Boston Police Used Facial Recognition Software To Grab Photos Of Every Person Attending Local Music Festivals

from the can't-fight-terrorism-without-lots-and-lots-of-pictures dept

Once again, the government is experimenting on the public with new surveillance technology and not bothering to inform them until forced to do so. Boston's police department apparently performed a dry run of its facial recognition software on attendees of a local music festival.

Nobody at either day of last year's debut Boston Calling partied with much expectation of privacy. With an army of media photographers, selfie takers, and videographers recording every angle of the massive concert on Government Center, it was inherently clear that music fans were in the middle of a massive photo opp.

What Boston Calling attendees (and promoters, for that matter) didn't know, however, was that they were all unwitting test subjects for a sophisticated new event monitoring platform. Namely, the city's software and equipment gave authorities a live and detailed birdseye view of concertgoers, pedestrians, and vehicles in the vicinity of City Hall on May 25 and 26 of 2013 (as well as during the two days of a subsequent Boston Calling in September). We're not talking about old school black and white surveillance cameras. More like technology that analyzes every passerby for height, clothing, and skin color.
While no one expects their public activities to carry an expectation of privacy, there's something a bit disturbing about being scanned and fed into a database maintained by a private contractor and accessible by an unknown number of entities. Then there's the problem with the technology itself which, while improving all the time, is still going to return a fair amount of false positives.

Ultimately, taking several thousand photos with dozens of surveillance cameras is no greater a violation of privacy than a single photographer taking shots of crowd members. The problem here is the cover-up and the carelessness with which the gathered data was (and is) handled.

First, the cover-up. Like many surveillance programs, this uses the assumed lack of an expectation of privacy as its starting point. But this assumption only works one way. The public can only expect a minimum of privacy protections in public, but law enforcement automatically assumes a maximum of secrecy in order to "protect" its investigative techniques.

In this particular situation, careless security dovetails directly into the cover-up. Boston's Dig website came across a ton of data, documents and captured video from this program just lying around the web.

Dig reporters picked up on a scent leading to correspondence detailing the Boston Calling campaign while searching the deep web for keywords related to surveillance in Boston. Shockingly, these sensitive documents have been left exposed online for more than a year. Among them are memos written by employees of IBM, the outside contractor involved, presenting plans to use "Face Capture" on "every person" at the 2013 concert. Another defines a party of interest "as anyone who walks through the door."

"Guilty until proven innocent" remains the mantra of mass surveillance. Here, a "person of interest" is also just an "attendee." They are inseparable until the software has done its sorting, and even then, the non-hit information is held onto for months or years before being discarded.

Beyond the documents, there's the captured video, much of which remains online and accessible by the general public.
[M]ore than 50 hours of recordings — samples of which are highlighted herein as examples — remain intact today.
Dig gathered up all of this info and confronted the Boston Police Department about its involvement in this project.
Reached for comment about “Face Capture” and intelligent video analysis, a Boston Police Department spokesperson wrote in an email, “BPD was not part of this initiative. We do not and have not used or possess this type of technology.”
A normal denial and generally solid… except for one thing.
The Boston Police Department denied having had anything to do with the initiative, but images provided to me by Kenneth Lipp, the journalist who uncovered the files, show Boston police within the monitoring station being instructed on its use by IBM staff.
The outing of these documents forced the city to acknowledge its participation.
In response to detailed questions, Kate Norton, the press secretary for Boston Mayor Marty Walsh, wrote in an email to the Dig: “The City of Boston engaged in a pilot program with IBM, testing situational awareness software for two events hosted on City Hall Plaza: Boston Calling in May 2013, and Boston Calling in September 2013. The purpose of the pilot was to evaluate software that could make it easier for the City to host large, public events, looking at challenges such as permitting, basic services, crowd and traffic management, public safety, and citizen engagement through social media and other channels. These were technology demonstrations utilizing pre-existing hardware (cameras) and data storage systems.”
The city claims it's not interested in pursuing this sort of surveillance at the moment, finding it to be lacking in "practical value." But it definitely is interested in all the aspects listed above, just not this particular iteration. It also claims it has no policies on hand governing the use of "situational awareness software," but only because it's not currently using any. Anyone want to take bets that the eventual roll out of situational awareness software will be far in advance of any guidance or policies?

Better security is also a must and Boston's -- despite recent events -- seems to be full of holes.
Similarly, [Dig's Kenneth Lipp] easily found his way into lightly secured reams of documents that include Boston parking permit info, including drivers’ licenses, addresses, and other data, kept online on unsecured FTP servers.

“If I were a different kind of actor, a malicious state actor, I could pose a significant threat to the people of Boston because of what I have in the folder.”
Government entities roll out pervasive surveillance programs, almost exclusively without consulting the public, and expect citizens to trust them with the data -- not only what they share and whom they share it with, but to keep it out of the hands of criminals and terrorists. But Boston (and IBM) have proven here that this trust is wholly undeserved.

When the Boston PD lied about its involvement, I'm sure it expected any damning info to be safely secured. Now that it knows that's not true, I wonder if it will be more careful in the future, both with the data it collects on its own as well as its partnerships with third parties.

Unfortunately, as with any mass surveillance, the ease of collecting it all turns everyone into a suspect until proven otherwise. Better targeting and stricter data minimization rules would mitigate this somewhat, but those deploying these programs usually feel it's better to have it all… just in case.


Reader Comments

  1.  
    Anonymous Coward, Aug 18th, 2014 @ 3:55am

    Orwell wasn't wrong, he just missed the mark by 30 years...

     

  2.  
    That Anonymous Coward (profile), Aug 18th, 2014 @ 4:39am

    And these are the times people will remember as the slide to the US being a failed dystopian state picked up speed.

    Bad things happen.
    Society seems to have this idiotic idea that all bad things can totally be prevented, and demand it be done.
    Government takes this ball and runs with it, using the memory of the bad thing to get Society to accept it.
    More and more of our alleged rights that are supposed to be protected are taken away.
    This makes keeping our rights more secure, because we HAVE NONE.
    Anyone figured out we are like an abused wife yet?

    Perhaps it is time to admit, bad things will happen.
    We can not stop every bad thing.
    We should stop focusing on the single bad act, but rather what led to it being possible.
    People who are clearly mentally ill are dumped on the streets, because we destroyed the system to help them.
    Saving a couple bucks in taxes (which never really stayed in our pockets anyways) set a bomb in motion.

    We pour unlimited amounts of cash into programs to keep us safe, that do no such thing. We are not safer because of the TSA, we are in more danger. Gangs of TSA agents rob the public, abuse their power unchecked, we are exposed to untested technology that could have future ramifications because a couple planes were hijacked.
    The mission keeps expanding stealing more rights and tax dollars lining the pockets of companies who will make their dreams of a star wars solution happen.

    We collect all the data we can get our hands on, and trust that corporations will not sell that information to make a buck. We need to stop believing in Santa and admit the abuse this makes possible outweighs ANY benefit.

    They lie to us about what they are doing.
    This is trickling down to every level, destroying what little faith we still had in those charged with protecting us, because they lie, cheat, steal with NO repercussions beyond soundbites trying to justify our "betters" actions in violation of the law of the land.

    Still more likely to be killed by a cop than a terrorist.
    Perhaps we need to look at the definitions we are using, stop acting out of fear, and allow rational thinking back into the room.

     

  3.  
    That One Guy (profile), Aug 18th, 2014 @ 4:47am

    The coverup is almost always worse than the crime

    Even if they were completely innocent here, and were honestly just testing a system that they had no plans on deploying against the public, but only use for service situations, the fact that they went straight to a lie when questioned about it brings their motives into question.

    If they really weren't doing anything wrong here, why lie about it? Why not just tell the public what they were doing and who was involved?

    Of course even giving them every benefit of the doubt, even believing, for one second that they have nothing but good intentions, and would not for even a moment consider turning such a system against the public, the fact remains: it does not matter.

    Once the system is in place, it will expand in scope. What might be unthinkable today might not be seen as such a few years, or a decade in the future, because after all, 'the infrastructure is already there, why not use it?' And come on now, who could argue against using such a system to track and/or stop terrorists... or criminals... or suspected criminals... or potential criminals...

    For systems or programs like this, 'What could it be used for?' is just as, if not more important than 'What it's meant, currently, to be used for', because once they are in place, getting rid of them is all but impossible.

     

  4.  
    That Anonymous Coward (profile), Aug 18th, 2014 @ 5:40am

    Re: The coverup is almost always worse than the crime

    If the roles were reversed, and a citizen outright lied to a cop would things be different?

    They need to play by the same rules.

    Police don't get to use state secrets to hide things, if it is using public funds they need to be forced to be open about it and if they fail to do so the penalty needs to be strict and not overturnable by some arbitrary arbitrator.

    If you are unwilling to tell the public what you are doing, that pretty much should be the glowing warning light that you shouldn't be doing it... and if you compound it by lying...

     

  5.  
    Richard (profile), Aug 18th, 2014 @ 6:20am

    Re: The coverup is almost always worse than the crime

    If they really weren't doing anything wrong here, why lie about it? Why not just tell the public what they were doing and who was involved?

    Because, deep down, they know that they are doing something wrong.

    As someone said, nearly 2000 years ago:

    "Men loved the darkness... because their deeds were evil. For every one that doeth evil hateth the light, neither cometh to the light, lest his deeds should be reproved."

     

  6.  
    Richard (profile), Aug 18th, 2014 @ 6:24am

    No greater violation?

    Ultimately, taking several thousand photos with dozens of surveillance cameras is no greater a violation of privacy than a single photographer taking shots of crowd members.

    I take issue with that - in a world where technology enables the data to be analysed automatically.

    The single photographer will at most identify people who were there. The surveillance cameras - combined with modern technology - enable all your movements to be identified and tracked automatically, timestamped etc etc. This IS a bigger violation of privacy.

     

  7.  
    That One Guy (profile), Aug 18th, 2014 @ 6:33am

    Re: No greater violation?

    Similar in a way with a person taking one photograph of you during the day, and them taking multiple photos of you as you go about your business.

    With one, they can tell where you are at that moment, but not really anything else. With multiple photos, spaced out in time and location, and you can pretty easily track where a person goes and when, based upon location and time data attached to the photos.

     

  8.  
    Ninja (profile), Aug 18th, 2014 @ 6:59am

    Re: The coverup is almost always worse than the crime

    The question that should be asked when putting any kind of system in place that gives power to a few people or a Government is not how it's being used or how it will be used by that specific Government alone. These are important for sure. The most important, crucial question is: how can it be abused in the future if a tyrant gets elected?

    If the answer is "it cannot be abused in any way" then it's all good, if not you need to implement safety measures (ie: the 3 Powers, the Constitution etc).

     

  9.  
    limbodog (profile), Aug 18th, 2014 @ 7:12am

    As I am almost certainly in some of those databases now, I'd like to know who possesses the data, how it is secured, what the record retention policy is, what my options are to have myself removed from them, and who has access to them.

    If I get satisfactory answers to all of those, then I'm ok with this. If the collective answer is "move along citizen." then this is not ok.

     

  10.  
    Michael, Aug 18th, 2014 @ 7:25am

    Re: No greater violation?

    Nah. That's just metadata.

     

  11.  
    Michael, Aug 18th, 2014 @ 7:30am

    Re:

    who possesses the data
    Me.

    how it is secured
    It wasn't, that's how I got it, but MY copy is held securely on a system not connected to the internet and protected by an encrypted drive array.

    what the record retention policy is
    I intend to keep these records forever, but there is a chance that both my primary and backup systems will fail at some point.

    what my options are to have myself removed from them
    You are pretty much f***ed if you want to get your information removed.

    who has access to them
    Just me and anyone that can pay me enough for the information. Your information, in particular, is somewhat worthless (your porn habits are even boring), but if someone had a few bucks, they can have a copy. You may find yourself being included in the data I am selling to the DEA - those guys seem to want everything.

     

  12.  
    weneedhelp (profile), Aug 18th, 2014 @ 7:52am

    Ultimately, taking several thousand photos with dozens of surveillance cameras is no greater a violation of privacy than a single photographer taking shots of crowd members.

    "Ultimately, taking several thousand photos with dozens of surveillance cameras is no greater a violation of privacy than a single photographer taking shots of crowd members."
    -
    Really? No different...Tim? The lone Photographer does not send his pics to a back end system that may trigger a SWAT response when your pic wrongly hits on a fugitive.

     

  13.  
    Michael, Aug 18th, 2014 @ 8:34am

    Re: Ultimately, taking several thousand photos with dozens of surveillance cameras is no greater a violation of privacy than a single photographer taking shots of crowd members.

    Unless he is using online storage that has been compromised by the NSA.

     

  14.  
    Anonymous Coward, Aug 18th, 2014 @ 9:27am

    This makes me think of Darth Vader and the original Star Wars thinking about the impact on the audience wondering who he was. It's rather scary to think that may be the only way to achieve any privacy while in a public place.

     

  15.  
    Lynn Cheramie, Aug 18th, 2014 @ 10:23am

    very soon the cameras

    will start to come up missing. It's time to take it back. http://freedomfightersofamerica.blogspot.com before they ruin it forever.

     

  16.  
    Anonymous Coward, Aug 18th, 2014 @ 10:26am

    "Ultimately, taking several thousand photos with dozens of surveillance cameras is no greater a violation of privacy than a single photographer taking shots of crowd members."


    Unless the cameras are used in coordinated fashion to follow you around as you move about the city. Then it becomes like stalking.

     

  17.  
    Michael, Aug 18th, 2014 @ 10:49am

    Re:

    You just blew it.

    When we see a guy in a Darth Vader mask, we will know it is you.

    - the NSA

     

  18.  
    Padpaw (profile), Aug 18th, 2014 @ 10:55am

    We are the government you will be assimilated

     

  19.  
    That Anonymous Coward (profile), Aug 18th, 2014 @ 12:03pm

    Re:

    NYC and other places have already made it illegal to cover your face in public.
    They were spending too much time chasing a guy who died in 1606.

     

  20.  
    John Fenderson (profile), Aug 18th, 2014 @ 12:24pm

    The difference

    Ultimately, taking several thousand photos with dozens of surveillance cameras is no greater a violation of privacy than a single photographer taking shots of crowd members.


    I disagree. I think the difference is enormous, and it can very well be (and likely is) that the widespread, institutional surveillance is a greater violation of privacy than a single photographer.

    The invasion would be the same if the single photographer was taking thousands of pictures through dozens of cameras, performing face recognition on them, and entering all that data into a database that is linked with, and shared with, governmental agencies.

    The most severe privacy invasions happen in the database, not in the camera.

     

  21.  
    John Fenderson (profile), Aug 18th, 2014 @ 12:25pm

    Re:

    Not "becomes like stalking." Rather, it's "becomes stalking."

     

  22.  
    ltlw0lf (profile), Aug 18th, 2014 @ 12:51pm

    Re:

    Orwell wasn't wrong, he just missed the mark by 30 years...

    Orwell didn't miss the mark by 30 years... This stuff has been going on for a long time, slowly ramping up to what it is today with the drop in the cost of the technology. Hell, people were saying the same thing in the 80's and early 90's. Orwell just missed the pervasiveness and subtle implementation of the technology to the point that most people didn't realize it until it was already there.

    The cost of surveillance cameras and the technology to run them is so low that many residents can purchase the equipment to monitor their own property for significantly less than $500. Used to be the only people with cameras were big businesses, the government, and crime syndicates. You'd be hard pressed to find someone who doesn't have a webcam pointed at their mailbox now...which is surprising that people still do mail-theft any more.

    As prices continue to drop, there is more you can do with the technology, and corporations will continue to explore.

     

  23.  
    John Fenderson (profile), Aug 18th, 2014 @ 1:07pm

    Re:

    Also, Orwell was wrong in terms of the skill level employed. The US today makes the government in "1984" look like hamfisted amateurs.

     

  24.  
    sorrykb (profile), Aug 18th, 2014 @ 3:19pm

    Concert video online?

    Beyond the documents, there's the captured video, much of which remains online and accessible by the general public.
    So... they recorded live music, and now it's online. Pirates!!!

    (Does this mean we can now enlist the RIAA in the fight against government surveillance?)

     

  25.  
    Anonymous Coward, Aug 18th, 2014 @ 3:19pm

    Re: Re:

    lmfao

     

  26.  
    borty, Aug 18th, 2014 @ 5:21pm

    Welcome. Welcome to City 17.

     

  27.  
    Anonymous Coward, Aug 18th, 2014 @ 6:02pm

    Re: The difference

    Yep, with a system of distributed cameras and DBs managed by a handful of for-profit companies under contract with police departments, the "photograph" analogy doesn't exactly hold.

    When ALPRs, private business security systems, surveillance drones, cellphone GPS logs, and FRS systems are linked, a single query to the system wouldn't be returning pictures: it would be returning the frames of a film.

     

  28.  
    Anonymous Coward, Aug 18th, 2014 @ 7:04pm

    So... pretty much any and all forms of surveillance technology are valid to at least try out (and frequently embrace and spend money on) without bothering with the tedium of developing policies for using them or being concerned about funding.

    Except for police body cameras and GPS tracking of squad cars. Because those present serious privacy and financial concerns.

    I think there's a word for that...

     

  29.  
    Lizard Man, Aug 30th, 2014 @ 3:17pm

    And yet...

    And yet the police will still smash your camera and arrest you if YOU take pictures of THEM. (Which is perfectly legal in every state BTW.)

     

  30.  
    jetty, Aug 30th, 2014 @ 3:23pm

    What's wrong with Boston?

    The same city that allowed itself to be locked down because of a teenager after the Boston Marathon bombing. smh

     

  31.  
    miriam, Aug 30th, 2014 @ 7:50pm

    Re: Re: The coverup is almost always worse than the crime

    I loved the Biblical quote.

     
