Boston Police Used Facial Recognition Software To Grab Photos Of Every Person Attending Local Music Festivals

from the can't-fight-terrorism-without-lots-and-lots-of-pictures dept

Once again, the government is experimenting on the public with new surveillance technology and not bothering to inform them until forced to do so. Boston’s police department apparently performed a dry run of its facial recognition software on attendees of a local music festival.

Nobody at either day of last year’s debut Boston Calling partied with much expectation of privacy. With an army of media photographers, selfie takers, and videographers recording every angle of the massive concert on Government Center, it was inherently clear that music fans were in the middle of a massive photo opp.

What Boston Calling attendees (and promoters, for that matter) didn’t know, however, was that they were all unwitting test subjects for a sophisticated new event monitoring platform. Namely, the city’s software and equipment gave authorities a live and detailed birdseye view of concertgoers, pedestrians, and vehicles in the vicinity of City Hall on May 25 and 26 of 2013 (as well as during the two days of a subsequent Boston Calling in September). We’re not talking about old school black and white surveillance cameras. More like technology that analyzes every passerby for height, clothing, and skin color.

While no one expects their public activities to carry an expectation of privacy, there’s something a bit disturbing about being scanned and fed into a database maintained by a private contractor and accessible by an unknown number of entities. Then there’s the problem with the technology itself which, while improving all the time, is still going to return a fair amount of false positives.

Ultimately, taking several thousand photos with dozens of surveillance cameras is no greater a violation of privacy than a single photographer taking shots of crowd members. The problem here is the cover-up and the carelessness with which the gathered data was (and is) handled.

First, the cover-up. Like many surveillance programs, this uses the assumed lack of an expectation of privacy as its starting point. But this assumption only works one way. The public can only expect a minimum of privacy protections in public, but law enforcement automatically assumes a maximum of secrecy in order to “protect” its investigative techniques.

In this particular situation, careless security dovetails directly into the cover-up. Boston’s Dig website came across a ton of data, documents and captured video from this program just laying around the web.

Dig reporters picked up on a scent leading to correspondence detailing the Boston Calling campaign while searching the deep web for keywords related to surveillance in Boston. Shockingly, these sensitive documents have been left exposed online for more than a year. Among them are memos written by employees of IBM, the outside contractor involved, presenting plans to use “Face Capture” on “every person” at the 2013 concert. Another defines a party of interest “as anyone who walks through the door.”

‘Guilty until proven innocent” remains the mantra of mass surveillance. Here, a “person of interest” is also just an “attendee.” They are inseparable until the software has done its sorting, and even then, the non-hit information is held onto for months or years before being discarded.

Beyond the documents, there’s the captured video, much of which remains online and accessible by the general public.

[M]ore than 50 hours of recordings — samples of which are highlighted herein as examples — remain intact today.

Dig gathered up all of this info and confronted the Boston Police Department about its involvement in this project.

Reached for comment about “Face Capture” and intelligent video analysis, a Boston Police Department spokesperson wrote in an email, “BPD was not part of this initiative. We do not and have not used or possess this type of technology.”

A normal denial and generally solid… except for one thing.

The Boston Police Department denied having had anything to do with the initiative, but images provided to me by Kenneth Lipp, the journalist who uncovered the files, show Boston police within the monitoring station being instructed on its use by IBM staff.

The outing of these documents forced the city to acknowledge its participation.

In response to detailed questions, Kate Norton, the press secretary for Boston Mayor Marty Walsh, wrote in an email to the Dig: “The City of Boston engaged in a pilot program with IBM, testing situational awareness software for two events hosted on City Hall Plaza: Boston Calling in May 2013, and Boston Calling in September 2013. The purpose of the pilot was to evaluate software that could make it easier for the City to host large, public events, looking at challenges such as permitting, basic services, crowd and traffic management, public safety, and citizen engagement through social media and other channels. These were technology demonstrations utilizing pre-existing hardware (cameras) and data storage systems.”

The city claims it’s not interested in pursuing this sort of surveillance at the moment, finding it to be lacking in “practical value.” But it definitely is interested in all the aspects listed above, just not this particular iteration. It also claims it has no policies on hand governing the use of “situational awareness software,” but only because it’s not currently using any. Anyone want to take bets that the eventual roll out of situational awareness software will be far in advance of any guidance or policies?

Better security is also a must and Boston’s — despite recent events — seems to be full of holes.

Similarly, [Dig’s Kenneth Lipp] easily found his way into lightly secured reams of documents that include Boston parking permit info, including drivers’ licenses, addresses, and other data, kept online on unsecured FTP servers.

“If I were a different kind of actor, a malicious state actor, I could pose a significant threat to the people of Boston because of what I have in the folder.”

Government entities roll out pervasive surveillance programs, almost exclusively without consulting the public, and expect citizens to trust them with the data — not only what they share and whom they share it with, but to keep it out of the hands of criminals and terrorists. But Boston (and IBM) have proven here that this trust is wholly undeserved.

When the Boston PD lied about its involvement, I’m sure it expected any damning info to be safely secured. Now that it knows that’s not true, I wonder if it will be more careful in the future, both with the data it collects on its own as well as its partnerships with third parties.

Unfortunately, as with any mass surveillance, the ease of collecting it all turns everyone into a suspect until proven otherwise. Better targeting and stricter data minimization rules would mitigate this somewhat, but those deploying these programs usually feel it’s better to have it all… just in case.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Boston Police Used Facial Recognition Software To Grab Photos Of Every Person Attending Local Music Festivals”

Subscribe: RSS Leave a comment
ltlw0lf (profile) says:

Re: Re:

Orwell wasn’t wrong, he just missed the mark by 30 years…

Orwell didn’t miss the mark by 30 years… This stuff has been going on for a long time, slowly ramping up to what it is today with the drop in the cost of the technology. Hell, people were saying the same thing in the 80’s and early 90’s. Orwell just missed the pervasiveness and subtle implementation of the technology to the point that most people didn’t realize it until it was already there.

The cost of surveillance cameras and the technology to run them is so low that many residents can purchase the equipment to monitor their own property for significantly less than $500. Used to be the only people with cameras were big businesses, the government, and crime syndicates. You’d be hard pressed to find someone who doesn’t have a webcam pointed at their mailbox now…which is surprising that people still do mail-theft any more.

As prices continue to drop, there is more you can do with the technology, and corporations will continue to explore.

That Anonymous Coward (profile) says:

And these are the times people will remember as the slide to the US being a failed dystopian state picked up speed.

Bad things happen.
Society seems to have this idiotic idea that all bad things can totally be prevented, and demand it be done.
Government takes this ball and runs with it, using the memory of the bad thing to get Society to accept it.
More and more of our alleged rights that are supposed to be protected are taken away.
This makes keeping our rights more secure, because we HAVE NONE.
Anyone figured out we are like an abused wife yet?

Perhaps it is time to admit, bad things will happen.
We can not stop every bad thing.
We should stop focusing on the single bad act, but rather what lead to it being possible.
People who are clearly mentally ill are dumped on the streets, because we destroyed the system to help them.
Saving a couple bucks in taxes (which never really stayed in our pockets anyways) set a bomb in motion.

We pour unlimited amounts of cash into programs to keep us safe, that do no such thing. We are not safer because of the TSA, we are in more danger. Gangs of TSA agents rob the public, abuse their power unchecked, we are exposed to untested technology that could have future ramifications because a couple planes were hijacked.
The mission keeps expanding stealing more rights and tax dollars lining the pockets of companies who will make their dreams of a star wars solution happen.

We collect all the data we can get our hands on, and trust that corporations will not sell that information to make a buck. We need to stop believing in Santa and admit the abuse this makes possible outweighs ANY benefit.

They lie to us about what they are doing.
This is trickling down to every level, destroying what little faith we still had in those charged with protecting us, because they lie, cheat, steal with NO repercussions beyond soundbites trying to justify our “betters” actions in violation of the law of the land.

Still more likely to be killed by a cop than a terrorist.
Perhaps we need to look at the definitions we are using, stop acting out of fear, and allow rational thinking back into the room.

That One Guy (profile) says:

The coverup is almost always worse than the crime

Even if they were completely innocent here, and were honestly just testing a system that they had no plans on deploying against the public, but only use for service situations, the fact that they went straight to a lie when questioned about it brings their motives into question.

If they really weren’t doing anything wrong here, why lie about it? Why not just tell the public what they were doing and who was involved?

Of course even giving them every benefit of the doubt, even believing, for one second that they have nothing but good intentions, and would not for even a moment consider turning such a system against the public, the fact remains: it does not matter.

Once the system is in place, it will expand in scope. What might be unthinkable today might not be seen as such a few years, or a decade in the future, because after all, ‘the infrastructure is already there, why not use it?’ And come on now, who could argue against using such a system to track and/or stop terrorists… or criminals… or suspected criminals… or potential criminals…

For systems or programs like this, ‘What could it be used for?’ is just as, if not more important than ‘What it’s meant, currently, to be used for’, because once they are in place, getting rid of them is all but impossible.

That Anonymous Coward (profile) says:

Re: The coverup is almost always worse than the crime

If the roles were reversed, and a citizen outright lied to a cop would things be different?

They need to play by the same rules.

Police don’t get to use state secrets to hide things, if it is using public funds they need to be forced to be open about it and if they fail to do so the penalty needs to be strict and not overturnable by some arbitrary arbitrator.

If you are unwilling to tell the public what you are doing, that pretty much should be the glowing warning light that you shouldn’t be doing it… and if you compound it by lying…

Richard (profile) says:

Re: The coverup is almost always worse than the crime

If they really weren’t doing anything wrong here, why lie about it? Why not just tell the public what they were doing and who was involved?

Because, deep down, they know that they are doing something wrong.

As someone said, nearly 2000 years ago:

“Men loved the darkness… because their deeds were evil. For every one that doeth evil hateth the light, neither cometh to the light, lest his deeds should be reproved.”

Ninja (profile) says:

Re: The coverup is almost always worse than the crime

The question that should be asked when putting any kind of system in place that gives power to a few people or a Government is not how it’s being used or how it will be used by that specific Government alone. These are important for sure. The most important, crucial question is: how can it be abused in the future if a tyrant gets elected?

If the answer is “it cannot be abused in anyway” then it’s all good, if not you need to implement safety measures (ie: the 3 Powers, the Constitution etc).

Richard (profile) says:

No greater violation?

Ultimately, taking several thousand photos with dozens of surveillance cameras is no greater a violation of privacy than a single photographer taking shots of crowd members.

I take issue with that – in a world where technology enables the data to be analysed automatically.

The single photographer will at most identify people who were there. The surveillance cameras – combined with modern technology – enable all your movements to be identified and tracked automatically, timestamped etc etc. This IS a bigger violation of privacy.

That One Guy (profile) says:

Re: No greater violation?

Similar in a way with a person taking one photograph of you during the day, and them taking multiple photos of you as you go about your business.

With one, they can tell where you are at that moment, but not really anything else. With multiple photos, spaced out in time and location, and you can pretty easily track where a person goes and when, based upon location and time data attached to the photos.

limbodog (profile) says:

As I am almost certainly in some of those databases now, I’d like to know who possesses the data, how it is secured, what the record retention policy is, what my options are to have myself removed from them, and who has access to them.

If I get satisfactory answers to all of those, then I’m ok with this. If the collective answer is “move along citizen.” then this is not ok.

Michael (profile) says:

Re: Re:

who possesses the data

how it is secured
It wasn’t, that’s how I got it, but MY copy is held securely on a system not connected to the internet and protected by an encrypted drive array.

what the record retention policy is
I intend to keep these records forever, but there is a chance that both my primary and backup systems will fail at some point.

what my options are to have myself removed from them
You are pretty much f***ed if you want to get your information removed.

who has access to them
Just me and anyone that can pay me enough for the information. Your information, in particular, is somewhat worthless (your porn habits are even boring), but if someone had a few bucks, they can have a copy. You may find yourself being included in the data I am selling to the DEA – those guys seem to want everything.

weneedhelp (profile) says:

Ultimately, taking several thousand photos with dozens of surveillance cameras is no greater a violation of privacy than a single photographer taking shots of crowd members.

“Ultimately, taking several thousand photos with dozens of surveillance cameras is no greater a violation of privacy than a single photographer taking shots of crowd members.”

Really? No different…Tim? The lone Photographer does not send his pics to a back end system that may trigger a SWAT response when your pic wrongly hits on a fugitive.

John Fenderson (profile) says:

The difference

Ultimately, taking several thousand photos with dozens of surveillance cameras is no greater a violation of privacy than a single photographer taking shots of crowd members.

I disagree. I think the difference is enormous, and is can very well be (and likely is) that the widespread, institutional surveillance is a greater violation of privacy than a single photographer.

The invasion would be the same if the single photographer was taking thousands of pictures through dozens of cameras, performing face recognition on them, and entering all that data into a database that is linked with, and shared with, governmental agencies.

The most severe privacy invasions happen in the database, not in the camera.

Anonymous Coward says:

Re: The difference

Yep, with a system of distributed cameras and DBs managed by a handful of for-profit companies under contract with police departments, the “photograph” analogy doesn’t exactly hold.

When ALPRs, private business security systems, surveillance drones, cellphone GPS logs, and FRS systems are linked, a single query to the system wouldn’t be returning pictures: it would be returning the frames of a film.

Anonymous Coward says:

So… pretty much any and all forms of surveillance technology are valid to at least try out (and frequently embrace and spend money on) without bothering with the tedium of developing policies for using them or being concerned about funding.

Except for police body cameras and GPS tracking of squad cars. Because those present serious privacy and financial concerns.

I think there’s a word for that…

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...