultant
- Laura Donohue, law professor, Georgetown University
MR. KOJO NNAMDI: From WAMU 88.5 at American University in Washington, welcome to "The Kojo Nnamdi Show," connecting your neighborhood with the world. Facebook has been using it for more than a year, software that can recognize your face and link it to your name. Unless you opt out, Facebook can suggest your name when friends post a picture of you and set out to tag it.
MR. KOJO NNAMDI: Technology that identifies people in photos may seem harmless and even helpful among friends. But it's more questionable when a store snaps your picture and finds your name, then sends you targeted coupons, or when the police match your face and name to track where you've been. The boom in facial recognition technology is raising new privacy concerns among people who value anonymity because everyone from Facebook to the FBI can create vast databases of photos and names without telling us we're included.
MR. KOJO NNAMDI: Retailers see this as a great way to target consumers, and law enforcement agencies see huge potential to track criminals. But what do the law and the courts say about our right to privacy when our face print is so easily collected and stored? Joining us in studio to discuss this is Laura Donohue. She's a law professor at Georgetown University. Laura Donohue, thank you for joining us.
PROF. LAURA DONOHUE: Thank you very much.
NNAMDI: Also with us is Ashkan Soltani. He is an independent researcher and consultant specializing in consumer privacy and security on the Internet. He's a former staff technologist in the Division of Privacy and Identity Protection at the Federal Trade Commission. Ashkan Soltani, thank you for joining us.
MR. ASHKAN SOLTANI: Thank you.
NNAMDI: If you'd like to participate in this conversation, you can call us at 800-433-8850. How do you feel about software that can match your name to your photo and store it in a database? 800-433-8850. Ashkan, facial recognition technology uses the distance between facial features to map an individual's unique face print. How does that work?
SOLTANI: So similar to the way, say, fingerprinting works or any other kind of identification mechanism, it tries to figure out a unique pattern that's specific to that individual. So it will look at things like the distance between your eyes or the distance between your mouth and your eyes or your ears, and map out all of these distances that are unique to you, and that will be your face print. That way, a computer can simply look at a photo of your face and determine that this photo has these distances that must belong to this individual. It's simply just kind of like a fingerprint for your face.
NNAMDI: In the commercial realm, Facebook is probably the most prominent user of this technology. Facebook's tag-suggestions feature offers names to match the faces in photos people post. How did it develop the ability to do this?
SOLTANI: So the technology has been around for quite some time, and I think I was going to talk about the patents behind this. There's been a great boom recently in the processing power and ability to do this. So we saw an increase in the number of photos available, as well as the technology behind doing this feature. And it's not specific to Facebook, right? So iPhones can do this, and we see iPhoto, which is the Apple product. It has a feature where it will tag faces of your friends.
SOLTANI: We've seen this technology in the marketplace for some time. It's just now getting both cheaper and the data for it, the prints themselves are becoming more widely available.
NNAMDI: Laura Donohue, in the public sector, a variety of government agencies are using facial recognition to create a database that they can share among everyone from the local police department to the U.S. Department of Homeland Security. Could you please describe that database for us?
DONOHUE: Certainly. So there are a number of programs currently underway, almost all of which were put into place following 9/11 with not just congressional blessing but actual congressional encouragement, money and request that they actually do this. So the Department of Justice, for instance, runs what's called next-generation identification, which is a biometrics collection program. (word?) estimates about 94 million biometric records in this program, which has actually seven different components to it.
DONOHUE: These components, each of them focuses on different kinds of biometric technologies, such as the interstate photo system where they actually collect photos, CCTV, camera footage, pictures from friends, acquaintances, both publicly and privately available photos, and put them into the database. Then the U.S. Department of Homeland Security's major program is called IDENT. That's their major biometric initiative that they have underway. The Department of State runs the automated biometric identification system.
DONOHUE: The U.S. Department of Defense has now started next-generation automated biometric identification system. And what's interesting about all of these programs is that not only are these agencies building, creating these and putting massive amounts of data into these databases, but they're all increasingly interoperable. And so platforms are being built so that DOD, for instance, can directly access DOJ's records and the FBI's next-generation identification, and the same thing with regard to next-generation identification and IDENT with DHS and so on.
NNAMDI: You have said a mouthful. In case you're just joining us, we're talking about using facial recognition software with Laura Donohue. She's a law professor at Georgetown University, who has written about legal issues surrounding facial recognition that will appear in a law review article this fall. Our other guest is Ashkan Soltani. He is an independent researcher and consultant specializing in consumer privacy and security on the Internet.
NNAMDI: You can call us at 800-433-8850. Do you think it's an invasion of your privacy for someone other than you to link your name to your photo online? 800-433-8850. You can send email to firstname.lastname@example.org, send us a tweet, @kojoshow, or go to our website, kojoshow.org, and join the conversation there. Laura, Ashkan mentioned the comparison to fingerprint, so what's the difference between using facial recognition and other biometric identification like fingerprints or the pattern in the iris of my eye?
DONOHUE: So there is an enormous difference, particularly when you pair these technologies with video technologies that it seems that we're moving into something that you can refer to remote biometric identification, which is you can scan crowds as people walk by and identify the individuals in that crowd. So Carnegie Mellon, for instance, just completed a research project where just using Facebook, they can identify 30 percent of the students, more than 30 percent, as they cross campus.
DONOHUE: Now, what's different about this from what we understand is ordinary fingerprinting or the way biometrics is traditionally understood is we understand ordinary biometrics that it's a single individual, it's close up. When you get your iris scanned, for instance, you're trying to gain access to facilities, or you're in detention. You have notice, often consent, and it's a one-time occurrence.
DONOHUE: With remote biometric identification in contrast, you have multiple people that you can scan at once. You can do it from a distance. You do it in public space, not necessarily in private custody or that immediate encounter, trying to gain access to secure facilities, something of the sort. There's no notice, no consent necessarily involved in it, and it's continuous and ongoing. And this really represents something different in kind, not degree, from what we've seen before.
NNAMDI: Ashkan, Facebook recently bought a company called face.com that makes facial recognition software. Analysts say that Facebook's goal is to be the go-to application on your mobile phone. How will this help?
SOLTANI: So the app that -- the company that Facebook bought called face.com was providing an app that allowed you to do the same type of facial recognition that Laura was just describing. You would install the app, link it to your Facebook profile...
NNAMDI: Click, is that the app you're talking about?
SOLTANI: It was called Click, yeah. The app was called Click. It's no longer available. But once you install the app, you had the option to -- it would actually only work with your Facebook profile, so you would link it to your Facebook profile, and it would download the photos of all of your friends. And once it had the photos of all of your friends, it provided what was known as augmented reality. So you could just hold it up as you walk down the street, and if a friend walked by, it...
NNAMDI: Because a lot of people have Facebook friends that they don't necessarily...
NNAMDI: ...know very well, and if you see someone who is approaching who is smiling and waving at you and you don't know that person, you can simply, using that app, hold it up, and it will tell you who that person is if that person happens to be a Facebook friend of yours?
SOLTANI: That's right. That's right. And I was able to actually demonstrate that. You could do this for anyone's Facebook friends. So I was able to show a bug in the software that let me actually download face prints for anyone. And so if I wanted to tag, say, Lady Gaga's -- any of Lady Gaga's 1 million friends as they walk by the street, I could do that 'cause of a vulnerability in the app.
SOLTANI: This just kind of demonstrates that the technology is very readily available and that the -- it simply just needs a database to work on. And as these databases become more readily available as well, then the privacy concern grows quite a bit.
NNAMDI: Oh, you see somebody coming towards you, and you go, oh, hi there, uh, uh, uh, Kojo Nnamdi. That's who that is. Laura, Facebook's use of facial recognition has put the company in hot water in Europe, particularly in Germany where authorities are investigating whether Facebook's database of faces and names is illegal because it is collected without users' consent. What's the dispute there?
DONOHUE: Well, the key issue in Europe, particularly with regard to the German privacy officer is whether it's an opt-in versus an opt-out system. And Facebook currently has it that you can opt out of this feature. In Germany, the requirement is that you have to opt-in. Facebook's response to this, from a legal perspective, is that it's headquartered in Ireland, and it's meeting the requirements within the Republic of Ireland itself. And so there's a dispute ongoing as to whether the opt-in versus opt-out feature would be sufficient under European law.
SOLTANI: I believe in July of 2012 they disabled the feature by default in Europe.
DONOHUE: They did, yes.
SOLTANI: So they're actually taking some steps. And to the point of whether, you know, you could use it to kind of tag someone without their knowledge that the same Carnegie Mellon researcher was able to demonstrate that using a face print, you can bring up someone's Facebook profile or bring up information about them. The concern is that, you know, throughout our lives, we've had identifiers that would let us look you up, your name, Kojo, and your city, for example, or your Social Security number, even your fingerprint.
SOLTANI: But facial recognition provides an identifier that links all of your activities to all of these different sensors, these cameras into a central queryable database. So if I see a picture of you in a setting, I can say, oh, Kojo was eating lunch here. He came out of this building. He went to this other place. And I think one of the challenges is that it's very hard to obscure. So I can tell you I don't want to let you take my fingerprint, and I can exercise some rights.
SOLTANI: I can't kind of obscure your ability to take my photo. It's very difficult. In New York, there's a law from 1845 that restricts the wearing of masks, right? So if you want to not be photographed or not be identified in some way, it becomes more and more difficult.
NNAMDI: On to the phones. Here is Joe in Richmond, Va. Joe, you are now on the air. Go ahead, please.
JOE: Yeah. I got a comment. It kind of cracks me up people complaining about, you know, potential privacy violations and such. They obviously don't know much about past history during the Joe McCarthy era. He would love to have the type of tools that they have now, and I'm sure some of your guests and you probably know who I'm talking about, what I'm talking about.
NNAMDI: Joe McCarthy, the former U.S. senator who identified people in a variety of professions and associated them with communism without much real evidence.
JOE: Exactly right. Well, a lot of people -- most of the younger people don't even know who he is, but I've got a, you know, rule of thumb. If you don't want, you know, your name and your face and all that and all your information out on the Internet, don't go on the Internet. Most of the stuff people are doing with this, you know, facial recognition software and all the like, it's nothing but a waste of time. You know, my personal opinion, do something constructive.
NNAMDI: OK. Thank you very much for your call, Joe. I think that horse, as the saying goes, has left the barn with more than 500 million people already on Facebook alone. But, Laura Donohue, you have raised a variety of constitutional concerns about facial recognition technology. Let's start with the First Amendment. How could this software threaten people's right to free speech and freedom of assembly?
DONOHUE: The basic argument here is that there would be a chilling of speech and a chilling of freedom of association that individuals would find it more difficult to get together, for instance, to protest politically about an issue, a pressing issue of the day. The problem with the First Amendment concern is that there's a key case called Tatum, where a generalized chilling effect is insufficient to establish that there's been a First Amendment violation. And in any event, it can be overcome by a pressing government need.
DONOHUE: And here, the most recent kind of iteration of biometrics at federal level has been combining national security and criminal law enforcement together. And it's hard to find a more pressing government need than national security. So for those programs which are being conducted under a national security auspice, the idea that somehow the government shouldn't be allowed to engage in national security protection, now the courts simply won't recognize this as overcoming this other First Amendment right.
DONOHUE: So the concern here is that, in fact, we do have a very important government interest in national security. All of these programs that I've mentioned and many more are based on a national security/criminal law justification. And so it's unlikely to succeed under First Amendment grounds if a challenge were mounted in the courts.
NNAMDI: In a recent case based in Washington, the Supreme Court ruled that police could not hide a GPS device on someone's car to track that person because it amounted to an unlawful search. Does the reasoning in that case apply here?
DONOHUE: Unfortunately, no. That case -- the Jones case, this was a drug dealer whose wife -- there was a warrant obtained in Washington, D.C. to place a beeper on the car, and they had 10-day warrant. And what ended up happening was, after 11 days, the beeper was placed on the car in Maryland. And Justice Scalia, who authored the opinion for the court, came down on grounds of trespass. This was actually a case of trespass.
DONOHUE: Now, with regard with to facial recognition technology, iris scanning, you might be able to argue that there's a trespass of the body. But facial recognition generally, it's hard to argue that trespass covers this instance. In fact, if you look at the Fourth Amendment jurisprudence, the big concern here is that it utterly fails to take account of remote biometric identification technologies. It -- sorry.
NNAMDI: Go ahead, please.
DONOHUE: Well, it tends to distinguish between public versus private space, for one. And if we're talking about cameras mounted on telephone poles and just scanning massive amounts of individuals crossing the path, that's public space. If you look at the new technologies like thermal technologies, that's on grounds of whether the technologies become ubiquitous or not. And we've already been discussing how Facebook and other companies have already moved into facial recognition technology.
DONOHUE: And so it turns out that under Fourth Amendment jurisprudence, if you look at the case law, there is very little to provide checks on these types of systems. In fact, the only kind of option, I think, here is Justice Sotomayor. There is a shadow opinion in Jones, one could say, where five of the justices signed on to concerns about mass surveillance and data mining and the generation of new knowledge and what that means. And I think that might be the only way to move forward is to rethink about privacy not as an individual right but as a constitutive right.
NNAMDI: Got to take a short break. But if you have called, stay on the line. We'll try to get to your call. We still have lines open. How would you like to see facial recognition technology used in the future? 800-433-8850. How do you feel about the software that can match your name to your photo and store it in a database? Do you think that horse also has left the barn that there's really nothing we can do about that at this point? 800-433-8850 or send email to email@example.com. I'm Kojo Nnamdi.
NNAMDI: Welcome back to our conversation about using facial recognition software. We're talking with Ashkan Soltani. He is an independent researcher and consultant specializing in consumer privacy and security on the Internet. He's a former staff technologist in the Division of Privacy and Identity Protection of the Federal Trade Commission. Joining us in studio also is Laura Donohue who is a law professor at Georgetown University.
NNAMDI: And we're taking your calls at 800-433-8850. In our last segment, Ashkan, one of our callers said, look, if you simply didn't go online, then you wouldn't be dealing with these problems at all. You were pointing out in the break that you don't have to be online.
SOLTANI: That's right. These -- so a lot of these technologies and especially the ones Laura was describing actually are in place on our streets. So there are cameras that are at our borders or at, you know, border crossings. These don't require that you be online. All you need is one photo of you that's been tagged with your name, and you can make that link. And we see this quite a bit.
SOLTANI: Even if someone takes photo of you on the street, there's no law against them being able to take that photo, right? And they can decide to tag you on Facebook even if you don't have a Facebook profile. And there you have the link.
NNAMDI: Facedeals is a new marketing app that's in the news. How does Facedeals help businesses identify shoppers and send them customized coupons?
SOLTANI: Right. So a lot of the incentives on the commercial side are to be able to know you as a customer and then provide you kind of deals or advertisement at the point of sale, right? So, again, not requiring that you be online, but when you walk into a shop, there are -- there's digital signage that can currently detect whether you're male or female or kind of approximate your age and try to show you an advertisement for that demographic.
NNAMDI: Even if I'm in drag?
SOLTANI: Well, so that's harder, right? There's actually some fun -- there's some fun makeup you can wear to thwart this technology but look -- it kind of looks like "Blade Runner."
SOLTANI: But -- so the incentives are to know you, maybe your other purchase history, and then say Kojo really likes drag -- not that you do -- and then target you and sell you some of -- something at a deal. We see a lot of this kind of offline to online technology called enhancement. This is like Facebook is able to tell how many times they showed you a particular ad for a Compaq computer.
SOLTANI: And then you later, next month, bought a Compaq computer at your local Best Buy. And your credit card company can share that information with Facebook and say, well, this the -- your advertising was effective. And they do that by just simply using your name and your age and your city. Well, having a face print makes that much easier, right? So I can then -- even if I don't use a credit card, I walk into a store and pay cash.
SOLTANI: If I'm able to show that you walked in -- this face print walked in and purchased cash and this face print saw these ads, I'm able to track that ROI and demonstrate that my advertising is more effective.
SOLTANI: Return on investment.
NNAMDI: OK. On to the telephones. Here is Joseph in Arlington, Va. Joseph, you're on the air. Go ahead please.
JOSEPH: Yeah, in relation to the question of, you know, should there be a law or should there be some sort of prohibition against people taking a photograph and catching a name to a tag in online. You know, I think there are laws in place that has to do with cyber harassment that would give that person, if they felt victimized by that, some recourse to address it. And so I think on that side of the equation, there is a potential remedy if you feel wronged by your picture being tagged online.
JOSEPH: But my concern is that there are no -- there aren't enough laws in place to prevent companies from allowing content that's just harassing to an individual to remain online. For example, Google, if your reputation is damaged in some way, they do not make it easy for an individual to remove the content. It's malicious. And I think that's a bigger problem.
NNAMDI: Well, here's Laura Donohue.
DONOHUE: So there are two major issues here. One is on the commercial side and one is on the government side. On the commercial side, we have laws about third-party data which, once you release information to a third party, your privacy rights or your privacy interest in that information are greatly diminished. And here we really are different from Europe in many respects with regard to this third-party data.
DONOHUE: So in the EU, for instance, in Germany, there's this right to anonymity that people discuss where you have the right to go back and expunge information from any sources. We don't have that equivalent here because of our reliance on this third-party data rule. On the government side, the caller's absolutely right that there are no statutory framings for this that would limit or regulate or provide more extensive oversight of these authorities.
DONOHUE: So we -- on the one hand, Congress has given the executive broad authority to collect personally identifiable information, so all of these agencies and organizations have the authority to collect it. But the limits that otherwise would be introduced, like under the 1974 Privacy Act, the 1990 Computer Act, the 2002 Electronic Government Act, many of these, they have exceptions for national security. They are both general and specific exceptions.
DONOHUE: They don't apply to state and local government which is, right now, one of the sources of -- much of the biometric data is being funneled through local law enforcement as well as private individuals. The criminal law warrant provisions don't apply under Title III and Title I. All of the circuits agree that the Title III and Title I regulations apply to while -- wire, oral and electronic communications but not to video, for instance, which includes this biometric.
DONOHUE: And it's really unclear whether FISA, the Foreign Intelligence Surveillance Act, of the National Security realm even governs this area. If it has been petitioned to the court to have this include as a technology, we don't know about it. And there would be very serious issues as to whether you could distinguish between U.S. persons and non-U.S. persons in public space which is how this remote biometric identification technology operates.
NNAMDI: Joseph, thank you very much for your call. And you may have already answered Kate's question in Tysons Corner, Va., but let's see. Kate, your turn.
KATE: Yes. I guess I was just listening to the professor. My question was, how do you legislate something that's already been happening and that the current laws that are on the books really aren't applicable? So how does the legislative process (unintelligible) of the technology? 'Cause clearly the technology has gone forward, and the legislation is, frankly, (word?) backwards.
DONOHUE: So it seems, yeah, that what Congress really needs to do is zero in on this kind of technology, this biometric technologies and remote biometric identification technologies. It's not just facial recognition. And iris, by the way, now that you can do it 10 feet, 20 feet, 30 feet away, you don't have to have a close up iris scan. It's also things like gait technologies, hormone-sniffing, vascular patterns. There are various identification technologies that can be used to think about this remote biometric identification and frame it differently. The problem is it's the cart ahead of the horse, right?
DONOHUE: You end up giving the executive branch the opportunity to use the new and emerging technologies and all of these tools without thinking through the back end of what this means and how to more carefully regulate it to protect the privacy interests. So I think Congress has a role to play. And then I -- the Supreme Court, frankly, has a role to play here. And what's at stake is how we think about privacy.
DONOHUE: You know, we tend to think about it in terms of personally identifiable information and individual rights. Maybe we need to start thinking about privacy in a broader sense. This is what Prof. Julie Cohen has recently written about as a constitutive right in terms of it is part of who we are as a society, of our social interaction, and we need to think more broadly about what that means when you start introducing mass surveillance.
NNAMDI: Kate, thank you very much for your call. We got a tweet from Frank who recommends never putting a picture of your face on your main Facebook profile photo. Would that help, Ashkan Soltani?
SOLTANI: So it's not clear which photos they use for tagging, but I believe that if any photo is tagged by you, then that database at least exists on their end. They have that link. In the case of the click.com example that I told you, I believe it brings down your profile photo. So in that case, it might help, but that app is no longer available. And it's not -- the Carnegie Mellon study, I think, just -- they didn't even use Facebook profiles.
SOLTANI: They scrape latent Facebook profiles, which are basically just thumbnails of you. So if I Google for Kojo on the Internet, it would actually bring up a bunch of photos of you. I can use any of those as the indicator.
NNAMDI: We got an email, I think, from Dennis in Bethesda, who -- or Dennis couldn't stay on the line. He asked about the dangers of facial recognition software. For example, a predator taking a picture of someone and then being able to access his or her personal information, name, address, et cetera. If I remember correctly, Laura Donohue, that was a part of the Carnegie Mellon study, wasn't it?
DONOHUE: Yes, to be able to pick up -- and not only that but associate Social Security information, biographic data. So one thing to note about both these publicly and privately available programs is it's not just facial recognition. It's facial recognition paired with your address, your possible -- your Social Security number, your past records, where you went, things that you did publicly, who your neighbors are, your social network analysis, so all of this biographic data now can also be associated with many of these images.
NNAMDI: 'Cause by simply taking pictures of people walking across campus, they were able to find out a great deal about those people using facial recognition software. Here is Gene in Urbana, Md. Gene, you're on the air. Go ahead, please.
GENE: Hi. I was just listening to your guests talk about using cameras to scan whole crowds of people at once. And it reminded me of technology that I know that the police have been using for a number of years where they automatically scan license plates from your cars as they drive around in their patrol cars. And I was wondering if your guests are familiar with that and know of any particular challenges to that or the state of the legality of that.
SOLTANI: So I can speak about the technical side, and then maybe Laura can talk about the legal challenges. But it is similar in terms of kind of automation of image analysis, right? So we have license plate detection technology or license plate recognition technology, LTR technology, currently deployed at many of our borders -- border crossings.
SOLTANI: And so Department of Homeland Security operates these and has able us to monitor patterns of people leaving the country and coming into the country and link that to other biographic information about that, those people to determine their, kind of their likelihood of being a threat. This is for national security reasons obviously.
SOLTANI: But there's also additional concerns whereby there was a piece yesterday highlighting that this database of information was also being shared with some insurance companies to identify insurance fraud, right? So this is where stolen cars are coming out of the country or leaving the country. And so there is a secondary uses of this information collected by government that also gives rise to concern.
DONOHUE: So as a legal matter, the closest analogy here would be to beepers, where you can attach a beeper to a car and then it, in effect, allows you to track that car the same way you would using the license plate reader. And here, there are a number of cases that simply say there is no Fourth Amendment privacy concern. There is no search that goes on, with the exception of Jones in which it was a trespass for them to do this without a warrant. There is a case called Knotts where you had a car that was en route to a cabin.
DONOHUE: And the court said, look, this is a public thoroughfare. So to use a beeper to trace this car through public was all right. In another case, Karo, there was a beeper that actually entered the home. And that's the point at which you then have a privacy concern is once you enter the curtilage of the home, then you're in a different world.
DONOHUE: But as long as you're in public, whether you're in a helicopter 400 feet above the ground -- this is another case, Florida v. Riley -- whether you're in an airplane 1,000 feet above the ground -- this is Ciraolo -- whether you're looking, taking pictures of an industrial plant in Dow Chemical, all of these cases say, well, look, if you're in public space, there is no issue that goes on here. It's you're simply tracking something as it moves through public space.
NNAMDI: Is there any evidence that facial recognition is being used for security at large gatherings like the Olympics or the upcoming Democratic and Republican national conventions, Ashkan?
SOLTANI: There is recently -- actually, hearing -- a Senate hearing, Senate -- I believe it was Senate Judiciary on this matter whereby the -- I believe a representative from DOJ was describing their technology. And the slide that they actually used to describe their technology showed a photo of a crowd and the ability to identify suspects in a crowd. And so we would, you know, I believed -- I don't have, you know, examples of this, but given that he used this as his actually opening slide in their manuals, it would seem to suggest that they do.
DONOHUE: There was a British company actually that handled all the facial recognition access for the previous few years, actually for gaining access to -- any of the Olympic sites in London recently. The World Cup routinely uses this. In Florida, we've used this at soccer games. There is, you know, this is being used on a regular basis. Most recently in New York, of course, has just rolled out this new program.
DONOHUE: The police commissioner has now announced that the CCTV footage is now patched in to the police networks so that they have real-time monitoring that they can do along with the other biographic and database information that they have on individuals, so that they can scan public space and understand what's happening.
NNAMDI: We had a caller who couldn't stay on the line who indicated that he had lived in Korea, I think it was, for a while, and that facial recognition software there helped -- in Tokyo, I'm sorry -- in Tokyo and that facial recognition software there contributed to the solving of a great deal of crimes. And there are invariable people -- invariably people who will make the argument that if you're not doing anything wrong while you're out in public, what should you be concerned about?
DONOHUE: So the reason why this is different from what we have previously understood as just -- it's not just solving a crime. It is -- which is an important aim of the government, and that's why this has been emphasized in terms of not just the efficiency, but it's actually important to have the government out ahead to try to stop these things from happening. But what we're discussing is something that's different in type and kind of what's come.
DONOHUE: It's much more intrusive. It's a mass surveillance. It is indefinite. So you don't just get one piece of information, but you can generate new information from this data. You can put information together to find out new knowledge about people, to understand who they are, what matters to them, what they're likely to do in certain circumstances. And you, at the same time, diminish the resource limitations that have traditionally accompanied police surveillance of individuals. And when you put this together, that's a very different picture than the way that we've previously understood biometrics.
NNAMDIGot to take a short break. When we come back, if you have called, stay on the line. We will get to your call. The lines are still open at 800-433-8850 if you have a question or comment. You can also send us email to firstname.lastname@example.org or send us a tweet, @kojoshow. How would you like to see facial recognition technology used in the future? Have you turned off the automatic tagging feature on Facebook, or are you comfortable letting the software find you? 800-433-8850 or send us a tweet @kojoshow. I'm Kojo Nnamdi.
NNAMDIWelcome back to our conversation about facial recognition software with Laura Donohue -- she's a law professor at Georgetown University -- and Ashkan Soltani, who's an independent researcher and consultant specializing in consumer privacy and security on the Internet. We're taking your calls at 800-433-8850. We'll go now to Karen in Chevy Chase, Md. Karen, you're on the air. Go ahead, please.
KARENYeah. Hi. I think this subject is both fascinating and frightening at the same time. And I'm a parent, and I'm just wondering if your guests have suggestions on what we can do to protect our children. You know, given all the facial recognition technology, and given how much time children spend on the Internet, this really sounds an alarm bell to a parent such as myself.
NNAMDIAllow me to add to that an email we got from Jonathan in Logan Circle, who says, "I think you're spot-on that the horse has left the stable. Privacy is no longer really an option, a moot point. We should instead be concerned about how our information is being used and what boundaries we want to set. Police that issue and hope for the best." Laura Donohue?
DONOHUEYeah. So I would agree, actually, with both callers, both to be aware of the issues that come up and then to really start thinking about ways in which we want to look at how this information is collected, who sees it, how it's stored, with whom it's shared, what happens to it, any rights to challenge that information. You know, one of the problems is, under the current statutory framing, you actually can't challenge any of the information probably because you can't have access to it if the government invokes the national security rationale surrounding this information itself.
DONOHUEAnd so we actually have very little insight into exactly how much information is being collected. Instead, when the government does publish, for instance, a privacy impact assessment, they say that this PIA is your notice, that your information may be collected, associated with biometric data and so on. And you have no opportunity to challenge it and, in many cases, no opportunity to actually correct anything in the record as well.
NNAMDIWell, we talked about how the law may not be adequate at this point to deal with what already exists, but can we talk a little bit about how the law might be trying to adapt to deal with the privacy issue surrounding facial recognition technology? Minnesota Sen. Al Franken held a hearing on Capitol Hill last month that raised privacy concerns. Do you think Congress is not only interested in this, but is also going to take action, Ashkan?
SOLTANII definitely think Congress is interested in this, and we're seeing -- by this I mean privacy in general and the spread of personal information kind of so readily. Whether they take action is kind of a question to be seen. It's a very difficult thing. I think Laura brought up a point earlier where we could potentially, say, see limits on the use of facial recognition technology or facial data. But as we were talking during the break, there's other forms of remote biometric sensing, like vascular detection or detecting Parkinson's disease based on speech patterns.
SOLTANIAnd so there's this type of -- these boundaries that we have between our private and public lives are being changed by a lot of the technology that's introduced in our daily lives, and I think it's very hard to come up with rules that will govern that. To your earlier caller's point, it is quite possible that, yes, the horse has left the stable, unless they want to dress up their kids as, you know, "Blade Runner" or, you know, '80s-era David Bowie...
NNAMDIWear masks in public.
SOLTANI...makeup. But I think, as citizens, we can both try to identify surprising uses of our information and be vocal about those surprising uses, and then try to influence policy and say, well, we think as a society this type of use is acceptable, and this other type of use is not acceptable. So, you know, if her children are being profiled and then served advertisement at their local coffee shop every time they walk by or remembered when they walk by, that might seem like a surprising use and something worth highlighting both to the press and to, you know, their congressional representatives.
NNAMDISince you brought this up, is there anything people can do to foil facial recognition software and remain anonymous?
SOLTANII mean -- so you can, you know -- so there are limitations to facial recognition software, right? So, you know, obscuring yourself with, you know, sunglasses and hats, for example, is one way or, you know, not facing the camera directly is, you know, typically another way. But that -- the technology is just getting better, so it can track things like obscured -- you know, when you try to obscure yourself or when you try to not look at the camera directly.
SOLTANIWe're also seeing, you know, these types of issues with false positives where the camera will misidentify people, right? So like a lot of the technology has some limitations in 2-D versus 3-D, at least the commercial-grade technology. An example is, last year, the Google phone, the Android phone, would allow you to unlock your screen lock -- so when you -- if you don't want anyone to use it -- with a -- by looking at it.
SOLTANISo it had a screen -- a face unlock feature for the lock screen. So you will look at your phone, and it will unlock it. But I could hold a picture of you, Kojo, and unlock your phone, right? That's a limitation in the technology. And so we want to ask, you know, in these crowd surveillance technologies, if someone at a distance holds a photo of you and that's actually entered into a database that Kojo was present at this rally by simply setting off a false positive in the technology, that's also a limitation.
NNAMDIBut, Karen, I don't know if we've specifically answered your question about how to protect your children.
KARENThank you. Yeah, just tips to parents because this is -- I'm listening to all this, and it's great. It's scary, and it's -- you know, it's like, what can I do as a parent to sort of shield my child, knowing that the horse has left the stable? There's a lot out there. But what practical tips can I do?
NNAMDII guess the same you would use to try to protect yourself. Here is Ashkan.
SOLTANIKaren, I would -- check out a site called CV Dazzle. CV Dazzle. It's a research project demonstrating ways you can try to obscure your face. Granted -- like I said, your kid might end up looking like a punk rocker, but maybe that's actually good, and maybe that will see a trend or not.
NNAMDIKaren, thank you very much for your call and good luck to you. On the domestic front, Laura Donohue, how is the FBI using facial recognition technology to track potential crime suspects?
DONOHUESo the main biometric program that they have is this Next Generation Identification program, which, as I mentioned, has, you know, about 94 million biometric records as of 2011. So that's even more now. Now, there are seven programs here. One is the Advanced Fingerprint Identification Technology. What's interesting is they have as part of this program, as a subprogram of NGI, a Repository for Individuals of Special Concern which may include criminals.
DONOHUEIt may also include what they call KSTs, which are known or suspected terrorists. It also includes what they refer to as "other persons of special interest." So this is primarily supposed to be for criminal usage. They have extended it to national security, and now it's other persons of special interest. So a broader group can be combined into this particular database. There are 18,000 local police law enforcement agencies that are actually now part of this program and have access to this and can submit photos.
DONOHUESo there's something called the Morris Device, for instance, which is a handheld device that DOD is using, DOJ is using, that local police departments are using where a police officer in the course of an ordinary stop can take somebody's picture, scan their fingerprint and send it back to the FBI to check against this Repository for Individuals of Special Concern. That information, initially, is being kept by the FBI, and they say that they're going to destroy it once the pilot program has been run through.
DONOHUEAnd the idea is that this information comes in to the FBI, then they can use it to scan this database of criminals, of known or suspected terrorists and of other persons of special interest and then get the information, both back to the local police department as well as to the individual who first entered that information into the FBI's database. And that's one example of these seven programs that currently are under way. I had mentioned IPS before, the Interstate Photo System.
DONOHUEThere's another one, Rap Back service, where any employer can sign up with the FBI. You can provide your employee's biometric information and then the FBI will report back any criminal and, in some cases, civil activities in which your employee is engaged based on using biometric tracking systems.
SOLTANIThere's also -- and it's not just the police doing it. There was -- I think during the Seattle riots and in Vancouver as well, there was examples of -- no, maybe it was Toronto. There was examples of citizens uploading photos and then helping to tag people to identify people during looting. So do you know this person? Can you help identify this...
NNAMDII have a fascinating legal question for you, Laura Donohue, which you can respond to even as you want to continue this discussion, an email from Roger in Aspen. "Can a person protect his privacy by copyrighting his likeness?" There you go.
DONOHUECan you protect your privacy by copyrighting your likeness? No.
SOLTANIThere's actually a couple companies trying to do this in the area of digital privacy online. So the idea is you copyright data about you, and then you have -- you license the use of that information. I think, you know, we haven't seen it tested. I would be curious to see how that works out.
NNAMDIFascinating. But, Laura Donohue, I interrupted you.
DONOHUEWell, just the one thing I wanted to mention is the type of information that's being collected now. It's expected to increase exponentially, and there are really three reasons for this. First is these programs are expanding the types of submissions, so you can now have bulk submissions from private sources to the FBI for these databases. The second is the source of the information. It might be publicly available data. It could be driver's license information. It could be privately held photos of -- that families and friends have of you.
DONOHUEIt could be domestic or international information. They're liaising with international organizations and other agencies internationally. And then the third is the subject matter. Previously, you had to have personally identifiable information that goes on to this database. Now, they're allowing contextual information to come into it. And so the number of records, you know, we have more than 13 million records as of February this year.
DONOHUEThat's expected to explode in these databases, particularly the Interstate Photo System, because now what we're seeing funneled into this is not just one bit of information but multiple bits of information.
NNAMDIDavid in Manhattan in New York has an interesting take and question on this. David, you're on the air. Go ahead, please.
DAVIDGreat. Thanks so much. I just wanted to make a comment or actually request some comments on the idea of public anonymity. And it seems to me that some of the discussions that we're having about privacy and individual privacy are whether our actions in the public sphere are considered individually identifiable or if they're sort of publicly anonymous. And I'm -- I'll take my answer offline. I was just interested in some comments on that idea.
NNAMDIOn public anonymity, Ashkan Soltani.
SOLTANII think another way to phrase this is practical obscurity. So we've always been identifiable. We've always had records on us, right? So if I wanted to know David's habits, I would have to follow him around New York or hire someone to follow him and it would take that person's time. If I wanted to do it anonymously, I would necessarily need some trained agents that could surveil him secretly, right, and follow him around. I think what has changed is the level of practical obscurity we can afford.
SOLTANITechnology has changed such that it becomes very easy to now using network of cameras or using a GPS chip on David's phone to track him through his day-to-day life. And that's actually changed the calculus that we kind of approached our lives with. Someone can simply just query a database of my past activities without having had to put the effort into flying across the country to where David lives and follow him around.
DONOHUESo David Brin has a great book on this called "The Transparent Society" where he talks about -- his argument is we actually have gone from where we know everybody's business in the kind of pre-industrial era to where we have this anonymity that was granted to us during the industrial era. And now we're in this post-industrial digital society where we've lost that anonymity. And so his question, you know, isn't one, you know, do we have the right to anonymity?
DONOHUEThat was a characteristic of the industrial era and the movement to cities and kind of the great movement of great social groups of people where you could be anonymous. But the question is who has access to the information that everybody knows? That is, do we see inside the government and inside companies and what's happening to the same extent that they can see out? And who controls that information? Who can monitor that information? Who can do oversight over that information? That's the key question that we now face.
SOLTANISo to respond to that, I think, while that is true, in the context of the small town in rural America, where everyone knew your name and your activity, it was limited to the people in that town that kind of knew your name and knew your activity. Someone from across, you know, in Eastern Europe could inquire our information and then proceed to, you know, engage in identity theft with your information. Additionally, people have short memories, short attention span.
SOLTANISo I might remember that you went to the store yesterday, but unless there was other witnesses, I couldn't prove it, and I might forget about it next week. But as this information is indexed and archived for long periods of time, it becomes easy to say, two years ago, you went here and performed this action. I can actually look that up in our database, and there's a record of that. And I can do that from across the globe without leaving my chair. That's a very different fundamental expectation of privacy than being in a small town, I think.
DONOHUESo I think this goes back to Karen's point from Chevy Chase when she called in...
NNAMDIYou only have about 30 seconds.
DONOHUE...which is this idea of you want to protect for your children and for yourself, the ability to decide who you are going to be and to what extent do we then get tied to this digital person that follows us our whole lives with some sort of deep implication for humanitarian interest and the development of the self within society.
NNAMDILaura Donohue is a law professor at Georgetown University, who has written about legal issues surrounding facial recognition that will appear in a law review article this fall. Laura Donohue, thank you for joining us.
NNAMDIAshkan Soltani is an independent researcher and consultant specializing in consumer privacy and security on the Internet. Ashkan Soltani, thank you for joining us.
NNAMDIAnd thank you all for listening. I'm Kojo Nnamdi.