Ohio 27th state to implement Face Recognition

Ohioans not told how license photos used

Ohio 27th state to implement Face Recognition

Image courtesy of Wikimedia Commons

Without informing the public and without first reviewing security rules for the system, Ohio law enforcement officers started using facial recognition technology more than two months ago, scanning databases of driver’s license photos and police mug shots to identify crime suspects, The Enquirer has learned.

After they launched the system, officials in Attorney General Mike DeWine’s office weighed what new security protocols to establish for the state’s law enforcement database and wondered when they’d be ready to tell the public about it. In hundreds of pages of e-mails and memos reviewed by The Enquirer, officials also disagreed about whether the system was in beta testing or in a full launch and promised to make changes to the website that would be used to upload license photos, which was vulnerable to hackers.

Since June, police officers have performed 2,600 searches using the new database feature, which is designed to analyze a snapshot or, in some cases, security camera image, and identify the person by matching the photo with his or her driver’s license photo or police mug shot.

DeWine last week told The Enquirer he didn’t think the public needed to be notified about the launch because 26 other states have facial recognition databases. Now, more than two months into the launch, he’s creating an advisory group of judges, prosecutors and law enforcement officials to make recommendations for updated rules for the system’s use.

DeWine plans to announce the facial recognition system and the advisory group at a press briefing at 10 a.m. Monday in Columbus.

The facial recognition technology is aimed in part at leveraging the growing prevalence of security cameras in daily life. Ohioans are on camera in parks, schools, elevators, stores, highways and parking garages. Cameras track boats on the Ohio River, gamblers at casinos, revelers at concerts and sometimes people walking in their own neighborhood.

In Cincinnati alone, the police department can tap into 118 security cameras, but hopes to increase that number to 1,000 by the end of 2014. At least hundreds more are available to them if business owners hand over the images for investigations. The cameras can help to solve crimes, but opponents question whether the loss of privacy is worth the gains.

People with access to the new system – Ohio’s law enforcement officers and civilian employees of police departments – could match any photo of people on the street to photos in the database and gain access to personal information.

Law enforcement officers have long been able to look up suspects’ driver’s license photos and mug shots, with laws outlining harsh penalties for misusing the records. But the facial recognition system opens up new avenues for misuse, even as it offers new opportunities for solving crimes.

Before the facial recognition system’s development, officers had to know a person’s name or address to find a photo. Now, with facial recognition, people with access to the Ohio Law Enforcement Gateway can potentially identify any stranger they see or encounter, as long as they have a photo.

The system offers clear public safety advantages. It could make it easier to identify a dead body, a confused or mentally ill person or someone who refuses to reveal his or her identity: Just shoot a photo and run it through the system. E-mails from officials in the attorney general’s office show excitement at the possibility of uploading old photos of escaped convicts or photos sent in chatrooms by child exploitation suspects.

‘Who approved it to go live?’

Ohio’s new facial recognition system launched June 6, without the knowledge of the attorney general or his chief operating officer. Upon learning about it two weeks later, after it had already been used for 900 facial recognition searches, top officials debated turning it off.

On June 20, during a meeting with DeWine, Chief Operating Officer Kimberly Murnieks sent an urgent e-mail to DeWine’s chief information officer and top deputies: “First question: Can we turn this off for now? I am told it has been ‘live’ for two weeks. Who approved that go live?”

Officials had been working to develop the facial recognition technology for three years, starting before DeWine beat Democrat incumbent Richard Cordray in the November 2010 election. They had requested software contract approval from the General Assembly’s Controlling Board and had talked about its development internally and in speeches to law enforcement and special-interest groups.

So when the technology was ready, on June 6, the agency’s IT workers and officials closest to the project turned it on, without getting DeWine’s permission, said Tom Stickrath, head of Ohio’s Bureau of Criminal Investigation.

The decision to launch the system “was almost an IT-driven thing,” Stickrath told The Enquirer. “We’d been ready for quite some time and we talked about it and talked about it and talked about it. … IT literally said to Steve Raubenolt that we were ready, and then we hit the on switch and then set up the briefing.” Raubenolt is the BCI official who oversees the law enforcement database.

In the June 20 briefing with DeWine, officials quickly adopted a practice of calling the launch a “test,” although some continued to be nervous about whether the system should have been launched before new policies were created.

Later that day, Murnieks sent an e-mail to top officials at the attorney general’s office and the BCI: “Now that we are a few weeks into testing of the new facial recognition functionality … I wanted to check in with you to see if you have a date by which you would like to de-activate the service for the time being, until usage can be analyzed and policies can be updated?”

Instead, officials decided to keep the system running.

Before June 20, “I didn’t know it was up live, but I wasn’t concerned that it was up live,” DeWine said. “Whether you call it a test phase or don’t call it a test phase, if we find something (wrong), we would change it, and if we find something alarming, we would shut it down. …

“The fact that over half of states use (facial recognition technology), the fact that the FBI has used it, the fact that we have controls in (the online database) that work in the sense that we could prosecute people … all of those indicate to me that what we have is adequate.”

He said the system is still in a trial phase, but said its scope or useisn’t expected to change after the trial period ends.

“Should we have talked about it the day it went live?” DeWine said of the facial recognition system. “You could argue that.”

Communications between top officials refer to “concern” and “controversy,” citing the sensitivity of privacy issues after news broke of the federal National Security Agency’s secret spying efforts on cell phone calls, e-mails and Internet browsing.

“Given recent disclosures about the NSA review of consumer telephone data, this is a time of particular sensitivity to the potential intrusion of governmental snooping into private activities,” said an early-July memo drafted for BCI head Stickrath to send to DeWine. “It is important that we emphasize what this technology is and what it is not.”

After a meeting in July, BCI Chief Counsel Greg Trout wrote that DeWine “still views this as a ‘testing’ phase (Lisa Hackley called it a beta test phase), but neither he nor anyone else suggested we stop or back up.” Hackley is DeWine’s communications director. (The parenthetical insertion in the quote above is Trout’s.)

“Lisa’s term ‘beta’ test is not accurate. This (is) in full production,” wrote Raubenolt.

“I understand,” Trout replied. “The attorney general seems more comfortable than”Hackley.

System narrows 21 million to top 12 likely matches

When a law enforcement officer or employee conducts a facial recognition search, he or she uploads a snapshot or security camera image of someone who needs to be identified. The system compares the image with more than 21 million mug shots and license photos and returns up to 12 most likely to match the snapshot. The officer can then review the photos to judge whether any of them might be the same person in the uploaded image.

“This should not be treated as an exact science such as fingerprints or DNA,” reads a message posted on an opening page of the database. “It is one additional tool that you can use to identify or rule out a potential suspect.”

Straight-on, high-resolution photos work the best in the system. That means security-camera stills, which are often shot from above and which are often grainy, don’t often return accurate results. Photos in which people are wearing glasses or smiling also aren’t as easy to match.

The database retains Ohioans’ current driver’s license photos and their previous two photos. Paired with the photo is all the personal information found on a driver’s license – sex, address, birth date, height, weight and eye and hair color. Since the use of driver’s license photos is governed by Ohio and federal law, residents don’t receive anything when they get their license photo taken that explains how the government may use the photo, said Bureau of Motor Vehicles spokesman Joe Andrews.

The law prohibits, for instance, releasing photos as part of a public records request. At the same time, the law also requires the BMV to make photos accessible to law enforcement, Andrews said. “Driver’s license applicants consensually submit to a government photograph,” according to an early-July memo drafted to send to DeWine.

Photos and license information for the system were to be updated daily by the BMV. But the website BMV was to use to do so was vulnerable at several points to hacking. So BMV told the attorney general’s staff it would not initially upload new photos. Those security concerns were addressed about two months into the launch, Andrews said, and BMV is now adding new and renewed license photos and information into the system.

Read More