Germany: Federal police used mugshots to test facial recognition, report says

A man whose photo was presumably used in the tests is weighing a lawsuit against the BKA. (Source: IMAGO / Björn Trotzki)

The Bundeskriminalamt (BKA), Germany’s federal police, commissioned tests of facial recognition software using the photos of three million people. That’s according to a report from Bayerischer Rundfunk (BR). Experts criticize the BKA’s actions.

As BR reports, in 2019 the Fraunhofer Institute for Computer Graphics Research evaluated facial recognition software from various suppliers at the behest of the BKA. The project, which bore the name “Fitness of BKA Facial Recognition Systems” (“Ertüchtigung des Gesichtserkennungssystems im BKA”), was meant to test how well the system used by the BKA stood up in comparison with four other products.

For the tests, the BKA provided the Fraunhofer Institute with roughly five million facial photos of around three million people from the central police information system INPOL-Z. The information comes from the project’s final report, says BR, which was released in response to freedom of information requests. In order to test how precise the facial recognition software’s capabilities were, the BKA also provided a list of 56,500 bearded individuals and 19,500 individuals who wear glasses.

When asked to comment, the BKA said that the test was necessary “in light of the great significance of facial recognition for law enforcement and danger prevention.”

Mark Zöller, professor of criminal justice and digitalization at the Ludwig Maximilian University in Munich, criticized the BKA’s actions. The case once again demonstrates how security agencies charge ahead without a clear legal basis, he said. In his estimation, this manner of data processing encroaches on fundamental rights – and could also affect individuals who have wound up in the INPOL system without being convicted of a crime.

Said Zöller: “I find it very risky that they would be working with millions of people’s data without making sure to check the legal basis beforehand.”

BKA calls project research

In discussions with Ulrich Kelber, the Federal Commissioner for Data Protection and Freedom of Information (BfDI), the BKA declared the project to be “scientific research” and invoked the BKA-Gesetz, the law governing the BKA, BR reports. Commissioner Kelber, however, characterized the tests in a 2022 letter as problematic and wrote that they lacked a legal basis. “In light of the complexity of the legal situation,” the commissioner nevertheless declined to raise an objection.

After further review, the commissioner’s office concluded that “the testing of software products does not fall under the purview of law enforcement and danger prevention, for which reason the GDPR applies here.” In response to a request from BR, the BKA also invoked the General Data Protection Regulation (GDPR).

Zöller, the criminal justice expert, told BR that the tests were conducted by the police in connection with their work. The BKA could not, Zöller said, invoke the GDPR with regard to law enforcement and danger prevention; rather, the agency had to abide by the relevant laws pertaining to its specific mandate. In the case at hand that would mean the BKA-Gesetz – and that law does not stipulate which data may be used by security agencies for software tests.

Federal commissioner informed late

According to the report, the BKA repeatedly took months to respond to requests for information from the BfDI, and provided few details when it did. The commissioner’s office didn’t receive the final report until one and a half years after the project’s conclusion – and only then learned that millions of actual photos had been used.

The BKA told Bayerischer Rundfunk that it was under no legal obligation to inform the BfDI. Nor was it technically necessary to do so.

In an interview with BR, Federal Commissioner Kelber called for clear rules for such tests and criticized the BKA: “Security agencies often have an interpretation of the legal situation which, from their perspective, is very broad.”

Criticism of misuse

In order to ensure the security of the data used in the tests, the data were analyzed on computers kept in a separate room, without an internet connection, at one of the BKA’s campuses. After the project’s conclusion the hard drives were destroyed.

But Matthias Marx, spokesperson for the Chaos Computer Club (CCC), nevertheless criticized the BKA, saying that the data were used for a purpose other than that for which they had been collected: “Even with measures taken to secure the data, misuse is misuse. The data were collected for the purpose of law enforcement and may be used only for that purpose.”

Marx has advocated against the use of biometric surveillance technology for years and had requested access to the final report on the project in accordance with Germany’s freedom of information law. It was interesting to see which actors were conducting which experiments “with our data,” he said.

The BR report also mentions an individual presumed to have been affected by the project: IT expert Janik Besendorf was booked under suspicion of domestic disturbance in 2018. The case was dismissed soon afterwards, but he assumes that the photos taken of him at booking were used in the tests of different facial recognition systems. He has filed a complaint with the BfDI – and according to BR, he is also considering filing a lawsuit against the BKA.

By its own admission, the BKA has been using a facial recognition system since 2008. The system, which is meant to identify unknown perpetrators, compares available images with photos stored in INPOL, the central police information databank. (js)