Loopholes in Law Enforcement Facial Recognition Bans Reveal Major Legal Blemishes

Posted on June 5, 2024

A new article from The Washington Post reveals how law enforcement bodies in major municipalities are circumventing their jurisdictions’ bans on facial recognition. Specifically, the report used police departments in Austin and San Francisco, both of which prohibit police from using facial recognition, as case studies on the limitations of local government regulation.

As the reporting illustrated, circumvention consisted of variations on the same inherent shortcoming of municipal measures: a municipality can’t restrict the use of facial recognition by other local jurisdictions, state law enforcement, or federal authorities for the benefit of law enforcement in its own jurisdiction. In both police departments profiled in the article, officers solicited departments in neighboring localities to run facial recognition searches on their behalf.

Officers need not even make explicit requests for assistance from departments next door—in some cases, proximal law enforcement agencies execute facial recognition analysis of their own accord and notify the pertinent jurisdiction. As the Post report points out, the Northern California Regional Intelligence Center (NCRIC), which has ties to the San Francisco Police Department, has run crime scene photos through facial recognition and submitted leads to the relevant police department in at least one instance. An executive for NCRIC stated that his organization is comfortable with engaging in this practice of its own accord, irrespective of whether or not a local department it assists allows facial recognition.

And when there is evidence suggesting that police officers violated municipal facial recognition bans, consequences are few. The article noted that facial recognition ban violations are often handled as internal department matters, with at most disciplinary action. Absent an external arbiter, there is little incentive for a police department under a ban to stop its own officers from working around it.

What abuses the Post did uncover constitute only a fraction of what is possible, though the piece did outline some possibilities. A former SF district attorney who was interviewed mused that, if a police department under facial recognition restrictions simply released crime scene photos to the public, it would not technically have solicited any peer agency to run facial recognition analysis and notify the originating department.

Yet more notable workarounds exist which the report overlooked. First and foremost, federal agencies, with their wide reach, offer avenues for state and local law enforcement to access more invasive investigative tooling. The FBI already has the infrastructure to cooperate with state and local agencies via its longstanding use of so-called “Fusion Centers”. Pair that with the FBI’s massive face database and they’re ready to help any department that wants it.

Finally, there is the massive trove of face data in the private sector, and the growing savviness among law enforcement on how to access it. As it currently stands, from a legal perspective, the cooperation of third parties is probably the easiest means of accessing data on American citizens. Police can either issue warrants for, or outright purchase, so-called “business records”. As established in Smith v. Maryland, the “3rd-party doctrine” stipulates that citizens have no expectation of privacy when they willingly furnish data to a third party, whether it be a bank, a social network, or any other private entity. There are enough social media companies, data brokers, and computer and smartphone manufacturers that law enforcement could conceivably get one of them to run a facial recognition analysis on their data and share the results. Apple and Microsoft both offer features to unlock devices with the user’s face, and Facebook has long been able to tag people in photos for users by recognizing their faces—the infrastructure is already present, a turnkey away from law enforcement access.

The crux of the problem confronting civil liberties champions is that, in 10 years, facial recognition has proliferated to a wider extent than the laws governing its use. That multiple municipalities neighboring San Francisco and Austin utilize facial recognition shows how fast, and to what little fanfare in the press, the technology has caught on. The investigation by the Post also proves that one metro area’s prohibition on facial recognition is only as strong as those of its neighbors.

So what recourse remains to institute protections against this invasive tool in actual practice? More expansive regulatory regimes are one approach. A ban on law enforcement employment of facial recognition signed into law at the state level (as Vermont has done) or federal level would make seeking assistance from outside jurisdictions less fruitful, and thus less frequent.

Another approach, which the article alludes to, is working with facial recognition vendors to build in technical safeguards against abuse. Clearview AI, one of the most prevalent facial recognition products, states in its license agreement that it cannot be used to process face data originating from agencies outside the license holder. In practice, the solicited agencies dodge this by using a feature to export results, which can then be sent to other departments. In an instance of civics inducing strange bedfellows, civil liberties advocates can encourage tech companies to lock down their products by appealing to the latter’s profit motive.

You can read the full article from The Washington Post here