Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
ACRP LRD 42 49 1. Illinois Illinois has one of the most comprehensive regulatory schemes in the country regarding biometrics. The Illinois Bio- metric Information Privacy Act (Illinois BIPA)464 is seen as offering some of the most robust protections of biometric data in the United States One of the key express legislative findings is the recognition that [b]iometrics are unlike other unique identifiers that are used to ac- cess finances or other sensitive information. For example, social security numbers, when compromised can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at a heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.465 The Illinois BIPA is notable in that it contains a statutory def- inition of a âBiometric Identifierâ as being âa retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.â466 Likewise, it contains expressly defined exclusions for âwriting samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demo- graphic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.â467 Significantly, given the COVID-19 pandemic and the increased use of air passenger temperature screenings, the Illinois BIPA does not state that a biometric identifier includes an individualâs temperature.468 The four main Illinois BIPA compliance requirements in- clude retention, collection, disclosure, and destruction.469 The collection component has the following three requirements: (1) the entity must inform the subject or the subjectâs legally author ized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) the en- tity must inform the subject or the subjectâs legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) the entity must re- ceive a written release executed by the subject of the bio metric identifier or biometric information or the subjectâs legally author ized representative.470 The Illinois BIPA creates a civil right of action and pro- vides for statutory damages and attorneyâs fees for a prevailing party.471 As a result, it has generated substantial litigation. The seminal decision by the Illinois Supreme Court regarding the Illinois BIPA is Rosenbach v. Six Flags Entertainment Corp.,472 where the Court held that âan individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an âaggrievedâ person 464 740 ILCS 14/1 et seq. 465 740 ILCS 14/5. 466 740 ILCS 14/10. 467 740 ILCS 14/10. 468 740 ILCS 14/10. 469 740 ILCS 14/15. 470 740 ILCS 14/15(1)-(3). 471 740 ILCS 14/20. 472 2019 IL 123186. New Mexico and Rhode Island essentially follow the structure of the CCPA model in their legislative proposals.461 In contrast, the legislative proposals in New York and North Dakota do not follow the CCPA model, but do contain much of the same statu- tory language.462 In further contrast, the Washington state bill is modeled after the GDPR rather than the CCPA.463 That the majority of the proposed state legislation adopts the CCPA model reveals certain trends, such as a focus on con- sumer rights, including a right to demand deletion of data and to opt-out of disclosures to third parties other than service pro- viders. Also, the definition of consumer information has greatly expanded in the proposed state legislation. Finally, under the proposed state legislation, even businesses that collect informa- tion only on the internet must designate multiple methods for consumers to submit requests, including maintaining a toll-free number. H. Conclusions The structure of data protection and privacy laws in the United States creates a patchwork of legal requirements that can vary by jurisdiction. This patchwork creates significant legal and logistical challenges in dealing with data collection and use practices that cross state (and international borders). Airports and airport stakeholders need to engage counsel to assist in nav- igating the requirements of not only the laws in their state, but also the laws in other states to ensure that their data protection and privacy programs properly mitigate legal risk. IX. DEVELOPING STATE AND LOCAL LAWS, AND FEDERAL AGENCY ACTIONS AND LEGISLATIVE PROPOSALS ON BIOMETRICS USAGE With the growing use of facial recognition technology and the development of governmental programs to introduce it into the traveler screening process, there is increased airport focus on biometrics, in general, and facial recognition, in particular. Outside of the airport industry, there is also significant court and legislative activity addressing biometrics and facial recognition. A. State Law Developments State laws regarding biometric information are increasing. The following states have varying regulatory schemes. Some have comprehensive regulatory schemes, while others regulate certain aspects of biometric information collection. 461 S.B. 418, 2019 Leg., 30th Sess. (Haw. 2019); S.B. 613, 2019 Reg. Sess. (Md. 2019); S.D. 341, 191st Leg., Reg. Sess. (Mass. 2019); H.B. 1253, 2019 Leg., Reg. Sess. (Miss. 2019); S.B. 176, 54th Leg., 1st Sess. (N.M. 2019); S. 0234, 2019 Gen. Assemb., Reg. Sess. (R.I. 2019); Cal. Civ. Code Â§Â§ 1798.100â1798.199. 462 S. 224, 2019-2020 Gen. Assemb., Reg. Sess. (N.Y. 2019); H.B. 1485 2019 Leg., 66th Sess. (N.D. 2019) (enacted); Cal. Civ. Code Â§Â§ 1798.100-1798.199. 463 S.B. 6281, 66th Leg., 2020 Reg. Sess. (Wash. 2020).
ACRP LRD 42 51 surveillance technology.505 The San Francisco ordinance de- fines surveillance technology to include âbiometric software or technology, including facial, voice, iris, and gait-recognition software[,] and databases . . . .â506 The San Francisco ordinance is broader in scope than the statewide CBCAA because San Francisco ordinance applies to all city departments and covers various biometric information, while the CBCAA only applies to facial recognition technology used in law enforcement body cameras.507 On June 13, 2019, Oakland, California, enacted an ordi- nance508 similar to the San Francisco ordinance in that it ap- plies to all City departments, but narrower in its technical reach in that it applies only to facial recognition.509 Significantly, the Oakland ordinance contains several findings as the bases for the Oakland City Councilâs action, one of which refers to a 2018 report by the Massachusetts Institute of Technology Media Lab that concluded facial recognition systems produced error rates of up to 34.7% in persons other than white males.510 On June 27, 2019, the City of Somerville, Massachusetts, enacted an ordinance banning the use of facial recognition technology by any city official.511 The Somerville ordinance, un- like the San Francisco and Oakland ordinances, provides for a cause of action for injunctive or declaratory relief, or for a writ of mandate.512 On December 10, 2019, the Port of Seattle Commission ap- proved a moratorium on new biometric technology programs at the portion of the Seattle-Tacoma International Airport over which it has control.513 The Commissionâs action established a set of principles for guiding the development of biometric tech- nology and established a working group to further examine the issue. The Motion specifically noted that its actions did not af- fect programs of the federal government. The moratorium will not apply to the plan of the U.S. CBP Agency to install facial rec- ognition cameras at the airport in July 2020, because that part of the airport is controlled by the federal government.514 Similarly, the moratorium will not affect the CLEAR program authorized for use by the Transportation Security Administration, which 505 S.F. Admin. Code Ch. 19B. 506 Id. at 19B.1. 507 Compare Cal. Penal Code Â§ 832.19, with S.F. Admin. Code Ch. 19B.2. 508 Oakland Mun. Code 9.64. 509 Id. at 9.64.045. 510 Joy Buolamwini & Timnit Gebru, Gender Shades: Intersectional Accuracy Disparities in Commercial Gender Classification, Proceedings of Machine Learning Research 81:1-15, Conference on Fairness, Accountability & Transparency (2018), http://proceedings.mlr.press/ v81/buolamwini18a/buolamwini18a.pdf. 511 Somerville Ord. No. 2019-16, Â§ 9-25. 512 Id. Â§ 9-25(c). 513 Motion 2019-13, A Motion of the Port of Seattle Commission, Port of Seattle Comân Meeting (Dec. 10, 2019), https://meetings. portseattle.org/index.php?option=com_meetings&view=attachments &Itemid=235#key=39057rol. 514 Id. 3. Washington In 2017, Washington became the third state to enact a bio- metric information privacy act.495 The Biometric Identifiers Act also lacks many of the key components of the Illinois BIPA. Like the Texas Act, it applies only to a âperson,â and no âentityâ is referenced.496 Unlike both the Illinois BIPA and the Texas Act, the Biometric Identifiers Act does not provide for any private civil action, but instead provides that it âmay be enforced solely by the attorney general under the consumer protection act.â497 On March 31, 2020, Washington enacted a separate act regulating facial recognition usage by both state and local gov- ernment.498 Among other requirements, the Facial Recognition Act requires that state and local government agencies submit ac- countability reports on facial recognition systems detailing the rate of false matches, data security measures, and procedures for testing and feedback.499 4. California The CCPA500 expanded Californiaâs privacy and information regulatory scheme to include biometric data. Additionally, on October 8, 2019, California enacted the Body Camera Accountability Act (CBCAA)501 which bans the use of facial recognition technology with law enforcement body cameras. The CBCAA states that it will remain in effect until January 1, 2023.502 5. Oregon While Oregon does not have a comprehensive bio metric information privacy act, it does regulate law enforcement agency policies and procedures regarding video and audio re- cordings and has an express âprohibition on the use of facial recognition or other biometric matching technology to analyze recordings obtained through the use of the camera.â503 6. New Hampshire New Hampshire does not have a comprehensive biometric information privacy act, but it has banned the use of facial rec- ognition technology with police body cameras.504 B. Local Restrictions A growing number of cities have banned the use of facial recognition by city agencies, including the police. On May 14, 2019, San Francisco became the first city to ban the use of 495 Wash. Rev. Code Ch. 19.375. 496 Id. 497 Wash Rev. Code Â§ 19.375.030. 498 Wash. Rev. Code Ch. 257. (eff. July 1, 2021). 499 Id. at Â§ 3. 500 Cal. Civ. Code Â§ 1798.100. 501 Cal. Penal Code Â§ 832.19. 502 Cal. Penal Code Â§ 832.19(e). 503 Or. Rev. Stat. Â§ 133.741(1)(D). 504 N.H. Rev. Stat. Â§ 105-D:2.
52 ACRP LRD 42 traveler will proceed through the TSA security checkpoint and to their departure gate as usual.â525 On June 21, 2018, the CBP announced that Orlando Inter- national Airport became the first U.S. airport to commit to processing all arriving and departing international travelers with facial recognition technology.526 The CBP also indicated that it has facial recognition operations in Miami, Atlanta, New York JFK, San Diego, Houston (Intercontinental and Hobby), Washington Dulles, Las Vegas, Chicago OâHare, and in pre- clearance locations in Aruba, Abu Dhabi, and Ireland (Dublin and Shannon).527 In the Fall of 2019, DHS proposed a rule to amend CBPâs regulations to begin a comprehensive biometric entry-exit sys- tem and to remove the references to pilot programs and port limitations.528 At about the same time, DHS also proposed âto amend the regulations to provide that all travelers, including U.S. citizens, may be required to be photographed upon entry and/or departure.â529 On December 4, 2019, the CBP posted on its website that after its third meeting with leading privacy experts, it deter- mined that âU.S. citizens may opt out of the biometric facial comparison process by notifying a CBP officer or airline representative.â530 The CBP instructed that â[i]ndividuals who opt out simply present their passport for visual inspection, as is standard practice at ports of entry today.â531 Both technical and legal issues relating to facial recognition systems (FRS) in the United States have received national atten- tion regarding the dual concerns of accuracy and privacy. There are currently no industry standards for the development of FRS. The NIST of the U.S. Department of Commerce conducted a detailed study through its Face Recognition Vendor Program and published a report in December, 2019, which evaluated the effects of factors such as race and gender on facial recognition software.532 525 Id. 526 CBP Advances Biometric Exit Mission as Orlando International Airport Becomes First U.S. Airport to Commit to Facial Recognition Tech- nology, U.S. Customs & Border Prot. (June 21, 2018), https://www. cbp.gov/newsroom/national-media-release/cbp-advances- biometric- exit-mission-orlando-international-airport. 527 Id. 528 Collection of Biometric Data from Aliens Upon Entry to and Exit from the United States, Depât of Homeland Sec., Reg. Id. No. 1651-AB12 (Fall 2019). 529 Collection of Biometric Data from U.S. Citizens Upon Entry to and Departure from the United States, Depât of Homeland Sec., Reg. Id. No. 1651-AB22 (Spring 2019). 530 CBP and Privacy Groups Discuss Biometric Entry-Exit Mandate, U.S. Customs & Border Prot. Dec. 4 (2019), https://www.cbp.gov/ newsroom/national-media-release/cbp-and-privacy-groups-discuss- biometric-entry-exit-mandate. 531 Id. 532 59 Face Recognition Vendor Test (FRVT Part 3: Demographic Effects, Nat. Inst. Of Standards & Tech. (Dec. 2019), https://nvlpubs. nist.gov/nistpubs/ir/2019/NIST.IR.8280.pdf. uses biometric technology to allow passengers to go to the front a screening line.515 On June 30, 2020, the Mayor of Boston enacted an ordi- nance that had been unanimously approved by the City Council entitled âBanning Face Surveillance Technology in Boston.â516 The ordinance also bans private sector use of this technology when related to a City permit.517 The ordinance provides a pri- vate cause of action as a remedy.518 However, the ordinance is limited to âany department, agency, bureau, and/or subordinate division of the City of Boston.â519 A ban on the use of facial recognition technology was also adopted through two ordinances in the City of Portland, OR on September 9, 2020.520 One ordinance that was effective im- mediately prohibited the use of facial recognition technology by City of Portland governmental units.521 The second ordinance, effective January 1, 2021, prohibits âprivate entitiesââ use of facial recognition in any place of âpublic accommodation.â522 This legislation represents the broadest limitation on use of facial recognition to date. C. Federal Agency Actions and Legislative Proposals In the Spring of 2017, the U.S. Department of Homeland Security (DHS) proposed a rule to amend regulations of the CBP to allow for a nationwide biometric exit program at all ports of entry and to collect biometrics from an expanded scope of persons upon entry to and exit from the United States.523 On October 11, 2017, the CBP announced the development of facial recognition biometric technology at one terminal at John F. Kennedy International Airport for 30 days.524 The an- nouncement indicated that â[w]hen travelers on outbound international flights reach the TSA ticket document checking podium, the TSA officer will review the travelerâs boarding pass and identify documents in accordance with TSAâs standard op- erating procedures and will then direct the traveler to a camera placed next to the podium. After capturing the facial image, the 515 Id. 516 Bos. Ord. No. 16-62. 517 Id. 518 Id. at 16-62(c). 519 Id. at 16-62(a). 520 City Council Approves Ordinances Banning Use of Facial Recogni- tion Technologies by City of Portland Bureaus and By Private Entities in Public Spaces, City of Portland, (Sept. 9, 2020), https://static1. s q u a r e s p a c e . c o m / s t a t i c / 5 9 6 7 c 1 8 b f f 7 c 5 0 a 0 2 4 4 f f 4 2 c / t / 5f3ad787ba3fd27776e444af/1597691785249/Ordinance+to+ban+use+ of+FRT+in+Places+of+Public+Accommodation+plus+code+ amendment+-Final.pdf. 521 Id. 522 Id. 523 Collection of Biometric Data Upon Entry to and Exit from the United States, Deptâ Homeland Sec., Reg. No. 1651-AB12 (Spring 2017). 524 CBP Deploys Facial Recognition Biometric Technology at 1 TSA Checkpoint at JFK Airport, U.S. Customs & Border Prot. (Oct. 11, 2017), https://www.cbp.gov/newsroom/national-media-release/cbp-deploys- facial-recognition-biometric-techno.
ACRP LRD 42 53 of origin, and age.548 This increase is present for most algorithms and datasets.549 For race, false positive rates are highest in West and East African and East Asian people with some exceptions noted in the study.550 In August 2020, as part of its effort to assist in the develop- ment of trustworthy AI, NIST published a draft of Four Prin- ciples of Explainable Artificial Intelligence (NISTIR 8312).551 The four principles are explanation, meaningfulness, accuracy, and knowledge limits.552 NISTâs work to advance the development of AI standards has been the focus of increasing attention in Con- gress to provide funding for a national program to advance AI research.553 Given the demographic differences in the rates of false posi- tives and false negatives for facial recognition data, there may be increased interest in biometric technologies that do not rely upon information ostensibly linked to demography. One such biometric is indicated to be an individualâs âcardiac signature.â554 A Massachusetts Institute of Technology (MIT) Review states that âan individualâs cardiac signature is unique.â555 After a re- quest by the U.S. Special Forces, a new device was developed for the Pentagonâs Combatting Terrorism Technical Support Office that detects an individualâs cardiac signature with an infrared laser.556 Contact infrared sensors are often used to automatically record an individualâs pulse, but the new device, called Jetson, uses a technique known as laser vibrometry to detect the sur- face movement caused by a heartbeat.557 The MIT Review re- ports that cardiac signatures are already used for security iden- tification in commercial applications using a wrist-worn pulse sensor, but notes that Jetson extends this technology to check vibration from a distance of up to 200 meters.558 Researchers have noted that cardiac radar is a biometric modality of interest because it is non-intrusive and requires no subject cooperation or knowledge.559 These points raise significant privacy concerns. 548 Id. 549 Id. 550 Id. 551 Four Principles of Explainable Artificial Intelligence, Natâl Inst. of Standards & Tech. (Aug. 2020), https://www.nist.gov/system/files/ documents/2020/08/17/NIST%20Explainable%20AI%20Draft%20 NISTIR8312%20%281%29.pdf. 552 Id. 553 See, e.g., Advancing Artificial Intelligence Research Act of 2020, S 3891, 116th Cong. (2020). 554 David Hambling, The Pentagon has a Laser that can Identify People from a Distance by Their Heartbeat, MIT Tech. Rev. (June 27, 2019), https://www.technologyreview.com/2019/06/27/238884/the-pentagon- has-a-laser-that-can-identify-people-from-a-distanceby-their-heartbeat/. 555 Id. 556 Id. 557 Id. 558 Id. 559 See Daniel Rissacher, et al., Cardiac Radar for Biometric Identifica- tion using Nearest Neighbor of Continuous Wavelet Transform Peaksâ Clarkson Univ., https://www.clarkson.edu/sites/default/files/2017-11/ Cardiac%20Radar%20for%20Biometric%20Identification.pdf. The NIST study evaluated 189 software algorithms from 99 developers.533 It focused on how each algorithm performed on two different tasks.534 The first task was confirming that one photo matches a different photo of the same person in a data- base.535 This task is commonly known as one-to-one matching and is used for verification, such as checking a passport. The second task was determining whether a photo has any match in a database.536 This task is commonly known as one-to-many matching and can be used to identify a person of interest. The NIST study measured the two classes of error that soft- ware can make: false positives and false negatives.537 A false positive occurs when software wrongly considered photos of two different individuals to show the same person, while a false negative occurs when software failed to match two photos that show the same person. The NIST study was vast in scale and used four collections of photographs containing 18.27 million images of 8.49 million people.538 The collections came from operational databases of the State Department, the DHS, and the FBI. The study did not use any images âscrapedâ539 from internet sources such as social media or video surveillance.540 The study shows findings for both false negatives and false positives and organizes its findings by demographic.541 Among the broader findings, the study shows empirical evidence for the existence of demographic differentials in the majority of con- temporary face recognition algorithms that were evaluated.542 The false positive differentials are much larger than those related to false negatives.543 False positive rates often vary by one or two orders of magnitude (i.e., 10x, 100x).544 Yet false negative effects vary by factors usually much less than three.545 The false positive differentials exist broadly, across many, but not all, algorithms.546 The false negatives tend to be more algorithm-specific.547 With regard to false positive demographic differentials, the study found false positives to be between two and five times higher in women than men, the multiple varying with algorithm, country 533 Id. at 1. 534 Id. 535 Id. 536 Id. 537 Id. at 2. 538 Id. at 1. 539 See Bradley Williams, Preventing Unintended Internet Discrimi- nation: An Analysis of the Computer Fraud and Abuse Act for Algorithmic Racial Steering, 2018 U. Ill. L. Rev. 847 (2018) (discussing the concept of scraping). 540 Face Recognition Vendor Test (FRVT Part 3: Demographic Effects, Nat. Inst. Of Standards & Tech., at 9 (Dec. 2019), https://nvlpubs. nist.gov/nistpubs/ir/2019/NIST.IR.8280.pdf. 541 Id. at 6-8. 542 Id. 543 Id. 544 Id. 545 Id. 546 Id. 547 Id.