House lawmakers are raising concerns that a powerful facial recognition tool Amazon is marketing to local law enforcement agencies could be used to inappropriately surveil innocent Americans and reinforce racial profiling of black communities.
In two separate letters to Amazon chief executive Jeffrey P. Bezos late last week, two House Democrats and the Congressional Black Caucus are seeking answers about Rekognition, the service the company is selling for an extremely low price to law enforcement agencies in Oregon and Orlando that allows police to scan footage of crowds for possible suspects in real time.
Reps. Emanuel Cleaver (D-Mo.) and Keith Ellison (D-Minn.) want Bezos, who also owns The Washington Post, to turn over a full list of agencies that use Rekognition and provide assurances that the company is taking steps to root out the potential for bias in the software. They pointed to recent studies showing that facial recognition software consistently misidentified black people and women more often than white people and men.
Cleaver told me that it was up to companies such as Amazon "to hire diverse leadership to ensure that these artificial intelligence technologies do not adversely affect communities of color."
“If industry leaders won’t step up with their own policy improvements,” Cleaver told me in an email, “make no mistake about it, Congress will do it for them.”
The Congressional Black Caucus argued that an “algorithmic bias” could drive law enforcement to unfairly target African Americans and that Rekognition could also be turned against immigrants and protesters. “Surveillance of perfectly legitimate and constitutionally protected activity will only further erode the public’s trust in law enforcement,” wrote Chairman Cedric L. Richmond (D-La.). “We urge you to be thoughtful, deliberate, and assiduous as development of this technology advances.”
Rekognition appears to push the boundaries of how law enforcement uses already-controversial facial recognition systems — but lawmakers may have a tough time regulating these systems, even as Republicans and Democrats alike say they are ripe for abuse.
Washington hasn’t come close to keeping pace with technological breakthroughs on facial recognition technology, says Alvaro Bedoya, director of the Center on Privacy and Technology at Georgetown University Law Center, which published a sweeping study in 2016 examining the risks to privacy and civil rights posed by facial recognition systems. “Not any state nor Congress has passed a law that comprehensively regulates this technology,” Bedoya said.
There has also been little pressure from constituents. “Because major law enforcement agencies have used this in secret, the public hasn’t had a chance to say what it thinks about it,” Bedoya said. “The technology has moved much quicker than public awareness and, until recently, public opinion.”
Documents released by the American Civil Liberties Union last week kicked off a debate about Rekognition, at least among privacy experts and lawmakers.
My colleague Elizabeth Dwoskin sums up how the program works: “It can identify up to 100 people in a crowd, the documents said. The sheriff’s office of Washington County, Ore., built a database of 300,000 mugshots of suspected criminals that officers could have Rekognition scan against footage of potential suspects in real-time. The footage could come from police body cameras and public and private cameras.” On top of that, the services are cheap: The county apparently pays Amazon between $6 and $12 a month for the service.
Not even the FBI is using its facial recognition software to track people in real time, Bedoya notes. Rather, in the FBI's system, officers can look for a suspect by feeding a photo obtained during an investigation into federal and state databases containing photos of hundreds of millions of people culled from mugshots, driver's licenses, passports and other documents. The ACLU’s findings are the “clearest example yet that these dragnet, real-time face recognition systems are real,” Bedoya said.
Lawmakers have already shown an interest in setting rules about how agencies more broadly use facial recognition systems. During a heated hearing last March, Republicans and Democrats from the House Oversight Committee grilled Kimberly Del Greco, deputy assistant director of the FBI's Criminal Justice Information Services Division, saying the bureau’s facial recognition system trampled on innocent Americans' privacy. Some lawmakers proposed requiring the FBI to get a warrant before using facial recognition to identify a suspect, as law enforcement officers do when they need a wiretap.
But since Amazon is marketing Rekognition to local law enforcement, it would largely be up to states, cities and even individual police departments to set rules for how law enforcement agencies use it. Currently, few such rules exist. And getting consistent laws across the board would likely prove a challenge.
Still, Bedoya says there could be a parallel in how the Justice Department and some local law enforcement agencies took steps to contain the use of StingRay devices, which simulate a cell tower to surreptitiously collect data from people's phones. At the urging of Congress and advocacy groups, they set policies requiring warrants to use the devices. "It's not unheard of," he said. Cities or states could also bar the use of facial recognition in body cameras. And one way Congress could get involved would be to deny federal funding to local agencies that use facial recognition services that don't meet certain standards.
Amazon defends the technology. Spokeswoman Nina Lindsey told Elizabeth that the technology could be used to help locate people who have been abducted or gone missing, and she noted that during the royal wedding this month, clients used Rekognition to identify wedding attendees.
“Amazon requires that customers comply with the law and be responsible when they use [Amazon Web Services]," she said. "…When we find that AWS services are being abused by a customer, we suspend that customer’s right to use our services.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: The number of national security-related data requests that Apple received from the U.S. government during the second half of 2017 soared compared to the same period in 2016, Reuters's Stephen Nellis reports.
“Apple said it received as many as 16,249 national security requests affecting up to 8,249 accounts during the second half of 2017,” Nellis writes. “The number of requests rose 20 percent compared with the first half of 2017, when Apple received 13,499 such requests.” Nellis also writes that such government requests rose more than two-and-a-half-fold between the second half of 2016 and the same period in 2017, from as many as 5,999 to as many as 16,249.
Apple said in a report on Friday the data requests from the U.S. government included national security letters and orders issued under the Foreign Intelligence Surveillance Act. Additionally, the company said it will start reporting requests from governments to remove apps from the company's App Store, and such data will start appearing a year from now, Nellis writes.
PATCHED: The FBI wants you to reboot your Internet router to help fight the VPNFilter malware linked to a Russian hacking group that has infected hundreds of thousands of devices across the world, the New York Times's Louis Lucero II reports: “The F.B.I. has several recommendations for any owner of a small office or home office router. The simplest thing to do is reboot the device, which will temporarily disrupt the malware if it is present. Users are also advised to upgrade the device’s firmware and to select a new secure password. If any remote-management settings are in place, the F.B.I. suggests disabling them.” (I reported on VPNFilter last week in The Cybersecurity 202.)
Here's what the malware can do to your Internet router, according to the FBI's public service announcement: “VPNFilter is able to render small office and home office routers inoperable. The malware can potentially also collect information passing through the router. Detection and analysis of the malware’s network activity is complicated by its use of encryption and misattributable networks."
PWNED: Going against President Trump, Sen. Marco Rubio says Congress could move to block Chinese tech giant ZTE from operating in the United States, The Washington Post's Karoun Demirjian reports. “In an appearance on CBS News's 'Face the Nation,' Rubio (R-Fla.) said there is 'a growing commitment in Congress to do something about what China is trying to do to the United States' and that 'one of the things that Congress will do is . . . not even allow Chinese telecom companies to operate in the United States,'" Demirjian writes.
Rubio also said Chinese tech companies such as Huawei and ZTE should not be given access to the U.S. market. “They are used for espionage,” Rubio said on Sunday. “They are part of the supply chain, whether it's routers or anything else. They embed stuff in there that could be used to spy against us not just for national security. That's how they steal corporate secrets.”
Trump said Friday that he had decided to salvage ZTE after the Commerce Department imposed sanctions on the firm last month. He tweeted that he “closed it down then let it reopen with high level security guarantees, change of management and board, must purchase U.S. parts and pay a $1.3 Billion fine.”
— Congress has a lot of cybersecurity bills to pass and little time left to do so before the summer recess and the midterm elections, Inside Cybersecurity's Charlie Mitchell writes. Lawmakers have advanced cybersecurity measures on several fronts, including as part of their work on the National Defense Authorization Act, Mitchell writes. Additionally, committees in the House and Senate have passed bills to strengthen the Committee on Foreign Investment in the United States, whose mission is to review transactions that may give control of U.S. companies to foreigners.
“Otherwise, Congress has made precious little progress on relatively big-ticket cyber items that were poised for action — or at least a little attention — this spring,” Mitchell writes. “First-ever DHS reauthorization, which would consolidate and elevate the department's cyber functions in a new agency, bogged down after passage by the Senate Homeland Security and Governmental Affairs Committee in March,” he adds. Election security, self-driving cars and data breach notification are also areas where Congress has work left to do, according to Mitchell.
— The “golden age of electronic surveillance” may have passed, said Michael Hayden, former director of the National Security Agency and the CIA, in an interview with Kara Swisher on the Recode Decode podcast. As “enemies” of the United States resort to encryption and other tools to secure communications, Hayden said intelligence professionals may have to increasingly rely on other sources such as human intelligence.
“We might actually now be seeing another shift — you don't stop trying to collect things electronically, but now you realize, you know, that mine has played out a little bit, and maybe we need to start digging over here with the other sources of information,” Hayden told Swisher. “That would be now human intelligence, and again, I come back to where I began, so much is now available that you don't have to steal. Why don't you just look?”
— More cybersecurity news about the public sector:
— Tech industry groups are up in arms against a European data privacy bill, but it's not the General Data Protection Regulation that went into effect on Friday, the New York Times's Natasha Singer writes. It's the ePrivacy Regulation, which the European Parliament approved last fall and the Council of the European Union is reviewing.
“If the current draft prevails, the law will require Skype, WhatsApp, iMessage, video games with player messaging and other electronic services that allow private interactions to obtain people’s explicit permission before placing tracking codes on users' devices or collecting data about their communications,” Singer writes. The Developers Alliance, a group whose members include Facebook, Google, Intel and companies that build apps, said this month that ePrivacy Regulation could result in a loss of more than 550 billion euros, or about $640 billion, in annual revenue, Singer writes.
On the other side of the debate, Birgit Sippel, a German member of the European Parliament who drafted the bill, told Singer that consumers need to seize control of their data away from tech companies. “Do you really want that app to use your metadata? Do you really want them to read your content on a dating app?” Sippel said. “Consumers need to get back control over what is happening with their lives and their data.”
— More cybersecurity news from overseas:
— Two Canadian banks on Monday said “fraudsters” contacted them to claim that they accessed customers' personal and financial information, the Wall Street Journal's Vipal Monga reports. “Bank of Montreal said some personal and financial information for fewer than 50,000 customers may have been stolen,” Monga writes. “Simplii Financial, an online bank unit of Canadian Imperial Bank of Commerce, reported that information for roughly 40,000 customers may have been stolen.” BMO believes the cyberattack originated outside Canada, the bank said in a statement. “There were no signs other Canadian banks were affected,” Monga writes.
— More news about data breaches:
- Code Conference in Rancho Palos Verdes, Calif., today through May 31.
- Dallas CISO Executive Summit Q2 tomorrow.
- Texas Digital Government Summit in Austin tomorrow through May 31.
- SecureWorld Atlanta conference tomorrow through May 31.
- Cyber Threat Intelligence Forum in Washington on May 31.
Trump laid a wreath at the Tomb of the Unknowns on Memorial Day:
Outrage over reports of "missing" immigrant children:
Floodwaters ripped through downtown Ellicott City, Md.: