Power, Pervasiveness and Potential: The Brave New World of Facial Recognition Through a Criminal Law Lens (and Beyond)

TABLE OF CONTENTS

I.    WHAT IS BIOMETRICS AND HOW DOES IT WORK?

II.   WHO USES FACIAL RECOGNITION AND WHY?

III.  CONCERNS THROUGH A CRIMINAL LAW LENS

A.   Fourth Amendment Search and Seizure Issues

B.   Fifth and Fourteenth Amendment Due Process Issues

C.   Fifth Amendment Self Incrimination Issues

D.   Sixth Amendment Right to Counsel Issues

E.   Accuracy of Facial Recognition Software

F.   Perpetuation of Racial Bias and Injustice within the Criminal Legal System

G.   Widespread, Unbridled and Unbeknownst Use

H.   Assault on Personal Privacy

IV.   OTHER CONCERNS AND CONSIDERATIONS

A.   Impingement on General Human Dignity and Privacy

B.   Data Security

C.   Increased Risk of Criminal “Self-Help”

D.   Financial and Employment Concerns

E.   First Amendment Free Speech Issues

F.   Lack of Governing Law

V.   CRIMINAL AND CIVIL CASES DEALING WITH FACIAL RECOGNITION SOFTWARE AND BIOMETRICS

A.   SCOTUS

B.   Federal

C.   States

1.     Virginia

2.     Florida

3.     Illinois

4.     New York State

5.     New Jersey

VI.  LEGISLATION AND REGULATIONS DEALING WITH FACIAL RECOGNITION SOFTWARE AND BIOMETRICS

A.   Federal

B.   States

1.     Illinois

2.     Texas

3.     Washington

4.     California

5.     New York

6.     Arkansas

7.     Massachusetts

C.   Cities

1.     San Francisco, California

2.     Oakland, California

3.     Sommerville, Massachusetts

4.     Berkeley, California

5.     New York, New York

D.   Other Countries

VII.    PRIVATE SECTOR EFFORTS TO REGULATE FACIAL RECOGNITION AND BIOMETRICS

VIII.   FUTURE ACTION AND CONCLUSION

REFERENCES. 23

I. WHAT IS BIOMETRICS AND HOW DOES IT WORK?

• Biometrics is the technical term for body measurements/calculations related to human characteristics.[1] Examples of biometrics include fingerprints, palm prints, facial recognition, DNA, retina/iris, and voice.[2]
• Although it is a technology advanced in the Digital Age, there is evidence of handprint biometrics used as early as prehistoric times as well as in 200s BCE China.[3]
• Biometrics function by comparing a piece of information to a data set to verify one’s identity.[4]  There are both multi and unimodal biometric systems.[5]
• Facial recognition, one form of biometrics, was pioneered in the mid-1960s.[6]  It examines the image of a person’s face and measures its specific facial features to find a possible match to a face within a database.[7]
• Facial recognition algorithms work in a variety of different ways: some measure the distance between facial features (eyes, jawbone, etc.), while others use 3D sensors to scan the face, and others analyze skin texture.[8]  The facial recognition system then compares this information to a database of faces to find a match.[9]

II.  WHO USES FACIAL RECOGNITION AND WHY?

• Generally, biometrics are unique to each individual and thus provide a more reliable identity verifier than “token” or “knowledge” based methods such as ID cards or passwords, respectively.[10]  While facial recognition can be less accurate than other biometrics, such as iris or fingerprint scans, it is less invasive, which has contributed to the sharp rise in its use.[11]
• This rise is also attributable to increased law enforcement and surveillance activity in the wake of 9/11.[12]
• Use of facial recognition software has expanded vastly since this time.  Some entities that use facial recognition software include:
  • Federal, state and local law enforcement (body cameras, lineups, mugshots, surveillance, etc.), including the Federal Bureau of Investigation (FBI) and U.S. Immigration and Customs Enforcement (ICE);
  • Federal government agencies at airports; the Transportation Security Administration (TSA) monitors passengers entering and exiting airports to identify persons under criminal investigation or persons who have overstayed their visas; TSA and U.S. Customs and Border Protection (CBP) are developing a biometric exit program; there are proposals to make airports 100% biometric;
  • Tech companies (i.e. Apple, Samsung, etc.) to unlock mobile devices;
  • Colleges and universities (to take roll in the classroom, combat cheating, and gain entry to sporting events);
  • Social media companies (i.e. Facebook can identify a photo automatically upon upload);
  • Video games (Xbox, Nintendo, etc.);
  • Healthcare (i.e. iris scans to identify a non-verbal patient);
  • Landlords (to monitor tenants in buildings);
  • Music and sports venues (in lieu of scanning tickets);
  • Schools and summer camps (to provide security);
  • Businesses (to monitor/restrict entrance to certain areas and combat wage theft);
  • Retail operations (to identify persons suspected of theft);
  • Religious institutions (to take congregation roll and target donation requests);
  • Airlines (i.e. faces are scanned in lieu of boarding passes); and
  • Marketers and advertisers (i.e. may be used to identify and target certain demographics at concerts, etc.).[13]
• Facial recognition (and other biometrics) are also used in some counties for voter registration.[14]

III.  CONCERNS THROUGH A CRIMINAL LAW LENS

• While facial recognition is more secure than token and knowledge-based security systems and has also been employed for positive purposes (including helping law enforcement locate child sex trafficking victims), its use presents a unique host of legal and ethical concerns.[15]
• Facial recognition is unique from other forms of biometric surveillance in the following ways: it tracks something that is difficult to hide and easy to observe in the open (i.e. one’s face), there already exist vast name and face databases of law-abiding citizens (i.e. driver’s license records) from which to draw datasets, and facial recognition surveillance can be set up using pre-existing camera networks.[16]  These factors help to augment the concerns listed below.[17]

A.    Fourth Amendment Search and Seizure Issues

• While the Supreme Court has ruled that we have no reasonable expectation of privacy with regard to our outward personal characteristics (i.e. our face, voice, etc.) – and thus a lineup is not a “search” with respect to the Fourth Amendment – it has also held that a police “seizure” of a person for the purpose of subjecting that person to an identification procedure does implicate the Fourth Amendment. [18]
• Biometric “virtual lineups” used by law enforcement agencies across the United States—ever-present, latent identifications of persons not in custody for which reasonable suspicion of criminal involvement may not be present— pose possible Fourth Amendment concerns.

B.     Fifth and Fourteenth Amendment Due Process Issues

• The Supreme Court has held that reliability, as opposed to unnecessary suggestiveness, is the key to determining if a criminal identification survives a due process challenge.[19]  The factors used to gauge reliability include: the eyewitness’s opportunity to view the suspect, the degree of attention the eyewitness is able to direct to the suspect, the accuracy of any description the eyewitness gave, the time between the crime and identification, and others.[20]  Use of facial recognition in “virtual lineups” raises due process concerns as it is unclear if the algorithms making these criminal “identifications” are able to meet these factors – especially in the wake of concerns about their ability to function accurately (these concerns are discussed in the following bullet points).
• Additionally, there exists minimal case law that assesses these factors when a lineup was performed by a computer using facial recognition software.

C.    Fifth Amendment Self Incrimination Issues

• In United States v. Wade, the Supreme Court established that the Fifth Amendment protects persons against self-incrimination by testimonial acts.[21]  Testimonial acts are ones that show a person’s mental processes – such as a verbal confession stating “I killed the victim,” or telling someone a password or combination to a safe.  Wade views a person’s physical characteristics – such as a fingerprint, eye color, facial measurements, blood type, handwriting or voice – as non-testimonial, as these characteristics are unique to an individual and largely public.[22]  Non-testimonial acts, which include facial recognition and other biometric identification, are thus outside the scope of Wade’s Fifth Amendment protections.[23]
• Issues arise, however, when more and more companies use this non-testimonial/physical method of biometric identification in place of mental processes or token-based IDs in order to guard electronic devices that contain a wellspring of sensitive and personal information, as well as information that could be germane to an alleged crime.  This issue is discussed, below, with respect to the Baust case and others.

D.    Sixth Amendment Right to Counsel Issues

• The Supreme Court has held that a person’s Sixth Amendment right to counsel attaches if they appear in a lineup after being indicted, as well as if they appear in a pre-indictment showup.[24]
• It is unclear if these “virtual lineups” are more akin to lineups or showups (i.e. scanning faces in a crowd versus focusing on a single person), however, “virtual lineups” trigger potential Sixth Amendment violations as the right to counsel may attach upon the completion of this virtual identification.

E.     Accuracy of Facial Recognition Software

• A 2018 study by a British non-profit found that 95% of facial recognition “matches” by law enforcement wrongly identified innocent people as criminals.[25]
• The Perpetual LineUp (TPL), a study by Georgetown Law’s Center on Privacy and Technology, found that only two agencies conditioned the purchase of their facial recognition software on the accuracy of the technology.[26]
• In general, the utility of facial recognition software is dependent on law enforcement officers’ understanding of how to use it; yet without specialized training, TPL found that persons making decisions on facial matches are wrong about half the time.[27]  TPL also found that only eight of the facial recognition systems it studied had trained personnel reviewing matches (and it is unclear to what extent this training is regulated).
• Although facial recognition software use is widespread amongst government/law enforcement, it is not subject to any real feedback or testing.  While the TSA is proposing to invest significant resources in building largescale surveillance infrastructures at airports, there are no existing standards for the public to assess the accuracy of/provide feedback on such a system; which means that surveillance could increase without any proof that this technology keeps us safer.[28]

F.     Perpetuation of Racial Bias and Injustice within the Criminal Legal System

• Federal, state and local law enforcement agencies across the United States use facial recognition software, and it is estimated that 117 million American adults are in facial recognition networks used by law enforcement.[29]
• A 2018 MIT Media Lab study found that facial recognition algorithms designed by IBM, Microsoft and Face++ had error rates of up to 35% or higher when identifying darker-skinned women as compared to lighter-skinned men (for which the error rates were under 1%).[30]
• The American Civil Liberties Union (ACLU) demonstrated the problems with Amazon’s Rekognition facial recognition system – a real time facial recognition system – when it tested the software on the 535 members of Congress.[31]  Amazon’s system incorrectly matched twenty-eight congresspersons to criminal mugshots; eleven of these twenty-eight false matches misidentified representatives of color (including the late civil rights pioneer John Lewis).[32]
• In Detroit, where African Americans make up a larger portion of residents than in other sizable American cities, studies showed that facial recognition software used by law enforcement was less accurate when attempting to identify persons with darker skin.[33]  These inaccuracies resulted, in part, from the software’s homogenous dataset consisting mostly of white, male faces.[34]
• On a general level, facial recognition software has a higher chance of disproportionately affecting African Americans when used by law enforcement as African Americans are more likely to be enrolled in these database systems and subject to their processing.[35] This reality demonstrates how the shortcomings of facial recognition at once exacerbate and reflect the pre-existing racial bias currently plaguing our legal system.  One aspect of this racial bias includes the rampant over-policing of African American communities and other communities of color which has resulted in individuals from these communities being incarcerated at higher rates than white individuals.[36]
• These concerns have led some software companies to halt the selling of facial recognition software/biometrics to law enforcement.[37]

G.    Widespread, Unbridled and Unbeknownst Use

• Concerns about the use of this technology by individuals are exacerbated by the fact that facial recognition software is at once nascent and burgeoning; the New York Times published an article detailing how its author built a facial recognition software machine for $60 and installed it in Bryant Park (the facial dataset was composed entirely of photos found on public websites, and existing cameras were used).[38]  This machine successfully matched some persons with 89% accuracy and highlights how disturbingly accessible facial recognition software is and how easy it is to track people without their knowledge.[39]
• Law enforcement uses facial recognition technology in body cameras, “virtual lineups,” mugshots, surveillance, etc.  While it is hard to quantify the exact extent to which facial recognition is used across society, Georgetown’s TPL study found that “at least one out of four state or local police departments has the option to run face recognition searches through their or another [agency’s] technology . . . [and] . . . [a]t least 26 states (and potentially as many as 30) allow law enforcement to run or request searches against their databases of driver’s license and ID photos.”[40]  This same study also found that, “. . . 16 states let the FBI use face recognition technology to compare the faces of suspected criminals to their driver’s license and ID photos, creating a virtual line-up of their state residents . . . ” and that “Roughly one in two American adults has their photos searched this way.”[41]
• Both the FBI and ICE use facial recognition to scan millions of drivers’ license photos in state DMV databases without people’s knowledge or consent.[42]
• The New York City Police Department (NYPD) also uses “virtual lineups” to identify teenagers and children using juvenile mugshots as a dataset.[43]  These efforts produced proof that the facial recognition system used has a higher risk of false matches for younger faces.[44]

H.    Assault on Personal Privacy

• NYPD has access to approximately 9,000 cameras in Lower Manhattan, and the extent of other camera systems used by the Metropolitan Transit Authority (MTA) and New York City Department of Transportation (DOT) is unclear.[45]
• One example cited in Georgetown’s TPL concerns Maricopa County, Arizona.  Upon purchasing facial recognition software in 2006, the Maricopa County Sherriff’s Office merged its driver’s license and mug shot databases and the U.S. Department of Justice’s (DOJ) booking database with Honduran drivers’ licenses and booking photos (provided by the Honduran government) to create a large facial recognition database.[46]  Maricopa County did not require reasonable suspicion to run a facial recognition search; furthermore, African Americans are likely overrepresented in the system as they were arrested in Arizona at a rate 170% higher than their population share.[47]  Within the Sherriff’s Office, a Facial Recognition Unit supervises these searches, and employees are instructed to receive supervisor approval before returning possible results.[48]  The TPL, however, found that Maricopa County was not conducting any audits of the system.[49]

IV.   OTHER CONCERNS AND CONSIDERATIONS

A.    Impingement on General Human Dignity and Privacy

• Some academics – including Italian philosopher and author Giorgio Agamben – argue that biometrics fundamentally and permanently alter the relationship between individuals and the state, whereby we are subject to perpetual surveillance by the state through “. . . the enrollment and the filing away of the most private and incommunicable aspect of subjectivity: I mean the body’s biological life.”[50]
• Additionally, this form of tracking/control, historically reserved for persons deemed dangerous or criminal, has ballooned to a widespread, habitual method of state-sponsored surveillance of society at large.[51]
• These concerns are augmented by the normalization of this technology: facial recognition suddenly becomes less threatening when you voluntarily use Snapchat, Facebook, video games, Face ID, etc.[52]  This mindset obscures the reality that facial recognition is becoming at once more customary and more latent.
• While some social media companies provide users with instructions on how to opt out of biometrics use with respect to its products, others do not, and it is not always easy to opt out of facial recognition surveillance.[53] This is true on both the macro and micro levels (i.e. at the airport, as TSA expands its biometric efforts and with the rise of the Internet of Things and the rapid escalation of a nearly complete “connectivization” of our lives/households with smart devices through Machine Learning).[54]
• Companies have developed methods such as glasses to disrupt facial recognition software’s ability to measure one’s face (flu/pollution masks and certain makeup are also effective at disrupting the facial measurement algorithms).[55]
• Large tech companies – such as Google, Facebook and Microsoft – as well as some large R1 Universities have amassed huge biometric data sets (some with millions of images) to develop facial recognition systems.[56]  While these entities currently have no legal obligation to disclose these datasets, some have voluntarily shared this information for purposes of further development/research.[57]

B.     Data Security

• A security breach could have devastating effects on the personal/financial/medical privacy of millions of people, as well as raise concerns about national security.[58]

C.    Increased Risk of Criminal “Self-Help”

• The fact that facial recognition/biometrics are more secure than knowledge or token-based systems may motivate more violent efforts when one wants to gain access to a device secured by biometrics (i.e. physically forcing a person to hold up their face to a scan or cutting off their finger for a fingerprint to gain access, as opposed to stealing a person’s key or password).[59]

D.    Financial and Employment Concerns

• Some large companies use software that measures job applicants’ facial movements, word choices and speaking voice to generate an “employability score” and ranks candidates based on these scores.[60]
• It is unclear what research informs these algorithms and if they are actually accurate/fair/or truly identify which employee will be “best” for a job based on these biometric measurements.[61]

E.     First Amendment Free Speech Issues

• In the wake of Freddie Gray’s death, the Baltimore Police Department employed facial recognition on social media to identify protestors with outstanding warrants.[62] This use of facial recognition software raises concerns that it could chill free speech.
• Georgetown’s TPL observed that of the 52 agencies that it found to use (or have used) facial recognition, only one – the Ohio Bureau of Criminal Investigation – has a policy that expressly prohibits its officers from using facial recognition to track individuals engaging in political, religious, or other protected speech.[63]

F.     Lack of Governing Law

• The current legal landscape (discussed below) is all but void of regulations to address the concerns listed above.
• Additionally, the facial recognition market is expected to grow to $7.7 billion in 2022 from $4 billion in 2017.[64]  This financial incentive may increase opposition by companies toward government efforts to regulate this technology.

V.  CRIMINAL AND CIVIL CASES DEALING WITH FACIAL RECOGNITION SOFTWARE AND BIOMETRICS

• Biometrics and facial recognition are very much unbound technologies that have taken root in an ambiguous legal landscape.

A.    SCOTUS

• While there is caselaw addressing technology and Constitutional Rights (i.e. Kyllo v. United States (the use of a heat sensor to see inside a house is a search per the Fourth Amendment); United States v. Jones (placement of a GPS tracker on a car is a search per the Fourth Amendment); Riley v. California (warrantless search of a cellphone is not permissible); and, most recently, Carpenter v. United States (a warrant is needed for seven or more days of historic cell site information/cellphone location data, as such information is analogous to an ankle bracelet for near-perfect surveillance), there is currently no case law that specifically addresses facial recognition software.[65]

B.     Federal

• Facebook’s DeepFace program – a deep learning recognition system – draws from a database of millions of images uploaded to Facebook and is said to be more accurate than other large-scale facial ID systems.[66]  Facebook rolled out DeepFace in 2015 and the system has since been the subject of several class action lawsuits alleging that it violates Illinois’ Biometric Information Privacy Act (BIPA),[67] the most recent of which was dismissed for lack of jurisdiction/improper venue.[68]
• In Patel v. Facebook, however, the Northern District of California held that a loss of one’s statutory biometric privacy rights is enough to sue a company under BIPA – and that a showing of actual harm is not necessary.[69]  Privacy advocates lauded Patel as a huge BIPA victory and its rationale akin to Rosenbach v. Six Flags, a recent Illinois Supreme Court case, discussed below.[70]  Plaintiffs in Patel are claiming $35 billion in damages.[71]
• Facebook appealed Patel to the Ninth Circuit Court of Appeals, claiming that plaintiffs did not have standing to sue, as Facebook’s biometric analysis of their photos did not cause them to suffer any concrete harm, and that the district court erred in certifying the class.[72]
• In August of 2019, the Ninth Circuit affirmed the District Court’s ruling in Patel, holding that Facebook’s violation of BIPA was equal to a violation of the plaintiff’s substantive privacy rights and was a concrete injury.[73]  In its rationale, the Court looked at the “forest” of recent U.S. Supreme Court Fourth Amendment jurisprudence, which has acknowledged how technology has immensely increased the potential for unreasonable invasion into personal privacy and how these new technologies are not comparable to pre-information age methods of surveillance, etc.[74] It is likely Facebook will appeal this ruling to the Supreme Court.
• There are also a host of class action suits currently pending in the Northern District of California against Facebook in response to the Cambridge Analytica data-sharing scandal.[75]  This scandal concerned the secret harvesting of personal data from millions of Facebook pages by British political consulting firm Cambridge Analytica, which it then sold for political advertising purposes.[76]
• Some federal district courts have followed the rationale similar to that outlined in Commonwealth v. Baust – a Virginia state court decision, discussed below – that seems to limit Fifth Amendment protections against biometric use, while others have ruled in the opposite direction.[77]  In 2016, a federal magistrate judge in California approved a warrant that compelled a defendant to produce her fingerprint to unlock her phone for the FBI, holding that the unlocking of her phone with her finger was a form of authentication of its contents.[78]
• More recently, however, in early 2019, a Northern District of California magistrate judge denied a portion of a warrant that sought to force persons suspected of an extortion scam on Facebook to unlock their iPhones using their fingerprints.[79]  The judge held that technology is outpacing the law at a rapid pace and it is nonsensical that the law considers a verbal communication of a passcode  testimonial, and thus worthy of Fifth Amendment protections,  and not one’s fingerprint or face when used for the exact same purpose.[80]
• This ruling is not binding on any other judge or court in the Northern District of California but is a possible indication of change in how courts view biometrics and Constitutional protections.
• That same year, a federal magistrate judge in the Northern District of Illinois granted the government’s application for a search warrant for a residence for child pornography, but rejected its request to compel any persons in the residence at the time to unlock their iPhones with their fingerprints.[81]  The court held that compelling production of fingerprints from a large group of people present at the execution of a search warrant to unlock seized devices raised Fifth Amendment concerns, specifically for the failure to establish a connection between any specific resident and the alleged crime.[82]  The court further stated that that an act could qualify as testimonial in nature where “. . . the existence, possession and control, and authenticity of information which tends to incriminate . . .” the person in question.[83]  Later in the decision, however, the court emphasized that its ruling was highly fact sensitive and was not meant to mean that the government’s request for forced fingerprinting will always trigger equivalent Constitutional concerns.[84]
• While this case has a host of positive treatment, there are many cases that have refused to follow the Northern District of Illinois’ In re Application for a Search Warrant. Most recently, in the 2019 In the Matter of A White Google Pixel 3 XL Cellphone in a Black Incipio case, the United States District Court of Idaho refused to follow In re application for a Search Warrant, stating that a warrant compelling someone suspected of possession of child pornography to unlock his phone with his finger did not violate his Fifth Amendment rights.[85]  While it acknowledged the intensity of privacy rights associated with today’s cell phones and biometric data, the court in White Google Pixel looked to a host of recent similar cases across district courts which based their rulings in Wade’s (and its robust progeny’s) notion that the Fifth Amendment Right Against Self-Incrimination protects people against the government compelling them to make testimonial acts – or acts that display “the contents of one’s own mind.”[86]  The court concluded that pressing one’s finger to a phone, “is simply the seizure of a physical characteristic”. . . [and] . . . there is no need to engage in the thought process of the subject at all in effecting the seizure . . .. [as] . . .the fingerprint by itself does not communicate anything.”[87]
• On the macro level, White Google Pixel, displays the divergence of federal jurisprudence on Fifth Amendment issues and biometrics and highlights how a well-informed Supreme Court decision might provide much-needed direction on this issue.

C.    States

1.      Virginia

1. In Commonwealth v. Baust, a Virginia state trial court held that while police cannot compel a suspect to provide his passcode to unlock his smartphone – as this is a violation of the Fifth Amendment right against self-incrimination – the police can compel that same suspect to produce his fingerprint to do the same.[88]  Baust distinguishes physical-based (i.e. fingerprint) security from testimonial security (i.e. providing someone with a verbal or written password), deeming it outside the scope of Fifth Amendment protections against self-incrimination.[89]
2. Specifically, the judge in Baust held that producing one’s fingerprint did not require the communication of knowledge, but rather is more akin to being ordered to produce something physical – such as a DNA sample or a key to a safe – which is permitted per United States v. Wade (which holds that the Fifth Amendment “offers no protection against compulsion to submit to fingerprinting).”[90]  Wade deems an act to be “testimonial,” and thus worthy of Fifth Amendment protections, when law enforcement forces a person to reveal his knowledge of facts, thoughts and beliefs relating him to the offense (i.e. “the content of his own mind”); a fingerprint is not testimonial as it does not require the defendant to “communicate any knowledge at all.”[91]
3. While several recent cases refused to follow Baust, a host of recent state rulings reference Baust and mirror its rationale of the Fifth Amendment’s testimonial privilege and biometrics.  In 2017, the Minnesota Supreme Court held in State v. Diamond that the Fifth Amendment does not protect a person from being ordered to provide a fingerprint to unlock a seized cellphone because the compelled act is not a testimonial communication.[92]  Like Baust, the court’s decision hinged on the proposition that providing a fingerprint elicits only physical evidence from a suspect’s body and does not reveal the contents of the person’s mind.[93]

2.      Florida

1. In 2016, a Florida district court cited Baust in Florida v. Stahl, where it held that compelling a fingerprint to open an iPhone is not protected by the Fifth Amendment.[94]
2. Recently, a Florida state appellate court held that a defendant/appellant had no right to view photos of other suspects identified by FACES, a facial recognition software whose search produced a “one star” ID match of the defendant that led to his arrest.[95]  FACES’ ID match was not subject to any accuracy audits.[96]  This case raises several constitutional issues (i.e. Brady Disclosure, Sixth Amendment issues, Daubert issues, etc.) and was appealed to Florida’s Supreme Court.[97]

3.      Illinois

1. BIPA has been the subject of a host of lawsuits by tech giants – such as Google and Facebook – although these efforts, as of this date, have not yielded any success for them.  Facebook has also spent considerable resources lobbying to amend/restructure BIPA.[98]
2. In response to BIPA’s most recent challenge in Rosenbach v. Six Flags – where parents sued Six Flags upon learning that the amusement park fingerprinted their fourteen year old son without their consent – the Illinois Supreme Court found in favor of the family when Six Flags sued to have the suit dismissed.[99]  The court disagreed with Six Flags’ argument that BIPA required that one show an injury beyond loss of statutory privacy rights, and held that that a finding of actual harm under the BIPA was not necessary for purposes of being “aggrieved” and the plaintiffs could proceed with their class action against the park.[100]  The court held that merely losing one’s biometric privacy is sufficient enough harm for purposes of proceeding with an action under BIPA.[101]
3. While advocates lauded Rosenbach as a crucial victory in the fight to preserve personal privacy, critics voiced concerns that it will only encourage what some consider the recent onslaught of BIPA litigation in Illinois in the wake of this lessened standard of harm necessary to pursue a case; over 200 BIPA cases were filed in the two years before Rosenbach, and some of the larger tech companies, such as Facebook, are facing possible damages in the billions.[102]
4. In response to BIPA/Rosenbach, some companies have started including provisions requiring consent to biometric security in employee handbooks.[103]

4.      New York State

1. In 2009, the Court of Appeals ruled in People v. Weaver that the police must first obtain a warrant before tracking a person’s vehicle with a GPS device as it violates the Fourth Amendment protection against unreasonable search and seizures (basically establishing Jones protections three years before SCOTUS).[104]

5.      New Jersey

1. In this regard, Andrews treats Baust negatively in that Baust held that a “password is not a foregone conclusion because it is not known outside of [the defendant’s] mind.”[106]
2. In State v. Andrews, the New Jersey Superior Court held that testimonial aspects of passcodes required to unlock a defendant’s smartphones were a “foregone conclusion,” and thus compelled production of passcodes did not violate the defendant’s Fifth Amendment privilege against self-incrimination under this exception.[105]
3. Like the federal landscape, the state jurisprudence is also very divided on the issue of Fifth Amendment protections and biometrics and federal guidance could help bring consistency.

• There seems to be a lag in jurisprudence with respect to assessing the functionality, as opposed to the physicality, of biometrics as it relates to guarding against self-incrimination. One might argue that while, singularly, a finger print is a physical part of your body, Baust/White Google Pixel/etc. ignore the marked rise in the use of biometrics for forensic passwords/identification as they are harder to fake and better at guarding sensitive information. Viewed in this way, a fingerprint may be more analogous to a password than a key.
• While it is true that, like a key, a fingerprint is a physical thing (versus a testimonial verbalization of a thought), it is the use of this fingerprint and its potential to extract incriminating evidence from a smartphone, for instance, on which the Fifth Amendment analysis should turn. The intended use (function) should be more significant than the physicality (form). Thus, if fingerprints are being used to unlock a device in order to explore the device’s contents, law enforcement should not be permitted to compel persons to do so because this act is tantamount to providing a password and therefore, in effect, testimonial.
• To these points, when the Supreme Court decided Wade in 1967, computer technology was in its infancy.  An updated Supreme Court decision that distinguishes/extends Wade’s definition of a “testimonial” act to include biometrics identifiers would be appropriate to protect our Constitutional rights in the Digital Age.

VI.   LEGISLATION AND REGULATIONS DEALING WITH FACIAL RECOGNITION SOFTWARE AND BIOMETRICS

• Regulation of facial recognition technology/biometrics can apply to the use, storage or retention of biometric data, as well as to the formal technology itself; however, the current regulatory landscape is inadequate across federal, state and local jurisdictions.  This reality augments the concerns listed above.

A.    Federal

• Currently, there exists no federal, all-encompassing law that protects user privacy and regulates the storage of personal data (biometric or other) by the private sector.[107]
• The Electronic Communications Privacy Act of 1986 (ECPA) is a federal statute that sets standards for government monitoring of cell phone and internet communications.[108]  This law, however, deals more with storage of personal data, rather than limitations on the biometric technology itself.[109]  It was also passed long before the extreme technological advancements of the past twenty-five years and thus has many shortcomings with respect to protecting people’s privacy.[110]
• 18 USC 2703(d) allows the government to obtain third party electronic data (i.e. data from Facebook, Uber, Verizon, etc.) if it “offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.”[111] This 2703(d) standard is a much lower bar than obtaining a warrant with probable cause.  As with the ECPA, however, this law deals more with long term surveillance/third party/Carpenter surveillance issues (discussed in the pages below), rather than biometrics specifically.
• Senators Roy Blunt (R-MO) and Brian Schatz (D-HI) have introduced the Commercial Facial Recognition Privacy Act of 2019 (S.847), or CFRPA, which would require consent before using biometric ID/tracking on individuals by businesses, but does not apply to local, state or federal governments.[112]
• In late 2019, Senator Maria Cantwell (D-WA) introduced the Consumer Online Privacy Rights Act (S.2968), or COPRA, the first ever comprehensive federal consumer privacy law.[113]  COPRA establishes data and privacy protections, including the right to access and delete one’s personal data held by an entity, and protects individuals by imposing data security requirements on companies to ensure their practices are sufficient to safeguard personal data.[114]  Additionally, COPRA establishes a private right of action for individuals to sue in the event a company violates their privacy as well as empowers state attorneys general to enforce the law.[115]
• In July of 2019, U.S. Representative Yvette D. Clark (D-NY-9) introduced the No Biometric Barriers to Housing Act (H.R. 4008), which would ban the use of biometric technology, including facial recognition, in certain federal rental units.[116]  H.R. 4008 is co-sponsored by Representative Rashida Tlaib (D-MI-13), whose constituents in Detroit have voiced concerns about large scale facial recognition technology use in federal public housing by law enforcement.[117]
• In late June of 2019, Representative Michael McCaul (R-TX-10) and Senator Martha McSally (R-AZ) introduced the Biometric Identification Transnational Migration Alert Program Authorization Act of 2019 (H.R. 3377/S.1933).  These bills direct federal funds to amend the Homeland Security Act of 2002 to establish the Biometric Identification Transnational Migration Alert Program (BITMAP) in the Department of Homeland Security.[118]  BITMAP calls for the use of facial recognition and other biometric data to enhance border security.[119]  The bills direct the U.S. Department of Homeland Security to coordinate with the U.S. Secretary of State, foreign governments, and other Federal agencies, as appropriate, to voluntarily share biometric information collected by foreign nationals in order to screen these persons to identify any potential threats to the United States.[120]
• While H.R. 3377/S.1933 touch on how biometric data of U.S. citizens captured by BITMAP should be expunged from all databases, it makes an exception to retain this data “. . . for specific law enforcement or intelligence purposes.” [121] This exception seems vague and outlines no other details on how the law would curb potential abuses caused by the unbridled gathering of biometric data by the government/law enforcement.
• It is important to note that, with the exception of the No Biometric Barriers to Housing Act (H.R. 4008), the aforementioned federal legislation does not attempt to regulate facial recognition technology itself, but rather proposes limits on the manner in which biometric data is collected/stored. While there are some other federal bills that mention biometric identification, none propose to regulate this technology directly. Additionally, H.R. 4008 does not provide for any kind of uniform/industry-wide standards for facial recognition itself, but rather proposes restrictions on biometrics in a specific situation.[122]
• While the National Institute of Standards and Technology (NIST), a branch of the U.S. Department of Commerce, administers the Face Recognition Vendor Test (FRVT), which tests the accuracy of facial recognition software in different scenarios and across various demographics (i.e. age, race, gender), this test is voluntary. The overall role of the NIST is to gather data rather than promulgate regulations.[123] NIST allows companies to send one submission for FRVT assessment every four months.[124]

B.     States

• Most states have not passed any laws regulating biometrics/facial recognition technology. This type of data is being regulated by existing privacy laws, which are not best postured to address the concerns posed by this technology (discussed above). Facial recognition data may be regulated per a privacy policy so long as there is no direct regulation/restriction by a specific federal law (i.e. HIPPA, Privacy Act of 1974, etc.). There are a handful of states, however, that are making efforts to reign in biometrics.
• An important distinction across these various state laws is that some – like Illinois’ Biometric Information Privacy Act (BIPA) – create a private right of action for individuals, or classes, to enforce the law and seek damages, while others, like the California Consumer Privacy Act (CCPA), provide a limited right of action; others are only enforceable by a state’s attorney general.[125]
• How states define “biometric information” varies as well.  Under the CCPA, it is broadly defined to include physiological, biological, and behavioral characteristics – such as also keystroke and gait patterns as well as certain sleep and exercise data – while BIPA and Texas’s Biometrics Privacy Law have a more traditional definition – limited to things such as fingerprints, voiceprints, iris and facial scans.[126]
• There has been a recent trend with respect to states proposing laws that would limit the use of facial recognition and biometric identification technologies, including Alaska, Arizona, Florida, Michigan and Delaware.[127]  Even within these efforts, however, there is divergence between these proposed laws, and perhaps some kind of federal legislative floor is necessary to ensure a uniform statutory landscape.

1.      Illinois

1. Illinois passed BIPA in 2008, back when Facebook was still in its relative infancy and most companies were not thinking about face-recognition technology.[128]  It was the first state in the country to do so.[129]  BIPA requires that entities obtain affirmative consent from individuals before obtaining their biometric information and creates a private right of action for individuals to sue to enforce the law.[130]
2. Under BIPA, a prevailing party may recover actual damages or liquidated damages of $1,000, whichever is greater, for each violation.[131]  If the violation is intentional or reckless, however, these liquidated damages go up to $5,000 per violation.[132]  Injunctive relief and reasonable attorney fees and costs, as well as expert witness fees and other expenses, are also available to a prevailing party.[133]
3. While BIPA has its critics, aims to hold accountable an industry that for years has been collecting individuals’ biometric information with near-total impunity.

2.     Texas

1. Texas’s 2009 Biometrics Privacy Law defines “biometrics” as more traditional physical characteristics (i.e. voice, face, fingerprints, etc.). and allows for civil penalties of up to $25,000.[134] Unlike BIPA, however, only the Texas Attorney General can enforce biometric privacy violations.[135]

3.      Washington

1. In 2017, Washington passed House Bill 1493, becoming only the third state in the country to pass legislation regulating the use and collection of biometric information.[136]  HB 1493 defines “biometric identifier” as data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises or other unique biological patterns or characteristics that are used to identify a specific individual.[137]
2. Unlike the Illinois and Texas statutes, HB 1493’s definition of “biometric identifier” excludes facial recognition data.[138]
3. Currently, the proposed Washington Privacy Act (SB 5376) would allow consumers the right to access and manage their biometric data held by companies.[139]  The law also proposes setting standards for the use of facial recognition technology.[140] As of January 2020, this bill is still in committee and several amendments have been proposed.[141]
4. By way of House Bill 1071 (HB 1071), Washington recently expanded its existing data breach response law to include biometric data in its definition of personal information.[142]  Passed in May of 2019, HB 1071 goes into effect in May of 2020.[143]
5. This new definition of “personal information” is expansive and includes: “Biometric data generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.”[144]
6. HB 1071 also expands the reporting requirement for entities that “maintain or possess [emphasis added]” personal information; they now must notify affected person(s) of any breach in security with regard to the maintenance of such information.[145]  The law requires that an entity must also notify the Washington Attorney General in the event of a data breach that impacts more than 500 people within 30 days of discovery of such breach.[146]
7. HB 1071 makes an exemption to the notification requirement when a data breach “is not reasonably likely to subject consumers to a risk of harm” or when data was acquired in good faith.[147]  The law defines a “good faith acquisition of personal information” as when “the personal information is not used or subject to further unauthorized disclosure.”[148]

4.      California

1. In mid-2018, California passed the CCPA which allows Californians more control over their biometric data.[149] The law allows persons to see which information businesses collect on them, request this data be deleted, see to whom their data is being sold, and lets persons stop this data from being sold if they so choose.[150]  Set to go into effect in 2020, CCPA also requires that companies get users’ permission before collecting data.[151]
2. The CCPA amends California’s definition of personal information to include biometric data, which the CCPA broadly defines to include physiological, biological and behavioral characteristics.[152]
3. Facebook, Google and other software/social media entities vehemently opposed the CCPA, and its previous iterations.[153]  Big Tech lobbyists have chipped away at the language in the bill to lessen companies’ responsibilities to protect personal information (i.e. including a stipulation that businesses must include a clear button on their websites giving people the ability to opt out of data collection and the requirement that businesses share “accurate names and contact information” for third parties that bought user data over the prior year.[154]  That language has since changed, requiring businesses to merely disclose the “categories of third parties” that bought the data).[155]

5.      New York

1. New York’s proposed Biometric Privacy Act (A.1911/S.1203) provides regulations for entities that store biometric data.[156]  Specifically, private entities in possession of biometric data would have to develop written record retention schedules and guidelines for permanently destroying biometric data “when the initial purpose for collecting or obtaining data has been satisfied or within three years of someone’s last interaction with the company, whichever is earlier.”[157]
2. Like BIPA, the Biometric Privacy Act also proposes a private right of action,.[158] This bill has failed to gain traction and opponents argue that it was a way for abuse by class action lawyers.[159]
3. While New York recently updated its data breach law to include biometric data in its definition of “personal information” (discussed, below), biometric technology itself is not currently regulated directly; however, the New York Department of Labor prohibits the use of forced fingerprinting, “unless allowed by law.”[160]  This law often affects employers who want to use biometric timeclocks to combat wage theft.[161]
4. In July of 2019, Governor Cuomo signed A.5635-B/S.5575-B – the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) – into law.[162]  The SHIELD Act updates New York’s data breach notification law, expanding the types of covered personal information to include biometric data that would trigger notification obligations for entities in possession of “personal information” in the event of a data breach.[163]  SHIELD also broadens the data breach notification requirement by mandating notification of unauthorized access to protected information, rather than just the acquisition of data.[164] While the law does not create a private right of action, it does authorize the New York State Attorney General to seek civil penalties for non-compliance.[165]
5. The proposed A.7790/S.5687 prohibits the use of a facial recognition system by a landlord on any residential premises.[166]
6. In Brownsville, Brooklyn, tenants of two rent-stabilized apartment complexes recently filed a complaint with the New York State Department of Homes and Community Renewal to enjoin their landlord from installing facial recognition entry systems in their buildings.[167]  While the landlord claims these new systems are to ensure tenant safety, tenants insist that their buildings already have sufficient security and cite personal privacy concerns.[168]
7. In the current legislative session, there is a wave of proposed legislation that aims to limit the use of biometrics/biometric data.[169] One of these bills includes A.9767/S.7572.[170]  The bill proposes prohibiting the use of biometric surveillance by law enforcement, as well as establishing a biometric surveillance regulation task force.[171]
8. While many of these proposed bills regulate data and/or limit the way/scope in which facial recognition/biometrics can be used, A.8042, S.5140 and S.6623 (and a few others) call for a fundamental, information-gathering process for biometrics in order to better understand this technology so that it can be more effectively regulated.[172]  There currently exists no analogous legislative efforts at the federal level.

6.      Arkansas

1. In April of 2019, Arkansas passed House Bill 1943 (HB 1943), which amends the state’s Personal Information Protection Act to include biometric data in its definition of “personal information.”[173]  HB 1943 also amends the State Code, requiring an entity in the possession of personal information to notify the Attorney General in the event of a data breach which affects the personal information of more than 1,000 individuals.[174]  This bill is similar to the efforts recently taken by Washington’s HB 1071, described above.

7.      Massachusetts

1. There are currently two bills pending in the Massachusetts legislature (H. 1583 and S. 1385) that would impose a moratorium on government use of biometric surveillance – including facial recognition – until laws are passed regulating who may use it and how.[175]

C.    Cities

1.      San Francisco, California

1. In mid-May of 2019, San Francisco passed a municipal ordinance banning the use of facial recognition technology, becoming the first city in the United States to do so.[176]
2. The grassroots coalition that advocated for the passage of this ordinance cited civil liberties concerns, including widespread use by federal ICE agents, privacy concerns, and perpetuation of racial injustice as reasons for the need to ban facial recognition.[177]

2.      Oakland, California

1. Oakland banned facial recognition technology in July of 2019.[178]

3.      Sommerville, Massachusetts

1. In June of 2019, Sommerville’s City Council banned the use of facial recognition technology in police investigations and municipal surveillance programs.[179]

4.      Berkeley, California

1. In mid-October of 2019, Berkeley, California joined its neighbors and passed a ban on all government use of facial recognition technology.[180]

5.      New York, New York

1. The New York City Council recently passed Int. 0487A-2018 (also referred to as the Public Oversight of Surveillance Technology (POST) Act) and it was enacted into law on July 15, 2020.[181]  The POST Act increases oversight of the NYPD’s use of surveillance technology by requiring reporting and evaluation of surveillance technologies used by the NYPD.[182]  It will require the NYPD to draft a surveillance impact and use policy which will be subject to a public comment period.[183]
2. In late 2018, New York City Councilman Ritchie Torres, head of the council’s Committee on Oversight and Investigations, introduced Int. No. 1170-2018 that would regulate biometric use, to a degree.[184] The bill would amend Section 1, Chapter 5 of Title 20 of the City’s Administrative Code and require businesses to provide notice to persons if they are collecting what the bill defines as biometric data.[185] The bill would not, however, apply to government agencies.[186]
3. Like BIPA, Int. No. 1170 also creates a private right of action and allows for a prevailing party to recover damages of $1,000 per violation against a negligent entity and $5,000 per violation against an entity that was reckless/intentional, and allows for attorney’s fees and “other relief,” including injunctive relief, “that the court deems appropriate.”[187]
4. Additionally, Int. No. 1170 gives the commissioner of the New York City Department of Consumer Affairs authority to implement a civil penalty of $500 per day for a violation.[188]
5. It is important to note that Int. No. 1170 does not apply to government entities; this means that the plethora of constitutional concerns, discussed above, are not addressed by this bill.[189]  Critics on the other side of the spectrum have voiced concerns that Int. No. 1170 will lead to a BIPA-like influx of litigation.[190]
6. In related efforts, Councilman Brad Lander introduced Int. No. 1758-2019 in October of 2019. [191]  This law would define the word “key” in the City Code and require that building owners provide mechanical keys to residents for both the exterior door of their buildings and the doors to their individual apartments.[192] It would also prohibit landlords from forcing tenants to use keyless entry technology to enter their buildings.[193]
7. In August of 2019, Councilman Donovan J. Richards introduced Int. 1672-2019, which requires real property owners to submit registration statements regarding biometric recognition technology utilized on the premises.[194]  The bill would also require the City’s Department of Information Technology to establish a database and provide an annual report to the Mayor and the City Council.[195]

D.    Other Countries

• The European Union (EU) has been more proactive than the United States with respect to regulating biometric data.  In 2016, it passed the General Data Protection Act (GDPA), the world’s strongest data protection law, which came into force in mid-2018.[196]  One of the goals of the GDPA is to modernize data protection and institute uniformity across the EU’s legal landscape.[197]
• The GDPA contains ninety-nine articles that outline the rights of individuals and obligations placed on organizations covered by the law and establishes a penalty scheme and responsibility for organizations to obtain the consent of persons from whom they collect personal data.[198]
• The GDPA defines “personal data” as “. . . any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person . . .” [199]
• The United Kingdom passed its own version of the GDPA – the Data Protection Act of 2018 – which largely mirrors the EU’s law, in anticipation of Brexit.[200]  It currently has no law, however, regulating the formal use of biometric facial recognition cameras, specifically.[201]
• In contrast, the London police force recently instituted a large-scale camera network used for a “perpetual lineup.”[202]  These efforts have been met with protest and pending legal challenges.[203]
• In other counties, use of facial recognition is more widespread. In China, you can use facial recognition to order fast food, while police officers have also begun wearing glasses with facial recognition capabilities that allow them to track and identify individuals within large crowds.[204]
• Chinese tech giant Huawei has installed its “Safe Cities” facial recognition monitoring system in cities across the globe where Chinese companies have made recent, large-scale business investments (such as Belgrade, Serbia and Kampala, Uganda, among others).[205]  These countries often have less power and military infrastructure than China.[206]  In the wake of these efforts, citizens of these nations have voiced privacy concerns, which have been augmented by claims that Huawei’s facial recognition systems will give China unfettered access to its data (because of accusations of government control of the company) which could compromise the privacy of people in poorer countries that may not have the power to stand up to China.[207]  If the people in these nations speak out against China or act in ways that China deems threatening to its business interests, critics claim that China could easily spy on them using Safe Cities technology and crush dissent.[208]  “Safe Cities” is an example of how government and private entities might use facial recognition software to impinge on human rights and repress dissent.  Huawei’s “Safe Cities” systems are found in some 230 cities worldwide.[209]
• Aadhaar – India’s national ID program – is the world’s largest biometric database.[210]  It holds profiles of people for their lifetime and was designed to help government agencies deliver public services securely, to a large group of people, using biometric and demographic data.[211]
• Over 500 million residents are enrolled in the system; however, Aadhaar has come under fire from critics because of data security concerns, errors in record keeping which have led to injury and death, and a general concern about personal autonomy/privacy. These concerns led India’s Supreme Court to establish privacy as a fundamental right.[212]

• Some academics and others have called for a complete ban on facial recognition because of its power, pervasiveness and potential to completely and permanently alter the dynamic between individuals and the state with respect to personal privacy.[213]  They argue that industry guidelines and even legislation itself cannot curb potential abuses of this technology (although a ban at this point seems unfeasible, as the use of facial recognition use is so widespread).[214]  Other arguments favor more regulation, as a ban would prohibit positive uses of the technology.[215]

VII.  PRIVATE SECTOR EFFORTS TO REGULATE FACIAL RECOGNITION AND BIOMETRICS

• At this time, no industry-wide standards exist that would allow for uniform biometric technology use.  While some companies have made efforts to combat bias and inaccuracy in facial recognition software (e.g., IBM is introducing a more diverse dataset in the hopes of combating AI bias), it is unclear how impactful these efforts are.[216]
• Additionally, while not all companies are forthcoming about these efforts, others are informing the public of their contributions to researching and combating these issues.[217]
• Alternatively, Amazon, which came under fire in the ACLU’s report of racial bias in its Rekognition facial recognition system, stated that it would not stop selling the software to a host of government and law enforcement agencies, even in the wake of complaints voiced by its own employees.[218]  Amazon also refused to have NIST assess Rekognition.[219]
• A February 2019 blog post by Michael Punke, VP of Global Public Policy at AWS, highlights Amazon’s concerns associated with AI and called for regulations to increase transparency in its use.[220]
• In 2018, after backlash from its participation in Project Maven – a Pentagon drone project – Google announced that it would no longer work on AI weapons projects and released a set of ethical guidelines for AI use and development (although it continues to work with the US military).[221] Google’s own employees have also voiced concerns about Google’s involvement with this project, with some resigning in protest.[222]
• The Institute of Electrical and Electronics Engineers, a large professional organization, has authored Ethically Aligned Design, a treatise on ethics in AI, and have created a global initiative to set standards to combat AI bias.[223]
• Joy Buolamwini – the researcher at MIT’s Media Lab who discovered high rates of racial bias in a host of recognition algorithms – created the Algorithmic Justice League (AJL) to raise awareness of racial bias in biometric systems and work to combat this issue.[224]
• In an op-ed in the New York Times, House minority Leader Kevin McCarthy (R-CA-23) urged that trustbusting of large tech companies is not the answer to guarding against data breaches but, rather, urges a public/private sector partnership that incorporates technologies such as Cryptonetworks (decentralized platforms governed by the community of users themselves).[225]  In Cryptonetworks, data would be controlled by blockchain encryptions, rather than the platform itself. McCarthy also calls for Congress to set a federal standard for privacy frameworks.[226]

VIII.  FUTURE ACTION AND CONCLUSION

• Facial recognition is, at once, an emerging and rapidly advancing technology that is widely-used with a regulatory framework insufficiently postured to deal with the grave risks it poses to personal privacy, constitutional rights, and racial justice.  These issues take the form of a frightening legal Venn diagram that merges two of the most pressing issues currently facing the legal profession: in one circle you find mass incarceration/racial injustice, and in the other, the inability of society to pass laws and issue judicial decisions that keep pace with technology.
• Considering the disjointed judicial landscape, this issue – particularly with respect to Fifth Amendment testimonial protections – is ripe for Supreme Court intervention, however it has no relevant cases on its docket.
• More uniform, comprehensive federal laws are also needed to fill the regulatory void and set minimum accuracy standards across the industry to attempt to curb the bias that infects facial recognition and other biometric technology.[227]  The legislative scheme of this industry must also be changed from voluntary to mandatory.
• Augmenting NIST into a true regulatory agency will be crucial with respect to reforming our ability to regulate biometrics as this will allow for enhanced oversight of this industry as well as registration, training and testing of this software.  While many of these deep learning algorithms that fuel biometric systems are challenging to send for analysis, because they are extremely large and update in real time, some sort of technological/regulatory scheme needs to be established such that NIST can properly test these systems for bias.[228]  One solution may be that NIST establish a corps of inspectors who can travel to facilities to test software.
• This complex and wide-reaching technology may be best regulated through a multi-pronged approach that applies to both government and private entities.[229]
• While addressing the concerns presented by facial recognition and biometrics is an immense undertaking, these efforts present an opportunity for the legal profession to protect individuals’ personal privacy and advance justice for society at large.

REFERENCES