State agencies that issue drivers’ licenses are conducting warrantless searches of their databases of license photos, using automated face recognition software, at the request of law enforcement agencies including the Immigration and Customs Enforcement (ICE) division of the Department of Homeland Security.
The use of automated facial recognition to search databases of drivers’ license mug shots was revealed in responses to requests made under the Freedom of Information Act and state public records laws by the Georgetown University Center on Privacy & Technology. It was reported in recent days in the Washington Post, New York Times, and in two stories on NPR, and was discussed in a Congressional hearing today on the use of automated facial recognition by Federal agencies. (Earlier Congressional hearings on automated facial recognition were held on May 22nd and June 4th.)
Questions are being asked by members of Congress, state officials, and civil libertarians: What is the legal basis, if any, for these dragnet searches of drivers’ license photo databases? How have they evaded judicial oversight? Warrants or court orders were neither requested by DHS or other law enforcement agencies, nor demanded by the state agencies that carried out the searches in response to extrajudicial administrative requests.
A letter sent this week by a coalition of civil liberties organizations calls on Congress to suspend the use of facial recognition technology by the DHS. While that is appropriate, it doesn’t address how, from what sources, or on what legal basis databases of ID-linked mug shots of innocent individuals are being created and obtained by the DHS.
Additional questions ought to be asked about the implications of the latest revelations for the REAL-ID Act and the use of facial recognition by airlines, airport operators, and DHS officers and agents at airports and borders:
REAL-ID: The searches uncovered by the Georgetown researchers were carried out by individual states. There isn’t yet a national database of drivers’ license photos. But the Federal REAL-ID Act of 2005 creates a pathway to the creation of such a national ID photo database. States that don’t want their residents’ photos to be part of such a database should refuse to comply with the REAL-ID Act or upload data to the REAL-ID database.
Compliance with the REAL-ID Act by states and territories is optional, but states and territories that choose to comply with the REAL-ID Act must, “Provide electronic access to all other States to information contained in the motor vehicle database of the State,” including, “at a minimum, all data fields printed on drivers’ licenses and identification cards issued by the State.”
The data fields in the outsourced and privately-held SPEXS database set up by a contractor for AAMVA to enable states to satisfy this statutory criterion of REAL-ID Act compliance don’t yet include digital photos. And the DHS, ignoring the plain language of the law, has certified 49 of the 56 states and territories subject to the REAL-ID Act as “compliant”, even though only 25 states and none of the territories have uploaded their residents’ data to SPEXS, and the other states and territories are unambiguously noncompliant.
So does this mean that SPEXS won’t become a national ID photo database? Not at all.
Once all or almost all states have agreed, at least in principle, to “comply”, the DHS can and probably will ratchet up its threats and extortion of state compliance. Rather than being satisfied with a nominal agreement to submit to Federal demands, the DHS can start demanding that all states and territories opt in to SPEXS, under threat that the DHS will harass their residents when they travel if the state doesn’t join the national database.
And once states join SPEXS, their continued certification by the DHS as REAL-ID compliant will depend on continued participation in SPEXS. They won’t be able to withdraw without triggering decertification by DHS of their compliance, and DHS harassment of their residents. So they are at the mercy of whatever fields AAMVA — a nominally “private” entity not subject to the transparency, data privacy, or other rules applicable to government agencies — decides to require be added to SPEXS records.
It’s only a matter of time before AAMVA decides to require states and territories to add digital photos to all SPEXS drivers’ license and state ID records.
States that don’t want to go down that road should decide now not to comply with the REAL-ID Act or participate in SPEXS, and start preparing to defend the rights of any of their residents who are treated as second-class travelers because the state where they live has chosen not to comply with these supposedly-optional Federal or AAMVA requests.
Airlines, airports, CBP, and TSA: Currently, the only photographs the US government can definitively link with the identities of most US residents who don’t have passports are those taken for drivers’ licenses or state ID cards. And while the latest revelations show a failure of state oversight over Federal and law enforcement access to these photos, these photos are at least theoretically under state control.
What Federal and other law enforcement agencies would prefer is a national database of ID-linked mug shots in private hands, so that it can be accessed without a warrant or even the knowledge of any other government agency (as long as the operator of the database consents).
The SPEXS database, held by AAMVA and AAMVA’s contractors, is one possibility for such a “private” national database of ID-linked mug shots.
But there’s another option: photos of air travelers who show ID and submit to mug shots at airline check-in or boarding. Some rules may apply to public airport operators, but no current law in the US restricts the ability of airlines or private airport operators to retain these photos for their own business purposes or “share” them with government or private entities for any purpose.
Travelers who don’t want to help build an uncontrolled privately-held national and international database of ID-linked airline and airport mug shots usable for both corporate and government surveillance and tracking of our movements and associations should opt out of biometric check-in, boarding, or other “passenger processing”.