The Electronic Frontier Foundation is filing comments opposing the Department of Homeland Security’s efforts to expand biometric surveillance.
Surveillance has been something of a hot topic for digital rights advocates for more than a decade now. Debates around surveillance exploded back in 2008 after revelations that the US was engaged in warrantless wiretapping. In September of 2008, the Electronic Frontier Foundation sued the NSA and officials from the Bush Administration over violations of unreasonable search and seizure. This after revelations that the National Security Agency (NSA) had installed a splitter in a secret room at AT&T to collect all data flowing through the ISPs network, thereby obtaining a direct copy of all traffic without a warrant.
Canada wasn’t immune from such debates. This is especially true when Stingray vans were parked in Ontario to intercept and collect all cell phone communications. This resulted in Canada getting its own debate surrounding warrantless wiretapping.
Of course, while wiretapping of communications is the most popular topic in the debates surrounding personal privacy, it’s far from the only one. Another creepy topic is biometric surveillance. Earlier this year, we touched on this when Europe was debating the validity of “immunity passports“.
Last year, the topic of biometric surveillance heated up when the US government began demanding access to databases of genealogy research companies. The database that was the subject of the warrant was GEDmatch. From the Guardian at the time:
Last week, at a police convention in the US, a Florida police officer revealed he had obtained a warrant to search the GEDmatch database of a million genetic profiles uploaded by users of the genealogy research site. Legal experts said this appeared to be the first time an American judge had approved such a warrant.
“That’s a huge game-changer,” observed Erin Murphy, a law professor at New York University. “The company made a decision to keep law enforcement out and that’s been overridden by a court. It’s a signal that no genetic information can be safe.”
At the end of the cop’s talk, he was approached by many officers from other jurisdictions asking for a copy of the successful warrant.
Apart from medical records, your DNA profile is the most sensitive and personal data imaginable. In some ways, it’s more revealing, because it can reveal secrets you don’t know you’re keeping, such as siblings (and sometimes parents) of whom you were unaware. It can also contain information about inherited vulnerabilities that might be of great interest to, say, insurance companies. And, of course, your genetic profile contains information about your ethnic antecedents.
The Electronic Frontier Foundation pointed out that these DNA searches have been known to implicate the wrong people:
DNA has implicated the wrong person in the past. Court records indicate police originally—and mistakenly—suspected an Oregon man was the Golden State Killer based on similar DNA research. In 2014, familial DNA searching led police to suspect that a New Orleans resident had committed a years-earlier Idaho rape and murder. A second DNA test cleared his name. And in 2012, a California man named Lukis Anderson was implicated for murder after his DNA was found at the crime scene, despite a rock-solid alibi.
In cases like these, the person linked through DNA becomes a suspect for a time, facing the very-real indignity of living under a cloud of suspicion until and possibly after their names are cleared. In some cases, like Mr. Anderson’s, they may also spend months in jail.
Advances in DNA technology will likely make these false identifications more common. Increasingly, forensic samples come from “touch” DNA—miniscule samples of DNA deposited on physical surfaces that people have touched—rather than from a single source, such as blood or semen. Touch DNA is less reliable and harder to match both because it may not include enough DNA for meaningful interpretation and because it often contains DNA from multiple people—some of whom may have had no connection to the crime at all. A person’s DNA can remain on an item that has been handled by many others or can be transferred to an item that was never in their possession. For example, in Mr. Anderson’s case, paramedics likely transferred his DNA to the murder victim when they responded to the crime scene hours after dropping Anderson off at the hospital.
But genetic privacy concerns go far beyond criminal justice. Our DNA contains our entire genetic makeup. It can reveal where our ancestors came from, who we are related to, our physical characteristics, and whether we are likely to get a host of genetically determined diseases. Researchers have also theorized DNA may predict race, intelligence, criminality, sexual orientation, and even political ideology.
More recently, the Department of Homeland Security (DHS) has a proposal to greatly expand their biometric database. From the EFF:
On September 11, 2020, the Department of Homeland Security (DHS) announced its intention to significantly expand both the number of people required to submit biometrics during routine immigration applications and the types of biometrics that individuals must surrender. This new rule will apply to immigrants and U.S. citizens alike, and to people of all ages, including, for the first time, children under the age of 14. It would nearly double the number of people from whom DHS would collect biometrics each year, to more than six million. The biometrics DHS plans to collect include palm prints, voice prints, iris scans, facial imaging, and even DNA—which are far more invasive than DHS’s current biometric collection of fingerprints, photographs, and signatures.
Immigrating to the United States, or sponsoring your family member to do so, should not expose your most intimate and sensitive personal data to the U.S. government. But that’s what this new rule will do, by permitting DHS to collect a range of biometrics at every stage of the “immigration lifecycle.” The government does not, and should not, take DNA samples of every person born on U.S. soil—so why should it do the same for immigrants coming to the United States or U.S. citizens seeking to petition a family member?
We cannot allow the government to normalize, justify, or develop its capacity for the mass collection of DNA and other sensitive biometrics. This move by DHS brings us one step closer to mass dragnet genetic surveillance. It also risks that people’s biometric information will be vulnerable to breach or future misuse by expanding the types of biometrics collected from each individual, storing all data together in one database, and using a unique identifier to link several biometrics to each person. The U.S. government has shown time and time again that it cannot protect our personal data. In 2019, DHS admitted that the images of almost 200,000 people taken for its face recognition pilot, as well as automated license plate reader data, were released onto the dark web after a cyberattack compromised a subcontractor. In 2015, the Office of Personnel Management admitted a breach of 5.6 million fingerprints, in addition to the SSNs and other personal information of more than 25 million Americans. We cannot run the risk of similar infiltrations happening again with people’s DNA, voice prints, iris scans, or facial imaging.
Now, the EFF has said that it has filed joint comments with other civil liberty organizations opposing the expansion of these government databases. From the EFF:
EFF, joined by several leading civil liberties and immigrant rights organizations, recently filed a comment calling on the Department of Homeland Security (DHS) to withdraw a proposed rule that would exponentially expand biometrics collection from both U.S. citizens and noncitizens who apply for immigration benefits and would allow DHS to mandate the collection of face data, iris scans, palm prints, voice prints, and DNA. DHS received more than 5,000 comments in response to the proposed rule, and five U.S. Senators also demanded that DHS abandon the proposal.
DHS’s biometrics database is already the second largest in the world. It contains biometrics from more than 260 million people. If DHS’s proposed rule takes effect, DHS estimates that it would nearly double the number of people added to that database each year, to over 6 million people. And, equally important, the rule would expand both the types of biometrics DHS collects and how DHS uses them.
This massive collection of biometric data—and the danger that it could be leaked—places a significant burden on First Amendment activity. By collecting and retaining biometric data like face recognition and sharing it broadly with federal, state, and local agencies, as well as with contractors and foreign governments, DHS lays the groundwork for a vast surveillance and tracking network that could impact individuals and communities for years to come. DHS could soon build a database large enough to identify and track all people in public places, without their knowledge—not just in places the agency oversees, like at the border, but anywhere there are cameras. This burden falls disproportionately on communities of color, immigrants, religious minorities, and other marginalized groups that are the most likely to encounter DHS.
If immigrants and their U.S. citizen and permanent resident family members know the government can request, retain, and share with other law enforcement agencies their most intimate biometric information at every stage of the immigration lifecycle, many may self-censor and refrain from asserting their First Amendment rights. Studies show that surveillance systems and the overcollection of data by the government chill expressive and religious activity. For example, in 2013, a study involving Muslims in New York and New Jersey found excessive police surveillance in Muslim communities had a significant chilling effect on First Amendment-protected activities.
DHS has offered little justification for this massive expansion of biometric data collection. In the proposed rule, DHS suggests that the new system will “provide DHS with the improved ability to identify and limit fraud.” However, the scant evidence that DHS offers to demonstrate the existence of fraud cannot justify its expansive changes. For example, DHS purports to justify its collection of DNA from children based on the fact that there were “432 incidents of fraudulent family claims” between July 1, 2019 and November 7, 2019 along the southern border. Not only does DHS not define what constitutes a “fraudulent family,” but also it leaves out that during that same period, an estimated 100,000 family units crossed the southern border, meaning that the so-called “fraudulent family” units made up less than one-half of one percent of all family crossings. And we’ve seen this before: the Trump administration has a troubling record of raising false alarms about fraud in the immigration context.
The thing about collecting DNA is that you cannot change it. It’s not like a password that you can simply swap out when you feel like you are being watched. Once someone has your DNA for surveillance, they have it. What’s more is that they can know more about you more than you know about yourself. This is a big reason why this is such a major issue for privacy observers. What’s more is that whether or not you believe this is a real issue, the US government certainly believes this is something worth expanding on. As we move forward, this issue only stands to get bigger.
Drew Wilson on Twitter: @icecube85 and Facebook.