Study: Live facial recognition by police only possible unlawfully

May the German police build databases with people's images to enable live facial recognition from video camera recordings? This political desire for largely automated searches for individuals posing a threat, criminals, and wanted persons is not entirely new. After all, the coalition agreement between the CDU, CSU, and SPD includes a clause stating that security authorities should be allowed "to conduct automated data research and analysis, as well as subsequent biometric matching with publicly accessible internet data, including through artificial intelligence," taking into account constitutional requirements and digital sovereignty.

However, alongside a lot of science fiction, one question in particular plays a role: What are the technical prerequisites for these criteria to be met? Because the political and legal answers depend heavily on them. The organization Algorithmwatch commissioned a study from Hamburg-based information scientist Dirk Lewandowski to explore the technical and legal limits of such hypothetical scenarios.

Live search "only theoretically possible"

Lewandowski examines various approaches to how real-time matching of facial images with the publicly accessible internet or entirely proprietary databases can be technically organized. Among other things, the scientist describes how the image search engine PimEyes, which is impermissible in the EU but well-known, operates: it not only stores images and their properties but also a template with essential features of the person depicted. This leads to faster and more accurate search results. "The superiority in search lies in the fact that biometric facial features are used for the search, and not just low-level features like shapes and color distributions or surrounding texts," the study states in the study.

However, what does not work is a pure live search: "Without building a database, no 'one to many' match can be performed, only a 'one to one' comparison." This direct comparison of two image files would then have to take place en masse to circumvent the need for a database – from an information science perspective, a "live search" on the web is therefore "only theoretically possible," says Lewandowski.

But what does this mean for the federal government's plans to create further possibilities here? At a joint press conference in Berlin this morning, representatives from various organizations emphasized that the federal government must draw consequences from this. The government cannot ignore these technical facts, says Algorithmwatch CEO Matthias Spielkamp, and calls for the preparations in the federal cabinet to be halted. "The biometric identification methods being pursued would inevitably violate EU law because they cannot be implemented without the use of databases." The EU AI Regulation prohibits exactly such databases.

Indeed, the AI Regulation contains numerous provisions for "real-time remote biometric identification," but does not fundamentally prohibit it for law enforcement purposes. However, Article 5 of the Regulation expressly prohibits "the placing on the market, the putting into service for this specific purpose, or the use of AI systems that create or expand databases for facial recognition by indiscriminately extracting facial images from the internet or from surveillance recordings." Lewandowski's expert opinion is likely to reignite the debate as to whether the prohibited acts and the permitted exceptions are technically compatible with each other at all.

Former Federal Commissioner for Data Protection Ulrich Kelber unequivocally warns Federal Minister of the Interior Alexander Dobrindt (CSU) that legislation could once again end up before the Constitutional Court: "The Federal Ministry of the Interior has not learned from this and wants to enact legal regulations again that clearly violate the requirements of the constitution, data protection, and AI regulation." Kelber had already expressed strong criticism of corresponding plans during his tenure until 2024.

Simone Ruf from the Society for Civil Rights (GFF) sees little room for maneuver for the legislator: "From our perspective, it is very likely that matching against a reference database will not stand up before the Constitutional Court." Furthermore, with an existing corresponding authorization at the Federal Office for Migration and Refugees, it would be considered to remove all security mechanisms. The risk and success are disproportionate.

Amnesty: Exclude Palantir from public contracts

People's body data should not be a free commodity, emphasized Matthias Marx from the Chaos Computer Club (CCC). Existing providers would be illegal in the EU for good reason. "Regardless of who operates them: biometric mass surveillance is unlawful. The police must not resort to criminal private face search engines like Pimeyes or ClearviewAI, and certainly not to legitimize them through the back door," warns Marx against the temptation that might have arisen from the case of former RAF terrorist Daniela Klette. Commercial services must be actively combated by German data protection authorities with all legal means.

Julia Duchrow from Amnesty International warns of potential for misuse and the intimidating effect of AI and biometric matching methods, which also pose a significant risk of discrimination. She explicitly warns against using software from the US provider Palantir and calls for the company to be excluded from public contracts.

Civil society actors and the former Federal Commissioner for Data Protection do not currently expect the EU, as part of current reform efforts under the heading "Digital Omnibus," to possibly change the corresponding restrictions of the AI Regulation. From Matthias Spielkamp's perspective, this makes the cabinet's plan by Schwarz-Rot pointless: "If you don't build a database, you get nothing out of it, but you're not allowed to build a database."

(vbr)