THE KEY

Police responding to the mass shooting at the Capital Gazette newspaper in Annapolis faced a perfect storm of problems when they took the suspected gunman into custody: The man had no identification, he wouldn’t speak to investigators, and a fingerprint database wasn’t producing results.

But they had a backup plan: Investigators ran his photo in Maryland’s state-of-the-art facial recognition database. The system quickly returned a match.

The case appears to represent a highly successful deployment of the controversial technology, saving investigators critical time as they scrambled to identify a suspect and find out whether he was working alone. And it could boost arguments from law enforcement in favor of facial recognition at a time when systems such as Maryland’s have fallen under intense criticism from privacy advocates and civil rights groups who say they could be used to surveil innocent people or reinforce racial profiling. Proponents of the technology will surely point to it as a compelling example of the value such systems could offer police departments.

“This sensational case will probably awaken and create an awareness that will bring a lot more attention” to facial recognition systems among law enforcement agencies that haven’t adopted them, said Tom Joyce, a former lieutenant commander with the New York City Police Department’s cold case squad.

“It’s an extremely progressive idea, and it’s really important to the investigation to accelerate the case,” said Joyce, now vice president of Vigilant Solutions, which offers facial recognition services and other digital tools to law enforcement agencies. “You don’t know if he’s working alone. You don’t know if he’s got other victims. And you want to rapidly bring those to resolution. This was a great application of that.”

Maryland police were able to identify the man they say fatally shot five Capital Gazette staff members Thursday by feeding his picture into the Maryland Image Repository System, or MIRS, as my colleague Justin Jouvenal reported. The system uses algorithms to scan for a match across tens of millions of images from driver's licenses, offender photos and mug shots from an FBI database.

Police officials said facial recognition was their best option for identifying the alleged shooter, Jarrod Ramos, after the fingerprint database was slow to return a hit. In a news conference the morning after the shooting, Anne Arundel County Police Chief Timothy Altomare acknowledged the state's system had “come under fire from civil libertarians,” but said the investigation would otherwise have taken “much longer.”

“It was a huge win for us last night and thus for the citizens of Anne Arundel County,” Altomare told reporters.

“The facial recognition system performed as designed,” Stephen T. Moyer, secretary of Maryland’s Department of Public Safety and Correctional Services (DPSCS), told Justin in a statement. “It has been and continues to be a valuable tool for fighting crime in our state.”

But critics of the technology say not every case is as straightforward as this one. They also note that facial recognition systems tend to misidentify African Americans more often than whites and could allow police to conduct real-time surveillance against people not suspected of crimes.

“While the method seems to have performed well in Ramos’ case, there are still significant civil liberties concerns around the way police use MIRS,” wrote Russell Brandom of The Verge. “Police are supposed to remove people who were arrested but found innocent, but since the system is rarely audited, it’s hard to say if that’s actually happening. There are also racial justice concerns, given racial disparities in rates of arrests, compounded by higher error rates for African Americans in many facial recognition algorithms.”

In the wake of the shooting, Samuel Sinyangwe, a prominent racial justice activist and data scientist, pointed out there are few checks on how police use systems such as Maryland's.

And the Electronic Frontier Foundation, a digital rights organization, said that even flawless facial recognition would bring major privacy concerns.

Meanwhile, Clint Watts, a former FBI agent and senior fellow at George Washington University's Center for Cyber and Homeland Security, wondered why police couldn't have identified the suspect through other means.

Concerns such as those have dominated an escalating debate over facial recognition that has unfolded in recent weeks. 

In May, privacy groups and several House lawmakers called on Amazon to reconsider selling powerful facial recognition software at a bargain price to law enforcement, as I've reported. They said the service, known as Rekognition, could be used to inappropriately surveil innocent Americans and exacerbate racial profiling in black communities. Amid the pressure, the Orlando Police Department said last week it wouldn't immediately renew a pilot program for the service, as my colleague Hamza Shaban reported.

Even a prominent facial recognition entrepreneur says he's worried about abuse. In a widely shared commentary for TechCrunch last week, Brian Brackeen, the chief executive of the facial-recognition company Kairos, wrote that he wouldn't sell his tools to police because the technology contained biases against people of color. He urged others to follow suit. “In a social climate wracked with protests and angst around disproportionate prison populations and police misconduct,” he wrote, “engaging software that is clearly not ready for civil use in law enforcement activities does not serve citizens, and will only lead to further unrest.”

PINGED, PATCHED, PWNED

PINGED: Attorney General Jeff Sessions quoted from hacked material published by WikiLeaks in a swipe at Hillary Clinton during a recent speech, The Washington Post's Matt Zapotosky and Michael Scherer reported on Saturday. Sessions referenced a “secret speech” Clinton gave in 2013 mentioning a “hemispheric common market, with open trade and open borders,” saying “this is the presidential nominee of a major political party.”

“What the attorney general didn’t say: The text of Clinton’s 'secret speech' was known publicly only because of hacked emails published by the WikiLeaks organization, which is being investigated by Sessions’s Justice Department,” Zapotosky and Scherer wrote.

Sessions's remarks raised questions about whether it's acceptable for government officials to use stolen material to make political points. Democratic Congressional Campaign Committee Chairman Ben Ray Luján (N.M.) and National Republican Congressional Committee Chairman Steve Stivers (Ohio) expressed differing views on the matter, according to Zapotosky and Scherer. Luján said last month that hacked information should be off-limits, while Stivers said it was okay to use if it is already “in the public domain” and accurate, my colleagues reported. “Since then, Stivers and Luján have met privately to discuss election security, including how to handle any future cyberattacks,” my colleagues wrote.

PATCHED: Facebook told Congress on Friday that it shared user information with 52 companies including Apple, Amazon.com and Chinese tech giant Huawei, The Post's Craig Timberg and Tony Romm report. “The acknowledgment, which came in more than 700 pages of replies to the House Energy and Commerce Committee, is the fullest to date regarding reports that Facebook shared user data with some companies for years after it stopped doing so with most app makers,” Timberg and Romm write. “Some of the partnerships continued into this year, and some continue to this day, the documents say.” Facebook has terminated 38 of those agreements and intends to end another seven by the end of the month and then another one by the end of October, according to the documents that the company provided to lawmakers.

My colleagues report that even though Facebook submitted 747 pages of responses to lawmakers, the social network did not answer all of the lawmakers' queries. “It didn’t say why Facebook didn’t audit apps such as the one at the heart of the Cambridge Analytica controversy years before it became the subject of international scrutiny, for example, or provide the names of company employees who were responsible for the lack of oversight,” according to Timberg and Romm. “Facebook couldn’t specify how many users actually read or accessed its terms-of-use policies in response to a question from Rep. Michael C. Burgess (R-Tex.).”

PWNED: A group of cybersecurity experts said last week that the termination of the White House cybersecurity coordinator position should leave the public “significantly concerned,” Nextgov's Joseph Marks reported Friday. Politico reported in May that the Trump administration ended the position. “The elimination was greeted with consternation by many cyber analysts who believed the job, which encompasses government cyber protections, international cyber negotiations and broad U.S. cyber policy, was too complex to be subsumed into broader White House operations,” Marks wrote. “That opinion was shared by a majority of about 25 cybersecurity policy leaders gathered by the Atlantic Council think tank Tuesday.”

The Trump administration's decision to cancel the position has also frustrated some lawmakers on Capitol Hill. Rep. Debbie Dingell (D-Mich.) and seven other House Democrats in May asked President Trump not to eliminate the cybersecurity coordinator job. “It should come as no surprise that nation-states and criminals will keep attacking us and our allies and it is vital that we have the best people working on these problems, with a visible figurehead that other government agencies, the private sector, and our allies can turn to for guidance,” they wrote in a letter released on May 17. And last week, Sen. Angus King (I-Maine) asked Karen S. Evans, a Trump nominee for a top cyber position at the Energy Department, to “urge the administration to think about a cyber coordination function.”

— More cybersecurity news:

U.S. President Donald Trump will press Russian leader Vladimir Putin on Moscow's denial of meddling in the 2016 presidential election when the two leaders meet next month, national security adviser John Bolton said on Sunday. (Reuters)

A draft of the document says American telecommunications companies are “attractive targets for espionage, sabotage and foreign interference activity.” (National Security, by Shane Harris, David J. Lynch and Josh Dawsey)

The ACLU has been trying to challenge the NSA's bulk surveillance for years. A hearing in Wikimedia v. NSA Friday could mark a breakthrough. (Wired)

PUBLIC KEY

— “A federal judge has approved a request to tightly control how evidence is shared with a Russian company accused of funding an Internet trolling operation to mislead American voters in the 2016 election,” The Post's Spencer S. Hsu reported Saturday. “The dispute over how to protect sensitive materials from disclosure had threatened to stall prosecution of the sole defendant to appear in court to face charges in the indictment of Russian entities under special counsel Robert S. Mueller III.” Concord Management and Consulting as well as 13 Russians and two other companies were indicted in February over charges of interference in U.S. politics and the 2016 election.

— Legislation directing businesses to disclose data breaches went into effect on Sunday in South Dakota, the Associated Press's James Nord reported. “If your Social Security number is stolen from a company, you’ve likely got a better chance of being warned,” Nord wrote. “A new law requires state residents be notified within 60 days of a data breach’s discovery, with some exceptions. The law also requires companies to inform the attorney general if a breach affects over 250 residents.”

— Data on more than 500 people may have been breached when a computer belonging to the Alaska Division of Public Assistance was hacked in April, StateScoop's Benjamin Freed reported last week. “The breach occurred April 26 when an agency computer in far northern Alaska was infected with malware known as Zeus, or sometimes Zbot,” Freed writes. “An investigation conducted by a security team from the state Department of Health and Social Services, the public assistance office's parent agency, determined that the computer had unauthorized software installed on it.”

— The city of Portsmouth, N.H., spent more than $150,000 to combat malware that infected its computer system earlier this year, the Portsmouth Herald’s Elizabeth Dinan reported last week. “The municipal computer problems began March 14 and the virus was identified as a Trojan horse malware named Emotet,” according to Dinan. “City officials said the malware was used to send imposter emails, that falsely appeared to be from city officials, in an effort to solicit money from local recipients.”

— More cybersecurity news from the public sector:

In the long term, large government contracts and cutting-edge projects will be hard for tech companies to resist. (Foreign Policy)

Charles Rettig, the Trump administration's pick to lead the IRS, told lawmakers at his June 28 confirmation hearing that the tax agency's legacy tech is one of its most critical challenges. (FCW)

"The City upon receiving a request for documents must first do an adequate search…" (Ars Technica)

PRIVATE KEY

— Tinder says it has strengthened the privacy of the dating app's users, the Hill's Olivia Beavers reported Friday. “Match Group Inc., the company that operates Tinder, told Sen. Ron Wyden (D-Ore.) in a letter dated Wednesday that its swiping data and images on the application are better protected against malicious hackers looking to access such information,” Beavers wrote.

— More cybersecurity news from the private sector:

The three-year grant is from the National Science Foundation, according to Howard. (Grade Point, by Sarah Larimer)

SECURITY FAILS

— Data on thousands of law enforcement officials leaked in a security breach, ZDNet’s Zack Whittaker reported Friday. “The cache of data contained identifiable information on local and state police officers, and federal agents, who sought out or underwent active shooter response training in the past few years,” according to Whittaker. “The backend database powers the website of Advanced Law Enforcement Rapid Response Training -- known as ALERRT -- at Texas State University.”

THE NEW WILD WEST

— Hacking goes both ways between the United States and North Korea. “In recent years, the United States, through imagery and computer hacking, has improved its intelligence collection in North Korea,” according to The Post’s Ellen Nakashima and Joby Warrick. My colleagues report that the North Korean regime isn’t planning to get rid of all its nuclear weapons despite Trump’s claim in a tweet last month that “there is no longer a nuclear threat from North Korea.”

— More cybersecurity news from abroad:

Trying to break into semiconductor markets, mainland companies are accused of poaching employees and stealing data. China watchers say the threat is growing and is also part of an effort to undermine a political rival. (The Wall Street Journal)

ZERO DAYBOOK

Coming soon
