Focusing public attention on emerging privacy and civil liberties issues

Face Recognition

Latest News/Events

  • EPIC Recommends Safeguards For Facial Recognition Technology: In a letter to the Department of Commerce, EPIC called on the agency to develop a facial recognition framework based on the Fair Information Practices ("FIPs"). The National Telecommunications and Information Administration is meeting to address the commercial use of facial recognition, which has seen a backlash. Google banned facial recognition apps and services and Europe required Facebook to discontinue the use of facial recognition for photo tagging. Today Senator Al Franken raised concerns about NameTag. Senator Franken, in a letter to the app developer, called for the delay of the apps release until best practices are established. In comments to the Federal Trade Commission, EPIC previously recommended the suspension of facial recognition technology until adequate safeguards are established. For more information, see EPIC: Face Recognition. (Feb. 5, 2014)
  • EPIC FOIA - FBI Says 20% Error Rate Okay for Facial Recognition: EPIC's Freedom of Information Act lawsuit has produced new documents about "Next Generation Identification" and the FBI's plans for facial recognition. According to the document obtained by EPIC, "NGI shall return an incorrect candidate a maximum of 20% of the time." That number is much greater than expected. Earlier this year, EPIC received documents from the FBI regarding the use of facial recognition and state DMV photos. The FBI has still not updated a 2008 Privacy Impact Assessment on facial recognition technology despite telling Congress last year that a new assessment was planned. For more information, see EPIC: EPIC v. FBI - Next Generation Identification and EPIC: Face Recognition. (Oct. 4, 2013)
  • EPIC FOIA - DHS Facial Recognition System Lacks Privacy Safeguards: In response to an EPIC FOIA request, the Department of Homeland Security has produced documents revealing that the agency has failed to establish privacy safeguards for "BOSS" (the Biometric Optical Surveillance System), an elaborate system for facial recognition and individual identification. The documents obtained by EPIC indicate that none of the agency's contracts or statements of work require any data privacy or security protections for BOSS' design, production, or test implementations. The New York Times reported on EPIC's acquisition of these documents, noting also high failure rates for these systems. EPIC is also pursuing a FOIA lawsuit with the FBI over the agency's development of "Next Generation ID," which, when complete, will be the largest biometric identification database program in the world. For more information, see EPIC: Face Recognition, EPIC: EPIC Opposes DHS Biometric Collection, and EPIC - Biometric Identifiers. (Aug. 22, 2013)
  • FBI Performs Massive Virtual Line-up by Searching DMV Photos: Through a Freedom of Information Act request, EPIC obtained a number of agreements between the FBI and state DMVs. The agreements allow the FBI to use facial recognition to compare subjects of FBI investigations with the millions of license and identification photos retained by participating state DMVs. EPIC also obtained the Standard Operating Procedure for the program and a Privacy Threshold Analysis that indicated that a Privacy Impact Assessment must be performed, but it is not clear whether one has been completed. EPIC is currently suing the FBI to learn more about its development of a vast biometric identification database. For more information, see EPIC: Face Recognition and EPIC: Biometric Identifiers. (Jun. 17, 2013)
  • Google Bans Facial Recognition Glass Apps: Google announced that it will not approve any facial recognition apps for Google Glass, pending the development of privacy safeguards. "[W]e won't add facial recognition features to our products without having strong privacy protections in place," the company said in a blog post. In comments on facial recognition to the Federal Trade Commission last year, EPIC recommended that the Federal Trade Commission enforce Fair Information Practices against commercial actors when collecting, using, or storing facial recognition data. "In the absence of guidelines and legal standards, EPIC recommends a moratorium on the commercial deployment of facial recognition techniques," EPIC wrote to the FTC in early 2012. For more information, see EPIC: Facial Recognition and EPIC: Federal Trade Commission. (Jun. 3, 2013)
  • EPIC Sues FBI to Obtain Details of Massive Biometric ID Database: EPIC has filed a Freedom of Information Act lawsuit against the FBI to obtain documents about "Next Generation Identification", a massive database with biometric identifiers on millions of Americans. The EPIC lawsuit follows the FBI's failure to respond to EPIC's earlier FOIA requests for technical specifications and contracts. According to EPIC's complaint, "When completed, the NGI system will be the largest biometric database in the world." NGI aggregates fingerprints, DNA profiles, iris scans, palm prints, voice identification profiles, photographs, and other identifying information. The FBI will use facial recognition to match images in the database against facial images obtained from CCTV and elsewhere. For more information, see EPIC v. FBI - Next Generation Identification, EPIC: Biometric Identifiers and EPIC: Face Recognition. (Apr. 8, 2013)
  • Federal Trade Commission Proposes "Best Practices" for Facial Recognition Technology: The Federal Trade Commission has released a report recommending practices that businesses using facial recognition technology should follow in order to protect the privacy and security of consumers. The report noted that facial recognition techniques range from simple face detection to the identification of previously anonymous individuals. The FTC recommended several practices for all businesses, such as privacy by design, data deletion, and security standards. In services involving facial recognition to identify individuals, the FTC recommended that companies obtain the affirmative express consent of consumers, and in certain sensitive locations, such as health care facilities, the FTC said that the technology should not be used at all. In earlier comments to the Commission, EPIC recommended a moratorium on the use of facial recognition until adequate privacy safeguards are developed. A similar recommendation is found in the Madrid Privacy Declaration, which is endorsed by more than 100 civil society organizations worldwide. Facebook has ended the use of facial recognition in the European Union and suspended use in the United States. For more information, see EPIC: Face Recognition and EPIC: Federal Trade Commission. (Oct. 22, 2012)
  • Facebook Ceases Facial Recognition in European Union: The Irish Data Protection Commissioner issued a report finding that Facebook has implemented many of the Commissioner’s recommendations, such as halting the automatic use of facial recognition through "tag suggestions." Facebook has agreed to give users the choice over the use of facial recognition, to grant users access to their facial recognition template, and to delete the facial recognition data of EU citizens by October 15. The report also found that Facebook had implemented recommendations for improving transparency, enhancing the ability for users to delete data, and allowing users to access their data. On recommendations concerning user education, data deletion, and as targeting based on sensitive terms, the report found that "full implementation has not yet been achieved but is planned to be achieved by a specific deadline." The Federal Trade Commission recently adopted a proposed settlement with Facebook that prohibits Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In November 2011, EPIC recommended that the FTC prevent Facebook from creating facial recognition profiles without users' consent. In February 2012. EPIC recommended "the suspension of facial recognition technology deployment until adequate safeguards and privacy standards are established." For more information, see EPIC: Federal Trade Commission and EPIC: Facebook and Facial Recognition. (Sep. 21, 2012)
  • EPIC Recommends Protections for Use of Commercial Facial Recognition Technology: In a statement for the record, EPIC called on the Senate Subcommittee on Privacy, Technology, and the Law to protect the ability of individuals to control the disclosure of their identity. The hearing on "What Facial Recognition Technology Means for Privacy and Civil Liberties" will feature witnesses from the government, private companies, and academia. EPIC recommended that Fair Information Practices ("FIP") be enforced against companies that collect facial recognition data. These legal obligations would include limitations on collection, use, and retention of the data, informed consent, security, accessibility, and accountability. "In the absence of guidelines and legal standards, EPIC recommends a moratorium on the commercial deployment of facial recognition techniques." For more information, see EPIC: Facial Recognition. (Jul. 18, 2012)
  • Facebook Acquires Facial Recognition Company Face.com: Facebook announced the acquisition of Face.com, a facial recognition technology company and long-time business partner of Facebook. Facebook uses an automatic facial recognition system, called "tag suggestions," to create a database of users' biometric information. Last year, EPIC filed a complaint with the Federal Trade Commission, stating that Facebook created biometric profiles of users without their explicit consent, failed to provide a clear mechanism for the deletion of these profiles, and failed to take adequate safeguards to ensure that users' biometric information would not be accessible to government agents and other third parties. In recent comments to the FTC, EPIC recommended the suspension of facial recognition technology deployment until adequate safeguards and privacy standards are established. For more information, see EPIC: Facial Recognition and EPIC: Facebook and Facial Recognition. (Jun. 20, 2012)
  • International Police Organization Proposes Worldwide Facial Recognition System. Interpol, the Europe-based international law enforcement group, has proposed an automated face-recognition system for international borders. Such a system could require travelers to undergo face scans, and make the information available to numerous countries. An Interpol face-recognition database would permit Interpol member nations to search records containing travelers' personal biometric information, and could be used in conjunction with travel watch lists. The inaccuracy of facial recognition technology has repeatedly been criticized. Privacy watchdogs have questioned the efficacy and wisdom of government programs that collect ever-more personal information at border crossings. "We need to get our data to the border entry points. There will be such a large role in the future for fingerprints and facial recognition," said Mark Branchflower, head of Interpol's fingerprint unit. (Oct. 20, 2008)
  • Companies Use Surveillance Cameras for Advertising Studies. Surveillance cameras have long been used as anti-crime devices. However, companies are now seeking to use surveillance cameras to watch people for advertising research. In Germany, developers are placing video cameras into street advertisements and attempting to discern people's emotional reactions to the ads. Dutch researchers are using experimental emotion-recognition software to test individuals' reactions to advertisements and marketing. (July 10, 2007)
  • Federal Air Marshals to Surreptitiously Photograph Travelers. The US Department of Homeland Security is investing in face recognition technology so that federal marshals can surreptitiously photograph people in airports, bus and train stations, and elsewhere to check whether they are in terrorist databases. The Los Angeles police department already is using handheld facial recognition devices. See EPIC's Video Surveillance page. (May 10, 2007)
  • British Police Look to Build National Mugshot Database. The Police Information Technology Organisation aims to create a national database of still and video facial images, tattoos, and other imagery linked to criminal biographical information. They are also looking into how they can incorporate facial recognition software into the mugshot database for the police forces of England, Scotland, and Wales. (Jan. 16, 2006)

History

Facial recognition systems are computer-based security systems that are able to automatically detect and identify human faces. These systems depend on a recognition algorithm, such as eigenface or the hidden Markov model. The first step for a facial recognition system is to recognize a human face and extract it fro the rest of the scene. Next, the system measures nodal points on the face, such as the distance between the eyes, the shape of the cheekbones and other distinguishable features. These nodal points are then compared to the nodal points computed from a database of pictures in order to find a match. Obviously, such a system is limited based on the angle of the face captured and the lighting conditions present. New technologies are currently in development to create three-dimensional models of a person's face based on a digital photograph in order to create more nodal points for comparison. However, such technology is inherently susceptible to error given that the computer is extrapolating a three-dimensional model from a two-dimensional photograph.

Throughout the nation and the world, the debate on the privacy implications of face recognition and other surveillance technologies is heating up. In January 2001, the city of Tampa, Florida used the technology to scan the faces of people in crowds at the Super Bowl, comparing them with images in a database of digital mug shots. Privacy International subsequently gave the 2001 Big Brother Award for "Worst Public Official" to the City of Tampa for spying on Super Bowl attendees. Tampa then installed cameras equipped with face recognition technology in their Ybor City nightlife district, where they have encountered opposition from people wearing masks and making obscene gestures at the cameras. In late August 2001, a member of the Jacksonville, Florida City Council proposed legislation to keep the technology out of Jacksonville.

The Virginia Department of Criminal Justice Services gave a $150,000 grant to the city of Virginia Beach in July 2001, to help the city obtain face recognition cameras to look for criminal suspects and missing children. Although officials had initially expressed mixed feelings about the technology, the city council voted on November 13 to install the software at the oceanfront. To fully fund the system, the city must pay an additional $50,000.

In the wake of the September 2001 terrorist attacks on the U.S., privacy advocates, citizen groups, political leaders, and the manufacturers of the technology itself are debating whether these technologies should be more widely used, and if so, how they should be regulated to protect the privacy of the public. Some airports are considering installing face recognition cameras as a security measure. However, T.F. Green International Airport in Providence, Rhode Island, one of the first airports to consider it, decided in January 2002 that they would not install it after all, citing the possibility of false matches and other technological shortcomings of facial recognition systems.

Subsequently, in August of 2003, the Tampa Police Department scrapped Ybor City's facial-recognition system, citing the system's ineffectiveness as bearing heavily on their decision. Virginia Beach's system is still in place, however, it has never produced a match or arrest since its installation in 2002. Boston's Logan Airport ran two separate facial recognition system tests at its security checkpoints using volunteers posing as terrorists over a three-month period and posted disappointing results. Throughout the testing period, the systems correctly identified the volunteers 153 times and failed to identify the volunteers 96 times. As a result of the lackluster success rate of only 61.4 percent, the airport decided to explore other technologies for securing its checkpoints

Recently, the focus on facial recognition systems has shifted to its use as a way to secure borders. The United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program requires visitors of the United States to provide fingerprints and a digital photograph at their port of entry. US-VISIT then interfaces with the Automated Biometric Identification System (IDENT) database to check and see if the visitor is a "person of interest." Similarly, the Real ID Act of 2005 would include an integrated computer chip in every driver's license issued after May 2008 that contains a digital photograph, which could be used for facial recognition purposes.

News Items

Resources

Reports on Facial Recognition

Previous Top News

  • EPIC Calls for Moratorium on Facial Recognition Technology: In detailed comments to the Federal Trade Commission, EPIC today recommended the suspension of facial recognition technology deployment until adequate safeguards and privacy standards are established. EPIC said that facial recognition is often used by strangers to determine a person's actual identity and that this poses a risk to privacy and personal security. EPIC also noted that some companies have adopted techniques that are more favorable to privacy as they allow users to control the image database while others undermine privacy, as the image database is centrally maintained. EPIC previously submitted a complaint to the FTC about Facebook's use of facial recognition technology to build a secret database of users' biometric data and allowing the company to automatically tag users in photos. The comments follow an FTC workshop exploring the privacy and security issues raised of facial recognition technology. For more information, see EPIC: Federal Trade Commission, EPIC: Face Recognition, and EPIC: Facebook and Face Recognition. (Feb. 1, 2012)
  • FTC Publishes Performance Report: The Federal Trade Commission has issued the 2011 Performance and Accountability Report. The report summarizes the agency’s accomplishments, shows how the agency has managed its resources, and explains how it plans to address future changes. According to the FTC, during 2011 the agency exceeded its privacy goals by providing 52 comments to foreign consumer protection and privacy agencies, conducting 14 technical assistance missions, and hosting one international consumer protection fellow. The agency’s privacy goals for the coming year include "issu[ing] a final report on protecting consumer privacy," and "examin[ing] malware and spyware threats to mobile devices . . . and malware distributed through social networks." The FTC report made no mention of several pending complaints, including EPIC's 2009 complaint regarding the changes by Facebook to its users' privacy settings. For more information, see EPIC: Federal Trade Commission and EPIC: Facebook and Facial Recognition. (Nov. 22, 2011)
  • Sen. Rockefeller Requests FTC Report on Facial Recognition Technology: Senator John D. Rockefeller (D-WV) sent a letter requesting that the Federal Trade Commission assess the use of facial recognition technology and recommend legislation to protect privacy. Facial recognition technology is being used by technology firms and also police agencies, which has raised civil liberties concerns. The letter cited mobile applications such as SceneTap, which "tracks the male/female ratio and age mix of the crowd [in bars]" and digital advertising at the Venetian Resort in Las Vegas that tailors ads to the person standing in front of the display based on recognition of that person’s age and gender. The FTC will hold a workshop on facial recognition technology on December 8, 2011. EPIC's complaint regarding Facebook's facial recognition is still pending before the FTC. For more information, see EPIC: In re Facebook, and EPIC: Facial Recognition. (Oct. 20, 2011)
  • FTC Announces Workshop on Facial Recognition Technology: The Federal Trade Commission announced that it will host a workshop on December 8, 2011, on the privacy and security issues raised by the increasing use of facial recognition technology. Facial recognition technology has been used by Facebook to build a secret data base of users’ biometric data and to enable Facebook to automatically tag users in photos. The Army has also used facial recognition technology to collect biometric data from Iraqi and Afghan civilians at checkpoints, workplaces, the sites of attacks, and door-to-door canvasses. EPIC, Privacy International, and Human Rights Watch wrote to the US Secretary Defense in 2007 to warn that the system could lead to reprisals and further killings. Police agencies are also using facial recognition to identity political protesters. EPIC’s complaint regarding Facebook’s facial recognition is still pending before the FTC. For more information, see EPIC: In re Facebook, EPIC: Face Recognition, and EPIC: Iraqi Biometric Identification System. (Sep. 20, 2011)
  • New German E-Passports Thwarted by People Smiling. Germany started issuing biometric passports a week ago but problems have been caused by people smiling and visible teeth. Germany has had to issue guidelines warning that people "must have a neutral facial expression and look straight at the camera." Germany, Belgium and Sweden are the three EU countries offering biometric passports. (Nov. 10, 2005)
  • Spotlight: Facial Recognition Systems Don't Picture Privacy. This month, Spotlight focuses on facial recognition systems. The Department of Homeland Security has spent millions of dollars on these "smart" cameras that attempt to identify people based on their facial images. However, several tests show the systems are not reliable. Facial recognition systems also create significant privacy risks: the cameras are often hidden and there are no laws to prevent abuse. (Nov. 4, 2005)
  • UK Will Have E-passports With Facial Recognition in 2006. The United Kingdom plans to have e-passports equipped with facial biometrics and ID cards early next year. The UK government also plans to include fingerprints in both by 2009. The passports include a microchip that holds a digitised facial image, and has space to hold another biometric if needed. Bernard Herdan, chief executive of the UK Passport Service, said the passports would be phased in by February 2006 and completed by July 2006. (Oct. 25, 2005)
  • Pakistan to Use Facial Recognition with Passports. The National Database and Registration Authority of Pakistan is using Viisage Technology's face recognition systems to identify passport holders. NADRA announced this week that it has scanned 34 million images for duplicates in three months. The database was expected to grow to 50 million records once enrollment is complete. (Aug. 31, 2005)
  • NY Train System to Adopt New Electronic Security System. The New York Metropolitan Transportation Authority has announced that it is working with Lockheed Martin to develop a state-of-the-art electronic security system to enhance security on its trains by using "intelligent video" to monitor suspicious individuals and packages. The system will be adaptable to new technology, such as devices that detect explosives, measure signs of nervousness and recognize faces. The $212 million dollar system has recently come under criticism for its inability to determine whether an object has been left in a garbage can. (Aug. 23, 2005)
  • State Department Requires Digital Photographs. The State Department has decided to implement an identification system for individuals in the Visa Waiver Program that requires those individuals to produce a passport with a digital photograph stored in an integrated circuit chip by October 26, 2006. It is still unknown whether the digital photograph will be used to as a biometric identifier, but many experts have debated the safety of including sensitive information in e-passports that include RFID chips. EPIC has previously issued comments on the related issue of RFID use in US-VISIT. (June 15, 2005)
  • British National ID Plan's Biometrics Use Called Flawed. Under the UK's national ID proposal, face, iris and fingerprint scans will be used to identify people. However, studies have found that biometrics being scanned in the wrong type of light or in shadow could lead to a false identification. One problem, a Home Office minister admitted, is that people with brown eyes could experience difficulties using the national ID cards. The cost of a combined passport and ID card, is estimated at £93 each. The UK House of Commons last week passed the national ID bill; it now moves to the House of Lords. (Oct. 24)
  • Report: Costly National ID Scheme An Unfunded Mandate. The National Conference of State Legislatures, a bipartisan group, today released a report documenting pending legislation that pre-empts state authority, including the national ID card created by the recently passed REAL ID Act. NCSL officials estimate the national ID scheme could cost states $13 billion as they try to restructure motor vehicle offices. "The REAL ID Act handcuffs state officials with unworkable, unproven, costly mandates that compel states to enforce federal immigration policy rather than advance the paramount objective of making state-issued identity documents more secure and verifiable, " Sen. Michael Balboni said, in announcing the report. The new ID cards will include biometrics, including digital photographs that can be linked up to facial recognition systems. (Aug. 16)
  • UK Identity Card Bill Introduced in Parliament. The Labour Party introduced its Identity Cards bill in the House of Commons on Monday. The bill, which may cost £18B ($32.6B) over the next 10 years, provides for ID cards that will be tied to the National Identity Register, also established by the bill. As the bill's Explanatory Note states, in the first stage only individuals who apply for "Designated Documents" will be required to register, though the bill provides authority for the government to make registration compulsory for all UK residents. The National Identity Register may eventually include name, date of birth, residence, and immigration status, as well as biometric information and personal history of every individual in the UK. The bill was initially introduced in the House of Parliament last November, but was withdrawn in April pending the outcome of the May 6 general election. (June 2)
  • Congress Passes Controversial ID Bill Without Debate. The Senate yesterday approved the supplemental military spending bill to which the REAL ID Act had been attached. The legislation mandates federal identification standards and requires states DMVs, which have become the targets of identity thieves, to collect sensitive personal information. The new ID cards will include digital photographs that can be linked up to facial recognition systems. Legislators in both parties urged debate and more than 600 organizations opposed the legislation. (May 11)
  • Spotlight: Federal Grants Fund Surveillance Cameras in Nation's Cities. This month, Spotlight on Surveillance turns to the $2 billion that the Department of Homeland Security will provide to state and local governments. Some of this money will be for surveillance cameras that watch people in shopping centers and on public streets, and may even look into homes. Such cameras can be linked to facial recognition systems. Studies have found that such surveillance systems have little impact on crime, and that it is more effective to place officers on the streets and improve lighting in high-crime areas. (May 2)
  • Sweeping ID Bill Faces Opposition in the Senate. A bipartisan coalition of senators is urging debate on a bill that would establish a federal mandate for identification standards across the United States. The REAL ID Act would impose technological standards and verification procedures on the states, many of which are beyond the current capacity of the federal government. The bill is opposed by the National Governors Association, the National Conference of State Legislatures, the Council of State Governments, and the American Association of Motor Vehicle Administrators. Sen. Richard Durbin also expressed concern this week that REAL ID would repeal earlier legislation that contained "carefully crafted language -- bipartisan language -- to establish standards for States issuing driver's licenses." (Apr. 22)
  • Facial Recognition Linked to Mobile Phones. New software allows personal digital assistants, mobile phones or other handheld devices to use a built-in camera to recognize the face of their owner. The Okao Vision Face Recognition Sensor software by Omron is compatible with the Symbian, Binary Runtime Environment for Wireless, Linux and Itron operating systems. (Mar. 1, 2005)
  • Homeland Security Adopts New Facial Recognition Standard. The Department of Homeland Security has adopted a standard developed by the International Committee for Information Technology Standards (INCITS). The standard (INCITS 385) will be used to as the technical criteria for designing equipment such as cameras and software for facial recognition. (Oct. 28, 2004)
  • CATO Institute Holds Biometrics Event. The Cato Institute will be holding an event called "Eye in the Sky and Everywhere Else: Do Biometric Technologies Violate Our Rights?" Speakers included Frances Zelazny, Visionics; Dorothy Denning, Georgetown University; Marc Rotenberg, EPIC; and John D. Woodward, Jr., RAND. (Jan. 24, 2002)
  • Watch the Watchers. An international coalition composed of artists, scientists, engineers, scholars, and others declared December 24 to be "World Subjectrights Day", or "World Sousveillance Day", a day to watch the watchers. Passengers are encouraged to photograph cab drivers, customers to photograph shopkeepers, citizens to photograph the police, etc. There is also a photo competition encouraging participants to send in pictures for inclusion in a national face recognition database. (Dec. 2001)
  • EPIC Event to Explore Privacy Implications of New ID Systems. EPIC holds National Press Club event where experts Whitfield Diffie, Jeffrey Rosen, Richard Smith, Robert Ellis Smith, John Woodward, and Marc Rotenberg discuss privacy issues relating to security and surveillance technologies. (Oct. 22, 2001)