The DHS is proposing to expand its biometric identification and surveillance programs, and its collaboration with commercial entities in biometric-based surveillance, with the creation of a new database of “External Biometric Records” (EBR). EBR would include (1) biometric identifiers (such as facial photos, iris scans, fingerprints, DNA profiles, etc.) and (2) logs of the location, date, and time where each image or biometric sample is created. EBR records would be aggregated from commercial sources, and available for use by all DHS components and sharing with other Federal, state, local, and foreign entities.
The DHS is also proposing to exempt EBR from most of the requirements of the Privacy Act, including the right of individuals to find out what information about them is in the database and to what other government agencies or third parties it has been disclosed.
Today we filed comments, together with four other national civil liberties and human rights organizations — Government Information Watch, the Cyber Privacy Project (CPP), Restore the Fourth, Inc., and the National Immigration Law Center (NILC) — objecting to the DHS proposals as unconstitutional and contrary to Federal law.
We’ve been working for years to expose and oppose DHS plans for “biometric” imaging and surveillance. In practice, this has mostly referred to databases of mug shots (facial images) and use of automated facial recognition software to track where and when these faces are spotted or recognized (or misrecognized) by automated surveillance cameras including cameras at mandatory travel checkpoints including at borders and airports.
EBR would be a major expansion of biometric-based surveillance from airports and borders to roads and other locations throughout the country monitored by cameras, and from data collected by government agencies to data from privately operated cameras.
According to the summary of our objections in the comments we and allied organizations filed today with the DHS:
As described in the System Of Records Notice (SORN), this system of records would include records of how individuals exercise rights guaranteed by the First Amendment to the U.S. Constitution, without explicit statutory authorization for their collection, in violation of the Privacy Act. This system of records would include records which could be, but would not be, collected directly from the individuals to whom they pertain, in violation of the Privacy Act. This system of records would include categories of records not listed in the “Categories of Records in the System” section of the SORN, in violation of the Privacy Act.
The SORN contains materially false claims concerning the status of the rulemaking for Privacy Act exemptions which are directly contradicted by the Notice of Proposed Rulemaking (NPRM) for those exemptions published the same day as the SORN in the Federal Register. Because the SORN falsely claims that the Secretary of Homeland Security has exempted this system of records from certain of the requirements of the Privacy Act, when the Secretary has not done so, the SORN is invalid on its face: It fails to provide the public with accurate notice of whether individuals can obtain access to records pertaining to themselves, as required by the Privacy Act. Unless and until a new, valid SORN satisfying the notice requirements of the Privacy Act is duly promulgated and published in the Federal Register, willful maintenance of this system of records would be a criminal offense on the part of the responsible DHS officials.
The false statements in the SORN concerning the status of the rulemaking for Privacy Act exemptions provide prima facie evidence of DHS bad faith in conducting this rulemaking. The statement in the SORN that the Secretary has already exempted this system of records from certain provisions of the Privacy Act suggests that the outcome of the exemption rulemaking has already been determined, and that the solicitation and “consideration” of public comments is a sham. Such a decision-making procedure violates the Administrative Procedure Act.
The SORN and the NPRM for Privacy Act exemptions should be withdrawn, and any information already collected in categories prohibited by the Privacy Act or beyond the scope of prior System of Records Notices should be expunged.