The potential pitfalls of facial recognition technology are becoming clearer by the day.
The American Civil Liberties Union came out with a report yesterday claiming Amazon’s facial recognition tool misidentified more than two dozen lawmakers during a test conducted by the organization. Recent studies have also shown that the software falsely identifies people of color more often than whites. With all the bad press and growing social awareness, even companies that make this technology are starting to worry: Microsoft just last week called on Congress to regulate facial recognition, citing the potential for abuse by government and corporations.
But the spread and sophistication of these tools may be outpacing Congress’s ability to rein them in. This is a perennial issue for any developing technology, but the stakes are especially high when you consider the risks of people being wrongfully arrested or incarcerated based on a digital mismatch when this technology is in law enforcement's hands. And the longer Congress waits to act, the more time private companies will have to push the boundaries.
“It’s so much of a Wild West right now,” said Rachel Levinson-Waldman, senior counsel at the nonpartisan Brennan Center’s Liberty and National Security Program. And lawmakers are “basically all over the map.”
“There are a lot of resources at the fingertips of elected representatives and their staffs to come up to speed and get an understanding of the scope of this technology,” she added. “But they’re clearly not using that capability.”
There's no federal law governing the use of facial recognition, nor is there anything on the table that would. Congress hasn't held a major hearing dealing with facial recognition in more than a year. By all appearances, most lawmakers are still just getting a grip on how the technology works.
A range of factors may explain the inaction. A well-endowed tech lobby is pushing back against privacy regulations generally. Levinson-Waldman also noted, for example, that Congress mandated the biometric entry-exit the Department of Homeland Security is developing to verify travelers’ identities — so lawmakers might feel like they have “skin in the game,” she said. And, of course, there’s another, simpler explanation: Some members of Congress just aren’t tech-savvy enough to come up with rules for issues they don't fully understand.
The ACLU tried to draw lawmakers’ attention to the issue Thursday by running images of every member of Congress against a mug shot database using Amazon’s “Rekognition” tool. The facial recognition software now in the hands of some local law enforcement incorrectly identified 28 of them as criminal suspects, as my colleague Tony Romm reported. The false identifications were disproportionately people of color, including Rep. John Lewis (D-Ga.) and five other members of the Congressional Black Caucus, according to the ACLU. (Amazon founder and chief executive Jeffrey P. Bezos also owns The Washington Post.)
Shining a light on the false positives could help lawmakers move on the issue, said Jake Laperruque, senior counsel at the nonpartisan Project on Government Oversight's Constitution Project. “It's clear the technology is so pervasive, dangerously inaccurate and just creepy that wanting limits can get bipartisan support,” he told me. “And because of the inaccuracy it's going to connect with people even if they're not alarmed by the serious privacy risks — anyone could be a false positive that pings on a body camera telling an officer that you're a murderer at large or the suspect in an Amber Alert.”
A few of the misidentified lawmakers clearly got the message. Lewis and Rep. Jimmy Gomez (D-Calif.) fired off a letter to Bezos asking for a meeting “to discuss how to address the defects of this technology in order to prevent inaccurate outcomes,” as CNN reported. Sen. Edward J. Markey (D-Mass.) also sent a letter to Amazon calling on the company to answer questions about its software and its relationships with law enforcement.
This is the second time in recent months that lawmakers have raised concerns about Rekognition. In May, the Congressional Black Caucus demanded answers from Amazon about whether it could be used to inappropriately surveil innocent Americans or reinforce racial profiling of black communities.
As of last week, they have an important ally. Microsoft President Brad Smith, whose company makes facial recognition software, warned in a blog post that the technology “raises issues that go to the heart of fundamental human rights protections like privacy and freedom of expression.” He said lawmakers should form a bipartisan and expert commission to study how facial recognition tools are used and recommend new measures
“While some question whether members of Congress have sufficient expertise on technology issues, at Microsoft we believe Congress can address these issues effectively,” he wrote. “The key is for lawmakers to use the right mechanisms to gather expert advice to inform their decision making.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: “U.S. Sen. Claire McCaskill of Missouri, one of the most vulnerable Democrats running for reelection this year, was targeted by Russian government hackers who sought but failed to compromise her Senate computer network,” my colleague Ellen Nakashima reports. “Russia continues to engage in cyber warfare against our democracy,” McCaskill said in a press release Thursday evening. “While this attack was not successful, it is outrageous that they think they can get away with this. I will not be intimidated. I’ve said it before and I will say it again, [Russian President Vladimir] Putin is a thug and a bully.”
The hackers were part of Russia’s military spy agency GRU. Ellen writes: “They targeted two other candidates running in the midterms, according to a Microsoft executive, Tom Burt, who spoke at the Aspen Security Forum in Colorado last week. He did not identify the candidates. None were compromised, he said.” The Daily Beast was first to report on the hack Thursday. “The hackers sent forged notification emails to Senate targets claiming the target’s Microsoft Exchange password had expired, and instructing them to change it,” according to the Daily Beast. “If the target clicked on the link, he or she was taken to a convincing replica of the U.S. Senate’s Active Directory Federation Services (ADFS) login page, a single sign-on point for e-mail and other services.”
PATCHED: “China continues to steal intellectual property and trade secrets from U.S. companies for its own economic advancement and the development of its military but 'at lower volumes' since the two countries forged an agreement in 2015 meant to curb the practice, according to a report published Thursday by American intelligence agencies,” The Washington Post's Shane Harris reported. “The assessment, which also incorporates the findings of private-sector security experts, comes amid roiling trade tension between the U.S. and China that has spawned dueling tariffs on billions of dollars worth of goods.”
The report, which was released by the Office of the Director of National Intelligence's National Counterintelligence and Security Center, identifies China, Russia and Iran “as three of the most capable and active” actors in economic cyberespionage. But foreign countries “with closer ties to the United States” have also engaged in the practice, the report notes. “William Evanina, who heads the counterintelligence center, said China was by far the most aggressive country trying to steal economic information from the United States and was responsible for most of the theft,” Harris reported. “He told reporters Thursday that while other nations, including Russia and Iran, were trying to steal valuable technology to enhance their own economies, 'None of them equals China.'”
PWNED: Facebook's troubles on the stock market this week show that the social network can no longer escape the privacy concerns it has spawned in recent years, The Post's Craig Timberg and Elizabeth Dwoskin reported Thursday. “Worries about the rising costs of privacy regulations and controversies, along with declining growth in users and revenue played a key role in a major Wall Street selloff that started Wednesday night after Facebook reported earnings,” Timberg and Dwoskin wrote. “Facebook’s stock closed down 19 percent Thursday, at its lowest level in nearly three months. The steepness of the decline suggests investors are reevaluating the viability of Facebook’s core business — collecting extensive data on users so that they can better target them with advertising — in a world in which public pressure is mounting for stricter privacy protections.”
Daniel Ives, chief strategy officer and head of technology research at GBH Insights, told The Post that the Cambridge Analytica scandal has taken a toll on the tech giant. “If Cambridge [Analytica] had never happened, I don’t think the worries would be as pronounced. Cambridge has thrown in a whole host of worries around confidence for users, advertisers, and regulators. It creates a murkier picture,” Ives told my colleagues.
— The deal that the Trump administration reached with Chinese telecommunications giant ZTE is set to stand after the House passed the annual defense authorization bill in a 359-to-54 vote on Thursday, The Post's Karoun Demirjian reported. “Instead of reimposing sanctions on the company — a move that officials say would have put it out of business — lawmakers included a less heavy-handed restriction preventing the federal government from buying any products made by ZTE and Huawei, another Chinese telecom company that both Democrats and Republicans believe poses a national security risk,” my colleague wrote. Additionally, the defense bill provides “updated authorities for the Committee on Foreign Investment in the United States, or CFIUS, that some lawmakers have argued will be vital for blocking transactions with companies, including Chinese corporations, that pose national security risks to the country,” Demirjian wrote.
— A coalition of cybersecurity, tech and business groups including the U.S. Chamber of Commerce is calling on senators to pass a cybersecurity bill that would rebrand the Department of Homeland Security's National Protection and Programs Directorate to reflect its focus on cybersecurity and critical infrastructure. “The bill would foster stronger public-private partnerships to better address cyber risks that could jeopardize America’s national security and economic prosperity,” the groups told the Republican and Democratic leaders in the Senate in a letter dated Thursday. (I wrote in greater detail last month about what the bill aims to achieve.)
— The ranking Democrats on the House Administration, Judiciary, Oversight and Homeland Security committees on Thursday asked the Republican chairmen of those House panels to convene a hearing on election security and invite top Trump administration officials to appear before lawmakers. The Democratic lawmakers asked the Republican chairmen to invite FBI Director Christopher A. Wray, Homeland Security Secretary Kirstjen Nielsen, Director of National Intelligence Daniel Coats, Deputy Attorney General Rod J. Rosenstein and Election Assistance Commission Chairman Thomas Hicks to testify. “We are under attack and the very foundation of our democracy is at stake,” Reps. Robert A. Brady (D-Pa.), Jerrold Nadler (D-N.Y.), Elijah E. Cummings (D-Md.) and Bennie Thompson (D-Miss.) wrote in a letter. “We urge you to put aside partisan politics and work with us to protect and defend our country from this ongoing attack.”
— U.S. and Japanese officials on Thursday took part in the sixth United States-Japan Cyber Dialogue in Washington. “The United States and Japan reinforced mutual understandings on a wide range of cyber issues, including our shared commitment to deter cyber adversaries and malicious cyber activities, to protect the cybersecurity of critical infrastructure, to enhance information sharing, to improve military-to-military cyber cooperation, and to address international security issues in cyberspace,” the State Department said in a release.
- The Department of Homeland Security hosts a National Cybersecurity Summit on July 31 in New York.
- Senate Commerce subcommittee hearing on “global Internet governance” on July 31.
- Black Hat USA security conference on Aug. 8 through Aug. 9 in Las Vegas.
- DEF CON security conference on Aug. 9 through Aug. 12 in Las Vegas.
Trump mocks media coverage of his Russia comments:
Can Bose's noise-masking Sleepbuds really help you sleep?
Protesters in Spain attack ride-share car with customers inside: