
FBI facial recognition systems draw criticism over privacy, accuracy

GAO report blasts FBI facial recognition programs over privacy and accuracy concerns; FBI systems offer access to over 411 million photos from federal and state sources.

A new GAO report blasts the FBI over concerns for privacy and accuracy of its facial recognition systems and its huge database of photographs. The FBI facial recognition program has access to over 411 million photographs gathered from state driver's license databases as well as from passport and visa applications.

The FBI facial recognition programs are under scrutiny after a report by the Government Accountability Office (GAO) revealed that the FBI's Facial Analysis, Comparison, and Evaluation (FACE) Services unit is using facial recognition software that has not been tested for accuracy.

The GAO audit was a response to a request from Senator Al Franken (D-Minn.) to review the FBI's facial recognition technology, including a review of FBI facial recognition capabilities, evaluation of whether the FBI's use of those capabilities "adhered to laws and policies related to privacy," and the degree to which the FBI tests the accuracy of its facial recognition.

FACE offers access to nearly 30 million photos through the FBI's Next Generation Identification-Interstate Photo System (NGI-IPS); however, the GAO concluded that "FBI officials have not conducted an operational review of NGI-IPS. As a result, they have not assessed the accuracy of face recognition searches of NGI-IPS in its operational setting."

FBI facial recognition systems have access to over 411 million photos, including hundreds of millions of photos from driver's license photos from 16 states, the Department of State's passport and visa application repository and a database of individuals detained by the Department of Defense. The Electronic Frontier Foundation called it "an unprecedented number of photographs, most of which are of Americans and foreigners who have committed no crimes."

The GAO also chided the FBI for failing to stay current on Privacy Impact Assessments of the facial recognition programs, noting that "[t]he timely publishing of PIAs would provide the public with greater assurance that the FBI is evaluating risks to privacy when implementing systems."

GAO found that although the NGI-IPS has been operating since 2011, the Department of Justice had not published a System of Records Notice (SORN) addressing "the FBI's use of face recognition capabilities, as required by law, until May 5, 2016, after completion of GAO's review. The timely publishing of a SORN would improve the public's understanding of how NGI uses and protects personal information."

In other news

  • A new piece of ransomware written completely in JavaScript has been discovered. Security researchers @JAMES_MHT and @benkow wrote that they spotted a tweet that "reported a suspicious domain with an open directory listing." While looking through the files in the listing, the researchers found a zip archive containing the malicious JavaScript code, "which we have dubbed RAA ransomware and that additionally delivers a dropping stage for the Pony malware." RAA is written completely in JavaScript, so it can be delivered as a standard JavaScript file and made to look like an Office document, unlike the Ransom32 malware, which depends on Node.js and is delivered in an executable file.
  • Kaspersky Lab reports that the underground market xDedic offers buyers access to more than 70,000 hacked servers. Customers on the xDedic market can purchase access to government servers in an EU country network for as little as $6. "The one-time cost gives a malicious buyer access to all the data on the server and the possibility to use this access to launch further attacks." The trading platform appears to be run by a group of Russian-speaking hackers, according to Kaspersky's white paper, "The xDedic Marketplace." "The forum provides members with tools to patch RDP (Remote Desktop Protocol) servers to support multiple user logins, as well as other hacking tools, such as proxy installers and sysinfo collectors. The main goal of the xDedic forum is to facilitate the buying and selling of credentials for hacked servers which are available through RDP."
  • Microsoft aims to plug holes in C with its new Checked C extension to the C programming language. "The Checked C research project is investigating how to extend the C programming language so that programmers can write more secure and reliable C programs," Microsoft wrote. "The project is developing an extension to C called Checked C that adds checking to C to detect or prevent common programming errors such as buffer overruns, out-of-bounds memory accesses, and incorrect type casts. The extension is designed to be used for existing system software written in C."
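The kind of error Checked C targets is the unchecked pointer access. The block below is an added illustration in plain C, not code from Microsoft's Checked C project and not Checked C syntax: it pairs a pointer with the length it may address (the bound that Checked C attaches to the type) and rejects reads and copies that would run past the end. The `checked_buf`, `checked_read`, `checked_copy` and `demo` names and the 8-byte buffer are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A pointer paired with the number of bytes it is allowed to address.
 * Checked C carries this bound in the type; here it is an explicit struct. */
typedef struct {
    uint8_t *base;
    size_t len;
} checked_buf;

/* Bounds-checked read: returns 0 on success, -1 if idx is out of range. */
int checked_read(const checked_buf *b, size_t idx, uint8_t *out) {
    if (b == NULL || b->base == NULL || out == NULL || idx >= b->len) {
        return -1;              /* refuse instead of reading past the end */
    }
    *out = b->base[idx];
    return 0;
}

/* Bounds-checked copy of n bytes from src into dst at offset off.
 * Returns 0 on success, -1 if the write would exceed dst->len. */
int checked_copy(checked_buf *dst, size_t off, const uint8_t *src, size_t n) {
    /* off + n could wrap around in size_t, so compare against the space left */
    if (dst == NULL || dst->base == NULL || src == NULL ||
        off > dst->len || n > dst->len - off) {
        return -1;
    }
    memcpy(dst->base + off, src, n);
    return 0;
}

/* Exercises the checks on a constructed 8-byte buffer. Returns the number of
 * out-of-bounds operations that were rejected (expected: 3), or -1 if a
 * legitimate operation was wrongly refused. */
int demo(void) {
    uint8_t storage[8] = {0};
    checked_buf buf = { storage, sizeof storage };
    /* constructed 12-byte input, longer than the destination */
    const uint8_t payload[12] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12};
    int rejected = 0;
    uint8_t byte;

    if (checked_copy(&buf, 0, payload, 8) != 0) return -1;   /* fits exactly */
    if (checked_copy(&buf, 0, payload, 12) != 0) rejected++; /* 12 > 8 */
    if (checked_copy(&buf, 4, payload, 5) != 0) rejected++;  /* 4 + 5 > 8 */
    if (checked_read(&buf, 7, &byte) != 0) return -1;        /* last valid index */
    if (checked_read(&buf, 8, &byte) != 0) rejected++;       /* one past the end */
    return rejected;
}

int main(void) {
    printf("rejected out-of-bounds operations: %d\n", demo());
    return 0;
}
```

The copy check compares `n` against `dst->len - off` rather than computing `off + n`, so a very large `n` cannot wrap around the size arithmetic and slip past the test; that is the same class of arithmetic mistake that bounds-aware type systems are meant to rule out at compile time.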
  • Let's Encrypt, the free certificate authority, exposed users' email addresses by mistake. According to its statement, the exposure occurred when Let's Encrypt "started sending an email to all active subscribers who provided an email address, informing them of an update to our subscriber agreement. This was done via an automated system which contained a bug that mistakenly prepended between 0 and 7,618 other email addresses to the body of the email. The result was that recipients could see the email addresses of other recipients. The problem was noticed and the system was stopped after 7,618 out of approximately 383,000 emails (1.9%) were sent. Each email mistakenly contained the email addresses from the emails sent prior to it, so earlier emails contained fewer addresses than later ones."
  • Microsoft's Azure blockchain as a service (BaaS) is getting a new set of tools in Project Bletchley, Microsoft's "vision for an open, modular blockchain fabric powered by Azure," including new elements that Microsoft believes are key in enterprise blockchain architecture. "Azure will be open to a variety of blockchain protocols, supporting simple, Unspent Transaction Output-based protocols (UTXO) like Hyperledger, more sophisticated, Smart Contract-based protocols like Ethereum, and others as developed." Project Bletchley adds the concepts of blockchain middleware, which will "provide core services functioning in the cloud, like identity and operations management, in addition to data and intelligence services like analytics and machine learning," and cryptlets, which "will enable secure interoperation and communication between Microsoft Azure, ecosystem middleware and customer technologies. Cryptlets function when additional information is needed to execute a transaction or contract, such as date and time. They will become a critical component of sophisticated blockchain systems, enabling all technology to work together in a secure, scalable way."
  • Adobe released a patch for a critical zero-day vulnerability, two days after the flaw was reported. "Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks." Adobe wrote that "[s]uccessful exploitation could cause a crash and potentially allow an attacker to take control of the affected system."

Next Steps

Find out how retailers are using facial recognition software to track their customers.

Learn more about how governments are building their facial recognition databases.

Read about why governments and businesses are looking at biometric surveillance techniques.
