Law Enforcement Around the Country is Quietly Enlisting the Private Sector to Develop Real-Time Facial Recognition Capability

Posted on July 16, 2018

Once relegated to the fanciful flights of science fiction, facial recognition technology has not only reached sufficient maturity to enter the market, but has even entered mainstream consumer consciousness as a tool of convenience. One need only ask the satisfied owners of the iPhone X, the Samsung Galaxy S9, or more than a dozen other smartphone models who readily prefer “face unlock” features to typing in a PIN code to witness how receptive most consumers are to it.

But while facial recognition has managed to don a relatively innocuous guise as an efficient biometric authentication mechanism, private and public sector players are working in tandem to equip law enforcement around the country with an invasive new entrant into their policing arsenal, with concerningly little public reaction. And while facial recognition technology is currently only robust enough to convince a handful of US police departments to deploy it in limited test cases, inter-agency and inter-sectoral infrastructures permissive enough to let this formidable technology spread like wildfire are already in place. 

One of the most prolific implementations of facial recognition among US law enforcement is Amazon’s Rekognition product, which is hosted on the company’s Amazon Web Services (AWS) cloud platform. Already deployed by police departments in Florida and Oregon, Rekognition can be integrated with police body cameras and government surveillance camera networks. Primarily, and in its current iteration, it is used to compare mugshots against video footage from explicitly public surveillance camera networks though, again, functionality is already included for analyzing video regardless of its source (including private cameras linked to police) or time lag from initial capture.

This allegedly limited, preliminary use of Rekognition already grants departments employing it shockingly broad capabilities. In addition to using facial data to track individuals captured in footage, including after they turn their faces away from the camera lens, the software is capable of scanning faces to make determinations about the subject’s age or emotional state. Perhaps the robustness of its features account for the notable increase of interest in Amazon’s software, in both the public and private spheres. Along with the agencies in Florida and Oregon, law enforcement agencies in other states including Arizona and California are also considering licensing Rekognition from Amazon; and Motorola Solutions, which manufactures police body cameras, has already licensed Rekognition. Amazon’s attitude toward the growth of this side business is disconcertingly cavalier, as it stated that while they reserved the right to suspend service to customers they deem to be abusing their software, they did not confirm whether or not they have ever exercised this right, and maintained that facial recognition should not be legally prohibited because of its potential for abuse. Essentially, their position is “trust Amazon.”

In light of the current social and legal backdrop against which the development of facial recognition technology unfolds, there are a number of concerns worthy of attention. Foremost among these is that current research points overwhelmingly to serious inaccuracies when analyzing the faces of racial minorities, which opens the door to erroneously tracking (and thereby invading the privacy of) members of groups that are already more likely to suffer police abuse. As ripe for abuse as their respective implementations of Rekognition currently are, there is also nothing stopping departments in the two jurisdictions identified by The Verge and others in their reporting from extending the reach of their programs. At least one of the contacted departments maintained that they are not processing facial data in real time, but simply testing mugshots against archived video footage, but there is nothing stopping them from enabling the live video facial recognition and tracking feature–residents in these jurisdiction merely have their respective departments’ self-imposed policies to fend off unwarranted breaches of their privacy. In fact, in most police jurisdictions in the US, there is no statutory limit on how facial recognition software may be used. 

As police utilization of facial recognition software does not exist in a vacuum, the networks and technical infrastructure required to host such platforms also merit consideration. Compounding the invasion of privacy posed by facial recognition software is the fact that it is paired with apps (intended for law enforcement users) developed by the government, which has a poor track record of designing secure and usable software even when hiring contractors. This means that surveillance powered by sophisticated Amazon facial recognition software could be susceptible to interception by malicious actors that are able to compromise these law enforcement apps, leading to a much wider spread of sensitive data on those being tracked.

Unsettling as all of this is, it only represents one half of the equation, namely the the extent to which the private sector catalyzes the adoption of facial recognition by US law enforcement. However, there is also a supplementary public sector apparatus that private sector technology like Amazon’s can seamlessly tap into. The faces of roughly half of all US citizens, taken from mugshots but also driver’s license photos and background check applications, are tagged and stored in an interdepartmental database that can be accessed by, among other agencies, the FBI. Police departments which license Amazon’s Rekognition and which also enjoy access to this database would have an enormous repository of images to seed Rekognition’s analysis, magnifying the amount of data they could derive from nonstop live video feeds from surveillance camera networks. Used by itself, Rekognition’s matching function merely determines if a face in an image matches a face in a database, and does not determine the identity of the person whose face is matched. Powered by the interdepartmental database, the otherwise anonymous faces scanned by Rekognition, which would still enable the tracking of individuals’ physical location in isolation, would be supplied with identities which can then be further detailed by mining social media associated with them. The magnitude of pervasive monitoring that this would make possible cannot be overstated. 

As terrifying a prospect as this is, it may represent the best-case scenario since the abysmal accuracy and lack of any review process for the interdepartmental facial recognition database mean that it is entirely likely that an individual could be misidentified as a false positive and subsequently tracked. And, again, because pairing real-time facial recognition capabilities like Rekognition’s with the expansive interdepartmental database means that tracked faces can be linked to a name, these misidentified individuals are then vulnerable to having their social media mined needlessly. 

As this takes shape in the US, China is also employing facial recognition software as a tool for maintaining order in society, but whereas its use in the US is so far mostly restricted to a handful of police departments quietly pursuing supposedly controlled testing, China is employing it quite openly not only to aid in maintaining public safety but to shame people into compliance with trifling misdemeanors like jaywalking. Chinese hyper-surveillance which includes facial recognition is also being linked to a “social credit” system which quantifies citizens’ behavior (including political behavior) and metes out enforcement penalties such as denial of ability to purchase train or air travel, all without appeal or even prior notice.

It would be foolish to believe that the nature of the technology’s use in the US is far removed from that of China. One eerie similarity is the collaboration between government and private industry, and the rapid development of facial recognition technology it generates. To dismiss this fact would be to egregiously underestimate the degree to which we are approaching a point of pervasive, suspicionless physical monitoring of individuals. Since 9/11 we have been elaborating an architecture of totalitarian surveillance and control beyond Orwell’s imagination. At what point will it become the house we all live in?

Jonathan Terrasi has been a Research Assistant with the Chicago Committee to Defend the Bill of Rights since January 2017. His interests include computer security, encryption, history, and philosophy. In his writing, he regularly covers topics on current affairs and political developments, as well as technical analyses and guides on security issues, published on his blog, Cymatic Scanning, and Linux Insider

Bob Clarke, President of CCDBR, contributed to the style and content of this piece.