Tattoo Recognition Score Card: How Institutions Handled Unethical Biometric Surveillance Dataset

In response to an EFF marketing campaign began final yr, roughly a 3rd  of establishments that we imagine requested problematic and exploitive information as a part of a authorities automated tattoo recognition problem deleted the info or reported that they’d by no means acquired or used it.

EFF has lengthy been involved with the numerous issues related to efforts to make use of automated tattoo recognition, a type of biometric surveillance just like face recognition that may use your physique artwork to disclose your id or private details about you, equivalent to your political, non secular, familial, or cultural affiliations. We  have specific moral issues about an effort often called Tatt-C (also referred to as the Tattoo Recognition Problem) that was managed by the Nationwide Institute of Requirements and Expertise (NIST) and the Federal Bureau of Investigation. NIST launched this tattoo recognition program in 2014 by creating an “open tattoo database” that establishments may use to check, practice, and enhance software program that would acknowledge tattoos.

As a part of the problem, members acquired a CD-ROM stuffed with pictures to check their tattoo recognition software program. Nonetheless, this dataset was created with 15,000 pictures most of which have been collected from prisoners, who have been unaware of the supposed use of the photographs.

After EFF filed a FOIA lawsuit in 2017 searching for entry to NIST and FBI data about Tatt-C, we obtained paperwork that listed establishments and different events that had requested the Tatt-C dataset. We then wrote to every entity and demanded that the analysis establishments, if they’d acquired the Tatt-C dataset, delete the photographs, provoke an inner assessment of all analysis generated through the use of the dataset, and start a assessment of the establishment’s insurance policies for coaching and utilizing biometric information collected from people that didn’t consent to be photographed or to have their pictures utilized in such a manner.  

As EFF wrote within the letter despatched to the recipients of the dataset, there have been can be appreciable concern that there was no moral assessment of the gathering process that’s typically required when conducting analysis with human topics: 

“When compiling the Tatt-C dataset and conducting the Tatt-C problem, NIST researchers did not comply with the Frequent Rule’s necessities for moral assessment of the challenge. Particularly, the researchers didn’t search a Human Topics willpower, which is required earlier than assessing whether or not analysis have to be reviewed by an impartial assessment board (IRB). In keeping with official reports, ‘the human topic’s willpower was not recognized to be essential for the proposed use of information.’

NIST found the oversight solely after the Tatt-C analysis was performed. At that stage, Data Expertise Lab Director Charles H. Romine took the weird step of retroactively figuring out that the analysis didn’t contain human topics.  EFF’s analysis of the applying and willpower discovered a number of crimson flags, together with faulty claims that the info was sufficiently de-identified from the topics and downplaying NIST’s position in creating the info set. Lots of the pictures reviewed by EFF contained personally figuring out data, together with folks’s names, faces, and delivery dates. Of nice concern was the researchers’ omission that the info was collected from prisoners, which typically triggers larger scrutiny.”

Tattoos are additionally extremely private and sometimes include particular data and identifiers that might be used to trace down an individual even when their face and id have been obscured. For instance, regardless that the names of the inmates have been faraway from the Tatt-C metadata, the tattoos themselves typically contained private data, equivalent to life-like depictions of family members, names, and delivery dates that each one stay viewable to researchers.

Practically all of the entities that responded did verify the info had been deleted. Nonetheless, at the very least one college was nonetheless conducting analysis with the dataset 5 years later. The College of Campinas (UNICAMP) College of Engineering Pc Engineering in Brazil despatched a letter that said researchers are solely required to hunt ethics assessment for human information collected inside Brazil. UNICAMP mentioned that Prof. Léo Pini Magalhães would proceed to make use of the tattoo pictures via the top of yr after which would delete them. The college additionally refused to acknowledge that pictures contained private data. UNICAMP additionally mentioned that the professor is grabbing pictures of tattoos from the online, a apply that has more and more come below hearth from Congress in mild of the Clearview AI face recognition scandal.

UNICAMP’s response illustrates the issue with Tatt-C: as soon as the flawed dataset was shared, the federal government misplaced the power to regulate how the delicate pictures have been used. A number of establishments that didn’t reply to our letter are primarily based overseas, together with France, South Africa, Thailand, Mexico, and Peru. Due to this fact, it could be tough, if not not possible, for U.S. authorities to carry these entities accountable in the event that they misuse the data.

The desk beneath particulars the establishments that NIST recognized in authorities data as having requested the Tatt-C dataset and their responses to EFF’s letter.

For extra details about tattoo recognition expertise, take a look at EFF’s Street-Level Surveillance guide.