
N.S.A. Programs Collect Facial Images From Users' Online Communications

The New York Times reported that the National Security Agency (NSA) captures and stores millions of images each day, of which about 55,000 are "facial recognition quality images." During the Obama Administration, the agency has reportedly increased its use of facial recognition software and programs. According to the news report:

"It is not clear how many people around the world, and how many Americans, might have been caught up in the effort. Neither federal privacy laws nor the nation’s surveillance laws provide specific protections for facial images. Given the N.S.A.’s foreign intelligence mission, much of the imagery would involve people overseas whose data was scooped up through cable taps, Internet hubs and satellite transmissions."

For online communications (e.g., e-mail, text, web surfing) within the United States, the agency would need a court order to collect your images. Exceptions apply if a telecommunications company provided content directly in response to a request by the F.B.I. or other government agency, or if you communicate with persons outside the United States:

"Because the agency considers images a form of communications content, the N.S.A. would be required to get court approval for imagery of Americans collected through its surveillance programs, just as it must to read their emails or eavesdrop on their phone conversations, according to an N.S.A. spokeswoman. Cross-border communications in which an American might be emailing or texting an image to someone targeted by the agency overseas could be excepted."

The NSA uses both in-house and commercially available facial recognition software:

"One of the N.S.A.’s broadest efforts to obtain facial images is a program called Wellspring, which strips out images from emails and other communications, and displays those that might contain passport images... the N.S.A. relies in part on commercially available facial recognition technology, including from PittPatt, a small company owned by Google..."

Although the facial recognition software used is powerful, it still introduced errors:

"A 2011 PowerPoint showed one example when Tundra Freeze, the N.S.A.’s main in-house facial recognition program, was asked to identify photos matching the image of a bearded young man with dark hair. The document says the program returned 42 results, and displays several that were obviously false hits... another 2011 N.S.A. document reported that a facial recognition system was queried with a photograph of Osama bin Laden. Among the search results were photos of four other bearded men with only slight resemblances to Bin Laden."

Reportedly, the agency does not collect images through its bulk metadata collection of phone records. All of the selfies you e-mailed and posted online probably have helped the NSA with its image collection because most social networking sites did not offer secure, encrypted capabilities before 2011. Ars Technica reported:

"According to the documents cited by the Times, the agency began performing facial recognition searches using captured images in 2010, matching photos in Pinwale (the NSA’s long-term store of captured content from external sources) and a terrorist watch list database called Tide... Of the major Web mail providers, only Google was providing SSL encryption at the beginning of 2010. Microsoft added SSL encryption to Hotmail in November of 2010. But SSL wasn’t even an option for Yahoo mail until early in 2013—and Yahoo didn’t turn it on by default until October of 2013."

Your mobile device and your apps are also probably leaky and less secure than a traditional browser interface. Ars Technica did some testing and found:

"Yahoo, Google, Microsoft, Apple, and Facebook now all encrypt images and other content from servers to Web browsers—though there are some exceptions in the mobile realm. Facebook, for example, encrypts all the images transmitted from its content delivery network to users’ browsers, though the images can still be reached through an unencrypted interface. During our testing, Pwnie Express founder and CTO Dave Porcello found that on an Android 4.1.1 “Jelly Bean” device—admittedly an older phone, but still in wide use—Facebook profile pictures and images were transmitted unencrypted to the Facebook app."

I look forward to reading the full report by Ars Technica when it is available. What to make of the NSA image-collection programs? First, the facial image collection is probably much more extensive, due to: a) cooperation by the spy agencies (e.g., GCHQ) of allies; and b) telecommunications and technology companies that have provided information in response to requests by the FBI, NSA, or other agencies. Second, consumers have to demand from app developers the same level of privacy with mobile apps that is available via traditional browser interfaces.

Third, know that when you communicate with persons outside the United States, you probably have far less privacy than you think. Fourth, contact your elected officials and demand that they rein in the NSA, stop the secret courts, laws, processes, and "back doors", and strictly comply with the Fourth Amendment of the U.S. Constitution.

