The Perpetual Line-up

In 2014, Victor Manuel Torres, a civil rights attorney in San Diego, began receiving complaint—about one a day over the course of a few months. Each caller had been stopped by the police for a different reason, but after that each story was the same: Sometime during questioning, the officer had pulled out a tablet and taken their photo, without asking for consent or providing an explanation. The callers were indignant and confused. Why would the police need my photo? How were they going to use it? Was this even legal?239

Police in San Diego County, California, began using face recognition to identify subjects in the field in 2012. Two years later, there were over 800 officers using the mobile systems from 28 different law enforcement agencies in the region.240 Yet it wasn’t until three years after it was deployed, in April 2015, that a face recognition use policy was put in place. Once that policy was made public, Torres noted, the complaints virtually stopped.

What’s unusual about the San Diego case is not the police’s use of face recognition without consent or notice—it’s that a use policy was eventually approved by an advisory board and then made available to the public.

Most law enforcement agencies have deployed face recognition with minimum levels of transparency and internal accountability. Four of the 52 responsive agencies—or less than 8%—have a face recognition use policy that is publicly available. For 24 jurisdictions that use or formerly used face recognition, no use policy whatsoever was provided in response to our survey. Just one jurisdiction received legislative approval for their policy, and one policy received formal review by an outside privacy or civil liberties organization. Compounding this lack of oversight, almost none of the jurisdictions we surveyed—including the FBI—have a functional internal audit regime to prevent misuse or document when it occurs.

• 239. Interview with Victor Manuel Torres, San Diego Criminal Attorney (Mar. 8, 2016) (notes on file with authors).
• 240. SANDAG, SANDAG Public Safety Committee Agenda (Dec. 12, 2014), Document p. 008309.

Police departments generally tell the public very little about their use of face recognition. When the existence of these systems comes to light, it is often due to the work of investigative journalists and privacy organizations.

Ohio’s face recognition system remained almost entirely unknown to the public for five years—until an investigation conducted by the Cincinnati Enquirer uncovered that the Ohio’s Bureau of Criminal Investigation had enrolled all Ohio state driver’s license photos in the system two months prior, with no notice provided to current or future license holders.241 The Sheriff’s Department in Hennepin County, Minnesota, acquired face recognition in 2013. Yet it only released information about its system in 2016 after a court ordered it to disclose that information to an investigative journalist.242

Some of the largest law enforcement agencies—and those who may have the most advanced face recognition systems—are the least transparent. The New York Police Department’s use of face recognition has been described in numerous news articles; NYPD spokespersons admit that it exists.243 Yet the NYPD denied our records request entirely, arguing that the responsive records fall under the “non-routine techniques and procedures” exemption in New York’s Freedom of Information Law.244 The Chicago Police Department provided responsive records to a small fraction of our request. These documents suggested that the department had purchased a large-scale system in 2009, but provided no information about how such a system is used or what policies are in place governing such use, except that such policies were to be developed in the future.245

The Los Angeles Police Department is the only American police department to openly claim to use real-time, continuous face recognition. Curiously, the LAPD found “no records responsive to [our] request”246 for information about this or any other face recognition system, despite ten years of LAPD news releases and annual reports that document at least three separate police face recognition initiatives.247

Unfortunately, communities aren’t the only ones in the dark. In criminal litigation, prosecutors are required to disclose to defense counsel any evidence that may exculpate the accused; those disclosures are referred to as “Brady disclosures” or “Brady evidence,” after the Supreme Court case that mandated those productions.248 The Pinellas County Sheriff’s Office system has been operational for almost 15 years. The Pinellas County Public Defender, Bob Dillinger, reports that in that time, his office has never received any face recognition information as part of a Brady disclosure.249 In an interview, he suggested that if the PCSO face recognition system ever identifies someone other than a criminal defendant as a potential suspect in that defendant’s case, public defenders have a right to know.250

• 241. Chrissie Thompson, Ohio residents not told how license photos used, Cincinnati Enquirer (Aug. 26, 2013); Chrissie Thompson, A year later, how secure is Ohio’s facial ID system? Cincinnati Enquirer (Aug. 15, 2014), http://www.cincinnati.com/story/news/politics/2014/08/14/ohio-facial-recognition/14090601/.
• 242. Tony Webster, Hennepin County Sheriff circumvents state to expand facial recognition database, Tonywebster.com (Jun. 3, 2016), https://tonywebster.com/2016/06/hennepin-sheriff-facial-recognition/.
• 243. See, e.g., Pei-Sze-Cheng, I-Team: Use of Facial Recognition Technology Expands as Some Question Whether Rules are Keeping Up, NBC New York (Jun. 23, 2015), http://www.nbcnewyork.com/news/local/Facial-Recognition-NYPD-Technology-Video-Camera-Police-Arrest-Surveillance-309359581.html; Peter B. Counter, Government Use of Facial Recognition Deepens in New York, FindBiometrics (Jun. 24, 2015), http://findbiometrics.com/government-use-of-facial-recognition-new-york-26244/; New York Post, NYPD uses high-tech facial-recognition software to nab barbershop shooting suspect (Mar. 16, 2012), http://nypost.com/2012/03/16/nypd-uses-high-tech-facial-recognition-software-to-nab-barbershop-shooting-suspect/.
• 244. New York City Police Department, Letter from Records Access Officer Lieutenant Richard Mantellino to Clare Garvie (Mar. 30, 2016), Document p. 016726 (letter denying New York State Freedom of Information Law Request # 2016-PL-337, denial appealed and determination pending as of September 2016).
• 245. Chicago Police Department, Letter from Chicago Police Department Freedom of Information Officer K. Tierny to Djana Martin (Sept. 29, 2015), Document p. 008726, 008729, and 008686.
• 246. Los Angeles Police Department, Letter from Senior Management Analyst Martin Bland to Clare Garvie (Feb. 25, 2016), Document p. 000102; Phone messages and conversations between Mary Taylor, Management Analyst, Discovery Section and Clare Garvie (Feb. 17, Mar. 22, and April 34, 2016) (notes on file with authors).
• 247. West Valley Community Police Station, Surveillance Cameras in West San Fernando Valley, West Valley Police (Jan. 1, 2013), http://www.westvalleypolice.org/index_news_20130120.html; Office of the Chief of Police, Los Angeles Police Department, LIII The Beat 10 (Oct. 2007), http://assets.lapdonline.org/assets/pdf/october_07_beat_9%20-%20OK.pdf (detailing deployment of prototype Smart Car with face recognition software); Los Angeles Police Department, LAPD Uses New Technologies to Fight Crime (Feb. 1, 2005), http://www.lapdonline.org/february_2005/news_view/19849 (describing face recognition as “major technological innovation” of Rampart Division of LAPD, contributing to 19 arrests).
• 248. See generally Brady v. Maryland, 373 U.S. 83 (1963).
• 249. Email from Bob Dillinger, Pinellas County Public Defender, to Clare Garvie (Aug. 8, 2016) (on file with authors).
• 250. Interview with Public Defender Bob Dillinger (July 27, 2016) (notes on file with authors).

While a limited number of agencies inform the public about the existence of face recognition, even fewer disclose how officers use it. Only four of the agencies we surveyed—the San Diego Association of Governments (SANDAG), the Honolulu Police Department, the Michigan State Police, and the Seattle Police Department—make their face recognition use policies available to the public.251 We are also aware of just one agency that regularly reports to the public how frequently face recognition is used.252

The FBI, for its part, has consistently failed to comply with the transparency requirements of the E-Government Act and the Privacy Act, which mandate that the FBI publish a System of Records Notice or a Privacy Impact Assessment when the agency starts to maintain—or significantly modifies—a database like the Next Generation Identification system.253 In 2011, the FBI gave select state police departments the ability to run face recognition on photos in the FBI’s database—yet the FBI didn’t publish a Privacy Impact Assessment about the program until 2015. Even though the FBI’s face recognition database itself was launched in 2008, the FBI didn’t publish a System of Records Notice about it until this year.254

These are not obscure bureaucratic filings. They are the means through which the American public can learn about new government tracking technology—and hold the government accountable for going too far. Instead of working to address these shortcomings, the FBI is now proposing to exempt its Next Generation Identification system, which includes its face recognition database, from provisions of the Privacy Act that guarantee members of the public access to records that identify them, information about the sharing of these records, and judicial review.255

• 251. ARJIS Facial Recognition Acceptable Use Policy, http://www.arjis.org/SitePages/Policies.aspx (last visited Sept. 22, 2016); Honolulu Police Department, Policy: Facial Recognition Program, http://honolulupd.org/information/index.php?page=viewPolicies (last visited Sept. 22, 2016); Michigan State Police, SNAP Acceptable Use Policy, http://www.michigan.gov/msp/0,4643,7-123-72297_64747_64749-357133--,00.html (last visited Sept. 23, 2016); Seattle Police Department, Manual: Booking Photo Comparison Software, http://www.seattle.gov/police-manual/title-12---department-information-systems/12045---booking-photo-comparison-software (last visited Sept. 23, 2016).
• 252. Upon request and on an annual basis, SANDAG holds open Public Safety Committee meetings during which member agencies provide information about the use of face recognition pursuant to the requirements provided in SANDAG’s Face Recognition Acceptable Use Policy. See SANDAG, ARJIS Acceptable Use Policy for Facial Recognition (Feb. 13, 2015), Document p. 008453.
• 253. See S. Gov’t Accountability Office, GAO-16-267, Face Recognition Technology: FBI Should Better Ensure Privacy and Accuracy 21–22 (May 2016), See S. Gov’t Accountability Office, GAO/AIMD-00-21.3.1, Standards for Internal Control in the Federal Government 13 (Nov. 1999); 44 U.S.C. § 101; M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (Sept. 26, 2003); 5 U.S.C. § 552a(e)(4) (requiring agencies to publish any “establishment or revision of” a system of records in the Federal Register).
• 254. See Center on Privacy & Technology et. al., Comment on NPRM 81 Fed. Reg. 27288 (July 6, 2016), https://www.regulations.gov/document?D=DOJ-OPCL-2016-0008-0114.
• 255. See 5 U.S.C. § 552a; Implementation, 81 Fed. Reg. 27288, 27829 (proposed May 5, 2016) (to be codified at 28 C.F.R. pt. 16); see also Center on Privacy & Technology et. al., Comment on NPRM 81 Fed. Reg. 27288 (July 6, 2016), https://www.regulations.gov/document?D=DOJ-OPCL-2016-0008-0114 (explaining impact of proposed exemption of FBI’s NGI System from key Privacy Act accountability provisions).

Very few agencies require or obtain legislative approval of a police face recognition use policy, or mandate review of that policy by privacy and civil liberties organizations. 

Of the 52 responsive agencies, only SANDAG appears to have a system in place where elected officials review and approve the agency’s face recognition use policy.256 The Acceptable Use Policy for face recognition requires annual review by SANDAG’s Board of Directors, which is mostly comprised of local elected officials. SANDAG’s Board of Directors meetings are also open to the public.257

• 256. SANDAG, Automated Regional Justice Information System (ARJIS) Acceptable Use Policy for Facial Recognition, (Feb. 13, 2015), Document p. 008453 (“The Acceptable Use Policy for Facial Recognition will be brought to the SANDAG Public Safety Committee and the SANDAG Board of Directors at least once per year for review and determination regarding the need for amendments.”); The SANDAG Board of Directors “is composed of mayors, councilmembers, and a county supervisor from each of the region's 19 local governments.” SANDAG, Board of Directors, http://www.sandag.org/index.asp?committeeid=31&fuseaction=committees.detail (last visited Sept. 22, 2016).
• 257. SANDAG, Board of Directors Agenda, (Feb. 13, 2015) Document p. 005696 (“Members of the public may speak to the Board of Directors on any item at the time the Board is considering the item.”)

The Seattle regional system appears to be the only one with a policy formally reviewed by an outside organization. The Seattle City Council approved funds for the program on condition that the ACLU of Washington was consulted on and approved the final policy.258 The Michigan State Police also initiated informal review of their face recognition use policy by a state legislator and a contact at the ACLU.259 No other jurisdiction we surveyed had any formal or informal external mechanism in place for review or approval of their system’s use policy, either by the legislature or privacy and civil liberties organizations.

• 258. South Sound 911, Interview with Staff Attorney Peter Beckwith and Facial Recognition Technology Program Manager Matt Johnson, (Feb. 9, 2016), Document p. 011899; Interview with Doug Klunder, ACLU Privacy Counsel (May 6, 2016) (notes on file with authors), Document p. 012666. The ACLU provided extensive review and feedback over the course of a year prior to the adoption of the policy. Note however that it is not clear whether this was a written requirement; if the system were to be changed or enhanced in the future, it would not necessarily receive the same scrutiny.
• 259. Michigan State Police, Interview with Peter Langenfeld, Program Manager, Digital Analysis and Identification Section, (March 23, 2016), Document p. 010928. We reached out to the ACLU of Michigan for more information on this process and they could not corroborate this consultation.

Few police departments seem to have implemented robust internal accountability measures. Many agencies, including the Maricopa County Sheriff’s Office, the Carlsbad Police Department, the Maryland Department of Public Safety, and the Albuquerque Police Department expressly stated that they had not audited face recognition use.260 Only nine of the 52 responsive agencies (17%), plus the FBI face recognition unit (FACE Services), expressly indicated that they audit their employees’ use of the face recognition system for improper use.261

Of these 10 regimes, however, some are non-operational. The Pinellas County Sheriff’s Office, for example, does not audit system use—despite policies that suggest otherwise. The Standard Operating Procedure for mobile biometrics states that “[a]ll [mobile] biometric and search activity are logged and subject to audit.”262 The Palm Beach County Sheriff’s Office, an agency that uses the Pinellas County system, also said that audits are “done by Pinellas.”263 Nonetheless, Sheriff Gualtieri acknowledged in an interview that internal audits are not conducted. “We don’t police our users,” he said.264The Pinellas County face recognition system—which appears to be the most frequently used face recognition system in the country—may therefore lack any internal oversight or accountability mechanism to protect against, or even to detect, misuse. 

Only one responsive agency—the Michigan State Police—actually provided evidence of routine audits in response to our request for such records.265

• 260. Maricopa County Sheriff’s Office, Letter to requestor, Document p. 014949; Carlsbad Police Department, Letter to requestor, Document p. 000149 (note that SANDAG states that it conducts audits, but also places the responsibility on agencies accessing face recognition to conduct their own audits as well. SANDAG, Automated Regional Justice Information System (ARJIS) Acceptable Use Policy for Facial Recognition, (Feb. 13, 2015) Document p. 008452 (“Identifying and addressing intentional misconduct is the responsibility of the individual agency.”); Maryland DPSCS, Response to requestor, Document p. 008906; Albuquerque Police Department, Letter to requestor, Document p. 009204 (“Does not exist” in response to the request for audits of the FRT system).
• 261. These agencies include: FBI FACE Services, PIA for FACE Services Unit (May 1, 2015), https://www.fbi.gov/services/records-management/foipa/privacy-impact-assessments/facial-analysis-comparison-and-evaluation-face-services-unit; Pinellas County Sheriff’s Office, Mobile Biometric Usage, Document p. 014375; Iowa Department of Public Safety, Letter from Public Information Officer Alex Murphy to Clare Garvie, (Jan. 29, 2016), Document p. 008658; Michigan State Police, SNAP Acceptable Use Policy, Document p. 011439; Pennsylvania JNET, End User Agreement, Document p. 010945; SANDAG, ARJIS Facial Recognition Acceptable Use Policy, Document p. 008452; Seattle Police Department, BPCS Manual, Document p. 009909; West Virginia Intelligence Fusion Center, General WVI/FC Privacy Policy, Document p. 009939.
• 262. See PCSO, General Order 12-14: Sheriff’s Office Biometric Identification Program, Document p. 013982; PCSO, Standard Operating Procedure POB 52: Mobile Biometric Usage, Document p. 014375.
• 263. Palm Beach Sheriff’s Office, Interview with Fusion Center Director Scott Nugent (Jan. 15, 2016), Document p. 008649.
• 264. Pinellas County Sheriff's Office, Interview with PCSO Sheriff Bob Gualtieri and Technical Support Specialist Jake Ruberto (July 26, 2016) (notes on file with authors).
• 265. Michigan State Police, Various audit records, Document pp. 011107–011145.