As Government Agencies Expand the Use of Biometric Technologies, Privacy and Civil Liberties Activists Raise Alarm, and Legislators Start Paying Attention

By Michael A. Shapiro, Attorney at XPAN Law Group, LLC

Last month, we wrote about legal developments and the changing regulatory landscape affecting the use of biometric data in the private sector. The government at the federal and local levels also collects and processes a vast amount of biometric information on U.S. citizens and foreign nationals. Although oversight of some of these programs remains scant, legislators have begun raising questions and seeking to assert more control over law enforcement agencies’ collection and use of biometrics.

Just in May and June of this year, Congress conducted a series of hearings on the legality and integrity of the government’s most controversial use of biometrics – facial recognition programs. Facial recognition technologies can help law enforcement stop terrorists at the border, identify criminals, prevent identity theft, and even locate missing persons. On the other hand, academics and privacy advocates have raised serious questions about the accuracy of these technologies, as well as their impact on individual privacy and civil liberties. Indeed, San Francisco and Somerville, Massachusetts, recently decided to ban the use of facial recognition software by law enforcement over these concerns.

In a rare show of bipartisan support, federal lawmakers expressed concern over law enforcement agencies’ widespread use of flawed facial recognition methods and the lack of oversight over these programs. Currently, federal agencies are not required to obtain a warrant prior to using facial data to identify potential criminal suspects, even though the existing technologies have flaws that could lead investigators to misidentify suspects, particularly in minority communities.

The FBI faced particular criticism over its failure to act on a number of earlier recommendations by the Government Accountability Office (GAO) aimed at better ensuring the accuracy of its face recognition capabilities and improving transparency and oversight to better safeguard privacy. These include timely updating of “system of record notices,” required by the Privacy Act of 1974, 5 U.S.C. § 552a, which inform the public about the existence of the systems and the type of data collected. According to the GAO’s most recent report, the FBI has access to around 640 million photos in searchable repositories maintained by federal and state agencies and has conducted over 390,000 searches since 2011 in an attempt to find photo matches of known individuals in these databases.

U.S. Customs and Border Protection (CBP) has also been under fire in Congress over its handling of the Biometric Exit program. Under this program, just before entry into or exit from the United States, each international traveler’s photo is taken and compared with existing images from passports, visas and other travel documents. In a recent letter to the Department of Homeland Security, a number of U.S. Representatives questioned the CBP’s use of this technology on U.S. citizens when the statutory authority limits the program to foreign nationals. Even though U.S. citizens can technically opt out of the program, the Congressmen questioned the adequacy of the notice and information currently provided about the program to the public.

As agencies collect more biometric data, the impact of a possible breach increases. The CBP recently reported that hackers breached a network of one of its contractors and stole an unspecified number of license plate images and travelers’ ID photos collected by the agency. According to some cybersecurity experts, however, the full scope of the breach might be broader and include facial data.

The breach of the CBP’s data also highlights the challenges of the agencies’ cybersecurity vendor management and the need for a robust oversight and audit process. This issue is of particular importance as the government increasingly relies on private partners in collecting and processing biometric information. For example, the Department of Homeland Security recently revealed that it will move its entire biometric screening system, including data collected by the TSA, FEMA, and ICE, from government servers to Amazon Web Services.

With the rapid development of biometric technology, law enforcement agencies’ collection and use of biometrics has increased significantly in recent years, while regulation and oversight have lagged behind. The potential for government abuse of these technologies has been on display in other countries. The Chinese authorities are using facial recognition technology integrated into a vast network of surveillance cameras to track and control a largely Muslim minority population, while the Russian authorities have experimented with using facial recognition software during anti-government protests. Although there are legitimate concerns over privacy and civil liberties, an outright ban on government use of facial recognition capabilities in the United States is hardly the best solution in the long run. The challenge facing legislators is to acknowledge the benefits of these technologies and establish a strong regulatory and oversight framework that would minimize the possibility of misuse and loss of biometric data, a tricky balance for anyone to strike.

* * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.