Police responding to the mass shooting at the Capital Gazette newspaper in Annapolis faced a perfect storm of problems when they took the suspected gunman into custody: The man had no identification, he wouldn’t speak to investigators, and a fingerprint database wasn’t producing results.
But they had a backup plan: Investigators ran his photo in Maryland’s state-of-the-art facial recognition database. The system quickly returned a match.
The case appears to represent a highly successful deployment of the controversial technology, saving investigators critical time as they scrambled to identify a suspect and find out whether he was working alone. And it could boost arguments from law enforcement in favor of facial recognition at a time when systems such as Maryland’s have fallen under intense criticism from privacy advocates and civil rights groups who say they could be used to surveil innocent people or reinforce racial profiling. Proponents of the technology will surely point to it as a compelling example of the value such systems could offer police departments.
“This sensational case will probably awaken and create an awareness that will bring a lot more attention” to facial recognition systems among law enforcement agencies that haven’t adopted them, said Tom Joyce, a former lieutenant commander with the New York City Police Department’s cold case squad.
“It’s an extremely progressive idea, and it’s really important to the investigation to accelerate the case,” said Joyce, now vice president of Vigilant Solutions, which offers facial recognition services and other digital tools to law enforcement agencies. “You don’t know if he’s working alone. You don’t know if he’s got other victims. And you want to rapidly bring those to resolution. This was a great application of that.”
Maryland police were able to identify the man they say fatally shot five Capital Gazette staff members Thursday by feeding his picture into the Maryland Image Repository System, or MIRS, as my colleague Justin Jouvenal reported. The system uses algorithms to scan for a match across tens of millions of images from driver's licenses, offender photos and mug shots from an FBI database.
Police officials said facial recognition was their best option for identifying the alleged shooter, Jarrod Ramos, after the fingerprint database was slow to return a hit. In a news conference the morning after the shooting, Anne Arundel County Police Chief Timothy Altomare acknowledged the state's system had “come under fire from civil libertarians,” but said the investigation would otherwise have taken "much longer."
“It was a huge win for us last night and thus for the citizens of Anne Arundel County,” Altomare told reporters.
Altomare on using facial recognition tech to identify the shooting suspect: "We had lag getting answers on fingerprints is all I can tell you. That's probably why the unnamed senior law enforcement source ... said that because they read lag as some sort of attempt on his part." pic.twitter.com/xzXL36TZ8M— CBS News (@CBSNews) June 29, 2018
“The facial recognition system performed as designed,” Stephen T. Moyer, secretary of Maryland’s Department of Public Safety and Correctional Services (DPSCS), told Justin in a statement. “It has been and continues to be a valuable tool for fighting crime in our state.”
But critics of the technology say not every case is as straightforward as this one. They also note that facial recognition systems tend to misidentify African Americans more often than whites and could allow police to conduct real-time surveillance against people not suspected of crimes.
“While the method seems to have performed well in Ramos’ case, there are still significant civil liberties concerns around the way police use MIRS,” wrote Russell Brandom of The Verge. “Police are supposed to remove people who were arrested but found innocent, but since the system is rarely audited, it’s hard to say if that’s actually happening. There are also racial justice concerns, given racial disparities in rates of arrests, compounded by higher error rates for African Americans in many facial recognition algorithms.”
In the wake of the shooting, Samuel Sinyangwe, a prominent racial justice activist and data scientist, pointed out there are few checks on how police use systems such as Maryland's:
Note that half of all US adults are in facial recognition databases and there is very little oversight, testing for accuracy, or limits on how police use this software. https://t.co/ZaEsFtqviv https://t.co/lOHi7omIms— Samuel Sinyangwe (@samswey) June 28, 2018
And the Electronic Frontier Foundation, a digital rights organization, said that even flawless facial recognition would bring major privacy concerns:
Let’s say facial recognition improves—that it produces correct matches 100% of the time. Then what? Well, it means we can’t walk around “without the government knowing who we are, where we are, and who we’re talking to,” explains EFF’s Jen Lynch. https://t.co/GUuhNdqb3m— EFF (@EFF) July 1, 2018
Meanwhile, Clint Watts, a former FBI agent and senior fellow at George Washington University's Center for Cyber and Homeland Security, wondered why police couldn't have identified the suspect through other means:
Maybe there’s an investigative reason I’m not aware of, but if suspect has gone to this level of effort to hide his identity, facial recognition might be tougher than one thinks. Particularly if he’s not on social media.— Clint Watts (@selectedwisdom) June 28, 2018
Concerns such as those have dominated an escalating debate over facial recognition that has unfolded in recent weeks.
In May, privacy groups and several House lawmakers called on Amazon to reconsider selling powerful facial recognition software at a bargain price to law enforcement, as I've reported. They said the service, known as Rekognition, could be used to inappropriately surveil innocent Americans and exacerbate racial profiling in black communities. Amid the pressure, the Orlando Police Department said last week it wouldn't immediately renew a pilot program for the service, as my colleague Hamza Shaban reported.
Even a prominent facial recognition entrepreneur says he's worried about abuse. In a widely shared commentary for TechCrunch last week, Brian Brackeen, the chief executive of the facial-recognition company Kairos, wrote that he wouldn't sell his tools to police because the technology contained biases against people of color. He urged others to follow suit. “In a social climate wracked with protests and angst around disproportionate prison populations and police misconduct,” he wrote, “engaging software that is clearly not ready for civil use in law enforcement activities does not serve citizens, and will only lead to further unrest.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: Attorney General Jeff Sessions quoted from hacked material published by WikiLeaks in a swipe at Hillary Clinton during a recent speech, The Washington Post's Matt Zapotosky and Michael Scherer reported on Saturday. Sessions referenced a “secret speech” Clinton gave in 2013 mentioning a “hemispheric common market, with open trade and open borders," saying “this is the presidential nominee of a major political party."
“What the attorney general didn’t say: The text of Clinton’s 'secret speech' was known publicly only because of hacked emails published by the WikiLeaks organization, which is being investigated by Sessions’s Justice Department,” Zapotosky and Scherer wrote.
Sessions's remarks raised questions about whether it's acceptable for government officials to use stolen material to make political points. Democratic Congressional Campaign Committee Chairman Ben Ray Luján (N.M.) and National Republican Congressional Committee Chairman Steve Stivers (Ohio) expressed differing views on the matter, according to Zapotosky and Scherer. Luján said last month that hacked information should be off-limits, while Stivers said it was okay to use if it is already “in the public domain” and accurate, my colleagues reported. “Since then, Stivers and Luján have met privately to discuss election security, including how to handle any future cyberattacks,” my colleagues wrote.
PATCHED: Facebook told Congress on Friday that it shared user information with 52 companies including Apple, Amazon.com and Chinese tech giant Huawei, The Post's Craig Timberg and Tony Romm report. “The acknowledgment, which came in more than 700 pages of replies to the House Energy and Commerce Committee, is the fullest to date regarding reports that Facebook shared user data with some companies for years after it stopped doing so with most app makers,” Timberg and Romm write. “Some of the partnerships continued into this year, and some continue to this day, the documents say.” Facebook has terminated 38 of those agreements and intends to end another seven by the end of the month and then another one by the end of October, according to the documents that the company provided to lawmakers.
My colleagues report that even though Facebook submitted 747 pages of responses to lawmakers, the social network did not answer all of the lawmakers' queries. “It didn’t say why Facebook didn’t audit apps such as the one at the heart of the Cambridge Analytica controversy years before it became the subject of international scrutiny, for example, or provide the names of company employees who were responsible for the lack of oversight,” according to Timberg and Romm. “Facebook couldn’t specify how many users actually read or accessed its terms-of-use policies in response to a question from Rep. Michael C. Burgess (R-Tex.).”
PWNED: A group of cybersecurity experts said last week that the termination of the White House cybersecurity coordinator position should leave the public “significantly concerned,” Nextgov's Joseph Marks reported Friday. Politico reported in May that the Trump administration ended the position. “The elimination was greeted with consternation by many cyber analysts who believed the job, which encompasses government cyber protections, international cyber negotiations and broad U.S. cyber policy, was too complex to be subsumed into broader White House operations,” Marks wrote. “That opinion was shared by a majority of about 25 cybersecurity policy leaders gathered by the Atlantic Council think tank Tuesday.”
The Trump administration's decision to cancel the position has also frustrated some lawmakers on Capitol Hill. Rep. Debbie Dingell (D-Mich.) and seven other House Democrats in May asked President Trump not to eliminate the cybersecurity coordinator job. “It should come as no surprise that nation-states and criminals will keep attacking us and our allies and it is vital that we have the best people working on these problems, with a visible figurehead that other government agencies, the private sector, and our allies can turn to for guidance,” they wrote in a letter released on May 17. And last week, Sen. Angus King (I-Maine) asked Karen S. Evans, a Trump nominee for a top cyber position at the Energy Department, to “urge the administration to think about a cyber coordination function.”
— More cybersecurity news:
— “A federal judge has approved a request to tightly control how evidence is shared with a Russian company accused of funding an Internet trolling operation to mislead American voters in the 2016 election,” The Post's Spencer S. Hsu reported Saturday. “The dispute over how to protect sensitive materials from disclosure had threatened to stall prosecution of the sole defendant to appear in court to face charges in the indictment of Russian entities under special counsel Robert S. Mueller III.” Concord Management and Consulting as well as 13 Russians and two other companies were indicted in February over charges of interference in U.S. politics and the 2016 election.
— Legislation directing businesses to disclose data breaches went into effect on Sunday in South Dakota, the Associated Press's James Nord reported. “If your Social Security number is stolen from a company, you’ve likely got a better chance of being warned,” Nord wrote. “A new law requires state residents be notified within 60 days of a data breach’s discovery, with some exceptions. The law also requires companies to inform the attorney general if a breach affects over 250 residents.”
— Data on more than 500 people may have been breached when a computer belonging to the Alaska Division of Public Assistance was hacked in April, StateScoop's Benjamin Freed reported last week. “The breach occurred April 26 when an agency computer in far northern Alaska was infected with malware known as Zeus, or sometimes Zbot,” Freed writes. “An investigation conducted by a security team from the state Department of Health and Social Services, the public assistance office's parent agency, determined that the computer had unauthorized software installed on it.”
— The city of Portsmouth, N.H., spent more than $150,000 to combat malware that infected its computer system earlier this year, the Portsmouth Herald’s Elizabeth Dinan reported last week. “The municipal computer problems began March 14 and the virus was identified as a Trojan horse malware named Emotet,” according to Dinan. “City officials said the malware was used to send imposter emails, that falsely appeared to be from city officials, in an effort to solicit money from local recipients.”
— Tinder says it has strengthened the privacy of the dating app's users, the Hill's Olivia Beavers reported Friday. “Match Group Inc., the company that operates Tinder, told Sen. Ron Wyden (D-Ore.) in a letter dated Wednesday that its swiping data and images on the application are better protected against malicious hackers looking to access such information,” Beavers wrote.
— Data on thousands of law enforcement officials leaked in a security breach, ZDNet’s Zack Whittaker reported Friday. “The cache of data contained identifiable information on local and state police officers, and federal agents, who sought out or underwent active shooter response training in the past few years,” according to Whittaker. “The backend database powers the website of Advanced Law Enforcement Rapid Response Training -- known as ALERRT -- at Texas State University.”
— Hacking goes both ways between the United States and North Korea. “In recent years, the United States, through imagery and computer hacking, has improved its intelligence collection in North Korea,” according to The Post’s Ellen Nakashima and Joby Warrick. My colleagues report that the North Korean regime isn’t planning to get rid of all its nuclear weapons despite Trump’s claim in a tweet last month that “there is no longer a nuclear threat from North Korea.”
Just landed - a long trip, but everybody can now feel much safer than the day I took office. There is no longer a Nuclear Threat from North Korea. Meeting with Kim Jong Un was an interesting and very positive experience. North Korea has great potential for the future!— Donald J. Trump (@realDonaldTrump) June 13, 2018
- National Homeland Security Conference in New York on July 9 through July 12.
- IoT Global Innovation Forum in Portland, Ore., on July 10 through July 11.
- House Homeland Security Committee hearing on the protection of election systems and other critical infrastructure on July 11.
- Two House Homeland Security subcommittees hold a joint hearing on supply chain threats on July 12.
- National Association of Secretaries of State 2018 Summer Conference in Philadelphia on July 13 through July 16.