The WAPO article in May of this year (“CIA chief faces stiff test in bid to revitalize human spying”) revealed a peril that has been on my radar for a few years. Writers Warren P. Strobel and Ellen Nakashima reported that the CIA is facing ‘unprecedented operational challenges’ in conducting human intelligence (HUMINT) missions, particularly in “denied areas” such as China, Russia, and other heavily surveilled states. The central premise is that advances in artificial intelligence–powered facial recognition, combined with integrated surveillance networks are making it extremely difficult for intelligence officers and sub-handlers to operate covertly. Maybe, . . . but maybe not.
As I.C. agencies grapple with the proliferation of AI-enhanced facial recognition in denied areas, human intelligence (HUMINT) operators must seek new tradecraft to elude detection. Exploiting the inherent bias vulnerabilities and adaptive learning mechanisms within facial recognition systems, HUMINT operatives can deliberately degrade their reliability, more specifically, by flooding systems with inputs that are not identical but very similar thereby “poisoning” the recognition algorithm. Operators can broaden acceptance thresholds and reduce fidelity. Drawing a parallel with Apple’s iPhone Face ID system, whose adaptive mechanism occasionally grants access to similar-looking individuals (e.g., family members), here is how HUMINT practitioners could deliberately introduce adversarial noise to AI surveillance systems to slip through.
Algorithmic Bias in Facial Recognition
Facial recognition systems are susceptible to algorithmic bias rooted in uneven training data. For instance, the now-classic “Gender Shades” study revealed error rates up to 35 % for darker-skinned women versus < 1 % for lighter-skinned males. More broadly, the National Institute of Standards and Technology (NIST) has documented that commercial face recognition systems misidentify Black and Asian faces 10 to 100 times more often than white faces. These disparities not only expose systemic flaws but also point to the system’s sensitivity to subtle variations. Adversarial machine learning research has demonstrated that imperceptible perturbations can dramatically mislead facial recognition models. These adversarial examples exploit “non-robust” features, patterns perceptible to AI but invisible to humans that induce misclassification. Studies in the domain have confirmed that even small alterations in pixel patterns can force erroneous outputs in face recognition systems.
Adaptive Learning: The iPhone Face ID Example
Apple’s Face ID serves as a real-world instance of an adaptive facial recognition mechanism. The system uses a detailed infrared depth map and neural engine adaptation to adjust to users’ appearance changes over time, i.e., aging, makeup, glasses, or facial hair. Critically, Face ID “updates its registered face data” when it detects a close match that is subsequently unlocked via passcode, effectively learning from borderline inputs. This adaptability can lead to misrecognition in practice. A widely reported case involved a ten-year-old boy unlocking his mother’s iPhone X on the first attempt, thanks to their similar features. The system adapted sufficiently that the child could consistently unlock the device in subsequent attempts even though he was neither registered nor the primary user. Apple’s own user disclosure acknowledges that Face ID is statistically more prone to false positives with twins, siblings, and children under thirteen owing to underdeveloped, similar facial features.
HUMINT Application: Poisoning Recognition Systems
HUMINT operators, aware of such adaptive vulnerabilities, could deliberately exploit them when entering denied areas monitored by AI facial recognition cameras or checkpoints. How would that work?
Creating “near duplicate” appearances: Operators could train the system by repeatedly presenting faces that are not identical but nearly identical. Sending similar-looking collaborators through passport control wearing slight variations in makeup, glasses, lighting, or facial hair is a good example. Over time, the system’s adaptive threshold would widen, accepting a broader range of inputs as belonging to the same identity.
Adversarial perturbation via “morphing”: Using adversarial machine learning techniques, operatives could create morphs (digital or printed images blending two individuals) so that the system’s recognition vector drifts toward both identities. The DHS has documented such “morphing attacks” as a real threat to face recognition systems. Not a perfect solution as adversarial C.I. might simply surveil them ALL.
Feedback loop poisoning: With systems that incorporate user feedback (e.g., unlocking after near matches), HUMINT operators might deliberately trigger false acceptances or input other authentication data after near matches, feeding the system mis-labelled data and amplifying its error tolerance. That’s the way siblings or children inadvertently taught Face ID to accept them in the previous example.
Ethical, Operational, and Technical Defense
Is the approach technically plausible or ethically defensible? Technically, the literature on adversarial attacks and adaptive biases confirms that recognition systems can be deliberately misconfigured through controlled input poisoning. Operationally, such techniques must be deployed after careful risk assessment. If a HUMINT operating group consistently “trains” a system in advance, the likelihood of detection increases, perhaps dramatically. However, in dynamic environments with rotating operators and multiple lookalikes, the system can deteriorate in reliability over time without drawing attention to a single individual. Ethically, these strategies are defensible under the doctrine of necessity and deception inherent to espionage. The goal is not harm but evasion in hostile surveillance contexts.
Limitations and Countermeasures
The approach is not foolproof. Highly calibrated systems may lock after repeated unlock failures or require emergency analysis and supervisory resets. Advanced systems may isolate per identity representations, preventing cross-contamination. Systems without adaptive learning or those that guard against morphing remain immune. Nonetheless, many real-world systems are not designed for adversarial resistance, . . . yet. Authoritarian regimes with bulk “brute” surveillance networks, less than state-of-the-art platforms and/or resource constraints may nullify robust defense against poisoning.
In the escalating arms race between AI surveillance and clandestine operations, HUMINT tradecraft must evolve. By exploiting biases and adaptive flaws in facial recognition systems (ex., through near identical inputs, morphing techniques, and feedback poisoning) operators can subtly degrade recognition fidelity. The iPhone Face ID example underscores the viability of such tactics in practice, i.e., a system designed for convenience can become a liability when its adaptability is weaponized. As surveillance proliferates, understanding and manipulating AI’s algorithmic susceptibilities will be indispensable for evasion and operational success.
Facial recognition is not the only sophisticated peril to HUMINT operations. Per Thomas Claburn’s recent report in The Register, “Researchers in Italy have developed a way to create a biometric identifier for people based on the way the human body interferes with Wi-Fi signal propagation. The scientists claim this identifier, a pattern derived from Wi-Fi Channel State Information, can re-identify a person in other locations most of the time when a Wi-Fi signal can be measured. Observers could therefore track a person as they pass through signals sent by different Wi-Fi networks – even if they’re not carrying a phone.” (Claburn, 2025) Tradecraft and countermeasures will likewise have to evolve to address this threat, but I’ll leave that subject for a future piece.
~ C. Constantin Poindexter, MA in Intelligence, Graduate Certificate in Counterintelligence, JD, CISA/NCISS OSINT certification, DoD/DoS BFFOC Certification
References
Buolamwini, J., & Gebru, T. (2018). Gender Shades: Intersectional accuracy disparities in commercial gender classification. Proceedings of Machine Learning Research, 81, 1–15. https://en.wikipedia.org/wiki/Algorithmic_bias
National Institute of Standards and Technology. (2019). Face recognition vendor test (FRVT) Part 3: Demographic effects (NIST Interagency/Internal Report No. 8280). https://en.wikipedia.org/wiki/Anti-facial_recognition_movement
Goodfellow, I. J., Shlens, J., & Szegedy, C. (2015). Explaining and harnessing adversarial examples. International Conference on Learning Representations. https://www.wired.com/story/adversarial-examples-ai-may-not-hallucinate
Vakhshiteh, A., Alparslan, F., & Farokhi, F. (2020). Adversarial attacks on deep face recognition systems. arXiv. https://arxiv.org/abs/2007.11709
Apple Inc. (2024). About Face ID advanced technology. Apple Support. https://support.apple.com/en-us/102381
Greenberg, A. (2017, December 14). A 10-year-old unlocked his mom’s iPhone X using Face ID. Wired. https://www.wired.com/story/10-year-old-face-id-unlocks-mothers-iphone-x
U.S. Department of Homeland Security. (2023). Risks and mitigation strategies for morphing attacks on biometric systems. https://www.dhs.gov/sites/default/files/2023-12/23_1222_st_risks_mitigation_strategies.pdf