Today the City Council of Portland, Oregon, voted unanimously to ban the use of facial recognition technology by City agencies or by private entities in places of public accommodation within the City limits, including at the Portland International Airport (PDX), effective immediately.

Many local and national organizations and individuals testified eloquently in favor of these proposals. We don’t need to repeat all of their general arguments.

But a point of particular concern and particular pleasure for us is that the Port of Portland asked the City Council for an exemption from the ban to allow use of facial recognition “for air carrier passenger processing” — and was turned down.

No member of the City Council mentioned the Port’s request for a carve-out for facial recogntion of air travelers during the City Council discussion, and the proposals were adopted without amendment except for making the ban on private use of facial recognition in places of public accommodation effective immediately, as had already been proposed for the ban on use by city agencies. (The amendment to make the private entity ban effective immediately was made verbally during the City Council meeting, so it isn’t reflected in the advance text of the proposal.)

This is an important precedent , as Portland is only the second jurisdiction in the US to consider local rules related to facial recognition at its airport.

Earlier this year, after behind-the-scenes threats by the US Department of Homeland Security (DHS) to make life difficult for the Port of Seattle if it didn’t collaborate with DHS facial recognition schemes at Sea-Tac International Airport (SEA) and allow airlines and contractors also to do so, the Port of Seattle Commission reneged on the aspirational policy principles it adopted in 2019  and decided to buy and operate common-use facial recognition cameras integrated with DHS and airline databases and operations.

(See our written testimony to the Seattle Port Commission on use of facial recognition at SEA: 1, 2, 3., and articles in our blog here and here.)

The decision by the Port of Seattle was made just before the COVID-19 pandemic drastically reduced traffic at SEA and other airports and delayed the need for the new gates at SEA where the DHS-linked cameras were to be installed. A broad coalition of local and national community and civil liberties organizations has called on the Seattle Port Commission to use the opportunity provided by this delay to reconsider its decision on facial recognition.

Portland did significantly better than Seattle in working to distance itself from and isolate the DHS — not surprisingly in light of the object lesson the DHS has provided in Portland recently with respect to DHS trustworthiness (not), self-restraint (not), commitment to the rule of law (not), and respect for civil and human rights (not). Portlanders don’t trust the DHS to behave any better at PDX Airport than it’s been behaving on the streets of Portland.

PDX airport is located within the City of Portland but operated by the Port of Portland, a special-purpose agency of the state of Oregon governed by a board appointed by the Governor of Oregon. The City of Portland can’t prevent use of facial recognition by the DHS or the Port of Portland, but can regulate or prohibit its use by private entities, including airlines, within the city limits, including at the airport.

The Port of Portland has the authority to enter into contracts, borrow and spend money, manage its employees, and enact rules for activities at PDX Airport. But in addition to the requirements of due process and other Constitutional rights, and the obligations on the airport as a publicly owned and operated place of public accommodations and common-carrier facility, the legislative authority of the Port is limited to the issuance of rules consistent with city ordinances. That appears to mean that the Port may not prohibit that which the city has duly prohibited. (If readers have more expertise on this jurisdictional issue, feel free to leave a comment or drop us a line.)

The Federal government could preempt the Portland ordinances if it enacted valid laws or promulgated valid regulations mandating use of facial recognition by Federally-regulated airlines and/or airports. But no law mandates use of facial recognition for US citizens, even when traveling internatoinally, or for passengers on domestic flights

The DHS has refrained from promulgating any such regulations, preferring to operate outside the law than to establish any legal framework for its use of facial recognition or subject it claim of authority to notice-and-comment rulemaking or judicial review. A petition for rulemaking on use of biometrics for traveler identification submitted to the DHS by the Portland-based World Privacy Forum has been ignored by the DHS for almost two years.

While the DHS has engaged in heavy-handed behind-the-scenes lobbying and threats to “persuade” airlines and airport operating agencies to become its “partners” in biometric surveillance and control of air travelers, as it did in Seattle, the DHS has continued to maintain — correctly — that this “cooperation” is entirely voluntary. In declining to participate, and by exercising its jurisdiction to prohibit airlines or other contractors form doing so within the city limits, the City of Portland is doing only what the DHS has consistently said that local jurisdictions have the authority to do, if they so choose.

The July 14, 2020, letter from the Port of Portland to the Portland City Council requesting exemption from the facial recognition ban made numerous false factual claims and specious arguments. Since these bogus arguments are likely to be raised again in other cites despite having failed to persuade any of the members of the Portland City Council, it’s worth noting and debunking them:

1. The letter from the Port of Portland claims that “there is a distinct difference between the general public use of ‘facial recognition technology’ and the limited ‘facial authentication’ processes being implemented at airports.” But while there is a difference, that difference is that use of facial images captured at airports is not, and cannot be, limited in the ways that some other local uses of facial imaging might be. Unlike comparison of facial images with a local database, all uses of facial imaging for “airline passenger processing” — the uses the Port of Portland wanted to have exempted from the city ban — involve use of a DHS “identification as a service” system in which the first thing that happens after a photo is taken by the airline, airport, or contractor is that the image is sent to the DHS. Once the images are sent to DHS, neither the airline, airport, or city has any way to put limits are how long they are retained, how they are used, or with whom they are shared. Under current protocols, any use of facial recognition for airline passenger processing — unlike purely private systems or systems in which data is kept internally by local government entities — entails unlimited access by DHS to all of the images collected, and subsequent uncontrolled retention, use, and sharing by DHS of those images. DHS “galleries” of images are used for purposes including immigration enforcement. Collaboration in such a system by any Portland city law enforcement agency would already violate the “sanctuary” provision of Oregon state law which prohibits collaboration by any state or local law enforcement agency with Federal immigration enforcement.
2. The Port of Portland suggests that that mug shots taken at the airport will be used “for the sole purpose of confirming identity and allowing the passenger to proceed.” This claim is entirely unsupported by law or regulation, and is contrary to official DHS notices. In fact, the System Of Records Notices (SORNs) required by the Privacy Act and published by DHS in the Federal Register for the TECS, Automated Targeting System, and Secure Flight [sic} databases in which these facial images are stored describe a far wider range of routine uses and sharing of this data. The DHS has exempted each of these databases from the provisions of the Privacy Act which would otherwise entitle travelers to access to records about themselves and an accounting for disclosures to third parties. So there is no way to know how much more widely these records are disseminated.  And contrary to the Port’s claim that these are used “for the purpose of… allowing the passenger to proceed”, passengers with valid tickets for travel by common carrier don’t need to be “allowed” to proceed. They have a right to proceed in the absence of lawful cause to detain them or otherwise restrict the exercise of their rights. The purpose of DHS facial recognition is to make extra-judicial warrantless decisions of which passengers not to allow to proceed. These decisions to prevent individuals form exercising their right to travel are made on the basis of secret blacklists (like the Rabble Rouser Index maintained by the FBI during J. Edgar Hoovers’ tenure); secret dossiers from the DHS, other agencies, and commercial sources; and secret pre-crime profiling algorithms.
3. The Port of Portland says that “Most travelers can opt out if they so choose (federal law requires it be used for foreign nationals), a right they are explicitly informed of.” None of this is true. Neither any Federal law nor any DHS regulations acknowledge a a “right” to opt out of facial recognition.  We regularly receive reports from travelers who have been told that it is mandatory, and prevented from proceeding through (or, in the case of arriving international passengers, leaving) the airport without submitting to mug shots. As for “notice”, the DHS hasn’t submitted its notices about facial recognition for approval by the Office of Management and Budget as required by the Paperwork Reduction Act (PRA), and the signs placed in airports by the DHS lack the notices  (including the notice of the right not to comply with unapproved requests for information) required by the PRA.
4. According to the Port of Portland, “federal law guides the use of facial authentication technology for the screening of international travelers.” Federal law could provide such guidance, but in fact it doesn’t. Nor do any DHS regulations. The Privacy Act would place some constraints on DHS use of facial images, but the DHS has exempted itself, to the maximum extent possible, from those restrictions.
5. The Port wants us to believe that “neither an airline or airport operator keeps any data connected with the passenger screening process; in fact, Customs and Border Protection requires that the local data be purged.” This is based on DHS press releases, not binding laws regulations. No Federal law or regulation requires that this data be purged. If the DHS “requires” any such action, it is a requirement of DHS contracts with airports and/or airlines that have not themselves been made public. Such contracts could be enforced only by the DHS, not by any oversight body or independent watchdog — or the DHS could, with impunity, chose to wink at noncompliance with its contracts. In any case, it’s the DHS that is the more dangerous party. Should, we be more concenred about retention and use of photos by local government agencies, airports, airlines — or the DHS? Even if true, we are not reassured by claims that “only” the DHS retains the mug shots of air travelers.
6. The Port of Portland suggested that the exemption it sought would “accommodate[ ] essential functions”.  But the ordinance “does not apply to use of Face Recognition Technology… To the extent necessary for a Private Entity to comply with federal, state or local laws.” No other exemption would be needed for use of facial recognition by airlines if it were actually “essential”. The Port sought an exemption to allow unlimited use of facial recognition for airline passenger processing  precisely because such use is neither essential or required by Federal law.

Facial recognition for travelers is already in use at PDX at Automated Passport Control (APC) kiosks, at the Global Entry enrollment center, and at Global Entry kiosks. Both Delta Air Lines and Alaska Airlines, the two largest airlines at PDX, have indicated their desire to use facial recognition at departure gates, as Delta already does at some other airports.

It’s unclear which of the current uses of facial recognition at PDX are covered by the new ban. That probably depends on whether the APC and Global Entry kiosks are owned and operated by, or depend on services provided by,  CBP,  the airport, and/or a contractor.

We’ll be watching, along with Portlanders and visitors, to see how the new ban is enforced. In the meantime, we hope other cities and states will follow the excellent example set by the City of Portland, and make their jurisdictions sanctuaries from local government or commercial collaboration in DHS use of facial recognition for mass surveillance.