Biometric tests with police data: IT expert sues Federal Criminal Police Office

On Friday, IT security expert and hacker Janik Besendorf, with the support of the Chaos Computer Club (CCC), filed a lawsuit against the Federal Criminal Police Office (BKA) at the Administrative Court in Wiesbaden. He accuses the authority of unlawfully processing his biometric facial data and presumably also passing it on to third parties for trial runs of biometric facial recognition.

According to the CCC, the lawsuit specifically targets a cooperation between the BKA and the Fraunhofer Institute for Computer Graphics Research (IGD). The Wiesbaden police authority is alleged to have misused nearly 5 million facial data records from the Inpol-Zentral (Z) police database and transferred them to the IGD without legal basis. The images were used as test material for four new BKA facial recognition systems.

Besendorf, whose facial photo was entered into the INPOL-Z database in 2018 after being processed by the identification service on charges of trespassing, feels that he has been unwittingly turned into a test subject. According to Netzpolitik.org, Besendorf wants to wait until the proceedings are concluded before potentially requesting that his photos be deleted. This is to prevent evidence from being destroyed.

Dispute with the data protection supervisory authority

The BKA's approach became known in 2021 through a request by CCC spokesperson Matthias Marx under the Freedom of Information Act (IFG). The then Federal Data Protection Commissioner Ulrich Kelber considered the investigators' practice to be problematic, but a subsequent complaint by Besendorf was unsuccessful.

According to Netzpolitik.org, the BKA wrote to the data protection authority: The image data had not left the authority "and was not available for inspection by Fraunhofer IGD employees." Strict data protection measures were taken during the test. The computer system used was password-protected and housed in a locked room to which only the project team had access. In addition, the computer was never connected to the internet or other police systems. The photos were reportedly transported on an encrypted hard drive, and after they were imported, the system's USB ports were deactivated.

New "security package" in the works

However, the report also stated that IGD experts had been in the computer room "under BKA supervision". Politicians from the Left Party criticized at the time that the whole process was "exemplary of how the security authorities deal with data protection requirements." Either the relevant supervisory authority is not involved at all, its competence is disputed, or the need for a legal basis is denied.

Automated facial recognition is playing an increasingly important role for German security authorities. By 2023, the local police will have almost 6.7 million relevant photographs of around 4.6 million people in Inpol-Z. The GES facial recognition system has been in use since 2008. The number of searches carried out with it has been rising rapidly for years. With a new, hotly contested "security package," Federal Interior Minister Alexander Dobrindt (CSU) wants to massively expand the powers of law enforcement agencies in this area.

(nie)