
A year later, how secure is Ohio's facial ID system?

Chrissie Thompson
cthompson@enquirer.com

LONDON, Ohio – One year later, Ohio's facial recognition system still has fewer restrictions for its use than others around the U.S., and commonplace features to secure the system are still months from implementation.

But Attorney General Mike DeWine's office has cut the number of users by nearly 80 percent and eliminated all access by out-of-state law enforcement agencies.

The changes are intended to limit the opportunities someone might have to misuse the system – say, by uploading a snapshot of an attractive passerby and using the software to identify him.

Officials say the remaining users need access to the system to identify crime suspects using images, such as from a security camera.

But critics say the system is still too permissive.

A year ago this month, an Enquirer investigation revealed DeWine's office had quietly launched facial recognition software to search Ohio driver's license photos. Without notifying Ohioans, the state was allowing more than 26,500 police officers and court employees – thousands more than in other states – to upload a snapshot and try to identify the person in it, from any device with an Internet connection.

What's more, the state lacked a process for auditing to catch unsuspected misuse. And after The Enquirer investigation brought attention to the software, officials scrambled to add common security features, such as requiring stronger passwords, to keep hackers from viewing information about nearly every Ohioan.

Since then, the attorney general's office has changed the system to address privacy concerns. But many updates have taken months, and some are still in progress. Meanwhile, users have run nearly 8,900 facial recognition searches.

Who can use the system

• What's changed. Access to facial recognition in Ohio remained at sky-high levels until this spring. That's when the attorney general's office updated its statewide law enforcement database to allow law enforcement agencies to select which officers needed access to individual software applications.

Court employees lost access to facial recognition, which former judges had said they didn't need for their jobs. Police chiefs limited access to only officers who conduct investigations. Approximately 150 officers from cities and states outside Ohio lost access, too.

By April, the number of users had dwindled to 7,830. It was down to 5,100 in May, then inched up to 5,594 as of last month, when two advisory boards held public meetings at the Bureau of Criminal Investigation headquarters in London.

BCI chief Tom Stickrath takes requests from out-of-state agencies that are seeking access. So far, he hasn't granted any – the requests have all been too general. He'd be willing to grant access if an out-of-state agency thinks the software will help it solve a specific case, he said.

• What hasn't. Even with facial recognition users cut by four-fifths, Ohio's 5,594-person system still lands at the top end of the most permissive systems in the U.S.

An Enquirer investigation last fall found most states with facial recognition software limit access to a handful of state investigators or license bureau staffers, who sometimes take requests from law enforcement officers around the state.

In Kentucky, for instance, only a few dozen state police officers and a couple license bureau staffers can run a facial recognition search. Illinois has an unusually large number of users, but even that state limits access to its 3,000-person state police department.

Ohio's access is wide in part because its statewide law enforcement database is unmatched in other states, Stickrath said. But even the state with the closest system, North Carolina, limits facial recognition use to a handful of fraud investigators in its license bureau. Officers must apply for the investigators to run searches for them on a case-by-case basis.

"When I look at (other states') numbers, it raises the question: Is 5,000 still way too big for facial recognition?" Capital University law professor Dennis Hirsch said at last month's advisory meeting. "My concern is some kind of incident of abuse that ends up being an embarrassment for the program."

Fellow committee member Phil Stammitti, the Lorain County sheriff, defended the wide access. He's limited facial recognition in his department to detectives and their bosses.

"I think the officers do need that kind of access to save a life or ... pick someone up who might be a fugitive," he said. "You've got to trust the officers that they're doing the right thing.

"I think the controls are in place" to catch misuse.

How the state can catch abuse

• What's changed. As of last month, those "controls" Stammitti referenced include audits to check for inappropriate searches.

Using the state's law enforcement database for noninvestigative purposes is a felony. But rather than audit searches, the attorney general's office kept a record of every search made by all users. If a local police officer was suspected of misusing the system – say, someone reported a police officer was stalking her – the department accessed that record to see whether the officer's searches related to his job.

DeWine defended the practice last August, saying the threat of jail time deterred bad behavior. But an advisory panel recommended random audits to catch undetected abuse.

So far, DeWine's office has conducted four audits, selecting agencies randomly. The auditors recommended some tweaks in the agencies' roster of database users, but didn't find any misuse. Beyond the audits, the attorney general's office hasn't received any reports of misuse of facial recognition software.

• What hasn't. Officials are still working out how often they'll audit agencies, Stickrath said.

Even with a more robust audit system, some abuse could slip through unnoticed, said David Pepper, the former Hamilton County commissioner who is DeWine's Democratic opponent this November. Pepper has called for limiting facial recognition access to several dozen people who would take requests from other officers, as in most other states with the software. A smaller user pool would limit the possibilities for misuse, he said.

"A year after they've launched this, having done 8,900 searches, they still clearly don't seem to have a system to detect abuse," Pepper said. "No other state in the country is doing it in this shoddy of a way. They've got a real blind spot for the basic privacy of citizens."

Containing the expansion of facial recognition may also help prevent intrusive use by the government, said Gary Daniels, chief lobbyist for the ACLU of Ohio.

"Concerns remain about what the government itself does or someday will do with this information," Daniels said in a statement. "As technology improves and costs drop, we anticipate expanded use of facial recognition. ... It is what always happens with surveillance technology and law enforcement."

How it's secured

• What's changed. In June, IT specialists updated the facial recognition system to require officers to input a case number before running a search. That makes it easier for officials to check whether a search is related to a numbered crime investigation.

That change tops several catch-up security measures DeWine's office put in place last summer.

When facial recognition first launched, the law enforcement database that contains the system had few password guidelines.

Passwords, which worked anywhere with access to the Internet, were simply to be between six and 20 characters. Two weeks after The Enquirer broke the news of the system's launch, the attorney general's office changed those guidelines to require at least eight characters.

Around the same time, IT specialists updated the system to log users off automatically if their account was inactive.

The system also requires users to change their passwords more frequently.

• What hasn't. The tech team is working to make the system more secure to use on mobile devices, such as iPhones or iPads. Right now, officers can use the law enforcement database on smartphones that lack certain security and anti-malware features.

An update that's in process would implement a "mobile device management system," a common IT feature that contacts the iPhone to determine whether it has certain security features before allowing access.

That development could be as much as a year away, said Joe Dietz, who oversees the database.

Another update in process would trigger security questions if an out-of-state computer tried to access the system.

Gannett Ohio's Jessie Balmert contributed.

Four things you should know about Ohio's facial recognition software

1. What it does. An officer can upload a snapshot of an unidentified suspect or, in some cases, an image from a security camera. The system searches through all Ohioans' driver's license photos and police mugshots. The computer then offers a sampling of photos that might be matches with the suspect. The officer can then evaluate the photos and try to identify the suspect.

2. What information it unlocks. Paired with a driver's three latest license photos are all the personal information found on a driver's license – sex, address, birth date, height, weight, and eye and hair color. The database also contains auto-registration and concealed-carry-license records and indicates how frequently a person's information has been viewed by officers around the state.

3. Who could get hurt. Before the facial recognition system's development, officers had to know a person's name or address to find a photo. Now, with facial recognition, officers can potentially identify any stranger they see or encounter, as long as they have a photo. For instance, an officer could conceivably use her home Internet access to log into the system and identify bar-hoppers – although such action would be illegal.

4. How it can help. In Solon, near Cleveland, police arrested a woman passing counterfeit $50 bills. She only knew her supplier by his street name, but gave officers a photo from her Instagram account. They identified the man using facial recognition, and the U.S. Secret Service arrested him for counterfeiting. Investigators also used facial recognition to identify an Akron homicide suspect this winter.

Facial recognition timeline

June 6, 2013: AG's office launches the system, without notifying Mike DeWine.

June 20, 2013: DeWine's deputies tell him about the launch. DeWine and officials keep the system live.

Aug. 26, 2013: An Enquirer investigation reveals the system's launch. DeWine holds a press conference, saying he should have told the public about the launch.

Sept. 6, 2013: AG's office updates database password requirements.

March: AG's office begins cutting down access to facial recognition.

June: System updated to require crime case number for facial recognition search.

July: Officials conduct first audits.