Facial recognition: BKA used millions of police photos for test

The Federal Criminal Police Office (BKA) has extracted 4.8 million facial images from the central police information system INPOL-Z for software tests and given them to the Fraunhofer Institute for Computer Graphics Research (Fraunhofer IGD). In 2019, Fraunhofer IGD used real images in a project called EGES (Ertüchtigung des Gesichtserkennungssystems im BKA) to determine how well the system used by the BKA performed compared to products from four other manufacturers.

The 4.8 million frontal facial images were taken from around 3 million people, according to one of many documents published on the process. According to the Fraunhofer IGD evaluation report, frontal and half-profile images were used as test images. In order to test the recognition accuracy in as much detail as possible, thousands of images of people with beards and glasses were used. The BKA provided Fraunhofer with a list of 56,500 beard wearers and 19,500 spectacle wearers. The BKA and the Federal Commissioner for Data Protection (BfDI) have not yet responded to inquiries about these processes from heise online.

"Scientific research"

According to a report by BR, the BKA declared the project to be "scientific research" and referred to the BKA Act. However, according to BR, the BKA initially pointed out that the BfDI did not have to be involved in the processes, nor was it necessary from a technical point of view. Matthias Marx, spokesman for Chaos Computer, received the final report from the BKA in response to a request under the Freedom of Information Act and then contacted Kelber.

In a letter dated June 17, 2022, the BfDI described the process as "problematic" and doubted that the tests were about science, the letter continued: "There is a lack of a legal basis." However, Kelber also wrote: "Considering the complexity of the legal situation, which is assessed inconsistently (see in particular the opinion on Section 48 BDSG), I refrain from raising an objection."

According to the BKA, the computers on which the evaluations were carried out were located in a specially provided room without Internet access at the BKA location in Wiesbaden. Access to the computers was restricted to the BKA project team and data was permanently deleted. According to BR, Marx criticizes that the data was used for a purpose for which it was not collected.

General Data Protection Regulation in play

The Federal Criminal Police Office had referred to Section 21 of the BKA Act, among other things. This states, among other things: "The Federal Criminal Police Office may, within the scope of its tasks, further process personal data held by it if this is necessary for certain scientific research work, insofar as it is not possible to use anonymized data for this purpose and the public interest in the research work significantly outweighs the interest of the data subject worthy of protection."

However, as software tests do not fall within the scope of law enforcement and security, the General Data Protection Regulation (GDPR) applies. In response to a recent BR inquiry, the BKA is now also referring to the GDPR. Mark Zöller, Professor of Criminal Law and Digitalization at LMU Munich, on the other hand, says according to BR that security authorities are not allowed to refer to general data protection law, but must always comply with the respective specialist laws, i.e. the BKA law in this case. Security authorities have repeatedly rushed ahead with new technologies without a clear legal basis.

Only recently, the Bavarian State Office of Criminal Investigation ended tests of its new analysis software from the controversial data mining company Palantir using data from real people. This was sharply criticized by the Bavarian data protection commissioner.

(anw)