- Email: [email protected]
Hackers steal swathes of US Government facial data
NEWS facial recognition Editorial Office: Elsevier Ltd The Boulevard Langford Lane Kidlington Oxford OX5 1GB, UK Tel: +44 1865 843239 Email: [email protected] Website: www.biometricstoday.com Publishing Director: Sarah Jenkins Editor: Tim Ring Email: [email protected] Production Support Manager: Lin Lucas Email: [email protected] Subscription Information An annual subscription to Biometric Technology Today includes 10 issues and online access for up to 5 users. Subscriptions run for 12 months, from the date payment is received. More information: www.elsevier.com/journals/institutional/biometric-technology-today/0969-4765 This newsletter and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use: Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, email: [email protected]. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments. Derivative Works Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations. Electronic Storage or Usage Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and email addresses noted above. Notice No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made.Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.
12985 Digitally Produced by Mayfield Press (Oxford) Ltd
2
Biometric Technology Today
Aegis ‘school shooter’ facial detection system sparks row
S
chools in the US’s Lockport City, New York have been stopped from using the Aegis facial recognition system – which could alert them to the presence of sex offenders and guns carried by ‘school shooters’. Last month, the Lockport School District education body announced that it was starting to implement Aegis, with full rollout due to take place from 1 September, according to the Lockport Union-Sun and Journal. But the New York State (NYS) Education Department quickly stepped in to halt the trial. The Department said it had “directed the Lockport School District to cease the testing and utilisation of facial recognition technology until further notice”, after an apparent misunderstanding over whether it could go ahead, reports WKBW and other media. The Department added: “Our staff have consistently communicated to the District that they should refrain from the use of the facial recognition technology until the Department is satisfied that proper protocols and protections are in place. Any testing or implementation that may be occurring is being done contrary to clear direction from the Department.” Aegis is supplied by Ontario, Canada-based SN Technologies. The suite includes Sentry, a facial recognition tool that operates ‘on the fly’ and can alert school officials if anyone from the local Sex Offenders Registry enters a school, as well as suspended students, fired employees or known gang members. The suite also features Protector, a shape recognition tool that alerts officials if any of the top 10 guns used in school shootings are recognised – such as semi-automatic and revolver handguns, pump shotguns or an AR 15-type rifle. SN said: “In the US, there have been wellpublicised shootings at schools which resulted in the deaths and injuries to hundreds of children. Many state governments have set aside funding for individual schools to use technology for a safer school environment.” Lockport schools superintendent Michelle Bradley directly referred to this feature when she informed parents about the planned adoption of Aegis, according to The Guardian. But the planned rollout raised privacy fears, including from the New York Civil Liberties Union (NYCLU) – which insists that Lockport’s implementation of Aegis
could still go ahead in September despite the state ban. NYCLU pointed out that Aegis can store images of suspended students, despite there being racial disparities in suspension rates in the Lockport District. It claims that in the 2015-2016 school year, 25% of students who were suspended were black, but black students made up just 12% of enrolment.
cyber-crime
Hackers steal swathes of US Government facial data
B
iometric data on tens of thousands of travellers collected by the US Customs and Border Protection (CBP) agency has been stolen, highlighting the vulnerability of such data when it is centrally stored. The hacked information was the facial and licence plate images of travellers crossing the US southern border. After investigating, CBP said the data had been lost by a subcontractor company that failed to secure it properly. CBP said the company had “violated mandatory security and privacy protocols outlined in their contract” and had “without CBP’s authorisation or knowledge transferred copies of licence plate images and traveller images collected by CBP to its company network. The network was subsequently compromised by a malicious cyber-attack”. Unconfirmed reports in The Register, Washington Post and other media suggest the subcontractor concerned is Perceptics, which supplies vehicle identification and licence plate recognition technology to state and national governments worldwide for border control and security. The company claims it has secured thousands of border checkpoints and its products automate over 200 million vehicle inspections annually. Following the breach, the Washington Post, CNN and other media have claimed that Perceptics has now been found “preliminarily ineligible” to conduct business with the US federal government, pending a final decision, based on “evidence of conduct indicating a lack of business honesty or integrity”. Whoever is at fault, the incident has underlined the vulnerability of centrally stored biometric data. As a result, the American Civil Liberties Union (ACLU) privacy campaign group has said the CBP should stop rolling out new facial recognition systems. Neema Singh Guliani, a senior lawyer with ACLU, said: “This breach comes just as CBP
July/August 2019
NEWS research
Game of Guess Who? Researchers use DNA to identify a face US southern border: the facial and licence plate images of tens of thousands of travellers crossing it were cyber-hacked.
seeks to expand its massive face recognition apparatus and collection of sensitive information from travellers, including licence plate information and social media identifiers. This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place.” But security industry expert Irra Ariella Khi, CEO of VChain Technologies, said such breaches could be prevented by focusing on how facial data is stored, and securing it via encryption. She commented: “Facial recognition technology has been widely adopted, but government agencies the world over have been much slower at adopting the technology that allows the safe storage, transfer and verification of that data. Without that vital security element, data can too easily fall into malicious hands and expose governments and citizens alike. “It is not hard to identify the mistakes that were made in this case. This highly sensitive personally identifiable information should not have been either exposed to or stored as a copy by the subcontractor in a central, thirdparty database. While none of the CBP’s own systems were compromised, this also would have been avoided if the images were stored or shared in a way that made the original images inaccessible. All data of this level of sensitivity should be obscured – encrypted and unrecognisable – before being shared, stored or transferred.” Also commenting, BitSight VP of government affairs Jake Olcott, who previously served as legal advisor to the House of Representatives Homeland Security Committee, said: “All government agencies are at high risk of data breach through their third-party contractors. Government agencies have been spending too much time focused on protecting their own networks that they’ve virtually ignored the evolving threat landscape. The first step is to gain visibility into the security posture of critical third-party contractors – immediately.”
July/August 2019
R
esearchers from Belgium and the US have found a way to use any DNA captured at a crime scene to build an image of the suspect’s face – and they liken their technique to the game Guess Who? In a paper published in Nature Communications, the KU Leuven-led team said that a person’s physical appearance, including their face, is hardwired into their genetic material. But other factors are also at play – meaning there are limits as to how accurately crime investigators could draw someone’s face, based on a sample of their DNA. Lead study author Peter Claes of KU Leuven explained: “The shape of our face is determined by thousands of genes, but also by the food we eat and other living conditions. Therefore, it is unlikely that we will ever be able to accurately predict a lifelike face from DNA alone.” To get round this, Claes’s team have developed a reverse approach that works better: “Instead of going from DNA to face, we’re trying to go from face to DNA,” he said. “Using special software, we measure each face and check if this face is a possible outcome based on a unique bit of DNA. “It then becomes a game of Guess Who? If the face is male and the DNA says it is a woman, all the men are eliminated. If the hair is blond and the genetic material confirms this, that eliminates all other hair colours. The more genes we identify, the more accurate this method becomes, and it will only continue to improve as our knowledge of the relevant genes grows.” The result is that investigators can check if the profiled face matches any in their database of suspects. Elsewhere, MIT researchers have similarly found a way to create the facial image of an individual simply from a recording of their voice. In their recently published Speech2Face paper, the MIT team explain how they built and then trained a deep neural network that could reconstruct a person’s facial image from short recordings of them speaking. Using millions of YouTube videos, their model learned enough voice and face correlations to produce images that captured physical attributes such as the speaker’s age, gender and ethnicity. “We have demonstrated that our method can predict plausible faces with the facial attributes consistent with those of real images,” they report. The seven researchers involved
EVENTS CALENDAR 9–11 September 2019
Digital Identity Summit 2019
Los Angeles, USA This event explores best practices in the commercial application of digital identities, and the approaches needed to prevent cyber-criminals from gaining access to bank accounts and making fraudulent transactions, without increasing friction and false positives. The summit will feature speakers from leading e-commerce, financial services and payments organisations, giving attendees access to crowdsourced, cross-industry shared intelligence about digital identities. It will also offer hands-on demonstrations and networking opportunities for business people looking to drive secure, profitable growth through digital channels. More information: https://www.digitalidentitysummit.com/
17 September 2019 IDM Europe
Van Der Valk Hotel, Utrecht, The Netherlands Billed as Europe’s leading identity and access management (IAM) conference, IDM is aimed at senior risk management, security and IAM professionals across government and large enterprise organisations. It will examine how businesses can protect their critical data assets and ensure regulatory compliance, while embracing disruptive technologies like AI and big data, IoT and blockchain. The conference will cover key trends in digital identity and strategies to create secure IAM infrastructures. Featured topics will include machine learning and IAM, understanding the evolving nature of trust and digital identity, encryption techniques, privileged account management, multi-factor authentication, self-service IAM and single sign-on (SSO) capabilities. Other areas covered include managing entitlements, credentials, privileges, duties and roles; federated access management; intelligent API security; and effective data management and security. More information: https://whitehallmedia.co.uk/idmeuropesep2019/
26–27 September 2019 Ecommerce Expo
Olympia, London, UK This two-day exhibition and conference is billed as Europe’s largest retail event. The conference programme will focus on subjects including omni-channel and cross-border e-commerce, delivery and logistics, and personalisation. More information: https://www.ecommerceexpo.co.uk/
29–30 October 2019
Biometrics Institute Congress 2019
London, UK This Congress provides an off-the-record forum where the international biometrics community can discuss issues such as the ethical use of biometrics, digital identity, technology innovation, consumer biometrics, intelligent borders, and biometrics for social enablement. It is part of Biometrics Week 2019 (28 October-1 November) and is accompanied by satellite events on either side. Last year’s Congress had attendees from 30 countries. This year’s speakers include UK Biometrics Commissioner Paul Wiles; John Boyd, assistant director in the US Department of Homeland Security; Silkie Carlo, director of campaign group Big Brother Watch; and Patrick Grother, NIST’s head of biometric standards and testing. More information: https://www.biometricsinstitute.org/event/biometrics-congress-2019/
News continued on page 11....
Biometric Technology Today
3
12985 Digitally Produced by Mayfield Press (Oxford) Ltd
2
Biometric Technology Today
Aegis ‘school shooter’ facial detection system sparks row
S
chools in the US’s Lockport City, New York have been stopped from using the Aegis facial recognition system – which could alert them to the presence of sex offenders and guns carried by ‘school shooters’. Last month, the Lockport School District education body announced that it was starting to implement Aegis, with full rollout due to take place from 1 September, according to the Lockport Union-Sun and Journal. But the New York State (NYS) Education Department quickly stepped in to halt the trial. The Department said it had “directed the Lockport School District to cease the testing and utilisation of facial recognition technology until further notice”, after an apparent misunderstanding over whether it could go ahead, reports WKBW and other media. The Department added: “Our staff have consistently communicated to the District that they should refrain from the use of the facial recognition technology until the Department is satisfied that proper protocols and protections are in place. Any testing or implementation that may be occurring is being done contrary to clear direction from the Department.” Aegis is supplied by Ontario, Canada-based SN Technologies. The suite includes Sentry, a facial recognition tool that operates ‘on the fly’ and can alert school officials if anyone from the local Sex Offenders Registry enters a school, as well as suspended students, fired employees or known gang members. The suite also features Protector, a shape recognition tool that alerts officials if any of the top 10 guns used in school shootings are recognised – such as semi-automatic and revolver handguns, pump shotguns or an AR 15-type rifle. SN said: “In the US, there have been wellpublicised shootings at schools which resulted in the deaths and injuries to hundreds of children. Many state governments have set aside funding for individual schools to use technology for a safer school environment.” Lockport schools superintendent Michelle Bradley directly referred to this feature when she informed parents about the planned adoption of Aegis, according to The Guardian. But the planned rollout raised privacy fears, including from the New York Civil Liberties Union (NYCLU) – which insists that Lockport’s implementation of Aegis
could still go ahead in September despite the state ban. NYCLU pointed out that Aegis can store images of suspended students, despite there being racial disparities in suspension rates in the Lockport District. It claims that in the 2015-2016 school year, 25% of students who were suspended were black, but black students made up just 12% of enrolment.
cyber-crime
Hackers steal swathes of US Government facial data
B
iometric data on tens of thousands of travellers collected by the US Customs and Border Protection (CBP) agency has been stolen, highlighting the vulnerability of such data when it is centrally stored. The hacked information was the facial and licence plate images of travellers crossing the US southern border. After investigating, CBP said the data had been lost by a subcontractor company that failed to secure it properly. CBP said the company had “violated mandatory security and privacy protocols outlined in their contract” and had “without CBP’s authorisation or knowledge transferred copies of licence plate images and traveller images collected by CBP to its company network. The network was subsequently compromised by a malicious cyber-attack”. Unconfirmed reports in The Register, Washington Post and other media suggest the subcontractor concerned is Perceptics, which supplies vehicle identification and licence plate recognition technology to state and national governments worldwide for border control and security. The company claims it has secured thousands of border checkpoints and its products automate over 200 million vehicle inspections annually. Following the breach, the Washington Post, CNN and other media have claimed that Perceptics has now been found “preliminarily ineligible” to conduct business with the US federal government, pending a final decision, based on “evidence of conduct indicating a lack of business honesty or integrity”. Whoever is at fault, the incident has underlined the vulnerability of centrally stored biometric data. As a result, the American Civil Liberties Union (ACLU) privacy campaign group has said the CBP should stop rolling out new facial recognition systems. Neema Singh Guliani, a senior lawyer with ACLU, said: “This breach comes just as CBP
July/August 2019
NEWS research
Game of Guess Who? Researchers use DNA to identify a face US southern border: the facial and licence plate images of tens of thousands of travellers crossing it were cyber-hacked.
seeks to expand its massive face recognition apparatus and collection of sensitive information from travellers, including licence plate information and social media identifiers. This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place.” But security industry expert Irra Ariella Khi, CEO of VChain Technologies, said such breaches could be prevented by focusing on how facial data is stored, and securing it via encryption. She commented: “Facial recognition technology has been widely adopted, but government agencies the world over have been much slower at adopting the technology that allows the safe storage, transfer and verification of that data. Without that vital security element, data can too easily fall into malicious hands and expose governments and citizens alike. “It is not hard to identify the mistakes that were made in this case. This highly sensitive personally identifiable information should not have been either exposed to or stored as a copy by the subcontractor in a central, thirdparty database. While none of the CBP’s own systems were compromised, this also would have been avoided if the images were stored or shared in a way that made the original images inaccessible. All data of this level of sensitivity should be obscured – encrypted and unrecognisable – before being shared, stored or transferred.” Also commenting, BitSight VP of government affairs Jake Olcott, who previously served as legal advisor to the House of Representatives Homeland Security Committee, said: “All government agencies are at high risk of data breach through their third-party contractors. Government agencies have been spending too much time focused on protecting their own networks that they’ve virtually ignored the evolving threat landscape. The first step is to gain visibility into the security posture of critical third-party contractors – immediately.”
July/August 2019
R
esearchers from Belgium and the US have found a way to use any DNA captured at a crime scene to build an image of the suspect’s face – and they liken their technique to the game Guess Who? In a paper published in Nature Communications, the KU Leuven-led team said that a person’s physical appearance, including their face, is hardwired into their genetic material. But other factors are also at play – meaning there are limits as to how accurately crime investigators could draw someone’s face, based on a sample of their DNA. Lead study author Peter Claes of KU Leuven explained: “The shape of our face is determined by thousands of genes, but also by the food we eat and other living conditions. Therefore, it is unlikely that we will ever be able to accurately predict a lifelike face from DNA alone.” To get round this, Claes’s team have developed a reverse approach that works better: “Instead of going from DNA to face, we’re trying to go from face to DNA,” he said. “Using special software, we measure each face and check if this face is a possible outcome based on a unique bit of DNA. “It then becomes a game of Guess Who? If the face is male and the DNA says it is a woman, all the men are eliminated. If the hair is blond and the genetic material confirms this, that eliminates all other hair colours. The more genes we identify, the more accurate this method becomes, and it will only continue to improve as our knowledge of the relevant genes grows.” The result is that investigators can check if the profiled face matches any in their database of suspects. Elsewhere, MIT researchers have similarly found a way to create the facial image of an individual simply from a recording of their voice. In their recently published Speech2Face paper, the MIT team explain how they built and then trained a deep neural network that could reconstruct a person’s facial image from short recordings of them speaking. Using millions of YouTube videos, their model learned enough voice and face correlations to produce images that captured physical attributes such as the speaker’s age, gender and ethnicity. “We have demonstrated that our method can predict plausible faces with the facial attributes consistent with those of real images,” they report. The seven researchers involved
EVENTS CALENDAR 9–11 September 2019
Digital Identity Summit 2019
Los Angeles, USA This event explores best practices in the commercial application of digital identities, and the approaches needed to prevent cyber-criminals from gaining access to bank accounts and making fraudulent transactions, without increasing friction and false positives. The summit will feature speakers from leading e-commerce, financial services and payments organisations, giving attendees access to crowdsourced, cross-industry shared intelligence about digital identities. It will also offer hands-on demonstrations and networking opportunities for business people looking to drive secure, profitable growth through digital channels. More information: https://www.digitalidentitysummit.com/
17 September 2019 IDM Europe
Van Der Valk Hotel, Utrecht, The Netherlands Billed as Europe’s leading identity and access management (IAM) conference, IDM is aimed at senior risk management, security and IAM professionals across government and large enterprise organisations. It will examine how businesses can protect their critical data assets and ensure regulatory compliance, while embracing disruptive technologies like AI and big data, IoT and blockchain. The conference will cover key trends in digital identity and strategies to create secure IAM infrastructures. Featured topics will include machine learning and IAM, understanding the evolving nature of trust and digital identity, encryption techniques, privileged account management, multi-factor authentication, self-service IAM and single sign-on (SSO) capabilities. Other areas covered include managing entitlements, credentials, privileges, duties and roles; federated access management; intelligent API security; and effective data management and security. More information: https://whitehallmedia.co.uk/idmeuropesep2019/
26–27 September 2019 Ecommerce Expo
Olympia, London, UK This two-day exhibition and conference is billed as Europe’s largest retail event. The conference programme will focus on subjects including omni-channel and cross-border e-commerce, delivery and logistics, and personalisation. More information: https://www.ecommerceexpo.co.uk/
29–30 October 2019
Biometrics Institute Congress 2019
London, UK This Congress provides an off-the-record forum where the international biometrics community can discuss issues such as the ethical use of biometrics, digital identity, technology innovation, consumer biometrics, intelligent borders, and biometrics for social enablement. It is part of Biometrics Week 2019 (28 October-1 November) and is accompanied by satellite events on either side. Last year’s Congress had attendees from 30 countries. This year’s speakers include UK Biometrics Commissioner Paul Wiles; John Boyd, assistant director in the US Department of Homeland Security; Silkie Carlo, director of campaign group Big Brother Watch; and Patrick Grother, NIST’s head of biometric standards and testing. More information: https://www.biometricsinstitute.org/event/biometrics-congress-2019/
News continued on page 11....
Biometric Technology Today
3