Home/red-rock-eater/[RRE]face recognition, EU privacy law, frequent flier miles

[RRE]face recognition, EU privacy law, frequent flier mileswriting

rreauto-importedrre-post
1998-12-05 · 10 min read · Edit on Pyrite

Source

Automatically imported from: http://commons.somewhere.com:80/rre/1998/RRE.face.recognition.EU..html

Content

This web service brought to you by Somewhere.Com, LLC.

[RRE]face recognition, EU privacy law, frequent flier miles

``` [Here are a few messages from the most recent Privacy Forum Digest. Full info on the Privacy Forum at http://www.vortex.com/ ]

---

This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, see http://dlis.gseis.ucla.edu/people/pagre/rre.html or send a message to requests@lists.gseis.ucla.edu with Subject: info rre

---

Date: Sat, 5 Dec 98 12:58 PST From: privacy@vortex.com (PRIVACY Forum)

PRIVACY Forum Digest Saturday, 5 December 1998 Volume 07 : Issue 19

---

Date: Wed, 18 Nov 1998 07:47:38 -0000 From: "Jason Ross" Subject: Image Recognition on the streets of London

In PFD V07 #18, Keith Parkins submitted the article "CCTV", detailing a scheme now in use in Newham, London to automatically identify criminals as they walk along the road.

I've obtained a little more information which focuses more on the technical side of the system, and which I thought may be of interest.

The #60,000 ($96,000 approx.) system, which was launched on 14 October, uses the council's 140 CCTV cameras. The images from these cameras are fed into SSI's Mandrake Face Recognition Software, running on council-owned PCs. The software the compares these faces with a set of 'mugshots' which it also holds. Currently 100 images from two police stations are on file. If any of the faces prove to be an 80% match or better, a council camera operator is alerted to call the police.

I believe this system was also mentioned earlier this year in Computing Magazine, when the trials first started. Apparently the system uses, amongst other things, the distances between, and sizes of, the eyes, nose and mouth. Therefore you can't just grow a beard to avoid being recognised.

Newham has received enquiries from twenty councils and eight police forces so far. Their emergency services manager believes many of the 250 councils in the CCTV User Group would also adopt the technology in the near future.

Charles Nisbet, the secretary to the Association of Chief Police Constables' IT Committee said that his group had held talks on face recognition software during the summer, and had supported local police force moves to introduce it. However, he did say that there were no plans to create a national system linked to the police's central database of 5.7 million known offenders, 'in the near future'.

There are both privacy and risks implications with this system. The UK's Data Protection Registrar wants a meeting with the Metropolitan Police on the issue. Jonathan Bamford, the assistant data protection registrar was quoted as saying "People are being compared to convicted felons - there are clear civil liberties implications," He also pointed out that the 80% threshold left a sizeable scope for error. Personally, having seen the quality of images from CCTV cameras, especially in poor weather or at night under sodium or IR floodlights and when someone is standing some distance away from them, I'm surprised that they can claim an accuracy of even that high.

So, we now have a local council in the UK whose computer system watches every face that passes any of its CCTV cameras, and has an operator call the police if it recognises convicted felons, or anyone who looks enough like one of the ones on its database.

I feel it is important to point out that the camera operators are employed by the local council. Prospective police officers are investigated to find any criminal records they may have. I do not believe that council camera operators are investigated in the same way, so there seems little to prevent convicted criminals from operating the system.

I would also assume that, due to the intended purpose of the system, it could also track a given face, or group of faces, as they make their way around. If it cannot already do so, I don't think it would take a huge amount of engineering effort to add such a feature.

The police have said that there are no plans to create a national system 'in the near future'. They have not totally discounted the idea, and will no doubt implement it when the price of the technology has decreased enough to bring it within their budget. It may take a few years, but it will happen. Then it will be possible for the police, and anyone else who can get to the records, to find where you were at any given time, on any given day, and where you were before and afterwards.

Naturally, the "If you have nothing to hide you have nothing to worry about" brigade will be ecstatic when such a system is introduced. After all, it's only the convicted criminals who have to worry isn't it?

---

Date: Wed, 18 Nov 98 08:36:30 PST From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator) Subject: Re: Image Recognition on the streets of London

> Currently 100 images from two police stations are on file. If any > of the faces prove to be an 80% match or better, a council camera operator > is alerted to call the police. > ... > clear civil liberties implications," He also pointed out that the 80% > threshold left a sizeable scope for error. Personally, having seen the > quality of images from CCTV cameras, especially in poor weather or at night > under sodium or IR floodlights and when someone is standing some distance > away from them, I'm surprised that they can claim an accuracy of even that > high.

Greetings. In the previous message (excerpted above), Jason Ross discusses the London CCTV system which is programmed to "scan" for particular individuals. As described, that 80% figure quoted by the London authorities says nothing about the actual accuracy of the system in performing that task. The system accuracy, in terms of actually alarming only when it has really found a targeted person, could be 0%, for all we know. All that the 80% number appears to mean is that when the system gets an 80% or better match between the data points in the image and the data points in their database, it triggers an alarm. But that doesn't tell us whether or not the person who triggered that match actually is the person for whom the database was targeted.

To judge the real accuracy of the system, you'd need to know (for real world situations, not laboratory environments):

(a) how often the system claims it has found a match and it turns out that it was incorrect (alarmed on the wrong person)

(b) how often the system fails to recognize a targeted person within its view

One also has to wonder exactly what actions are taken when such an alarm sounds. Do the authorities rush out to that location, hoping the target will still be in the area? How often will a wanted person be apprehended thanks to this system? How often will an innocent person be confronted?

I agree with the stated skepticism.

--Lauren-- Lauren Weinstein Moderator, PRIVACY Forum http://www.vortex.com

---

Date: Thu, 5 Nov 1998 10:32:45 -0800 From: Klaus Rieckhoff Subject: Swedish (and EU) privacy protection provisions

Forwarded message:

Sender: Lars Aronsson Subject: Re: CPSR-GLOBAL digest 928

Steven Clift wrote on DO-WIRE (?), quoted on CPSR-GLOBAL:

> Today I was attempting to access an e-mail list archive for the > OldNorseNet and ran into this: > > Our discussion lists archive > > 1998-10-24. > Due to a new swedish law (harmonizing to the EU directives) > we are no longer allowed to publish archives of our > discussion lists. This will be a severe obstacle for the > democracy and the free debate.

This statement is obviously the result of the webmaster's (or list administrator's) own interpretation. There is a new law in Sweden, and it is much debated, but I have not heard any news of any verdict or even an interpretation from the responsible Swedish governmental agency in the direction described above.

On the referenced URL, there is also a logotype of a political campaign against this new Swedish law ("R=F1r inte mitt Internet", Don't touch my Internet). This campaign is launched by Bitos (http://www.bitos.org/), a Swedish non-profit organization for issues concerning Internet content providers. The campaign is also applauded by the Electronic Frontier Sweden (http://www.efs.se/), an independent branch of the EFF, where much of the current debate is taking place.

The way "legal harmonization" works in the European Union (EU), is that the European Commission (EC) writes up a "directive" that each member country has to implement in its national legislation. This new Swedish law is intended to implement a EC directive on privacy. The idea seems to be that companies should not be allowed to store and sell your address, and other data pertaining to you, without your consent. This sounds fine in principle, but the rest is a matter of interpretation. For example, the language of the Swedish law does not make any difference between "companies" storing personal data about individuals and individuals storing data about other individuals, or even individuals storing information about the government.

If I happen to mention that the name of the Swedish prime minister is Goran Persson and the fact that he is rather FAT, then this is personal information, which I hereby store in my computer and even export to countries outside the EU, thus making me a criminal, as I do not have his consent. I think you see the problem.

In order to avoid stupid questions, or at least postpone them, the Swedish Database Inspection Agency (http://www.din.se/), which has to supervise the implementation of the new law, has declared that systems already in use before the enactment of the new law (ten days ago), will be allowed to continue for a transitional period of three years. This of course is not very reassuring for the average Internet user. And nobody seems to know what will happen after these three years.

Surely, life goes on as normal in Sweden. The referenced URL is one of very few examples where people actually cared to abide by this new law. Members of the Swedish parliament, from all political parties, are currently busy writing bills to withdraw the new law, even though they voted in favor of it, not too long ago.

I hereby give my consent to store and export the personal data below.

Lars Aronsson.

---

Aronsson Datateknik tel +46-70-7891609 Teknikringen 1e tel +46-13-211720 lars@aronsson.se 583 30 Link=F1ping, Sweden fax +46-13-211820 www.aronsson.se

---- End of Forwarded Message

Klaus E. Rieckhoff, Ph.D.,LlD.(h.c.), Professor Emeritus, Department of Physics, Simon Fraser University

---

Date: Tue, 27 Oct 1998 16:32:59 -0500 From: antunes@xeno.gsfc.nasa.gov (Sandy Antunes) Subject: NW Frequent Flyer Miles are publically accessible-- and usable

Flyers beware-- I've run into a severe privacy/security hole in Northwest's frequently flyer program, "WorldPerks"-- one that NW is not interested in changing.

The short summary is, it seems anyone who knows your phone number can use your Northwest "WorldPerks" frequent flier miles to get an E-ticket issued in their name with your miles (or can simply find out your mileage balance). This is intentional, by design.

I found this out when my mother was able to upgrade a "gift" ticket I gave her to First Class-- using my miles-- without my authorization. It turns out that it doesn't even have to be a relative or someone you got a ticket for-- just someone who knows your phone number.

The record of this transaction (a receipt) is provided as the only notification of the transactions. Tickets issued can be for travel as soon as 4 days in the future (at which point the receipt is FedExed or faxed) or over 14 days in the future (receipt is just sent postal mail). In my case, 3 weeks passed between the ticket request and arrival of a receipt.

The privacy concerns are this:

  • anyone can get your frequent flyer mileage balance knowing only your
    • phone number,
  • anyone can deplete your mileage balance with malicious intent, knowing
    • only your phone number, and
  • the only sign that a ticket was issued is a receipt mailed by post,
    • so people with open mailboxes, people changing addresses, people on vacation, bosses with secretaries, and people with housemates are easy prey to having their miles stolen without knowing.

    Unlike credit card fraud, NW does not consider banked miles as currency, and it is the account holder's responsibility to find and file fraud charges against the ticketholder. 1st line managers have the option of waiving the $35 'rebank' fee if you wish to cancel such a ticket, if the flight has not already occurred.

    The most likely safeguard-- that only the person who ownes the frequent flyer account can request a ticket be issued-- is not something NW will consider. Quothe Jay (with permission), "The system is a great system, and it works, and we don't have problems with it. You're taking a situation that happened to you, and trying to completely blame it on Northwest, and I don't appreciate it."

    So, your account information is available to anyone who has access to a phone book (a privacy concern), the actual balance can be tampered with by same (an authorization risk), and catching such deeds is the responsibility of the account holder (verification after the fact).

    "Some People Just Know How to Fly", indeed. Sandy Antunes antunes@xeno.gsfc.nasa.gov

    ---

    End of PRIVACY Forum Digest 07.19

    --- ```

    This web service brought to you by Somewhere.Com, LLC.