Rachel Evans* |
On June 29, 2022, the Subcommittee on Investigations and Oversight for the House Committee on Science, Space, and Technology heard testimony from multiple experts about the expansion of biometric technology and the future of American privacy law. This hearing signals Congress’ intention to consider new legislation aimed at protecting privacy interests while simultaneously encouraging the expansion of biometric technologies.
Chairman Bill Foster (D-IL) opened the hearing with concerns that the broad impact of the U.S. Supreme Court’s Dobbs v. Jackson Women’s Health Organization decision would significantly weaken privacy protections, explaining that “[t]he timing of our discussion … is notable[.] [T]his makes protecting Americans biometric data more important than ever.” Congress’ focus will now “be on how technological solutions can secure our privacy while allowing us to enjoy the benefits of biometric tools.”
Multiple experts then testified to the widespread use of biometric technology at the federal level. Director Candice Wright, the Director of Science, Technology, Assessment and Analytics for the Government Accountability Office (“GAO”), revealed that 18 federal agencies reported to the GAO that facial recognition technology had been used by federal agents for the following reasons:
- Unlocking iPhones;
- Monitoring who is entering/exiting a federal building; and/or
- Generating leads in an investigation.
Although federal agencies often develop biometric technology in-house, or rely on technology of state/local governments, Director Wright revealed multiple agencies purchase biometric technology from commercial vendors. For example, the Department of Homeland Security routinely used Clearview AI to identify victims and perpetrators in child trafficking cases.
Although most federal agencies maintain adequate processes to track the use of biometric technology in federal facilities, some agencies did not have complete information on private biometric technology being used by federal employees. The GAO found “multiple agencies [polled] their employees and discovered they were using nonfederal systems even though the agency initially told [the GAO] otherwise.”
Director Wright ultimately recommended Congress create legislation to improve the process of tracking the use of biometric technologies by federal agencies. If done correctly, this legislation could reduce the risk of privacy violations while simultaneously maintaining federal access to biometric technologies.
Dr. Charles H. Romine, Director of Information Technology for the National Institute of Standards and Technology (“NIST”), also testified, recommending that companies implement the NIST Privacy Framework. “Privacy plays a critical role in safeguarding fundamental liberties such as human autonomy and dignity, as well as civil rights and civil liberties. NIST has prioritized research and the creation of frameworks, guidance, tools, and standards that protect privacy.” “The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative services while protecting initials’ privacy.”
Finally, Dr. Arun Ross, a Computer Science and Engineering Professor at Michigan State University, testified to the rapid development of machine learning and its impact on biometric technology. Dr. Ross emphasized that users of biometric technologies must implement the following safeguards:
- Utilize encryption.
- Engage in a paradigm for cancellable biometrics wherein the biometric data may be intentionally distorted to preempt the possibility of data linkage across apps.
- Perturbing face images so that the biometric utility is retained but the ability to extract different attributes is obscured.
- Increase the difficulty for public images to be scraped from websites and social media platforms.
- Deploy privacy-preserving cameras where acquired images are not interpretable by humans and can only be used in a specific application.
The Final Word
Congress has made it clear that it intends to modernize and leverage biometric identity systems in federal facilities. In doing so, the evolving use of biometric technologies will be subject to continuing regulations and reporting guidelines. Federal agencies should thus anticipate new reporting requirements and, potentially, restrictions on contracts with third-party providers as federal regulation continues to develop. All of this has direct implications for how the private sector will handle such biometric technology as well.
*Rachel Evans served as a Blank Rome 2022 summer associate