The Washington Post reported recently that U.S. Immigration and Customs Enforcement (ICE) officials have accessed, without obtaining judicial process, a Maryland facial recognition database that contains photographs of more than 275,000 undocumented immigrants who have obtained special driver’s licenses under a 2013 state law. “It’s a betrayal of immigrants’ trust for the [state] to turn around and let ICE run warrantless searches on their faces,” Harrison Rudolph, a facial recognition expert at Georgetown’s Center on Privacy and Technology, told the Post.
According to a letter from a state official that the Post obtained, over the past two years, ICE has logged more than 50 “sessions” in the Maryland database, known as the Maryland Image Repository System (MIRS). A Maryland government document explains that MIRS, which the state government has operated since 2011, allows law enforcement to compare images of unidentified individuals to images collected by the state’s motor vehicle and criminal justice agencies.
The Post article noted that, unlike arrangements between ICE and other states that require state officials to run the facial recognition searches, “Maryland records show that ICE officials across the country can independently search [the database] without outside approval.” While the legal basis for the agreement has not been made public, according to the Post, Maryland Sen. Clarence Lam had “gleaned from meetings with [state] agency officials that it started with a memorandum of understanding around 2012.” An ICE spokeswoman told the Post that the agency is complying with federal law.
ICE’s use of the Maryland database raises at least two significant legal questions: first, whether ICE has complied with federal laws governing the use of new technologies that implicate privacy rights; and second, whether these searches are subject to the Fourth Amendment. (While the Maryland legislature has not approved ICE’s access to the state database, existing state law seems to permit access for federal law enforcement purposes; lawmakers have recently introduced bills that would require ICE to obtain a warrant to access the system.)
Federal statutes and regulations, meanwhile, grant ICE broad investigative authority. And the federal Driver’s Privacy Protection Act allows for state motor vehicle officials to disclose personal information to federal law enforcement. However, as a Department of Homeland Security guidance document makes clear, two statutes—the E-Government Act of 2002 and the Homeland Security Act of 2002—generally require the government to complete a Privacy Impact Assessment (PIA), a formal document that addresses potential privacy concerns, when it deploys new systems that use personally identifiable information. As the guidance document explains, a PIA “examines how the Department has incorporated privacy concerns throughout its development, design, and deployment of a technology, program, or rulemaking.” To date, ICE has not made public a PIA in connection with its search of state facial recognition databases.
Indeed, that ICE conducted a PIA in 2017 for its use of commercial automatic license plate readers strongly suggests that a PIA is necessary for ICE’s access of state databases. The commercial license plate reader database and the Maryland database share a number of similarities: They are both databases maintained outside of ICE’s control that contain vast amounts of information (including information not relevant to ICE’s purposes), and there is risk that both databases contain inaccurate information. (A recent Government Accountability Office study was critical of the FBI for its use of state facial recognition technology without ensuring its accuracy.) For the license plate database search, ICE’s impact assessment establishes that ICE regulates who may access the database, delineates the purposes for which the information can be used, and creates audit procedures, among other restrictions. (Notably, the ACLU alleges that ICE has not followed its own license plate database regulations.) Clearly, many of those same types of rules are likely necessary to ensure that ICE’s use of the state database is responsive to privacy concerns.
Whether ICE searches of the Maryland database implicate the Fourth Amendment is an open question after the Supreme Court’s landmark decision in Carpenter, which established protections for cell phone location data that exposed an individual’s location history. In Carpenter, the court based its opinion in part on the principle that “a central aim of the Framers was ‘to place obstacles in the way of a too permeating police surveillance.’” According to some scholars, such reasoning is consistent with the idea that the Fourth Amendment is meant to impose limits on surveillance when new technology significantly lowers the costs for the government. And while scholars such as Paul Ohm note that under certain circumstances facial recognition technology that tracks a person’s movements would clearly fall under Carpenter, Andrew Ferguson’s testimony before the House Oversight and Reform Committee illustrates that facial recognition technology has different Fourth Amendment implications depending on its use. Ferguson explained that searches like ICE’s use of the Maryland database are unlikely to receive Fourth Amendment protections under current law, since “[a] facial recognition image match would reveal identity, but not necessarily location, tracking history, or aggregated private details.” Moreover, the Supreme Court has established a high bar for the suppression of evidence obtained in violation of the Fourth Amendment in immigration proceedings.
Given the sweeping ramifications of law enforcement’s use of facial recognition technology, it is striking that ICE has been able to use the technology even without Congress’s or the Maryland legislature’s affirmative sanction of the practice. And, despite the known flaws with facial recognition technology, ICE has proceeded to use it largely out of public sight. At the very least, ICE ought to make public the circumstances in which it uses such technology.