We’ve been drawing more attention to digital security and privacy as of late, largely due to our upcoming digital security guide, which will become available in about a week. The inspiration for the guide was born from the need for a basic repository of easy-to-implement digital security hygiene practices that end-users (all of us with devices) could employ in order to better secure their digital security and privacy. And due to the complexity and depth of some of these topics, more space and time is needed to go beyond the guide.

To be clear, this is not some random bandwagon we’ve jumped on simply due to the rise of connected devices or because we’re scared of mass surveillance. The ability to maintain digital security and privacy in an environment that profits from the sale of your data is critical. The ability to understand and reasonably function in this environment is equally as critical — not just for individual citizens but for military and intelligence professionals as well.

This criticality drives our emphasis to share what we can of the topic and to increase readers’ awareness and familiarity with common practices. That is what we’re discussing today in the context of facial recognition software and surveillance and how they can be used to great effect.

Smile, you’re on camera

We recently introduced the Electronic Frontier Foundation’s facial recognition resource to you, which provides a quick quiz listing the number of facial recognition databases in which one’s data may be present.

SOFREP recently obtained some basic data from Surfshark, a virtual private network provider. Surfshark conducted a study to map the use of facial recognition software in 194 countries and territories around the world. The data — which SOFREP has not independently verified — was derived from research conducted by the Carnegie Endowment for International Peace, the Electronic Frontier Foundation, and AlgorithmWatch. Our intent in sharing this data is to provide a generalized understanding of facial recognition use worldwide.

According to available data, common uses for facial recognition software largely concern law enforcement or security service activities. Specifically, facial recognition software has been employed in public closed-circuit television (CCTV) networks; has been maintained in internal law enforcement databases; and is used to augment identity verification processes during elections or when traveling.

There is no question that facial recognition is valuable under the right circumstances. Facial recognition technologies are a natural evolution of already-present surveillance tools and techniques. For example, CCTV has long proved valuable in reconstructing criminal activity and aided in more rapidly bringing closure to victims’ families. It has also been used to piece together otherwise secret intelligence operations conducted by highly trained operatives — but we’ll get to that shortly.

A key takeaway is that not all facial recognition technologies were created equal. Their use varies greatly around the world based largely on the resources available and respect for civil liberties in the specific country of employment. The question that we heavily weight is: At what cost do the uses of facial recognition software (and mass surveillance) come?

Indeed, facial recognition kiosks at Barbados’ main airport have been shown to reduce security wait times by 60 percent. Facial recognition at an airport in Panama allows law enforcement to identify an average of 30 people wanted by police per day. But how costly is this capability?

In Nice, France, for example, there is one CCTV camera for every 342 residents (the highest number of CCTV cameras in France). China, a notoriously oppressive surveillance state, has approximately 170 million CCTV cameras installed throughout the country — just about one camera for every twelve citizens. At what point does security stifle civil liberties?

Unfortunately, CCTV and other similar mass surveillance practices are difficult to counter. As an individual citizen, there is little one can reasonably do to avoid detection without significantly altering one’s lifestyle. Designing your day around defeating mass CCTV coverage in a modern city would prove quite the feat. And arguably, we have little reason to do so throughout the course of our daily lives — provided we are guaranteed reasonable protection of our civil liberties.

The real concern here is the overall degradation of civil liberties in relation to the security needs of an oppressive surveillance state (looking at you, China). While the U.S. and most other countries around the world are nowhere near as offensive as China, it is important to note when certain evolutions — say in facial recognition technology — slightly change the paradigm for us.

CCTV sucks for spies and assassins

Private citizens are not alone in their privacy and digital security concerns. Intelligence operations have also been particularly impacted by the rise of surveillance in foreign countries, including those professional agencies with otherwise stellar operational security practices. One particular operation was the 2010 assassination of top Hamas leader Mahmoud al-Mabhouh in Dubai, allegedly perpetrated by Israeli Mossad operatives.

Mr. al-Mabhouh was a founder of Hamas’ military wing, a man believed to have been behind the abduction and murder of two Israeli soldiers decades earlier. He was reportedly a liaison for illicit arms shipments from Iran to the Hamas-controlled Gaza Strip–no angel.

In this 2010 incident, an 11-person hit team arrived in Dubai using various fraudulently-obtained European passports. There they located, physically followed, and eventually assassinated Mr. al-Mabhouh inside his hotel room, possibly using a combination of poisoning and strangulation.

Mr. al-Mabhouh’s assassination was a revealing look inside a highly sophisticated and well-planned operation that was only unmasked due to extensive law enforcement review of countless hours of CCTV surveillance footage long after the operatives had departed the city.

While use of surveillance footage did not lead investigators to any significant arrests or judicial action, it did allow them to completely reconstruct the events of that day, thereby providing valuable insight into the tradecraft employed by a well-resourced spy agency’s top operatives. Such insights included observation of the use of disguises, technical expertise involving the reprogramming of hotel room electronic door locks, and other clandestine activities designed to obfuscate the team’s true purpose at their location.

The CCTV footage used to reconstruct the assassination was taken from various cameras at the Dubai airport and several luxury hotels that the hit team visited. The footage was then released in a 27-minute video by a prominent Gulf news outlet in an attempt to hold the perpetrators responsible (video available here). Unsurprisingly, the entire team was traveling under aliases with authentic but fraudulent documents. The operatives had, of course, altered their true appearance — leading to no further public repercussions for the team or its host organization.

I’m not an assassin — so what?

Commentary regarding the morality or legality of such assassinations aside, the interesting problem remains that the entire team was eventually discovered on surveillance footage at one point or another during their very short, deliberately planned, and well-choreographed time in Dubai.

While the operatives all have plausible deniability and some manner of protection due to the use of disguises and false documents, they likely did not appreciate having their entire operation reconstructed for the entire world to critique. Some may argue this was a calculated risk that was outweighed by the benefit of removing Mr. al-Mabhouh from the battlefield, to which we are inclined to agree. As they say, it’s the cost of doing business.

No doubt, the agency behind this hit dedicated considerable resources towards mitigating as much risk as they possibly could — the majority of which comes from being able to trace any operative’s activities in Dubai to their true identity or employer. As we can see, and Dubai is no exception, luxury hotels usually possess extensive security systems to protect their guests. This simply cannot be avoided.

What did the hit team then do? They attempted to mitigate the presence of extensive CCTV coverage by doing the best they could, by employing reasonable disguises and by always wearing baseball caps to partially obscure or shadow their faces in order to minimize the effectiveness of facial recognition attempts. Call it an 80 percent solution that’s “good enough for government work.”

Now, we’re not assassins and may not enjoy the impracticality of wearing baseball caps whenever we sense the presence of a surveillance camera. Thankfully, that is not a lifestyle change we have to follow due to the relative freedoms we are privileged to enjoy in places like the United States. If one is living in an oppressive surveillance state like China, the conversation would be entirely different.

The point here is not to offer any tips or tricks on how to defeat surveillance, because that wouldn’t be appropriate or effective. If one has such a need, your employer will address it for you. In the meantime, use the known case studies such as the 2010 assassination as a thought experiment. Apply your privacy needs to the specific environments in which you operate and go from there. The proper mindset here is critical, and that’s what we’re advocating. We will never tell anyone what to think. Rather, we simply offer ways of thinking that can aid you in your daily lives.

Thanks for listening.