BILL ANALYSIS �
AB 1899
Page 1
Date of Hearing: March 11, 2008
Counsel: Kathleen Ragan
ASSEMBLY COMMITTEE ON PUBLIC SAFETY
Jose Solorio, Chair
AB 1899 (Cook) - As Introduced: February 7, 2008
SUMMARY : Provides that local and regional Remote Access
Network (RAN) boards may manage, at their discretion, biometric
or other automated identification systems in addition to
fingerprint identification files retained in the California
Identification System (Cal-ID), the automated system maintained
by the Department of Justice (DOJ). Specifically, this bill :
1)Provides that local and regional RAN boards may manage, at
their discretion, additional biometric or other automated
identification systems, including facial recognition, DNA, and
iris scanning.
2)Specifies that these additional automated identification
systems shall be funded from sources outside of those mandated
for mobile and fixed location fingerprint identification.
EXISTING LAW :
1)Defines the "California Identification System" or "Cal-ID" as
the automated system maintained by DOJ for retaining
fingerprint files and identifying latent fingerprints. [Penal
Code Section 111121.1(a).]
2)Provides that "Remote Access Network" or "RAN" means a uniform
statewide network of equipment and procedures allowing local
law enforcement agencies direct access to the
Cal-ID. [Penal Code Section 111121.1(b).]
3)States that the "Cal-ID Telecommunications System" means a
statewide telecommunications network dedicated to the
transmission of fingerprint identification data in conjunction
with Cal-ID for use by law enforcement agencies. [Penal Code
Section 111121.1(d).]
4)Requires DOJ to develop a master plan recommending the type,
�
AB 1899
Page 2
number and location of equipment necessary to implement RAN.
(Penal Code Section 111121.2.)
5)Provides that DOJ shall also develop policy guidelines and
administrative procedures to facilitate the implementation and
use of RAN. States that the RAN master plan shall include
reasonable interface specifications to access Cal-ID and shall
be provided to any supplier of automated fingerprint
identification systems interested in bidding on RAN by May 15,
1986.
(Penal Code Section 111121.2.)
6)States that the master plan shall provide for the use of
facsimile and direct image "live read" fingerprint equipment
under RAN, including point of booking terminals. (Penal Code
Section 111121.2.)
7)Requires DOJ to amend the Master Plan to include additional
processing, matching and communications equipment at the DOJ,
and to recommend the type, number, and location of equipment
necessary to implement facsimile and direct image "live read"
fingerprint equipment as part of RAN, including point of
booking terminals. States that funding shall be on a shared
basis between the state and a region, as specified. (Penal
Code Section 111121.2.)
8)States that within each county or group of counties eligible
to receive funding under the DOJ Master Plan for equipment, a
local or regional RAN board shall be established. Provides
that the RAN Board shall determine the placement of RAN
equipment within the county or counties, and coordinate
acceptance, delivery and installation of RAN equipment.
[Penal Code Section 111121.4(a).]
9)Specifies that the RAN board shall develop any procedures
necessary to regulate the ongoing use and maintenance of that
equipment, adhering to the policy guidance issued by DOJ.
[Penal Code Section 111121.4(a).]
10)Provides that the local board shall consider the placement of
equipment on the basis of the following criteria:
a) The crime rate of the jurisdiction or jurisdictions
served by the agency; [Penal Code Section 111121.4(a)(1)];
�
AB 1899
Page 3
b) The number of criminal offenses reported by the agency
or agencies to DOJ; [Penal Code Section 111121.4(a)(2).]
c) The potential number of fingerprint cards and latent
fingerprints processed; [Penal Code Section
111121.4(a)(3).]
d) The number of sworn personnel of the agency or agencies;
[Penal Code Section 111121.4(a)(4).]
11)Specifies the composition of each RAN board, based upon the
population of the county. [Penal Code Section
111121.4(b)(c).]
12)Specifies the pro-ration of equipment costs between the state
and the local government entity, and states that purchases may
be made under the existing Cal-ID contract through the
Department of General Services, or, alternatively at the
discretion of the local board, an independent competitive
procurement may be initiated under specified conditions.
[Penal Code Section 11112.5(a)(b).]
13)Provides that the Cal-ID Telecommunications System shall be
under the direction of the Attorney General and shall be used
exclusively for the official business of the state, and the
official business of any city, county, or other public agency.
[Penal Code Section 1112.6(a).]
14)States that the Cal-ID Telecommunications System shall
provide telecommunication lines to one location in every
participating county. [Penal Code Section 1112.6(b).]
15)Specifies that the Cal-ID Telecommunications System shall be
maintained at all times by DOJ with equipment and facilities
adequate to meet the needs of law enforcement. States that
the system shall be designed to accommodate present and future
data transmission equipment. [Penal Code Section 1112.6(c).]
16)Establishes the DNA and Forensic Identification Data Base and
Data Bank Act of 1998. (Penal Code Section 295 et seq.) That
Act establishes procedures for the collection and handling of
DNA samples, and identifies which criminal offenders are
subject to the collection of DNA specimens and thumb print and
full palm impressions, as well as blood samples and any other
biological samples required.
�
AB 1899
Page 4
FISCAL EFFECT : Unknown
COMMENTS :
1)Author's Statement : According to the author, "AB 1899 would be
of great benefit to law enforcement and the public alike. Law
enforcement would be allowed to utilize modern, more accurate
identification techniques. These modern techniques are not only
easier to catalog, search, and implement, but will improve law
enforcement's ability to identify the correct suspect and free
the innocent. Keeping the public safe and preventing faulty
accusations and convictions is fundamental to the relationship
between the government and the people. AB 1899 will help
accomplish this."
2)Background : According to background information provided by the
author, "Penal Code Sections 11112.1 through 11112.7 define the
California Remote Access Networks (RAN) authority to govern
fingerprint identification procedures, systems, equipment etc.
This statute was written in 1986, at a time when fingerprints
were the most common biometric used for identification purposes.
The current statute limits RAN authority to fingerprints and
does not provide RAN the authority to administer modern
biometric and/or other automated identification systems,
including facial recognition, DNA, iris scanning, and other
yet-to-be-determined forms of biometric and other automated
identification systems.
"There is a need to extend the local and regional RAN Board's
authority in Riverside and San Bernardino Counties to include
additional biometric and/or automated identification systems.
Local and regional RAN Boards responsibilities have historically
included CAL-DNA (see below); AB 1899 represents a natural
extension of this joint relationship, to administer other
biometric and/or aforementioned automated identification
systems.
"Allowing new, more accurate forms of biometrics and/or
automated identification would aid in quickly and correctly
identifying suspects and exonerating the innocent.
3)Iris Recognition Biometric Authentication : Iris recognition uses
camera technology; the set of pixels covering only the iris is
transformed into a bit pattern that preserves the information
�
AB 1899
Page 5
that is essential for a statistically significant comparison
between two iris images. Iris recognition is susceptible to poor
image quality and difficult to perform at a distance larger than
a few meters. A 2004 report by the German Federal Office for
Information Security noted that none of the iris recognition
systems commercially available at the time implemented any live
tissue verification technology. The reliability of any
biometric identification depends on ensuring that the signal
acquired and compared has actually been recorded from a live
body part of the person to be identified and is not a
manufactured template. Many commercially available iris
recognition systems are easily fooled by presenting a
high-quality photograph of a face instead of a real face, which
makes such devices unsuitable for unsupervised applications.
See Iris Recognition, Wikipedia.com.
This bill allows local RAN boards to use, at their discretion, iris
scanning, notwithstanding the ongoing problems with the
technology and the unanswered questions about the legality of
using such technology in given circumstances.
4)Facial Recognition Technology : "In simplified terms a facial
recognition system compares a digital pattern (a computerized
estimate) of the face of a person walking down the street or
standing in a crowd to images stored in a database. Changes in
the environment, such as positioning, lighting and shadows, can
affect biometric data collection. Changes in facial expression,
angle of head to camera, hairstyle, and beards are particularly
effective at confounding facial recognition systems. In one
test, the Government Accountability Office (GAO) found that a
person moving his head slightly to the left and right also
fooled the system. [I]n Congressional testimony, the Electronic
Privacy Information Center (EPIC) Executive Director said the
effectiveness of a system would be determined by how the system
is set up, protected, and maintained. Face recognition system
errors lead to innocent persons being falsely matched to watch
lists or databases, and suspects being able to pass through the
system unrecognized. [See
http://epic.org/privacy/surveillance/spotlight/1105/]
That article reported that Tampa Florida is one of the U.S. cities
that have used facial recognition technology in concert with
camera surveillance to surreptitiously scan the public. A
report by the American Civil Liberties Union found that "the
system never correctly identified a single face in its database
�
AB 1899
Page 6
of suspects, let alone resulted in any arrests? [and its]
photographic database contains a broader selection of the
population than just criminals wanted by the police, including
such people as those who might have 'valuable intelligence' for
the police or who have criminal records." In August 2003, Tampa
stopped using the system, supplied by Identix, because of its
failures. "It's just proven not to have any benefit to us,"
said a police department spokesman.
Boston's Logan Airport ran two separate tests of face recognition
systems, supplied by Viisage Technology and Identix, in 2002.
Both systems had such high error rates that the airport dropped
the technology. Similar systems also failed tests at airports
in Dallas / Fort Worth, Texas, and Fresno, California.
[http://epic.org/privacy/surveillance/spotlight/1105/]
Again, despite the technologic failures of facial recognition
technology to date, this bill provides local RAN boards with
unfettered discretion to use this technology as they see fit.
5)Privacy Concerns of Current Uses : In an article entitled Super
Bowl Surveillance: Facing Up to Biometrics, by John D. Woodward,
Jr., Senior Policy Analyst at RAND, the author stated that law
enforcement officials in Tampa Florida used biometric technology
at the Super Bowl XXXV. Specifically, surveillance cameras
surreptitiously scanned spectator's faces to capture images.
"Algorithms then measured facial features from these images -
such as the distances and angles between geometric points on the
face like the mouth extremities, nostrils, and eye corners - to
produce a 'face print.' This face print was then instantly
searched against a computerized database of suspected terrorists
and known criminals to recognize a specific individual. A match
would have alerted police to the presence of a specific threat."
Id. at p. 3.
"Although the concept of recognizing someone from facial features is
intuitive, facial recognition as a biometric makes human
recognition a more automated, computerized process. It is this
aspect of the use of biometrics that raises fear that we are
losing our ability to control information about ourselves - that
we are losing our right to privacy.
"Does the use of this technology violate legally protected privacy
rights? Legal rights to privacy may be found in three sources:
federal and state constitutions (if the entity invading your
�
AB 1899
Page 7
rights is a government actor), the common law of torts (if the
entity invading your rights is a private actor) and statutory
law.
"Although the word 'privacy' does not appear in the U.S.
Constitution, the concern with protecting citizens against
government intrusions into their privacy sphere is reflected in
many of its provisions (citing examples from the 1st, 3rd, 4th,
5th, and 14th amendments to the Constitution.) [T]he Supreme
Court has cautioned that it is 'not unaware of the threat to
privacy implicit in the accumulation of vast amounts of personal
information in computerized data banks or other massive
government files,' citing Whalen v. Roe , 429 U.S. 589, 605
(1977.)"
"[A]s the technology advances, particularly to the point that many
facial recognition or other biometric databases become
interlinked, then the threat to information privacy has the
potential to increase significantly. With biometric facial
recognition, the loss of information privacy essentially takes
two forms: fears of tracking and clandestine capture. Tracking
refers to the ability to monitor an individual in real time or
over a period of time. In its most extreme incarnation,
tracking could become a kind of 'super surveillance' that lets
the tracker 'follow' a person today as well as search databases
to learn where he was months ago.
"[T]he theoretical possibility that the government could compile
such massive databases, that such databases could be used by law
enforcement, raises the specter of 'Big Brother' tracking its
citizens' every move. [F]acial recognition systems can
surreptitiously track individuals without their knowledge or
permission. Moreover, the information from tracking can be
combined with other personal data, acquired by other means
(through, for example, a social security number) to provide even
more insight into an individual's private life.
"Whether such technological advances as the capability for 'super
surveillance' could render certain applications of this
technology unconstitutional remains to be seen. If the
compilation of information in these databases had a significant
chilling effect on First Amendment rights, such as attending a
political rally, if it impinges on fundamental rights of
decisional privacy, or if the information were insufficiently
safeguarded against unauthorized disclosure, then the
�
AB 1899
Page 8
maintenance of such databases could potentially run afoul of the
law.
"Given these potential concerns, civil libertarians are correct that
we should be mindful of emerging technologies that may invade
our privacy, and it is wise to monitor their development to
forestall potential abuses. We should however also ensure that
perceived or potential threats to our privacy do not blind us to
the positive uses of biometric technologies like facial
recognition.
"Our efforts should focus on identifying potential dangers and
addressing those concerns with specific safeguards. [O]ne
potential danger is function creep; that is, databases designed
for a specific purpose, such as screening for suspected
terrorists at a large sporting event, could easily be
interlinked with databases designed for other purposes, such as
locating those who are delinquent on child support payments or
have overdue library books. The interlinking and
interoperability of massive databases could lead to several
problems. The most serious of these potential problems is that
much more private information is collected and revealed to the
government entity than is necessary to achieve the purpose of
the surveillance. And, as a consequence, the damage caused by
inadvertent disclosure or unauthorized access to the database is
much greater.
"To prevent the unnecessary growth and interlinking of databases,
specific protocols should be established to govern what
information is authorized to reside in that database. At a
minimum, the government entity maintaining the database should
provide an articulable reason why the information is needed, how
long it needs to be retained in the database, and under what
conditions the information may be disseminated or shared with
others. To ensure the accuracy of the information compiled in
the database, a clear set of standards should set forth the
criteria for placing someone on a watch list, and the data
should be reviewed periodically to purge outdated or inaccurate
information.
"To prevent unauthorized disclosures, strict controls to safeguard
information should be required. The database should be made
secure, access to it should be restricted, encryption and other
technical measures should be used to thwart threats, records
should be made of when, by whom, and for what purpose the
�
AB 1899
Page 9
database is accessed, and stiff criminal penalties should be
available for unauthorized disclosure.
"In addition to regulatory controls, it might be useful to explore
less traditional methods to monitor this technology. For
example, as with any new technology, public understanding of its
operation and uses may mitigate many of the fears about Big
Brother. To that end, the government should be encouraged to
use the technology openly, rather than clandestinely. Moreover,
the government entity using biometric facial identification
should provide as much information as possible to the public
about the technology's purposes and capabilities. Finally, some
form of active oversight, either government only or a
cooperative effort between government officials and private
citizens, such as citizen oversight committees, would be useful
to quell fears about the technology's use but also to ensure
that it will not be abused."
The author concluded "Biometric facial recognition can provide
significant benefits to society. At the same time, the rapid
growth and improvement in the technology could threaten
individual privacy rights. The concern with balancing the
privacy of the citizen against the government interest occurs
with almost all law enforcement techniques, however, and we
should not let the fear of potential but inchoate threats to
privacy, such as super surveillance, deter us from using facial
recognition where it can produce positive benefits.
"Biometric facial recognition is by no means a perfect technology,
and much technical work has to be done before it becomes a truly
viable tool to counter terrorism and crime. But the technology
is getting better and there is no denying its tremendous
potential. In the meantime, we, as a society, have time to
decide how we want to use this technology. By implementing
reasonable safeguards, we can harness its power to maximize its
benefits while minimizing the intrusion on individual privacy."
6)Is This Bill Timely ? Automated identification systems such as
facial recognition and iris scanning have not yet been proved to
be widely accepted in the scientific community or sufficiently
scientifically accurate to assist the trier of fact and
therefore to be admissible in court. Moreover, there appears to
be a consensus that additional work is required on these new
automated identification technologies to assure their
reliability, as well as to assure that individual privacy is
�
AB 1899
Page 10
protected.
The bill allows the local RAN boards to manage, at their discretion,
additional biometric systems, but does not provide any
guidelines or limits on the exercise of that discretion. For
example, the bill fails to specify how these systems are
intended to be used or under what circumstances an individual
would be subject to iris scanning or facial recognition
scanning. The bill is silent as to the intended safeguards to
protect this additional data, and to assure that it is used only
for legally sanctioned purposes. At this point, due in part to
the evolving nature of the technology, issues such as the need
for a search warrant prior to subjecting someone to scanning are
unclear.
The United States Supreme Court has held that a key question to be
answered is whether the theory or technique can be and has been
tested. "A pertinent consideration is whether the theory or
technique has been subjected to peer review and publication.
The court should ordinarily consider the known or potential rate
of error of a particular scientific technique. The assessment
of reliability permits but does not require explicit
identification of a relevant scientific community and an express
determination of a particular degree of acceptance within that
community, as a widespread acceptance can be an important factor
in ruling particular evidence admissible, and a known technique
that has been able to attract only minimal support in the
scientific community may properly be viewed with skepticism."
Daubert v. Merrell Dow Pharmaceuticals, Inc ., 509 U.S. 579
(1993.)
The RAND Public Safety study on Biometrics stated "For now, the jury
is still out on the effectiveness of facial recognition systems;
however, the technology is improving. Facial recognition
systems may yet become a part of our daily lives as they improve
and if they become more acceptable." John D. Woodward, Jr.,
Documented Briefing, RAND, " Biometrics: A Look At Facial
Recognition " at p. 16 (2003.)
The RAND study identified a number of difficulties with facial
recognition surveillance, including an uncontrolled background,
the subject's non-cooperation, the subject not looking at the
camera or wearing sunglasses or a hat, or the subject being a
moving target. Additional problems identified were uncontrolled
environmental conditions, such as lighting problems (shadows,
�
AB 1899
Page 11
glare), camera angle and image resolution.
The author concluded that "facial recognition is by no means a
perfect technology and more technical work has to be done before
it becomes a truly viable tool to counter terrorism and crime.
In the meantime, we, as a society, have time to decide how we
want to use this new technology. By implementing reasonable
safeguards, we can harness the power of technology to maximize
its public safety benefits while minimizing the intrusion on
individual privacy." Id. at p. 20.
According to additional background information provided by the
author, "Iris scanning technology is presently being used by the
U.S. Military in the Middle East and a few custodial facilities
in the U.S. The technology could be used any time a positive
identification is needed and the legal right exists to determine
the identification of a subject." This bill does not limit the
use of biometric identification to custodial situations.
The additional background information further states that "facial
recognition is more of an investigative tool for presenting
possible candidates for a crime. A photograph (surveillance or
video) is analyzed by the facial recognition computer and run
against a photo (mug shot) database for a list of candidates
whose identifying characteristics closely matches the
photograph. The officer/investigator must then conduct an
investigation to determine whether one of the candidates
committed the crime. Strictly a tool and not a positive means
of identification." Calling facial recognition merely a tool,
rather than a means of identification, does not respond to the
basic questions of what people are subject to having their faces
scanned or the evidentiary standard to be used prior to
scanning. Are individuals walking down the street subject to
facial scanning or is it limited to persons arrested, or persons
convicted; if so, are there limitations on the amount of time
the data may be kept and who may access the data?
7)The FBI's "Next Generation Identification :" According to an
article in the Washington Post, "the FBI is embarking on a $1
billion effort to build the world's largest computer database of
people's physical characteristics, a project that would give the
government unprecedented abilities to identify individuals in
the United States and abroad." Although digital images of
faces, fingerprints and palm patterns are already being
collected by agencies of the federal government, such as the
�
AB 1899
Page 12
Department of Homeland Security, "the FBI intends to award a
10-year contract that would significantly expand the amount and
kinds of biometric information it receives. In coming years,
law enforcement authorities around the world will be able to
rely on iris patterns, face shape data, scars and perhaps even
the unique ways people walk and talk, to solve crimes and
identify criminals and terrorists." [Ellen Nakashima, FBI Plans
Giant Database of People's Characteristics, Washington Post,
December 23, 2007.]
"The increasing use of biometrics for identification is raising
questions about the ability of Americans to avoid unwanted
scrutiny. It is drawing criticism from those who worry that
people's bodies will become de facto national identification
cards. Critics say that such government initiatives should not
proceed without proof that the technology can really pick a
criminal out of a crowd.
"If successful, the system planned by the FBI, called Next
Generation Identification, will collect a wide variety of
biometric information in one place for identification and
forensic purposes. [S]oon, the server at Criminal Justice
Information Services headquarters will also compare palm prints
and eventually, iris images and face-shaped data such as the
shape of an earlobe. [R]esearchers are working on capturing
images of people's irises at distances of up to 15 feet, and of
faces from as far away as 200 yards. Soon, those researchers
will do biometric research for the FBI."
The article also discusses the world's first large-scale scientific
study on how well face recognition works in a crowd. The German
government found that the technology, though promising, was not
yet effective enough to allow its use by police. The study was
conducted from October 2006 through January 2007 at a train
station in Mainz, Germany, which draws 23,000 passengers daily.
The study found that the technology was able to match traveler's
faces against a database of volunteers more than 60% of the time
during the day, when lighting was best. But the rate fell to 10
to 20% at night.
"Privacy advocates worry about the ability of people to correct
false information. 'Unlike, say, a credit card number,
biometric data is forever,' said Paul Saffo, a Silicon Valley
technology forecaster. He said he fears that the FBI, whose
computer technology record has been marred by expensive
�
AB 1899
Page 13
failures, could not guarantee the data's security. If someone
steals and spoofs your iris image, you can't just get a new
eyeball,' Saffo said."
If the FBI is successful with its "Next Generation" plan, will the
federal law authorizing the "Next Generation" plan preempt state
or local laws on the same subject?
8)Would This Bill Require Changes to the DOJ Master Plan ? As
stated above, the law implementing the RAN board's
recommendations which required DOJ to develop a master plan
recommending the type, number and location of equipment
necessary to implement RAN. It also required that DOJ also
develop policy guidelines and administrative procedures to
facilitate the implementation and use of RAN. The law states
that the RAN master plan shall include reasonable interface
specifications to access Cal-ID and shall be provided to any
supplier of automated fingerprint identification systems
interested in bidding on RAN by May 15, 1986. (Penal Code
Section 111121.2.)
According to the DOJ Master Plan, DOJ is to make a recommendation to
the Attorney General for the type, number and location of
equipment necessary to implement the RAN; and the plan also
identifies interface specifications to access Cal-ID for any
supplier of automated fingerprint identification systems
interested in bidding on RAN.
Additionally, the Master Plan states that the State Department of
General Services (DGS) is responsible for purchasing RAN
equipment for local agencies under an existing Cal-ID state
contract, or, alternatively, serving with DOJ on an evaluation
team when a local RAN Board initiates an independent procurement
of equipment pursuant to Penal Code Section 11112.5(b).
This bill vests all authority with respect to biometric
identification systems in the local RAN boards, without regard
to the statutory requirements establishing the responsibilities
of other state agencies, such as DGS and DOJ.
9)"National Dragnet Is A Click Away," Robert O'Harrow, Jr. and Ellen
Nakashima, The Washington Post March 6, 2008: According to this
article, "several thousand law enforcement agencies are creating
the foundation of a domestic intelligence system through
computer networks that analyze vast amounts of police
�
AB 1899
Page 14
information to fight crime and root out terror plots. As
federal authorities struggled to meet information-sharing
mandates after the September 11, 2001, terrorist attacks, police
agencies from Alaska and California to the Washington region
poured millions of criminal and investigative records into
shared digital repositories called data warehouses, giving
investigators and analysts new power to discern links among
people, patterns of behavior and other hidden clues.
"Those networks will begin expanding further this month, as some
local and state agencies connect to a fledgling Justice
Department system called the National Data Exchange, or N-DEX.
Federal authorities hope N-DEX will become what one called a
'one-stop shop' enabling federal law enforcement,
counterterrorism and intelligence analysts to automatically
examine the enormous caches of local and state records for the
first time."
The article reported that almost 1,600 law enforcement agencies use
a commercial data-mining system called Coplink. "With Coplink,
police investigators can pinpoint suspects by searching on
scraps of information such as nicknames, height, weight, color
of hair and the placement of a tattoo. They can find hidden
relationships among suspects and instantly map links among
people, places and events. Searches that might have taken weeks
or months ? are now done in seconds."
According to the article, search data warehouses have been built by
Coplink in San Diego and Orange counties in California, and
these warehouses have agreements to share data with other law
enforcement agencies. "The expanding police systems illustrate
the prominent role that private companies play in homeland
security and counterterrorism efforts. They also underscore
how the use of the new data - and data surveillance - technology to
fight crime."
The article also underscores the privacy concerns raised by these
new data storage systems. "Authorities are aware that all of
this is unsettling to people worried about privacy and civil
liberties. Mark D. Rasch, a former federal prosecutor who is
now a security consultant for FTI Consulting, said that the
mining of police information by intelligence agencies could lead
to the improper targeting of U.S. citizens even when they've
done nothing wrong.
�
AB 1899
Page 15
"Some officials avoid using the term intelligence because of those
sensitivities. Others are open about their aim to use
information and technology in new ways. One widely used Coplink
product is called Intel Lead. It enables agencies to enter new
information, tips or observations into the data warehouses,
which can then be accessed by people with proper authority.
Another service under development, called 'predictor' would use
data and software to make educated guesses about what could
happen.
"To allay the public's fears, many police agencies segregate
information collected in the process of enforcing the law from
intelligence gathered on gangs, drug dealers and the like.
Projects receiving federal funding must do so. Nearly every
state and local jurisdiction has its own guides for these new
systems, rules that include restrictions intended to protect
against police intrusiveness, authorities said. The systems
also automatically keep track of how police use them.
"N-DEX, too, will have restrictions aimed at preventing the abuse of
the data it gathers. FBI officials said that agencies seeking
access to N-DEX would be vetted, and that only authorized
individuals would have access. Audit trails on whoever touches
a piece of data would be kept. And no investigator would be
allowed to take action - make an arrest, for instance - based on
another agency's data without first checking with that agency.
"But even some advocates of information-sharing technology worry
that without proper oversight and enforceable restrictions the
new networks pose a threat to basic American values by giving
police too much power over information. Timothy Sample, a
former intelligence official who runs the Intelligence and
National Security Alliance, is among those who think
computerized information sharing is critical to national
security but fraught with risks. 'As a nation, our laws have
not kept up,' said Sample, whose group serves as a professional
association of intelligence officials in the government and
intelligence contracting executives in the private sector.
"Thomas McNamara, Chief of the Federal Information Sharing
Environment Office, said a top goal of federal officials is
persuading regional systems to adopt most of the federal rules,
both for privacy and to build a sense of confidence among law
enforcement authorities who might be reluctant to share widely
because of security concerns. 'Part of the challenge is to
�
AB 1899
Page 16
leverage these cutting-edge tools so we can securely and
appropriately share that information which supports efforts to
protect our communities from future terrorist attacks,' McNamara
said. 'Equally important is that we do so in a manner that
fully protects the information privacy and legal rights of all
Americans.'
"[T]he Tucson police chief said there is no overstating the utility
of Coplink for his force. But he too acknowledges that such
power raises new questions about how to keep it in check and
ensure that the trust people place in law enforcement is not
misplaced. 'I don't want the people in my community to feel we
are behind every little tree and surveilling them'. If there is
any kind of inkling that we are misusing our power and our
technology, the trust will be destroyed.' he said."
10)By Vesting Sole Discretion in the Local and Regional RAN Boards
to Manage Additional Biometric Identification Systems, Does This
Bill Invite Inconsistent and Inappropriate Application ?
Without providing specific criteria or procedures for the use of
this information, this bill lacks the specific guidance
necessary for the consistent, statewide collection and
protection of the data. In the RAND author's opinion, "Our
efforts should focus on identifying potential dangers and
addressing those concerns with specific safeguards." Id. at p.
12. Some of those safeguards are procedures to prevent
unauthorized disclosure; safeguards against "function creep" or
distribution of the information more widely than necessary;
overuse of interlinking and interoperability of databases;
establishment of specific protocols to govern what information
is authorized to reside in a particular database; limitations on
the amount and type of data collected to that strictly necessary
to achieve legitimate government purposes; provision by the
government entity of an articulable reason why the information
is needed, how long it needs to be retained, and under what
conditions the information may be shared with others. It is
further recommended that to ensure the accuracy of the
information compiled in the database, a clear set of standards
should set forth the criteria for placing someone on a watch
list, and the data should be reviewed periodically to purge
outdated or inaccurate information.
Further, to prevent unauthorized disclosures, controls to safeguard
information should be required. The database should be made
secure, access to it should be restricted, and encryption and
�
AB 1899
Page 17
other technical measures should be used to thwart threats.
Records should be made of when, by whom, and for what purpose
the database is accessed, and stiff criminal penalties should be
available for unauthorized disclosure. Governmental and/or
public/private oversight committees are also suggested.
The RAND article provides merely some examples of the kind of
procedures and protocols that would be necessary in order to
make the generalized system proposed by this bill truly workable
and trustworthy. This bill contains no discussion of any
criteria, procedures, and protocols to protect the data, and has
no limitations on the dissemination and sharing of this data.
Because of the lack of specific details, this bill contains
insufficient information to constitute sustainable law.
11)Alameda County Sheriff Plans to Scan Irises of Sex Offenders : In
an article in the San Francisco Chronicle dated November 5,
2007, it is reported that "The Alameda County Sheriff's Office
is preparing to become the first public agency in the Bay Area
to force some convicts to submit to iris scanning, a strategy
that may jump-start debate about how police should use a
powerful and emerging technology. Each human iris has a unique
texture, and its contours can be mapped in a searchable
database. Proponents of the technology say it won't replace
fingerprinting, but that it offers a speedier and more accurate
way to identify people - whether they are suspects of a crime or
inmates being freed.
"Authorities plan to begin scanning the irises of the county's 2,500
sex offenders within a few weeks - when they register during a
move or when they check in annually as required by law. There
are no plans yet to expand the scanning to others."
A sheriff's department spokesperson stated that the program carries
no cost because a company donated the first iris scanner. The
sheriff's department wants to test the technology and prepare
for a future in which many police agencies scan irises and
officers carry handheld scanners.
Experts on iris recognition technology are cited as stating that the
debate over its use will depend largely on how police decide to
store, share, and protect data, and whether they use iris
scanning more broadly than fingerprinting, which is usually done
after someone is arrested. Another issue, they said, will be
the pace of the advancement of iris-scanning technology.
�
AB 1899
Page 18
Experts predict that, within a few years, iris-scanner companies
will produce devices capable of scanning eyes from several yards
away, even without a person's knowledge. If that happens, there
are sure to be arguments about when and how police will be
allowed to do so.
"Stuart Hanlon, a San Francisco defense attorney, said he was
concerned about the potential for iris scanners to intrude on
people's privacy. 'I don't know why police would start this
without some legislation to back it up.'
"Alameda County's scanner, which retails for $9,995, was donated by
BI{+2} Technologies of Plymouth, Mass., which gave cameras to
six agencies around the country and is banking on a further
expansion of the technology. The firm's scanners have also
captured the eyes of children so that they can be identified if
they are abducted."
This article raises similar problems as those discussed in the RAND
article on facial recognition technology. As stated in the
article, the iris scanning equipment was donated to the Alameda
Sheriff's Department by the developer of this technology.
Obtaining iris scanning cameras by donation, without first
developing a plan for their legitimate use, and using it "to
prepare for a future in which police agencies carry handheld
scanners" raises the specter cited in the RAND article of "Big
Brother" tracking its citizens' every move. A wiser use of the
donated equipment may have been to place it in storage until the
appropriate procedures and protocols could be developed for its
use.
12)Donation of Equipment by Automated Technology Vendors : The
Alameda County article also underlines the potentially dangerous
implications of allowing each local RAN board to establish its
own uses of biometric technology, without regard for legislative
concurrence or oversight, and failing to consider what
limitations should reasonably be placed on the use, storage,
sharing and safeguarding of the data collected through the use
of the donated iris scanner. It also underscores the potential
difficulties that may occur when vendors of biometric equipment
"donate" their equipment to a department that apparently had
previously seen no real need to engage in iris scanning. Having
been given the scanning equipment, a previously non-existent
need was effectively created. The department moved from a
position of not using iris scanning to preparing for a future
�
AB 1899
Page 19
where each of its officers carries handheld scanners. In this
instance, and probably in many others, the industry (which will
profit economically from the future "need" for their equipment)
is the driving force behind a newly-discovered need to scan the
irises of sex offenders.
If the biometrics industry creates the need for use of its
technology, the industry has the potential to profit from huge
economic gains. Is such an atmosphere compatible with the
creation of appropriate procedures and protocols for the use of
this technology and the protection of the privacy rights of the
people who are subjected to being scanned? Genuine law
enforcement needs, supported by appropriate research and study,
should be the driving force behind expansion of biometric
identification, rather than the mere possession of the
equipment, donated by an industry seeking to obtain future
business. The economic interests of biometric technology
equipment should not be the driving force behind the expansion
of the use of this technology. Because of this potential
danger, the need for established criteria limiting the exercise
of the RAN boards' discretion is clearly obvious.
13)Arguments in Support :
a) San Bernardino County Sheriff-Coroner states, "There is
a need to extend the local and regional RAN board's
authority in Riverside and San Bernardino counties to
include additional biometric and/or other automated
identification systems (facial recognition, DNA, iris
scanning). Our local and regional RAN boards'
responsibilities have historically included Cal-DNA and
there is an anticipation of continuing this joint
relationship to administer other biometric and/or other
automated identification systems in the future, possibly
facial recognition, iris scanning, etc. Other local and
regional RAN boards in California, now or in the future,
may be faced with the same option.
"The current statute was written in approximately 1986 at a
time when fingerprints were the most common biometric used
for identification purposes. It limits RAN authority to
fingerprints and does not provide RAN the authority to
administer modern biometric and/or other automated
identification systems to include facial recognition, DNA
and iris scanning.
�
AB 1899
Page 20
"This bill will expand our authority to allow for these other
biometric systems, which will help tremendously in
conducting criminal investigations."
b) The San Diego Sheriff's Department states, "RAN Boards
were created in California in 1986 to provide local
oversight to the application of identification technologies
in the criminal justice system. The aim of the legislature
was to assure that throughout California law enforcement
was deploying the most effective technology to identify
suspects, to populate the State's fingerprint
identification system, and to solve crimes.
"At that time the principle form, indeed the sole form, of
identification technology in the criminal justice system
was to facilitate fingerprint comparison. It was not
envisioned then that identification would be made using
other technologies. Fingerprint technology remains
critical-as a source of identifying known persons within
the system and as a means of solving crimes through latent
print development and identification. But now it shares
the stage with other technologies; facial recognition, iris
scanning, and DNA. These advances create a serious need to
expand the purview of the RAN Board and its resources to
encompass 21st century technology.
"In San Diego County we are aggressively expanding the
application of DNA technology to solve crimes.
Significantly, that effort is dependent upon tapping
California's DNA database or known offenders, CODIS, a
system that in turn relies upon its fingerprint database to
confirm the identity of a suspect. Thus, identifications
through DNA technology and fingerprint methods are today
interdependent. AB 1899 recognizes the interdependence and
its passage would assure a greater deployment of
identification
technologies to solve crimes and to protect the public."
c) Office of the Sheriff, Contra Costa County states,
"[T]hese additional biometric technologies are expensive,
as is the automated fingerprint technologies. The
expansion of RAN Board authority to other identification
biometrics should consider an expansion of the funding
mechanism to prevent a dilution of the existing funding
�
AB 1899
Page 21
sources. The dilution of the existing funding mechanism
could hamper law enforcement from deploying the most
effective technologies available and prevent attaining
programmatic goals relative to identifying suspects and
solving crimes."
7)Arguments in Opposition :
a) The American Civil Liberties Union states, "The
government's creation of databases of individuals in our
society raises critical privacy and civil liberties
concerns. Furthermore, giving local law enforcement
agencies unfettered discretion to create biometric
databases of people who are not convicted or charged with
any wrongdoing is extremely troubling.
"The California Constitution explicitly grants California
citizens the right to privacy, providing in Article I,
Section 1 that 'All people are by nature free and
independent and have inalienable rights. Among these are ?
pursuing and obtaining ? privacy.' The California right of
privacy was specifically added to the Constitution by an
Initiative, which stated it intended to 'prevent government
and business interests from stockpiling unnecessary
information about us and from misusing information gathered
for one purpose in order to serve another purpose or to
embarrass us.'
"The California Supreme Court in Hill v. National Collegiate
Athletic Association (NCAA) stated that '? if sensitive
information is gathered and feasible safeguards are
slipshod or non-existent, or if defendant's legitimate
objectives can readily be accomplished by alternative means
having little or no impact on privacy interests, the
prospect to actionable invasion of privacy is enhanced.'
[ Hill v. NCAA (1994) 7 Cal. 4th 1, at 38.]
"The Department of Justice currently has comprehensive
systems and procedures in place for gathering fingerprints
and DNA from people and for identification of criminal
suspects using fingerprints or DNA obtained from crime
scenes. See Penal Code Section 11112.l1 et seq. and Penal
Code Sections 295 et seq.
"Allowing every local law enforcement entity to create its
�
AB 1899
Page 22
own rules and procedures will lead to disparate privacy
standards not to mention different qualities of information
gathered. For example, facial recognition software is
easily tripped up by changes in hairstyle or facial hair,
by aging, weight gain or loss, and by simple disguises.
There are high rates of both 'false positives' (wrongly
matched people with photos of others) and 'false negatives'
(not catching people in the database.)
"Furthermore, without any limitations on the discretion or
use of these technologies, it is likely that local law
enforcement may be tempted to repeat dragnet-type
activities scanning people in the general population
similar to the surveillance that took place at the Super
Bowl in 2001. The Tampa Police scanned 100,000 Super Bowl
fans into a computerized police line-up without their
knowledge or consent, and apparently only identified a few
minor criminals such as scalpers.
"Unfortunately, between the high-tech companies and the
government there is a huge amount of money to be made, and
a huge amount of privacy to be lost. While we do not
suggest that there is not a need for additional databases,
the state should consider standardizing procedures and
privacy protections for any new databases it considers
worthy of implementation by law enforcement agencies."
b) Taxpayers for Improving Public Safety states, "In
considering the capture, retention and use of all
personally identifiable information, it is in all of our
best interests to assure that uniform policies are in place
throughout the state to protect against inaccuracies, as
well as intentional misuse or even negligence. There are
legitimate concerns that some of these technologies are as
unreliable as polygraph, and may lead to false positives.
"Beyond this, consider the type of information these RAN
Boards seek to collect, and what would happen in the event
this information fell into the wrong hands. In these times
of economic hardship when all public entities must address
budgetary shortfalls, what would prohibit one of the local
or regional RAN Boards from authorizing the sale of
identifying information to a private interest to offset
their budget? Would it be appropriate for a marketing
company to purchase the information, and then sell it to a
�
AB 1899
Page 23
department store to use in tracking private purchasing
habits of its customers?
"If AB 1899 is successful through your Committee, we ask that
certain protections first be in place such as a uniform
statewide standard for how the information is collected and
securely stored, what activities are considered permissive
use, and of course, a prohibition on selling or
inappropriately sharing any of the gathered information."
c) California Attorneys for Criminal Justice state, "Giving
local law enforcement agencies unfettered discretion to
create biometric databases of people who are not convicted
or charged with any wrongdoing is extremely troubling.
"The Department of Justice currently has comprehensive
systems and procedures in place for gathering fingerprints
and DNA from people and for identification of criminal
suspects using fingerprints or DNA obtained from crime
scenes (See Penal Code Section 11112.1 et seq. and Penal
Code Section 295 et seq.)
"Allowing every local law enforcement entity to create its
own rules and procedures will lead to disparate privacy
standards not to mention different qualities of information
gathered. For example, facial recognition software is
easily tripped up by changes in hairstyle or facial hair,
by aging, weight gain or loss, and by simple disguises.
There are high rates of both 'false positives' (wrongly
matching people with photos of others) and 'false
negatives' (not catching people in the database.)
"While cutting edge technologies may be appealing to use,
unproven and inconsistent use of these strategies can
unfortunately result in wrongful criminal accusations
whereby innocent individuals will be faced with criminal
prosecution. California's concern for wrongful
prosecutions should outweigh the desire to adopt seductive
yet unproven technologies."
Prior Legislation : SB 169 (Bowen) of the 2001-02 Legislative
Session, proposed to restrict the use of facial recognition
technology in order to protect personal privacy and the security
of the data collected. SB 169 failed passage in the Senate
Judiciary Committee.
�
AB 1899
Page 24
REGISTERED SUPPORT / OPPOSITION :
Support
San Bernardino County Sheriff-Coroner
San Diego Sheriff's Department
Contra Costa County Sheriff's Department
Peace Officers Research Association of California
Opposition
American Civil Liberties Union
California Attorneys for Criminal Justice
California Public Defenders Association
Taxpayers for Improving Public Safety
Analysis Prepared by : Kathleen Ragan / PUB. S. / (916)
319-3744