The providers of the technology and services behind biometrics are gung-ho about selling their goods to law enforcement: a typical story, from cloud-based biometrics company M2SYS, comes headlined with the promise that “Cloud-Based Biometrics Will Change the Face of Law Enforcement.”
That well may be so, but the face of law enforcement is changing in pitch blackness.
There’s little transparency into how police are using technologies, which they’re using, how accurate they are, nor what, if any, policies are being used to protect our rights.
To shed light into this murky area, the Electronic Frontier Foundation (EFF) and MuckRock on Tuesday put out a form that they’ll use to get some answers out of US police departments regarding how they track our fingers, face, DNA, and more.
From their announcement:
As biometric technologies have advanced — with fingerprint scanners now standard on many phones and DNA testing becoming a consumer industry — private companies have become increasingly aggressive about selling these services to law enforcement groups. And just as technology that powers your cell phone has shrunk in both size and cost, mobile surveillance and tracking tools are now being deployed more cheaply than ever before — and with less oversight.
The EFF and MuckRock have undertaken a national census, via public records requests, to ask agencies what technologies they have and how they’re using them.
This should help fill some blanks, given that there’s currently no national database that tracks who’s using what, how well it’s working, or what policies are in place to protect our freedoms, the groups said.
Filling out the form generates what the groups say is a legally binding public records request, customized to the jurisdiction specified by a given signer.
The groups provided this example of a request, which in the example is for the Boston Police Department.
They’re looking for this information:
- Purchasing and procurement documents
- Policy, procedural, and training documents, including but not limited to: use policies, standard operating procedures, training materials, presentations, privacy assessments, data retention policies, and other guidelines
- Programming documents, including but not limited to: funding opportunity announcements, grant applications and grantor status/progress reports, reports to legislative bodies, annual reports
- Audit documents, including but not limited to: audits of the system, misuse reports, and reports to oversight bodies
- The total number of individuals whose biometric data has been collected over the last three years
- The total number of biometric data points contained in the agency’s database
- The retention period for biometric data
- The number of mobile biometrics devices purchased and in use
- The total number of authorized users of the mobile biometrics devices
- Which external agencies and entities have access to biometric data in the database and under what conditions
- Whether biometric data is combined with biographic data such as name and address in the database
- The process by which data is entered into the database.
This is important information, not only to hold public servants accountable to taxpayers for what they’re buying with our money, and not only to determine how they’re protecting people from data misuse, but also because, as we already well know, biometrics technologies are inherently fallible.
It’s one thing when misplaced trust in biometrics as a foolproof authentication system leads to people’s phones getting hacked.
But it’s another thing entirely when police – well, do what? Detain, arrest, serve warrants upon, indict? – people based on potentially erroneous information.
Transparency into these practices will be a welcome thing.
I already signed the petition.
Here’s the link if you’re in the US and want to find out what your local police are up to.