Identity News Digest – June 14, 2024

Welcome to FindBiometrics’ digest of identity industry news. Here’s what you need to know about the world of digital identity and biometrics today:

Houston Council Approves $178K Facial Recognition Network for Police

The Houston City Council has approved a $178,000 contract with Airship AI Holdings, Inc. to install a 64-camera network for the Houston Police Department (HPD) that will use facial recognition technology. The one-year agreement also includes additional server space for the system, though camera locations have yet to be determined. While HPD supports the initiative to combat crime, concerns have been raised about privacy and the risk of misidentification, particularly from local residents and experts like Texas Southern University professor Carroll Robinson. Robinson, alongside Dr. Michael O. Adams, advocates for legislation to prevent racial discrimination in AI applications.

IRS Directs Online FOIA Requests to Biometric IDV Service, Drawing Scrutiny

The IRS is under scrutiny for directing users filing Freedom of Information Act (FOIA) requests through its online portal to use ID.me, a biometric identity verification service. ID.me’s system, which requires users to upload a photo ID and either take a selfie or participate in a video appointment, has raised privacy concerns. Critics, including Alex Howard of the Digital Democracy Project, argue that this requirement could be seen as overreach and a potential violation of the right to access information. While FOIA requests can still be submitted via FOIA.gov, mail, fax, or in-person, the IRS promotes ID.me for faster service. The IRS defends its choice, stating that ID.me follows National Institute of Standards and Technology (NIST) guidelines and that the collected biometric data is promptly deleted—within 24 hours for self-service verification and within 30 days for video verifications.

Bulgaria Prepares Rollout of Biometric IDs

Bulgaria will launch a new biometric ID card on June 17, featuring an embedded chip with biometric data such as fingerprints and a photograph. This initiative aims to enhance document security and streamline border crossings within the EU. The new card will also support future use of electronic identity certificates for online authentication. Existing identity cards issued before June 17, 2024, will remain valid until August 2, 2031, or their expiration date. The implementation is led by a consortium headed by Mühlbauer, which secured a 240 million Bulgarian Leva contract (approximately $134 million) for ten years, covering the design and production of the new ID cards, residence cards, and permits. The modernization effort, funded partly by the EU’s Operational Programme Good Governance and the Internal Security Fund, aims to provide advanced anti-forgery protections.

Kaspersky Researchers Flag Numerous Security Vulnerabilities in ZKTeco Access Control Systems

Kaspersky researchers have identified 24 security vulnerabilities in biometric devices made by ZKTeco, which are widely used in offices, hospitals, and critical infrastructure like nuclear and chemical plants. These flaws allow attackers to bypass biometric verification and gain unauthorized access. Notable issues include CVE-2023-3938, an SQL injection vulnerability that enables hackers to manipulate databases and access sensitive information, and CVE-2023-3940, which allows attackers to read any file on the system, including biometric data and passwords. Other vulnerabilities allow for unauthorized command execution and complete system control, as well as the upload of malicious data and the creation of backdoors. Affected models include ZKTeco’s ProFace X and Smartec solutions.

Deepfakes Could Push Financial Fraud Losses to $40B by 2027: Deloitte

Deloitte has highlighted the escalating threat of deepfake technology in financial services fraud, predicting that generative AI could drive U.S. fraud losses to $40 billion by 2027, up from $12.3 billion in 2023. The consultancy’s Center for Financial Services report indicates that the rapid development and accessibility of generative AI tools make it easier for fraudsters to create deepfake videos, voices, and documents, thereby challenging current anti-fraud measures. The financial sector is particularly at risk, with a 700 percent increase in deepfake-related incidents in fintech in 2023. Business email compromises, already a common fraud type, are expected to become even more prevalent with generative AI. While banks have been early adopters of fraud prevention technologies, Deloitte asserts that existing frameworks may not suffice against AI threats. The report recommends integrating advanced technology with human expertise, collaborating with third-party providers and industry peers, educating customers, and investing in employee training and new talent to effectively combat AI-assisted fraud.

Ontario Police Agencies Defend IDEMIA Tech in Light of 2019 Wrongful Arrest

IDEMIA technology was implicated in the wrongful arrest of Nijeer Parks in 2019, who was detained for ten days on charges of shoplifting and assault based on a facial recognition match to a fake driver’s license. Parks was later exonerated after proving he was in another city during the incident. The facial recognition system that had been provided by IDEMIA is now being implemented in two major municipal jurisdictions in Ontario, Canada. Despite the past incident, Ontario police agencies including Peel and York region police, are defending the technology, stating that they will not make arrests solely on biometric matches and that human investigators will corroborate matches with other evidence. They also highlight advancements in facial recognition accuracy since 2019, referencing a National Institute of Standards and Technology evaluation ranking an IDEMIA algorithm as top for accuracy regarding false match rates.

—

June 14, 2024 — by Tony Bitzionis and Alex Perala