National Academies Press: OpenBook

Legal Implications of Data Collection at Airports (2021)

Chapter: IX. DEVELOPING STATE AND LOCAL LAWS,AND FEDERAL AGENCY ACTIONS AND LEGISLATIVE PROPOSALS ON BIOMETRICS USAGE

« Previous: VIII. STATE STATUTORY PRIVACY PROTECTIONS AND TRENDS
Page 49
Suggested Citation:"IX. DEVELOPING STATE AND LOCAL LAWS,AND FEDERAL AGENCY ACTIONS AND LEGISLATIVE PROPOSALS ON BIOMETRICS USAGE." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 49
Page 50
Suggested Citation:"IX. DEVELOPING STATE AND LOCAL LAWS,AND FEDERAL AGENCY ACTIONS AND LEGISLATIVE PROPOSALS ON BIOMETRICS USAGE." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 50
Page 51
Suggested Citation:"IX. DEVELOPING STATE AND LOCAL LAWS,AND FEDERAL AGENCY ACTIONS AND LEGISLATIVE PROPOSALS ON BIOMETRICS USAGE." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 51
Page 52
Suggested Citation:"IX. DEVELOPING STATE AND LOCAL LAWS,AND FEDERAL AGENCY ACTIONS AND LEGISLATIVE PROPOSALS ON BIOMETRICS USAGE." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 52
Page 53
Suggested Citation:"IX. DEVELOPING STATE AND LOCAL LAWS,AND FEDERAL AGENCY ACTIONS AND LEGISLATIVE PROPOSALS ON BIOMETRICS USAGE." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 53

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

ACRP LRD 42 49 1. Illinois Illinois has one of the most comprehensive regulatory schemes in the country regarding biometrics. The Illinois Bio- metric Information Privacy Act (Illinois BIPA)464 is seen as offering some of the most robust protections of biometric data in the United States One of the key express legislative findings is the recognition that [b]iometrics are unlike other unique identifiers that are used to ac- cess finances or other sensitive information. For example, social security numbers, when compromised can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at a heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.465 The Illinois BIPA is notable in that it contains a statutory def- inition of a “Biometric Identifier” as being “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”466 Likewise, it contains expressly defined exclusions for “writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demo- graphic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.”467 Significantly, given the COVID-19 pandemic and the increased use of air passenger temperature screenings, the Illinois BIPA does not state that a biometric identifier includes an individual’s temperature.468 The four main Illinois BIPA compliance requirements in- clude retention, collection, disclosure, and destruction.469 The collection component has the following three requirements: (1) the entity must inform the subject or the subject’s legally author ized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) the en- tity must inform the subject or the subject’s legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) the entity must re- ceive a written release executed by the subject of the bio metric identifier or biometric information or the subject’s legally author ized representative.470 The Illinois BIPA creates a civil right of action and pro- vides for statutory damages and attorney’s fees for a prevailing party.471 As a result, it has generated substantial litigation. The seminal decision by the Illinois Supreme Court regarding the Illinois BIPA is Rosenbach v. Six Flags Entertainment Corp.,472 where the Court held that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person 464 740 ILCS 14/1 et seq. 465 740 ILCS 14/5. 466 740 ILCS 14/10. 467 740 ILCS 14/10. 468 740 ILCS 14/10. 469 740 ILCS 14/15. 470 740 ILCS 14/15(1)-(3). 471 740 ILCS 14/20. 472 2019 IL 123186. New Mexico and Rhode Island essentially follow the structure of the CCPA model in their legislative proposals.461 In contrast, the legislative proposals in New York and North Dakota do not follow the CCPA model, but do contain much of the same statu- tory language.462 In further contrast, the Washington state bill is modeled after the GDPR rather than the CCPA.463 That the majority of the proposed state legislation adopts the CCPA model reveals certain trends, such as a focus on con- sumer rights, including a right to demand deletion of data and to opt-out of disclosures to third parties other than service pro- viders. Also, the definition of consumer information has greatly expanded in the proposed state legislation. Finally, under the proposed state legislation, even businesses that collect informa- tion only on the internet must designate multiple methods for consumers to submit requests, including maintaining a toll-free number. H. Conclusions The structure of data protection and privacy laws in the United States creates a patchwork of legal requirements that can vary by jurisdiction. This patchwork creates significant legal and logistical challenges in dealing with data collection and use practices that cross state (and international borders). Airports and airport stakeholders need to engage counsel to assist in nav- igating the requirements of not only the laws in their state, but also the laws in other states to ensure that their data protection and privacy programs properly mitigate legal risk. IX. DEVELOPING STATE AND LOCAL LAWS, AND FEDERAL AGENCY ACTIONS AND LEGISLATIVE PROPOSALS ON BIOMETRICS USAGE With the growing use of facial recognition technology and the development of governmental programs to introduce it into the traveler screening process, there is increased airport focus on biometrics, in general, and facial recognition, in particular. Outside of the airport industry, there is also significant court and legislative activity addressing biometrics and facial recognition. A. State Law Developments State laws regarding biometric information are increasing. The following states have varying regulatory schemes. Some have comprehensive regulatory schemes, while others regulate certain aspects of biometric information collection. 461 S.B. 418, 2019 Leg., 30th Sess. (Haw. 2019); S.B. 613, 2019 Reg. Sess. (Md. 2019); S.D. 341, 191st Leg., Reg. Sess. (Mass. 2019); H.B. 1253, 2019 Leg., Reg. Sess. (Miss. 2019); S.B. 176, 54th Leg., 1st Sess. (N.M. 2019); S. 0234, 2019 Gen. Assemb., Reg. Sess. (R.I. 2019); Cal. Civ. Code §§ 1798.100–1798.199. 462 S. 224, 2019-2020 Gen. Assemb., Reg. Sess. (N.Y. 2019); H.B. 1485 2019 Leg., 66th Sess. (N.D. 2019) (enacted); Cal. Civ. Code §§ 1798.100-1798.199. 463 S.B. 6281, 66th Leg., 2020 Reg. Sess. (Wash. 2020).

50 ACRP LRD 42 keeping in the workplace had to present such contentions to an adjustment board under the Railway Labor Act (RLA) rather than to a court.484 Miller specifically found that a union is a “legally authorized representative” for purposes of the Illinois BIPA.485 Finally, Miller also limited the reach of the Illinois BIPA, noting that United wrongly supposed that the suit challenged its employment practices nationwide, which the court noted was not possible as the state statute is limited to Illinois.486 Following Miller, a U.S. District Court for the Northern Dis- trict of Illinois ruled in Crooms v. Southwest Airlines Co.487 that airline workers who filed a putative class action under BIPA re- garding their employer’s practice of collecting employee’s finger- prints for timekeeping had to pursue their claims in arbitration or before an adjustment board, not in federal court. Likewise, a U.S. District Court for the Northern District of Illinois granted a defendant’s motion to compel arbitration of the Plaintiff ’s claim under the Illinois BIPA in Miracle-Pond v. Shutterfly, Inc.488 Notably, the Plaintiff in Miracle-Pond had accepted the defen- dant’s terms of use, which contained a provision that the terms could be revised simply by posting new terms, and the defen- dant later added an arbitration provision, which the court en- forced.489 However, in Acaley v. Vimeo, Inc., a U.S. District Court for the Northern District of Illinois ruled that a putative class action under the Illinois BIPA was an invasion of privacy claim outside of the scope of the parties’ agreement to arbitrate claims, and therefore, could be litigated in federal court.490 2. Texas In 2009, Texas became the second state to enact a biometric information privacy act.491 While the Texas Act (which does not contain an official title) lacks many of the key components of the Illinois BIPA, it is still comprehensive in that it applies to all data collection statewide.492 Interestingly, unlike the Illinois BIPA, the Texas Act applies to a “person,”493 and no “entity” is referenced. Also, the Texas Act does not provide for a statutory penalty, but instead contains a cap on damages.494 There is also no provision for attorney’s fees for a prevailing party. 484 Id. at 905. 485 Id. at 903. 486 Id. at 905. 487 No. 19-cv-2149, 2020 U.S. Dist. LEXIS 84360 (N.D. Ill. May 12, 2020). 488 No. 19-cv-4722, 2020 U.S. Dist. LEXIS 86083 (N.D. Ill. May 15, 2020). 489 Id. 490 No. 19-cv-7164. 2020 U.S. Dist. LEXIS 95208, at *25 (N.D. Ill. June 1, 2020). 491 Tex. Bus. & Com. Code Ch. 503. 492 Tex. Bus. & Com. Code Ch. 503. 493 Tex. Bus. & Com. Code Ch. 503. 494 Id. § 503.001(d). and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.”473 The notion of “data insecurity” as an in- jury in itself is also being explored in academic writing.474 In May 2020, the American Civil Liberties Union filed a law- suit in an Illinois state court against Clearview AI, Inc. for an alleged violation of the Illinois BIPA.475 The complaint claims that Clearview has illegally scraped three billion face-prints from images available online without the knowledge of any of those individuals in violation of the Illinois BIPA.476 It further asserts that Clearview has shared this database with its clients including over 200 companies, law enforcement and other gov- ernment entities in Illinois, and other federal, state and local government agencies.477 This case could serve as a litmus test regarding the feasibility of ubiquitous facial recognition usage. Among the significant federal cases regarding the Illinois BIPA is Bryant v. Compass Group USA, Inc.478 There, the U.S. Court of Appeals for the Seventh Circuit held that a defendant vending machine owner’s failure to make the requisite dis- closures before it collected the Plaintiff ’s fingerprints denied the Plaintiff the ability to give informed written consent as re- quired under the Illinois BIPA.479 The Seventh Circuit found that this failure was a concrete injury-in-fact particularized to the Plaintiff sufficient for Article III standing.480 For airports that have vending machines for employees or other customers implementing this type of biometric technology, this case has substantial implications. In July 2020, a U.S. District Court for the Northern District of Illinois ruled in Figueroa v. Kronos, Inc.481 that a major pro- vider of biometric timekeeping systems to a defendant employer should not be dismissed from a class action lawsuit under the Illinois BIPA where allegations in the complaint contended that the defendant provider did not comply with numerous aspects of the statute.482 Whether a plaintiff may litigate his or her Illinois BIPA claim in court has been the subject of a number of cases. In Miller v. Southwest Airlines Co.,483 a consolidated case involving both Southwest Airlines and United Airlines, the Seventh Circuit ruled that employees who contended that the air carriers vio- lated the Illinois BIPA by using biometric information for time- 473 2019 IL 123186, ¶ 40. 474 See Jay P. Kesan & Carol M. Hayes, Liability for Data Injuries, 2019 U. Ill. L Rev. 295 (2019). 475 ACLU, et al. v. Clearview AI, Inc., No. 20 CH 4353 (Ill. Cir. Ct. May 28, 2020). 476 ACLU, et al. v. Clearview AI, Inc., No. 20 CH 4353, Compl. 3 (Ill. Cir. Ct. May 28, 2020), https://aclu.org/legal-document/aclu-v- clearview- ai-complaint. 477 Id. at 4. 478 958 F.3d 617 (7th Cir. 2020). 479 Id. at 626. 480 Id. at 627. 481 No. 19 C 1306, 2020 U.S. Dist. LEXIS 64131 (N.D. Ill. July 24, 2020). 482 Id. 483 926 F.3d 898 (7th Cir. 2019).

ACRP LRD 42 51 surveillance technology.505 The San Francisco ordinance de- fines surveillance technology to include “biometric software or technology, including facial, voice, iris, and gait-recognition software[,] and databases . . . .”506 The San Francisco ordinance is broader in scope than the statewide CBCAA because San Francisco ordinance applies to all city departments and covers various biometric information, while the CBCAA only applies to facial recognition technology used in law enforcement body cameras.507 On June 13, 2019, Oakland, California, enacted an ordi- nance508 similar to the San Francisco ordinance in that it ap- plies to all City departments, but narrower in its technical reach in that it applies only to facial recognition.509 Significantly, the Oakland ordinance contains several findings as the bases for the Oakland City Council’s action, one of which refers to a 2018 report by the Massachusetts Institute of Technology Media Lab that concluded facial recognition systems produced error rates of up to 34.7% in persons other than white males.510 On June 27, 2019, the City of Somerville, Massachusetts, enacted an ordinance banning the use of facial recognition technology by any city official.511 The Somerville ordinance, un- like the San Francisco and Oakland ordinances, provides for a cause of action for injunctive or declaratory relief, or for a writ of mandate.512 On December 10, 2019, the Port of Seattle Commission ap- proved a moratorium on new biometric technology programs at the portion of the Seattle-Tacoma International Airport over which it has control.513 The Commission’s action established a set of principles for guiding the development of biometric tech- nology and established a working group to further examine the issue. The Motion specifically noted that its actions did not af- fect programs of the federal government. The moratorium will not apply to the plan of the U.S. CBP Agency to install facial rec- ognition cameras at the airport in July 2020, because that part of the airport is controlled by the federal government.514 Similarly, the moratorium will not affect the CLEAR program authorized for use by the Transportation Security Administration, which 505 S.F. Admin. Code Ch. 19B. 506 Id. at 19B.1. 507 Compare Cal. Penal Code § 832.19, with S.F. Admin. Code Ch. 19B.2. 508 Oakland Mun. Code 9.64. 509 Id. at 9.64.045. 510 Joy Buolamwini & Timnit Gebru, Gender Shades: Intersectional Accuracy Disparities in Commercial Gender Classification, Proceedings of Machine Learning Research 81:1-15, Conference on Fairness, Accountability & Transparency (2018), http://proceedings.mlr.press/ v81/buolamwini18a/buolamwini18a.pdf. 511 Somerville Ord. No. 2019-16, § 9-25. 512 Id. § 9-25(c). 513 Motion 2019-13, A Motion of the Port of Seattle Commission, Port of Seattle Com’n Meeting (Dec. 10, 2019), https://meetings. portseattle.org/index.php?option=com_meetings&view=attachments &Itemid=235#key=39057rol. 514 Id. 3. Washington In 2017, Washington became the third state to enact a bio- metric information privacy act.495 The Biometric Identifiers Act also lacks many of the key components of the Illinois BIPA. Like the Texas Act, it applies only to a “person,” and no “entity” is referenced.496 Unlike both the Illinois BIPA and the Texas Act, the Biometric Identifiers Act does not provide for any private civil action, but instead provides that it “may be enforced solely by the attorney general under the consumer protection act.”497 On March 31, 2020, Washington enacted a separate act regulating facial recognition usage by both state and local gov- ernment.498 Among other requirements, the Facial Recognition Act requires that state and local government agencies submit ac- countability reports on facial recognition systems detailing the rate of false matches, data security measures, and procedures for testing and feedback.499 4. California The CCPA500 expanded California’s privacy and information regulatory scheme to include biometric data. Additionally, on October 8, 2019, California enacted the Body Camera Accountability Act (CBCAA)501 which bans the use of facial recognition technology with law enforcement body cameras. The CBCAA states that it will remain in effect until January 1, 2023.502 5. Oregon While Oregon does not have a comprehensive bio metric information privacy act, it does regulate law enforcement agency policies and procedures regarding video and audio re- cordings and has an express “prohibition on the use of facial recognition or other biometric matching technology to analyze recordings obtained through the use of the camera.”503 6. New Hampshire New Hampshire does not have a comprehensive biometric information privacy act, but it has banned the use of facial rec- ognition technology with police body cameras.504 B. Local Restrictions A growing number of cities have banned the use of facial recognition by city agencies, including the police. On May 14, 2019, San Francisco became the first city to ban the use of 495 Wash. Rev. Code Ch. 19.375. 496 Id. 497 Wash Rev. Code § 19.375.030. 498 Wash. Rev. Code Ch. 257. (eff. July 1, 2021). 499 Id. at § 3. 500 Cal. Civ. Code § 1798.100. 501 Cal. Penal Code § 832.19. 502 Cal. Penal Code § 832.19(e). 503 Or. Rev. Stat. § 133.741(1)(D). 504 N.H. Rev. Stat. § 105-D:2.

52 ACRP LRD 42 traveler will proceed through the TSA security checkpoint and to their departure gate as usual.”525 On June 21, 2018, the CBP announced that Orlando Inter- national Airport became the first U.S. airport to commit to processing all arriving and departing international travelers with facial recognition technology.526 The CBP also indicated that it has facial recognition operations in Miami, Atlanta, New York JFK, San Diego, Houston (Intercontinental and Hobby), Washington Dulles, Las Vegas, Chicago O’Hare, and in pre- clearance locations in Aruba, Abu Dhabi, and Ireland (Dublin and Shannon).527 In the Fall of 2019, DHS proposed a rule to amend CBP’s regulations to begin a comprehensive biometric entry-exit sys- tem and to remove the references to pilot programs and port limitations.528 At about the same time, DHS also proposed “to amend the regulations to provide that all travelers, including U.S. citizens, may be required to be photographed upon entry and/or departure.”529 On December 4, 2019, the CBP posted on its website that after its third meeting with leading privacy experts, it deter- mined that “U.S. citizens may opt out of the biometric facial comparison process by notifying a CBP officer or airline representative.”530 The CBP instructed that “[i]ndividuals who opt out simply present their passport for visual inspection, as is standard practice at ports of entry today.”531 Both technical and legal issues relating to facial recognition systems (FRS) in the United States have received national atten- tion regarding the dual concerns of accuracy and privacy. There are currently no industry standards for the development of FRS. The NIST of the U.S. Department of Commerce conducted a detailed study through its Face Recognition Vendor Program and published a report in December, 2019, which evaluated the effects of factors such as race and gender on facial recognition software.532 525 Id. 526 CBP Advances Biometric Exit Mission as Orlando International Airport Becomes First U.S. Airport to Commit to Facial Recognition Tech- nology, U.S. Customs & Border Prot. (June 21, 2018), https://www. cbp.gov/newsroom/national-media-release/cbp-advances- biometric- exit-mission-orlando-international-airport. 527 Id. 528 Collection of Biometric Data from Aliens Upon Entry to and Exit from the United States, Dep’t of Homeland Sec., Reg. Id. No. 1651-AB12 (Fall 2019). 529 Collection of Biometric Data from U.S. Citizens Upon Entry to and Departure from the United States, Dep’t of Homeland Sec., Reg. Id. No. 1651-AB22 (Spring 2019). 530 CBP and Privacy Groups Discuss Biometric Entry-Exit Mandate, U.S. Customs & Border Prot. Dec. 4 (2019), https://www.cbp.gov/ newsroom/national-media-release/cbp-and-privacy-groups-discuss- biometric-entry-exit-mandate. 531 Id. 532 59 Face Recognition Vendor Test (FRVT Part 3: Demographic Effects, Nat. Inst. Of Standards & Tech. (Dec. 2019), https://nvlpubs. nist.gov/nistpubs/ir/2019/NIST.IR.8280.pdf. uses biometric technology to allow passengers to go to the front a screening line.515 On June 30, 2020, the Mayor of Boston enacted an ordi- nance that had been unanimously approved by the City Council entitled “Banning Face Surveillance Technology in Boston.”516 The ordinance also bans private sector use of this technology when related to a City permit.517 The ordinance provides a pri- vate cause of action as a remedy.518 However, the ordinance is limited to “any department, agency, bureau, and/or subordinate division of the City of Boston.”519 A ban on the use of facial recognition technology was also adopted through two ordinances in the City of Portland, OR on September 9, 2020.520 One ordinance that was effective im- mediately prohibited the use of facial recognition technology by City of Portland governmental units.521 The second ordinance, effective January 1, 2021, prohibits “private entities’” use of facial recognition in any place of “public accommodation.”522 This legislation represents the broadest limitation on use of facial recognition to date. C. Federal Agency Actions and Legislative Proposals In the Spring of 2017, the U.S. Department of Homeland Security (DHS) proposed a rule to amend regulations of the CBP to allow for a nationwide biometric exit program at all ports of entry and to collect biometrics from an expanded scope of persons upon entry to and exit from the United States.523 On October 11, 2017, the CBP announced the development of facial recognition biometric technology at one terminal at John F. Kennedy International Airport for 30 days.524 The an- nouncement indicated that “[w]hen travelers on outbound international flights reach the TSA ticket document checking podium, the TSA officer will review the traveler’s boarding pass and identify documents in accordance with TSA’s standard op- erating procedures and will then direct the traveler to a camera placed next to the podium. After capturing the facial image, the 515 Id. 516 Bos. Ord. No. 16-62. 517 Id. 518 Id. at 16-62(c). 519 Id. at 16-62(a). 520 City Council Approves Ordinances Banning Use of Facial Recogni- tion Technologies by City of Portland Bureaus and By Private Entities in Public Spaces, City of Portland, (Sept. 9, 2020), https://static1. s q u a r e s p a c e . c o m / s t a t i c / 5 9 6 7 c 1 8 b f f 7 c 5 0 a 0 2 4 4 f f 4 2 c / t / 5f3ad787ba3fd27776e444af/1597691785249/Ordinance+to+ban+use+ of+FRT+in+Places+of+Public+Accommodation+plus+code+ amendment+-Final.pdf. 521 Id. 522 Id. 523 Collection of Biometric Data Upon Entry to and Exit from the United States, Dept’ Homeland Sec., Reg. No. 1651-AB12 (Spring 2017). 524 CBP Deploys Facial Recognition Biometric Technology at 1 TSA Checkpoint at JFK Airport, U.S. Customs & Border Prot. (Oct. 11, 2017), https://www.cbp.gov/newsroom/national-media-release/cbp-deploys- facial-recognition-biometric-techno.

ACRP LRD 42 53 of origin, and age.548 This increase is present for most algorithms and datasets.549 For race, false positive rates are highest in West and East African and East Asian people with some exceptions noted in the study.550 In August 2020, as part of its effort to assist in the develop- ment of trustworthy AI, NIST published a draft of Four Prin- ciples of Explainable Artificial Intelligence (NISTIR 8312).551 The four principles are explanation, meaningfulness, accuracy, and knowledge limits.552 NIST’s work to advance the development of AI standards has been the focus of increasing attention in Con- gress to provide funding for a national program to advance AI research.553 Given the demographic differences in the rates of false posi- tives and false negatives for facial recognition data, there may be increased interest in biometric technologies that do not rely upon information ostensibly linked to demography. One such biometric is indicated to be an individual’s “cardiac signature.”554 A Massachusetts Institute of Technology (MIT) Review states that “an individual’s cardiac signature is unique.”555 After a re- quest by the U.S. Special Forces, a new device was developed for the Pentagon’s Combatting Terrorism Technical Support Office that detects an individual’s cardiac signature with an infrared laser.556 Contact infrared sensors are often used to automatically record an individual’s pulse, but the new device, called Jetson, uses a technique known as laser vibrometry to detect the sur- face movement caused by a heartbeat.557 The MIT Review re- ports that cardiac signatures are already used for security iden- tification in commercial applications using a wrist-worn pulse sensor, but notes that Jetson extends this technology to check vibration from a distance of up to 200 meters.558 Researchers have noted that cardiac radar is a biometric modality of interest because it is non-intrusive and requires no subject cooperation or knowledge.559 These points raise significant privacy concerns. 548 Id. 549 Id. 550 Id. 551 Four Principles of Explainable Artificial Intelligence, Nat’l Inst. of Standards & Tech. (Aug. 2020), https://www.nist.gov/system/files/ documents/2020/08/17/NIST%20Explainable%20AI%20Draft%20 NISTIR8312%20%281%29.pdf. 552 Id. 553 See, e.g., Advancing Artificial Intelligence Research Act of 2020, S 3891, 116th Cong. (2020). 554 David Hambling, The Pentagon has a Laser that can Identify People from a Distance by Their Heartbeat, MIT Tech. Rev. (June 27, 2019), https://www.technologyreview.com/2019/06/27/238884/the-pentagon- has-a-laser-that-can-identify-people-from-a-distanceby-their-heartbeat/. 555 Id. 556 Id. 557 Id. 558 Id. 559 See Daniel Rissacher, et al., Cardiac Radar for Biometric Identifica- tion using Nearest Neighbor of Continuous Wavelet Transform Peaks” Clarkson Univ., https://www.clarkson.edu/sites/default/files/2017-11/ Cardiac%20Radar%20for%20Biometric%20Identification.pdf. The NIST study evaluated 189 software algorithms from 99 developers.533 It focused on how each algorithm performed on two different tasks.534 The first task was confirming that one photo matches a different photo of the same person in a data- base.535 This task is commonly known as one-to-one matching and is used for verification, such as checking a passport. The second task was determining whether a photo has any match in a database.536 This task is commonly known as one-to-many matching and can be used to identify a person of interest. The NIST study measured the two classes of error that soft- ware can make: false positives and false negatives.537 A false positive occurs when software wrongly considered photos of two different individuals to show the same person, while a false negative occurs when software failed to match two photos that show the same person. The NIST study was vast in scale and used four collections of photographs containing 18.27 million images of 8.49 million people.538 The collections came from operational databases of the State Department, the DHS, and the FBI. The study did not use any images “scraped”539 from internet sources such as social media or video surveillance.540 The study shows findings for both false negatives and false positives and organizes its findings by demographic.541 Among the broader findings, the study shows empirical evidence for the existence of demographic differentials in the majority of con- temporary face recognition algorithms that were evaluated.542 The false positive differentials are much larger than those related to false negatives.543 False positive rates often vary by one or two orders of magnitude (i.e., 10x, 100x).544 Yet false negative effects vary by factors usually much less than three.545 The false positive differentials exist broadly, across many, but not all, algorithms.546 The false negatives tend to be more algorithm-specific.547 With regard to false positive demographic differentials, the study found false positives to be between two and five times higher in women than men, the multiple varying with algorithm, country 533 Id. at 1. 534 Id. 535 Id. 536 Id. 537 Id. at 2. 538 Id. at 1. 539 See Bradley Williams, Preventing Unintended Internet Discrimi- nation: An Analysis of the Computer Fraud and Abuse Act for Algorithmic Racial Steering, 2018 U. Ill. L. Rev. 847 (2018) (discussing the concept of scraping). 540 Face Recognition Vendor Test (FRVT Part 3: Demographic Effects, Nat. Inst. Of Standards & Tech., at 9 (Dec. 2019), https://nvlpubs. nist.gov/nistpubs/ir/2019/NIST.IR.8280.pdf. 541 Id. at 6-8. 542 Id. 543 Id. 544 Id. 545 Id. 546 Id. 547 Id.

Next: X. INTERPLAY OF PRIVACY AND OPEN GOVERNMENT RECORDS »
Legal Implications of Data Collection at Airports Get This Book
×
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

As technology evolves, airports and their partners collect more data from passengers, employees, tenants, concessionaires, airlines, and others. This data is used in many ways, including for facility management, security, ground transportation, marketing, understanding passenger preferences, and enhancing the travel experience.

The TRB Airport Cooperative Research Program's ACRP Legal Research Digest 42: Legal Implications of Data Collection at Airports provides a survey of applicable law; considerations for the collection and safekeeping of data; and a review of the issues that arise related to data collection among airports, their tenants, and other users. It also offers an understanding of the expansion in law around data collection and use.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  6. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  7. ×

    View our suggested citation for this chapter.

    « Back Next »
  8. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!