By Tim Cushing of Techdirt.
Once again, the government is experimenting on the public with new surveillance technology and not bothering to inform them until forced to do so. Boston's police department apparently performed a dry run of its facial recognition software on attendees of a local music festival.
Nobody at either day of last year's debut Boston Calling partied with much expectation of privacy. With an army of media photographers, selfie takers, and videographers recording every angle of the massive concert on Government Center, it was inherently clear that music fans were in the middle of a massive photo opp.
What Boston Calling attendees (and promoters, for that matter) didn't know, however, was that they were all unwitting test subjects for a sophisticated new event monitoring platform. Namely, the city's software and equipment gave authorities a live and detailed bird's-eye view of concertgoers, pedestrians, and vehicles in the vicinity of City Hall on May 25 and 26 of 2013 (as well as during the two days of a subsequent Boston Calling in September). We're not talking about old school black and white surveillance cameras. More like technology that analyzes every passerby for height, clothing, and skin color.
While no one expects their public activities to carry an expectation of privacy, there's something a bit disturbing about being scanned and fed into a database maintained by a private contractor and accessible by an unknown number of entities. Then there's the problem with the technology itself which, while improving all the time, is still going to return a fair number of false positives.
Ultimately, taking several thousand photos with dozens of surveillance cameras is no greater a violation of privacy than a single photographer taking shots of crowd members. The problem here is the cover-up and the carelessness with which the gathered data was (and is) handled.
First, the cover-up. Like many surveillance programs, this uses the assumed lack of an expectation of privacy as its starting point. But this assumption only works one way. The public can only expect a minimum of privacy protections in public, but law enforcement automatically assumes a maximum of secrecy in order to "protect" its investigative techniques.
In this particular situation, careless security dovetails directly into the cover-up. Boston's Dig website came across a ton of data, documents and captured video from this program just lying around the web.
Dig reporters picked up on a scent leading to correspondence detailing the Boston Calling campaign while searching the deep web for keywords related to surveillance in Boston. Shockingly, these sensitive documents have been left exposed online for more than a year. Among them are memos written by employees of IBM, the outside contractor involved, presenting plans to use "Face Capture" on "every person" at the 2013 concert. Another defines a party of interest "as anyone who walks through the door."
"Guilty until proven innocent" remains the mantra of mass surveillance. Here, a "person of interest" is also just an "attendee." They are inseparable until the software has done its sorting, and even then, the non-hit information is held onto for months or years before being discarded.
Beyond the documents, there's the captured video, much of which remains online and accessible by the general public.
[M]ore than 50 hours of recordings — samples of which are highlighted herein as examples — remain intact today.
Dig gathered up all of this info and confronted the Boston Police Department about its involvement in this project.
Reached for comment about “Face Capture” and intelligent video analysis, a Boston Police Department spokesperson wrote in an email, “BPD was not part of this initiative. We do not and have not used or possess this type of technology.”
The Boston Police Department denied having had anything to do with the initiative, but images provided to me by Kenneth Lipp, the journalist who uncovered the files, show Boston police within the monitoring station being instructed on its use by IBM staff.
The outing of these documents forced the city to acknowledge its participation.
In response to detailed questions, Kate Norton, the press secretary for Boston Mayor Marty Walsh, wrote in an email to the Dig: “The City of Boston engaged in a pilot program with IBM, testing situational awareness software for two events hosted on City Hall Plaza: Boston Calling in May 2013, and Boston Calling in September 2013. The purpose of the pilot was to evaluate software that could make it easier for the City to host large, public events, looking at challenges such as permitting, basic services, crowd and traffic management, public safety, and citizen engagement through social media and other channels. These were technology demonstrations utilizing pre-existing hardware (cameras) and data storage systems.”
The city claims it's not interested in pursuing this sort of surveillance at the moment, finding it to be lacking in "practical value." But it definitely is interested in all the aspects listed above, just not this particular iteration. It also claims it has no policies on hand governing the use of "situational awareness software," but only because it's not currently using any. Anyone want to take bets that the eventual rollout of situational awareness software will be far in advance of any guidance or policies?
Better security is also a must and Boston's -- despite recent events -- seems to be full of holes.
Similarly, [Dig's Kenneth Lipp] easily found his way into lightly secured reams of documents that include Boston parking permit info, including drivers’ licenses, addresses, and other data, kept online on unsecured FTP servers.
“If I were a different kind of actor, a malicious state actor, I could pose a significant threat to the people of Boston because of what I have in the folder.”
Government entities roll out pervasive surveillance programs, almost exclusively without consulting the public, and expect citizens to trust them with the data -- not only what they share and whom they share it with, but to keep it out of the hands of criminals and terrorists. But Boston (and IBM) have proven here that this trust is wholly undeserved.
When the Boston PD lied about its involvement, I'm sure it expected any damning info to be safely secured. Now that it knows that's not true, I wonder if it will be more careful in the future, both with the data it collects on its own as well as its partnerships with third parties.
Unfortunately, as with any mass surveillance, the ease of collecting it all turns everyone into a suspect until proven otherwise. Better targeting and stricter data minimization rules would mitigate this somewhat, but those deploying these programs usually feel it's better to have it all… just in case.