
ICO says UK police must ‘slow down’ use of facial recognition

The Information Commissioner’s Office is calling for a statutory code of practice to govern how police in the UK deploy live facial recognition technology, while controversy surrounding its use continues.


The Information Commissioner’s Office (ICO) is calling on police forces to slow down and properly justify their use of live facial recognition technology (LFR).

Following a 17-month investigation into UK police forces’ use of LFR, the ICO is recommending that the government introduce a statutory and binding code of practice on the deployment of LFR.

The findings and recommendations have been collected in a report of the investigation, which says: “The absence of a statutory code of practice and national guidelines contributes to inconsistent practice, increases the risk of compliance failures, and undermines confidence in the use of the technology.”

Writing in a blog post, information commissioner Elizabeth Denham says the report’s recommendations have such far-reaching implications for law enforcement’s use of the technology that she felt it necessary to publish a Commissioner’s opinion.

The opinion aims to guide police and other law enforcement bodies, such as the Home Office, through how to deploy LFR technology, and is the first of its kind to be issued under the data protection legislation introduced in 2018.

In the opinion, Denham says that the use of LFR in a law enforcement context constitutes sensitive processing as “it involves the processing of biometric data for the purpose of uniquely identifying an individual”.

“Controllers must identify a lawful basis for the use of LFR,” she adds. “The Commissioner expects that to give the public confidence in police use of LFR, more detail is required in data protection impact assessments (DPIAs).”

In Denham’s view, the legislative requirement that this type of data processing be “strictly necessary” has not been properly addressed in previous DPIAs.

In the case of South Wales Police, one of the police forces spearheading the use of LFR, its DPIA considers the processing of biometric data using LFR to be strictly necessary, as “it would be almost impossible for any one police officer to be able to effectively remember and identify several hundreds of individuals from their face alone”.

Similarly, although the Metropolitan Police Service’s DPIA points out that the processing must be “strictly necessary”, it does not explain how the force is meeting this requirement.

The opinion also considers the High Court’s recent ruling that South Wales Police’s use of LFR was lawful as it had “struck a fair balance and was not disproportionate”.

Although generally supportive of the ruling, the ICO takes the view that the combination of law and practice that were relied on by South Wales Police could be made “more clear, precise and foreseeable so that individuals can better understand when their biometric data may be processed by LFR”.


Denham adds the warning that the High Court’s decision should not “be seen as a blanket authorisation to use LFR in all circumstances”.

The ruling itself also states: “The future development of AFR [automated facial recognition] technology is likely to require periodic re-evaluation of the sufficiency of the legal regime.” This leaves the door open for further conflict over use of the technology.

South Wales Police has published on its website a response from deputy chief constable Richard Lewis, who wrote: “South Wales Police’s use of the live facial recognition technology continues to be lawful and proportionate, and we will transparently engage with any stakeholders to ensure a proper understanding of technology and its use for law enforcement purposes.”

The Metropolitan Police responded to Computer Weekly by saying that it does not want to comment on either the report or opinion at the moment.

The ICO is currently conducting a separate investigation into the use of LFR in the private sector, including where it is used in partnership with law enforcement.

“We will be reporting on those findings in due course,” writes Denham.

Public perception and attitudes to LFR

As part of its investigation, the ICO commissioned Harris Interactive to conduct market research to understand how the public feels about police using LFR technology.

The findings of the survey and interviews conducted by Harris Interactive show that there is strong public support for police LFR, with 82% thinking it was an acceptable use of the technology.

In addition, 72% of those surveyed also agreed, or strongly agreed, that LFR should be used on a permanent basis in areas of high crime.

A national study conducted by the Ada Lovelace Institute from September 2019 shows similarly strong public support.

However, it added the caveat that police usage of LFR must be “qualified”, with a majority (55%) believing the government should place limits on police use of LFR.

While support among society in general is strong, the ICO report acknowledges a separate study carried out by the London Policing Ethics Panel, the London Mayor’s Office for Policing and Crime, and the University College London Institute for Global City Policing.

While support was still strong for police LFR, with 57% of those surveyed still agreeing it was acceptable, the London-specific study found that minority groups, who have historically had a very different relationship with the police, were less supportive. The majority of Asian (56%) and black (63%) people surveyed were opposed to police using LFR.

Support for the technology was also much lower among young people, with 55% of 16-24 year olds and 52% of 25-39 year olds opposed to the police use of LFR.

“The ICO has noted the broad public support for LFR use by the police, but is also mindful that support is far from universal,” says the report.

“The public debate regarding LFR is significant, because the DPA 2018 only allows for LFR to be used by the police when it is strictly necessary for reasons of substantial public interest.”

Continuing controversy

South Wales Police was recently embroiled in another LFR-related controversy when, for the first time since the High Court ruling, it deployed the technology at a Cardiff City versus Swansea City football match at Liberty Stadium on 27 October.

In response to news that LFR was being used, some fans showed up to the game wearing masks and carrying banners reading “No facial recognition”.

Officers confirmed afterwards that they had scanned the faces of more than 20,000 football fans at the event.

Football fans’ faces would have been scanned and compared to “watch lists”, which are made up of custody images that allow the LFR technology to identify people in real time.

In March, biometrics commissioner Paul Wiles confirmed to the UK’s Science and Technology Committee that the Police National Database (PND) currently holds 23 million images taken while people were in custody, regardless of whether or not they were subsequently convicted.

Civil liberties group Big Brother Watch, which has called for the abolition of the technology on a number of occasions, joined with Green Party peer Jenny Jones in July 2018 to take legal action against the Metropolitan Police over its use of LFR, claiming that it “tramples over civil liberties”.

Jones had previously discovered in 2014 that her picture was held on a police database of “domestic extremists” after she had publicly criticised them.


Although the ICO investigation has established that the source of the watch lists is almost always custody images, it points to the fact that “there are potentially thousands of custody images being held with no clear basis in law”, and that there are many alternative sources for the watch list images.

Therefore, it is a real possibility that people such as Jenny Jones, whose images are recorded on secret databases as a result of their political activity, could find themselves on an LFR watch list.

According to Kevin Blowe, a coordinator at The Network for Police Monitoring, a group which seeks to challenge excessive and discriminatory policing, data protection laws are already failing to protect citizens from the police retaining their personal data on secret databases.

“The European Court of Human Rights has said people’s political opinions, expressed through their right to protest, deserve a ‘heightened level of protection’, but there has been no movement from the government or the police to reform and strengthen legal protections for campaigners,” he told Computer Weekly.

“This is why we do not think a code of practice is anywhere near enough. We need an immediate moratorium on the use of live facial recognition and strong, legally enforceable restrictions on intensive police surveillance on political campaigns and on individual activists.”

Human rights group Liberty also shares some of these concerns, arguing that LFR could have a chilling effect on freedom of expression and assembly.

“If we know we’re being watched and having our faces scanned, we change our behaviour,” Liberty states on its website. “We shouldn’t have to change how we live our lives to protect ourselves from unwarranted surveillance.”
