The tech privacy gap: When the law isn’t ready for a killer app

It’s always the case: big secrets make big news. Immigration and Customs Enforcement officials as well as other law enforcement agencies have, for years, worked closely with state DMVs to implement facial recognition technology in the commission of their work. The process has involved the raiding of millions of driver’s license and state identification photographs. The recent revelation of this protocol set off a furor around the nation.

And rightly so. As is often the case, facial recognition technology has made possible actions (and sadly depredations of constitutionally protected areas like privacy, legal search and seizure) that were unimaginable when the framers mapped out the greatest democratic experiment in the history of the world. Try applying the Ten Commandments to half of what passes for legal nowadays, and you will quickly come to see that even the broadest laws are limited. Technological advances in particular have lent poignancy to the old saw: There ought to be a law.

Law enforcement is not in the business of making laws, just enforcing them. And we all know that our enforcers are perfectly capable of doing things that are borderline legal to get their collar — which is precisely why they often have to check with a judge before engaging in certain kinds of surveillance, as well as searches and seizure of property, data, or anything else that can be used in the prosecution of a criminal.

In other words, even criminals have rights in the United States of America. But the latest law enforcement incursion on privacy not only denies the rights of the suspect, but of anyone and everyone living in the same state or municipality as the suspect.

Are the identifiers of the innocent fair game?

Georgetown’s Law Center on Privacy and Technology helped break a story that highlights the need for tech and laws to get on the same page.

Using public records requests filed by the Center and provided to the Washington Post, it was revealed that ICE and the FBI, as well as other agencies, have, in some cases for years, searched the photo databases of state DMVs in the pursuit of particular individuals. In doing so, these agencies also had access to the photos of millions of innocent citizens.

This digital deep dive was done without the knowledge or permission of the people in those photos, and as such, the tactic represents a serious breach of the public trust. The Post detailed how since 2011, the FBI had “logged more than 390,000 facial-recognition searches.” And further: “The FBI’s facial-recognition search has access to local, state and federal databases containing more than 641 million face photos.”

While some states and municipalities have banned the use of DMV records in facial recognition searches citing privacy concerns — among them San Francisco and Somerville, Mass. — many others are waiting for legislation to say what’s what.

As the Post put it: “The records show the technology already is tightly woven into the fabric of modern law enforcement.”

The quandary in which we find ourselves as a nation is not new. Law enforcement has long used a variety of identification tools — including biometrics ranging from unique body measurements to fingerprints — but this latest deep dive into identifiable data goes way beyond the “usual suspects.” And that’s the point. The data of those “usual suspects” is on file precisely because they’ve had a run-in with the law.

The problem here is that the millions of photos getting sifted today in aid of law enforcement are associated with citizens who have done nothing wrong — their only “crime” was abiding by the laws of their state’s DMV. When you submit to be photographed for a license, it is solely for the purpose of identification — on the spot. Using it to locate third parties amounts to a form of theft.

The most recent development in this on-going story was a hearing in which the House Homeland Security Committee discussed the use of facial recognition and biometric technologies at Homeland Security. We can only hope they get this right. It seems straightforward, but then again, so does “Thou shalt not steal.”

Adam K. Levin is chairman and founder of CyberScout (formerly IDT911) and co-founder of Credit.com. He is a former director of the New Jersey Division of Consumer Affairs and is the author of Swiped: How to Protect Yourself In a World Full of Scammers, Phishers, and Identity Thieves, which debuted at #1 on the Amazon Hot New Releases List.