Recently, a Florida airport learned a fact that most high-security
organizations already know: facial recognition doesn’t work.
This article
in the Register details a month-long trial period with a Visionics
face recognition system at Palm Beach International Airport. The
system was tested on 15 volunteers from the airport’s staff.
Visionics is one of the leaders in the field, and yet the success
rate was less than 50% – that is, the Visionics system failed to
recognize “terrorist” faces more than half of the time. Even worse,
the false positive rate was unacceptably high – 1 in 100 people
were falsely labeled as terrorists.
Last September, Bruce Schneier wrote a devastating argument against
face-scanning in his
Cryptogram newsletter.
I won’t repeat his ideas verbatim, but he concluded that facial
recognition simply doesn’t work. Its false positive rates make it
effectively useless, and what’s worse, the reference biometrics for
terrorists are unusable. If the system has a success rate of 50%
with high-resolution pictures in good lighting, how will the system
do with grainy, out-of-date pictures from 1000 yards?
Even worse, face scanning couldn’t have prevented most incidents
like 9/11 and the Oklahoma City bombing. Timothy McVeigh and the
9/11 hijackers weren’t in any federal photo databases. This is
one of the dirty little secrets of face scanning – the “terrorist”
database is usually nothing more than a criminal database, full of
carjackers and drunk drivers but conspicuously empty of actual
terrorists.
Reactive security
This may paint a gloomy picture, but personally, I believe the
problem runs deeper than faulty or misplaced technology. Post-9/11,
national security has become a hot topic. Technology vendors have
rushed to announce new security features in their shipping
products. Unfortunately, the vast majority of efforts to increase
national security have been reactive, not proactive. We have
attempted to combat terrorism by increasing security at potential
terrorist targets, such as airports, federal buildings, and
stadiums.
This is a fundamentally flawed endeavor, and it will not prevent
terrorism. We cannot protect every terrorist target – first, the
prevention mechanisms don’t work, as shown above, and second,
anything could be a target. If terrorists detonated a high-yield
conventional bomb in a small rural town, killing 5,000-10,000
people, would it be any less of a tragedy than 9/11? I don’t think
so.
Proactive security
We need to invest in proactive security, not reactive security. We
need more FBI agents on the ground, both in the US and abroad. We
need more reconnaissance and more opportunities to gather
international intelligence. We need to cooperate with intelligence
agencies in Europe, Asia, and the Middle East to actively search
out and infiltrate terrorist groups.
These methods are preemptive, deterministic, and proven to be
effective. For example, within weeks of 9/11, US intelligence
agencies had successfully investigated the al-Qaeda terrorist
network and had complete and accurate information on its location
and activities.
Of course, such proactive methods are a far cry from declaring war
on rogue nations that harbor terrorists. I’m not sure I agree with
the idea of a “war” on terrorism, per se. However, the bottom line
is that reactive national security will not prevent terrorism.
Proactive security will.