You can change your name or use a pseudonym. You can also edit or delete your social media accounts. But you cannot change your face so easily. Facial recognition helps us solve a lot of problems — and it simultaneously creates plenty of new ones. In this post, we discuss the threats that come with the global spread of such systems.
1. Losing the right to privacy — on a global scale
The FBI officially maintains the Next Generation Identification-Interstate Photo System (NGI-IPS) — a database containing photos of people accused or convicted of civil and criminal proceedings. That’s OK, isn’t it?
Not at all! In May, the American Government Accountability Office audited the Bureau and found out that in fact the FBI’s database of 412 million photos includes pictures of people who were never the target of any investigation. The Bureau even has a separate unit that is in charge of facial recognition: Facial Analysis, Comparison, and Evaluation (FACE) Services.
As it turned out, FBI representatives made arrangements with several states and obtained photos from driver’s licenses and passport and visa applications, as well as images of criminal suspects and convicts. The database also includes photos of foreign nationals — potentially about 100 million of them.
The FBI actively uses facial recognition during investigations. We’ve already written about how this approach pays off. But the situation is more complicated than that. Facial recognition technology is young and imperfect, and the FBI’s system is no exception: It has racial biases and at best achieves 80%-85% accuracy. At the same time, the FBI deliberately covered up the scale of its facial recognition usage, contrary to the requirements of the Privacy Impact Assessment.
— Kaspersky Lab (@kaspersky) August 19, 2016
Also noteworthy: The city council of Moscow and Russian law enforcement try to keep abreast of relevant technology and are getting ready to implement FaceN technology (developers of this system also provided the code for FindFace — a service that lets people search for other people using their photos). These new systems will be connected to hundreds of thousands of surveillance cameras in Moscow.
As Russian media Meduza reports, there are no analogues to this system in any city in the world. The algorithm can compare people on the streets with criminals database, but it’s not all. It can also detect individuals in any part of the city and match their images with social network accounts, which usually contain a lot of personal information”.
We should also point out that in the beginning of this year Russian Senate compelled Russian courts to consider photos and videos as legal evidence. Prior to that, the decision was at the court’s discretion.
2. Abuse by law enforcement
Facial recognition makes mistakes. People in charge of these systems misuse them — it’s a known fact. For example, in August, the New York Times reported that San Diego police gathered images of guilty and innocent people without their permission.
Aaron Harvey, a 27-year-old African-American living in San Diego claimed that police treated him with prejudice. Harvey lives in one of the most violent areas of the city. That is probably why the police stopped him more than 50 times and said he was a suspected gang member. When he refused to allow the officer to take his photo, the officer boasted that he could do so anyway.
— Kaspersky Lab (@kaspersky) July 1, 2016
“He said: ‘We’re going to do this either legally or illegally,’ and pulled me out of the car” — Harvey, describing the incident to the New York Times.
Earlier, in 2013, authorities in Boston also tested a facial recognition system. It was linked to surveillance cameras that covertly scanned people’s faces during concerts and other outdoor events. At the end of the testing period, the project was scrapped for ethical reasons. But Boston is one deal, and global implementation is quite another: Facial recognition systems are now being widely used by government agencies.
3. Corporations spying on everybody
Organizations own face databases that are much bigger than the FBI’s collection. Social networks top the list: Facebook, Instagram (which belongs to Facebook), Google (with its Google+), VC.com, and other social sites. The majority of these companies have their own facial recognition solutions that they constantly develop and improve.
Microsoft is now working on a similar technology for the FamilyNotes app that will enable the software to distinguish one user from another with the help of a camera built into a laptop or a tablet. Microsoft develops one of the most popular operating systems in the world, and this app will substantially supplement the company’s database of faces.
— Kaspersky Lab (@kaspersky) April 22, 2016
Facebook’s facial recognition system is one of the most accurate in the world. The company quietly launched this tool in 2012 and kept it on by default for the majority of users. Later, the company faced dozens of lawsuits — that number is still growing, and Google is also being pursued in court on similar charges. As a result Facebook had to disable facial recognition features in certain regions.
We should also note that Facebook has one-sided approach to this issue: For example, its knowledge base has zero articles on how to disable the facial recognition function — which, by the way, not a one-click operation is not a one-click operation.
Even if you are not a member of any social network (or if you avoided uploading your real photos to any of them) your face can still get into a social media company’s database. Last year, a Chicago citizen sued photo-book service Shutterfly because the site added his photo to its database without his consent. A third party (a friend, most likely) had uploaded his photo to Shutterfly and signed the image.
4. Anybody can find you
Any facial recognition system that is available for everyone can be used as a powerful tool for lynch-law, or vigilante justice. This year, for example, two young men set a fire in a building lobby in Saint Petersburg. After they finished, the pyromaniacs caused a ruckus in the elevator of the same building. Cameras in the elevator and around the neighborhood recorded how the duo entertained themselves.
When local police declined to open a criminal case, the tenants of the house took matters into their own hands: They took screenshots showing the culprits’ faces and used FindFace to locate them on social networks.
The amateur detectives reported their findings to the police, and as a result, the young men were charged. In Ren TV’s (Russian TV channel) report, one of the tenants said that they had enough data and evidence to send message to friends of the hooligans, and to their places of study and work.
Though the Petersburgers had enough patience to ask police for help, not all Internet users are as level-headed. And where there’s a will, there’s a way — to bully people. If you’ve heard of FindFace, you know about its most infamous use case: when members of the anonymous 2ch image board used it to hunt porn actresses online. The trolls found the women’s social media pages and sent scandalous messages to their friends and relatives along with corresponding images.
— Kaspersky Lab (@kaspersky) April 29, 2016
At the same time, the founder of FindFace Maxim Perlin is sure that nowadays people literally need to pay to preserve their privacy. In a television interview, he said that people who want to wipe their data from FindFace’s database will have to buy a premium account. A month of privacy on the service costs about $8.
5. There is a thin line between security and disaster
Many experts are sure: biometrics will replace passwords and make the world even more secure. So in the future, people will let the systems scan their irises, fingerprints, and even face prints to replace the process of entering complicated combinations of symbols.
Microsoft is already developing technology that allows users to authorize with selfies. NEC is researching the use of facial recognition to secure electronic payments. MasterCard is working on a selfie identification system that lets users send money without passwords.
We’ve already written about the downsides of dactylography, so let’s now focus on weaknesses in facial recognition. It’s really comes down to recent advances in 3D printing: Today you can print a really realistic copy of a person’s face. Developers of new identification systems will need to take that into account if they want to create really secure solutions.
For example, MasterCard and Google ask users to blink — a simple action that stops fraudsters from fooling the system with the help of a 3D-printed face or even just a photo. Unfortunately, Google’s solution failed — people managed to bypass the security measure with the help of a simple animated picture. MasterCard’s system is under development, so nobody knows yet if it can be fooled the same way.
6. Don’t share your face with any Tom, Dick, or Harry
You may have heard of Anaface, a website that analyzes your photo and rates your level of attractiveness. It uses symmetry as the main criterion — quite a questionable standard, don’t you think? For example, Angelina Jolie rated only 8.4 out of 10 on Anaface. But the site’s accuracy is not its only problem.
First, Anaface’s owners admitted they launched the project to encourage people to seek plastic surgery. Well, at least they’re giving it to us straight.
Second, the website’s terms and conditions are hard to read and really shady. They are given in a very small window so a user needs to scroll a lot to read the more than 7,000 words of small print. That’s why many will probably miss that every user of the site provides it with a “non-exclusive, transferable, sub-licensable, royalty-free, worldwide license” to use all photos uploaded to Anaface. In plain English: The service can sell the photos people upload without any obligation to pay the real owners of the images.
At the same time users, pledge to upload only their own photos: “You may not post, upload, display or otherwise make available Content that contains video, audio photographs, or images of another person without his or her permission (or in the case of a minor, the minor’s legal guardian);” The conditions also include vague remarks about privacy and the possibility of removing photos after registering a user account — but nobody can do that on Anaface; the site doesn’t allow it.
All in all, everybody collects photos: governments, corporations and companies, and even regular people. Nowadays, everyone can use and misuse facial recognition systems — and all we can do is try to hide from them.