Minutes Exhibit B
Minutes Exhibit B Port Commission Regular Meeting: Ton Regis Justis VRQ WORLD PRIVACY FORUM 3 Monroe Parkway Suite P #148 Lake Oswego, OR 97035 www.worldprivacyforum.org Testimony of Pam Dixon to the Port of Seattle Commission regarding the Commission Proposal Regarding Facial Recognition Port of Seattle Commission Commission Chambers Pier 69 2711 Alaskan Way Seattle, WA 98121 2 December 10, 2019 Dear Commissioners: Thank you for the opportunity to comment on biometric policy at this important meeting. Regrettably, we did not learn of the Port of Seattle Commission's earlier meetings regarding biometrics until a week ago. As such, | acknowledge that we are later to the discussion than | would like. Nevertheless, the World Privacy Forum is pleased to submit comments to the Port of Seattle regarding its biometric policy agenda item at this meeting. WPF is one of the top ten global organizations working on digital identity, including biometrics. | have conducted extensive peer-reviewed field research in biometrics, including on India's Aadhaar biometric system, which is the largest biometric system in the world. Our research regarding India's biometric identity system was published in Nature Springer and was cited twice in India's landmark Aadhaar Supreme Court Ruling of 2018. Pam Dixon, A Failure to Do No Harm: India's Aadhaar biometric ID program and its inability to protect privacy in relation to measures in Europe and the U.S., Springer Nature, Health Technology. DOI 10.1007/s12553-017-0202-6. http://rdcu.be/ tsWv. Open Access via Harvard- Based Technology Science: https://techscience.org/a/ 2017082901/. All biometric data, including genetic data, rises to the level of high sensitivity. As such, WPF proposes that biometrics be designated as a technology of very high concern, and be subjected to meaningful safety guardrails. We define biometrics using a modern, technically-aware definition that we developed with leading global biometricians for use in policy settings: Biometric data means an individual's physiological, biological or behavioral characteristics that can be used, singly or in combination with each other or with other Comments of WPF, page 1 of 5 identifying data to establish individual identity. These include but are not limited to imagery of iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template (e.g. a faceprint or a minutaie template or voiceprint, etc ) can be extracted as well as keystroke patterns or rhythms, gait patterns or rhythms, sleep health or exercise data that contain identifying information. The US is one of the few countries where biometric technologies have not yet been as pervasively implemented as in other jurisdictions. But it is very unlikely that the US will fully escape the use of biometrics, as seen in airport biometric entry/exit programs, among other biometrics programs. Because of the significant risks inherent in the uses of the technology, biometrics including facial recognition should be classified as a high-risk technology, and procedural safety protections that are well-tested and understood in other high-risk contexts should be adapted for biometrics and put in place as guardrails. The guardrails we are proposing are similar to those found in existing safety regulations in the US and Europe. We encourage you to consider and adapt these procedures, as they have been discussed by core stakeholders, and have been refined based on many conversations. Regulatory Safety Structures that Act as Guardrails for Biometric Systems (Facial Recognition) The protections fall into three key areas: pre- and post-market safety and quality regulations, use controls, and a consumer complaint mechanism. Pre-and Post Market Safety and Quality Regulations The following pre and post-market safety regulations for biometrics are derived from the existing legislative models of RoHS, REACH, and the Chemical Safety for the 21st Century Act (updates US Toxic Substances Control Act) as well as the Fair Credit Reporting Act. Finally, the consumer complaint mechanisms at the CFPB and CDC provide the model for the post-market consumer complaint reporting. . Classification: Biometrics would be classified as a "technology of very high concern." . Applicable to full supply chain: The regulations would apply to the full supply chain and to any entity that produces, develops, sells, assembles, distributes, installs, and uses biometric systems. " ID risks and reporting requirements: Biometric entities would be required to identify risks in the technology and document and report those risks to the applicable government body. . Testing requirements: Biometric technologies available for use would be required to be tested and evaluated by NIST for accuracy and bias on a regular basis, at a minimum, this review would be updated annually. Comments of WPF, page 2 of 5 Proven safe prior to launch: The technology must be proven safe and fit for purpose prior to launch, and must be cleared for market by the appropriate government oversight body. For facial recognition, a non-discrimination analysis would need to be performed. Product labeling: The biometric product would be labeled for accuracy and for bias. (Facial recognition.) Certification and training requirements would apply. Ongoing monitoring: The full supply chain of vendors and implementors must agree to ongoing monitoring and documentation for compliance. Monitoring can be in real time, or near real-time. Benchmarking program metrics: the stated goals of the biometric installation or program should be tested against benchmarks to factually determine effectiveness and capture hot spots. Use controls: Biometric technology is deployed in specific use cases. Some use cases are not objectionable, however, some uses cases are objectionable and pose serious threats of either discriminatory impact or harm. Use case controls derive from the model of the Fair Credit Reporting Act. Some use cases of biometrics would not be allowed due to safety considerations, or lack of functionality. For example, body cameras equipped with real-time facial recognition are viewed by biometricians and a majority of law enforcement as a high-risk use case. This particular use case has both legal and technical problems. Allowed use cases would have significant definitional controls and procedural requirements. For example, biometrics used in law enforcement investigatory settings would be subject to the procedures set forth at the Federal level. At the state level, the Bureau of Justice Assistance procedures for biometrics use, for example, could be required. https://www.bja.gov/Publications/Face-Recognition-Policy-Development- Template-508-compliant.pdf. Voluntary Consensus Standards could be used in conjunction with legislation to establish ongoing multistakeholder evaluation of emerging use cases. Post-Market Consumer Complaint Reporting: + Voluntary Consensus Standards could be used in conjunction with legislation to eUsing the adverse event reporting model and the consumer complaint model, biometrics technologies would have a dedicated post-market monitoring mechanism at the federal level. " Consumers and others would be able to submit complaints to a central structure. " As with the structure of the existing Consumer Financial Protection Bureau (CFPB) consumer complaints database, complaints would be available for viewing within a matter of a week, and the complaints would be available for download and analysis. This data will provide ongoing insight into problem areas and detailed implementation feedback. Comments of WPF, page 3 of 5 Key Underlying Safety Statutes RoHS: EU Directive, also implemented in some US states. As of July 2019 all RoHS deadlines active; Directive is now applicable to any business that sells electrical or electronic products, equipment, sub-assembilies, cables, components, or spare parts directly to RoHS-directed countries, or sells to resellers, distributors or integrators that in turn sell products to these countries, is impacted if they utilize any of the restricted 10 substances. Requires products to be cleared for market prior to launch and meaningful compliance documentation/recordkeeping from all parties in the supply chain, regularly updated information, mandatory compliance labeling. In the US, California, Colorado, Illinois, Indiana, Minnesota, New Mexico, New York, Rhode Island, and Wisconsin have enacted RoHS-like and e-waste regulations. REACH: EU Regulation Applies to essentially every product manufactured, imported, or sold within the EU. REACH regulates chemical substances, particularly those known as Substances of Very High Concern (SVHC). Substances considered carcinogenic, mutagenic, toxic for reproduction, or bioaccumulative fall under SVHC criteria. EU manufacturers and importers are required to register all substances produced above a set yearly volume to: ID risks associated with the substances they produce Demonstrate compliance in mitigating the risks to ECHA Establish safe use guidelines for their product so that the use of the substance does not pose a health threat. Chemical Safety for the 21st Century Act: US, federal Requires pre-manufacture notification for new chemical substances prior to manufacture. Where risks are found, requires testing by manufacturers, importers, and processors Requirements for certification compliance Reporting and record keeping requirements Requirement that any person manufacturing (including imports), processes, or distributes in commerce a chemical substance or mixture and who obtains information which reasonably supports the conclusion that such substance or mixture presents a substantial risk of injury to health or the environment to immediately inform EPA, except where EPA has been adequately informed of such information. The EPA screens all TSCA b8(e) submissions. Thank you for your attention to our comments. Biometrics are systems of various technologies, and they are complex. We are deeply invested in how to establish flexible, future-proof (as much as is possible) biometric guardrails. Thank you for your consideration. We look forward to having further discussions with you and working with the Commission regarding this important topic. s/ Comments of WPF, page 4 of 5 Pam Dixon Executive Director, World Privacy Forum Comments of WPF, page 5 of 5
Limitations of Translatable Documents
PDF files are created with text and images are placed at an exact position on a page of a fixed size.
Web pages are fluid in nature, and the exact positioning of PDF text creates presentation problems.
PDFs that are full page graphics, or scanned pages are generally unable to be made accessible, In these cases, viewing whatever plain text could be extracted is the only alternative.