MINUTES EXHIB,r -2..._
Port Commission 't:  9 c, (c.,,   -r
Meeting of
tr,br"(A.G/
is,e19H;
The Identity Project
www.PapersPlease.org
1222 PreseNation Park Way, Suite 200
Oakland, CA 94612
510-208-7744 (office)
415-824-0214 (cell/mobile)
Comments of the Identity Project to the Port of Seattle Commission
for the Commission meeting of February 25, 2020, regarding
policies for automated facial recognition at Sea-Tac Airport
Members of the Port of Seattle Commission, Port of Seattle Commission Commillee on
Biometrics, and Biometrics External Advisory Group1:
The Identity Project (PapersPlease.  or:g) thanks you for the opportunity to
comment on the actions being taken to implement your resolution of December 10, 2020,
regarding use of automated facial recognition at the Port of Seattle, including the Request
For Proposals (RFP) posted by the Port for shared-use Port-owned facial recognition
systems for airline use at departure gates at Sea-Tac International Airport2 and the draft
by Port staff of recommendations proposed to the Biometrics External Advisory Group3
We are concerned that:
l.  The Port has, according to the RFP, already made a "commitment" to U.S.
Customs and Border Protection (CBP) to deploy a biometric exit system at all
gates of the new International Arrival Facility (IAF) at Sea-Tac;
2.  The RFP requires bids to be submitted months before the biometrics policies and
procedures which bidders will be required to comply with are finalized;

1. Information about the BEAG has been posted at   . But that Web page does not appear to be linked from anywhere on the
Commission section of the Port website or any of the Port's blog posts or news releases, so it's
not clear how members of the public would find it. We have been unable to find any agendas,
minutes, or notices of meetings of the Committee on Biometrics on the Port website.
2. RFP 19-86, "SEAAirport Biometric Air Exit System", posted January 31, 2020, at
.
3. "Draft, Port of Seattle Public-Facing Biometrics Policy Biometric Air Exit Recommendations,
March 31, 2020, posted February 2020 at .
The Identity Project - Comments to the Seattle Port Commission - 2/25/2020 - page 1 of 10

3.  The Port staff draft of recommcndatlons proposed to the Biometrics External
Advisory Group contains material mlsstatements of law and fact; and
4.  Neither the RFP nor the draft recommendations include any of the Port, airline,
biometrics vendor, or CBP policies or notices (if any such policies exist) which
wouJd apply to the collection and use of facial images at biometric exit stations.
According to the RFP4, "SEA has issued a letter of commitment to deploy a
pem1anent biometric system for departing international flights .... TI1e primary objectives
of the Biometric Air Exit system project include: Ability for SEA to meet its committed
obligation to tJ1e CBP of installing a Biometric Air Exit system."
This "letter of commitment" is not included in tJ1e RFP package on tJ1e Port
website, and was not mentioned during the Commission meeting of December 10, 2019.5
Commissioners who voted for the resolution on biometrics adopted at that
meeting stated that the resolution was intended to leave open all possibilities including
that the Port might decide not to permit deployment of any public-facing biometrics. Thqt
suggests either that Commissioners were unaware of the "letter of commim1ent"
mentioned in the RFP, or did not believe that it was binding on the Port.
If Port staff believed that a "letter of commitment" already issued by the Port to
CBP ruled out some policy options being discussed by Commissioners, Port staff should
have raised this during the meeting on December 10, 2019 - if not sooner. The failure to
do so raises a substantial question as to whether the Port has acted in good faith.
Now that it has been pointed out, the Port may wish to disclaim the official
statement in its RFP of this "commitment" - just as, after we pointed it out, CBP
disclaimed the official notice in its regulatory agenda of its intent to promulgate
regulations requiring US citizen travelers to submit to mug shots.6
But even if the RFP is now revised, this statement in the RFP - issued well after
the adoption of the Commission's policy on public-facing biometrics - suggests that
some Port staff didn't get the memo, and still take the outcome of the Port's "review" of
public-facing biometrics for granted. The boosterism toward biometric identification of
travelers evident in this and oiliers of the Port's prior statements regarding these programs
casts further doubt on the impartiality of Port staff and their ability to conduct or oversee
an open-minded assessment of biometric passenger identification systems.
4. Note 2, supra, "RFP 19-86 (SEA Airport Bio Air Exit System).pdf" at 40, 41
5. We understand that a request to the Port for disclosure of this letter pursuant to the
Washington Public Records Act (PRA) is pending.
6. The Identity Project, "DHS postpones plan for mug shots of innocent US citizen travelers"
(December 5, 2019), .
The Identity Project- Comments to the Seattle Port Commission - 2/25/2020 - page 2 of 10
--------------------------------------------- -----

Is the Port's current policy-development process a good-faith effort to determine
what, if any, use of public-facing blomelrics should be pennitted on Port property?
Or is it merely window-dressing for decisions l11at are already {aits accomplls?
The Port cannot legally say one thing about its intentions and commitments (or
lack thereof) to prospective bidders through its formal RFP, while disclaiming the
intentions and commitments in the RFP in other infonnal communications.
Such actions would invite challenges to the eventual contract award, or to the
decision not to award any contract, by disappointed bidders who relied on the RFP.
lf the intentions expressed in the 2018 leuer from the Port which was explicilly
referenced in the RFP no longer reflect the Port's intentions, and if the Port does not
consider itself committed to deploy or procure any public-facing biometric systems, then
a fonnal amendment to the RFP must immediately be issued, explicitly disclaiming the
intentions stated by the Pon in the 2018 letter 10 CBP.
The amendment to the RFP should explicitly infonn potential bidders that the
statements regarding "commitments" in the original RFP are incorrect; that the Port does
not consider itself committed to deploy or procure any public-facing biometric systems;
that no binding contractual commitments will be entered into until after the completion of
the current policy-development process; and that the Port may not award any contract at
all based on the RFP.
Even if it is amended with respect to the Port's (lack of) commitment to biometric
exit systems, the RFP for new biometric exit systems requires bids to be submitted and
contemplates the award of a contract before the Port's policies for biometrics are
finalized. This would prevent vendors from knowing or factoring into their bids what
those policies might require or prohibit. It would also prevent those yet-to-be-determined
policies from forming the basis for the Port's bid assessment and contract award.
If it is not withdrawn entirely, the RFP should be amended so as not to require the
submission of proposals until a reasonable time after the Port completes the current
biometrics policy-development process, and not to contemplate the award of a contract
until a further reasonable time after that, to allow the Port to assess bidders' proposals to
comply with those policies.
Further question as to what previously-undisclosed decisions have already been
made is raised by the statement in the Port staff draft of recommendations proposed to the
Biometrics External Advisory Group7, "SEA's International Arrivals Facility will
incorporate facial recognition for almost all arriving passengers (other than those U.S.
7. Note 4, supra, at 25
The Identity Project - Comments to the Seattle Port Commission - 2/25/2020 - page 3 of 10

itlzens, ho opt out.''
It's not clear what the basis is for this statement of what the lAF "will"
incorporate for "almost all"aniving passengers. Many, perhaps most, passengers arriving
at  E  on international nights are U.. citizens.   BP has neither requested nor received
approval from t.he Office of Management and Budget (0MB) for w collection of facial
images or other biometric data pertaining to s!.llY. U.S. citizens traveling by air, whet11er on
anivlng or departing international or domestic lights.
Unless affected individuals are provided wit.h an applicable OMB-approved PRA
notice including an 0MB Control Number, any such collection of information, even if
voluntary, is in flagrant violation of the Paperwork Reduction Act of 1980.
This includes the current illegal collection of biometric (facial image) data of
arriving U.S. citizens at the Automated Passport Control (APC) kiosks at SEA. No 0MB
approval has been obtained and no 0MB Control Number or PRA notice applicable to
collection of photographs of U.S. citizens is provided to APC kiosk users.
This also includes all current collection of biometric data by CBP from departing
airline passengers, regardless of I.heir citizenship or immigration status, including I.he
ongoing illegal CBP biometric exit operations at certain international gates at SEA.8 No
0MB approval has been applied for or granted, and no 0MB Control Number or PRA
notice is provided, at any of the current biometric exit stations at deparrure gates.
Any CBP collection of biometric data from any departing passengers, or from
arriving U.S. citizens, would require new approval from 0MB and new on-site notices.
If CBP has given notice to I.he Pon of Seattle of its intention to seek approval
from 0MB for collection of facial images or other biometric data from arriving U.S.
citizens or any departing passengers, the Port and CBP should fully disclose I.hose plans,
In the meantime, the Port should withhold approval of any CBP or other Federal
collection of biometrics unless and until it is approved by 0MB, and the approved PRA
notices can be reviewed by the Port and members of the public.
The Port staff draft of recommendations proposed to the Biometrics External
Advisory Group falsely claims that, "In fact, U.S. Customs and Border Protection (CBP)
is Congressionally mandated to implement a biometric exit and entry screening process
for all international passengers."9
No basis for this claim is provided, and none exists. In fact, the Congressional
mandate for biometric entry and exit systems is limjted to non-U.S. citizens.
8. Note 3, supra, at 5
9.Note 3, supra, at 3
The Identity Project -Comments to the Seattle Port Commission - 2/25/2020 - page 4 of 10



...------------------------.bW-tffl i,_,_,...  ,"ti '"" WWW__ ,_,,____________

In our written Lestimony submitled lo the Pon of Seattle  omm1ss1on on
December 3, 2019,10 and in a blog pos1 the same day,11 we pointed out tJiat CBP had given
official notice that ii intended to propose regulations requiring U.S. citizens to submit lo
biometric exit processing. WitJ1in two days, in response to public and Congressional
outrage, CBP announced that it had no such intention and would withdraw its notice.12
Since no such regulations have been proposed or reviewed, it would of course be
premarure for the Port of Seattle to assume that, even if proposed, they would be upheld.
The false claim that any collection of biometrics from traveling U.S. citizens is
Congressionally mandated is completely unsupported, and should be removed from the
recommendations of the Biometrics External Advisory Group and other Port documents.
At SEA, as at every other U.S. airport or port of entry, biometric entry and exit is
Congressionally mandated only for non-U.S. citizens. The Pon cannot pass the buck to a
fictitious "Congressional mandate" for the Port's own decision not merely to allow, but to
operate, systems to collect facial images and/or other biometric data about U.S. citizens.
The Port's plans to procure and deploy biometric traveler identification systems,
and to share biometric data of travelers with both CBP and airlines, are especially
troubling in light of tJ1e absence from the draft policies and procedures of any mention of
the Port, CBP, airline, or vendor privacy policies (if any) applicable to such data.
According to the generally accepted norms of Fair Information Practices13,
"transparency", "voluntariness"14, and "ethics" with respect to the collection and use of
personal data - which are among the core principles of the Pon of Seattle Commission's
resolution on public-facing biomerrics - include the right of data subjects to access, on
request, infonnation about themselves.
10. Available at .
11. The Identity Project. "Seattle Port Commission to consider rules for airport facial recognition"
(December 3, 2019), .
12. The Identity Project, "OHS postpones plan for mug shots of innocent US citizen travelers"
(December 5, 2019), .
13. See Pam Dixon, World Privacy Forum, "A Brief Introduction to Fair Information Practices",
.
14. "Voluntariness" depends on consent, and meaningful consent requires informed consent. The
ability to know what data has been collected about oneself, and with whom it has been shared, is
an essential prerequisite to any possibility of informed consent.
The Identity Project - Comments to the Seattle Port Commission - 2/25/2020 - page 5 of 10

In the U.S. Privncy Act, t.he European Union General Oat.a Protection Regulations
(GDPR)1S, and Lhe Canadian Personal Information Protection and Electronic DocumenlS
Act (PIPEDA)16, Lhese righLS also include, as tJ1ey should, tJ1e right of a dala subject lo
obtain, on request, an accounLing of disclosures of such data to Lhird parties.
The RFP for biometric exit systems should require Lhe submission of this
information with respect to the bidder and any other data controlJers or processors.
The procedures for review of any current or proposed biomet.ric traveler
idenLificat.ion system, including review of any RFP or proposal, should specificaUy and
explicitly require disclosure to the public and review by the Port of each of the folJowing:
A) The System Of Records Notice (SORN), as published in the Federal Register,
for each system of Federal records in which biometric information pertaining to
travelers and collected through the system is or would be stored;
B) Any Federal regulations or Notice Of Proposed Rulemaking (NPRM)
promulgated by the agency responsible for each such system of records, which
exempts or proposes to exempt the system of records from any of the
requirements of the Privacy Act regarding access to records by individuals,
access to an accounting of disclosures, or civil remedies;
C) The 0MB Control Number and the Paperwork Reduction Act (PRA) notice
approved by0MB as part of its issuance of that control number for each
collection of biometric information from individuals, including voluntary or
involuntary collections of information from U.S. or non-U.S. citizens;
D) The Port privacy policies applicable to personal information generally and
biometric data in particular collected or processed by the Port, including by or at
Port-owned and/or Port-operatedbiometric  entry, exit, or boarding stations,
including the means available to individuals to access information about
themselves and to obtain redress for violations of these policies;
E) The privacy policy of each airline participating in any current or proposed
public-facing biometric system, as stated in its tariff or conditions of carriage,
including the means available to individuals to access information about
themselves and to obtain redress for violations of these policies; and
15. Several airlines based in the European Union operate flights to and from SEA. Personal data
collected or processed at SEA, or anywhere in the world, by or on behalf of EU-based airlines is
subject to the GDPR. "Common-use" systems and equipment for collection or processing of
personal data at SEA must comply with the GDPR if they are to be usable by or for such airlines.
16. PIPEDA applies to personal data pertaining to passengers on flights between the U.S. and
Canada, regardless of the country where the airline operating the flight is based. "Common-use"
systems and equipment for collection of personal data at SEA must comply with PIPEDA if they
are to be usable for such flights.
The Identity Project - Comments to the Seattle Port Commission - 2/25/2020 - page 6 of 10

F) The privacy policies of any Pon and/or airline vendors, contractors,
subcontractors, or service providers that will store or process biometric data,
including the means available to individuals to access infonnation about
themselves and to obtain redress for violations of these policies.
Many of these policies and notices do not yet exist, precluding any review by the
Port, much less approval, of biometric systems that lack them.
While CBP has promulgated SORNs for several systems of records in which
biometric data pertaining to travelers is or might be stored, CBP has also promulgated or
proposed rules exempting each of these systems from the requirements of the Privacy Act
for individuals to be able to access infonnation about themselves, to obtain an accounting
of disclosures, and to obtain redress through civil remedies.17
A Federal system of records that has been exempted from these requirements is,
per se, in violation of generally-accepted Fair Infonnation Practices and the Port's criteria
for public-facing biometrics of transparency, voluntariness, and ethics.
So far as we can detennine, no 0MB approval has been applied for or obtained by
CBP for collection of biometric information from U.S. citizens at points of entry or exit
or at departure gates. No PRA notices have been approved, or are in place, for such
collections, including those already ongoing at APC kiosks and departure gates at SEA.18
The absence of any enforceable policies guaranteeing data subjects' rights of
access to their own personal data and to an accounting of disclosures to third parties is
sufficient to establish conclusively that the current and proposed biometric entry and exit
systems do not comply with the norms of Fair Information Practices or the Port's
principles, and should not be approved, acquired, or deployed by the Port of Seattle.
The Port has published a privacy policy applicable to personal information
collected through the PortSeattle.org website. But we have been unable to identify any
Port policy for personal information generally, or biometric data specifically, collected by
the Port about travelers or other Port visitors.
Airline privacy policies we have reviewed do not mention biometric data, and are
freestanding documents not included in airlines' tariffs or conditions of carriage and
therefore of dubious enforceability. As we discussed in our written comments to your

17. See the discussion of these exemptions in our written public comments to the Port of Seattle
Commission of December 10, 2019, note 9, supra.
18. PRA notices are especially critical to voluntariness because they are required to include
explicit notice that individuals are not required to respond to any Federal collection of information
that does not include a valid (and thus publicly verifiable) 0MB control number.
The Identity Project - Comments to the Seattle Port Commission - 2/25/2020 - page 7 of 10

11 is for good reason that the Priv11cy Act -- in a provision21 which ha  bctn
omplet ly Ignored by BP in developing and deploying biometric emry, exit, and
depanurc systems - requires that, "Each agency tha1 maintains a syst m of records hall -
...  colic t info1mation 10 the greatest extent praclicable directly from the subject
individual when the information may result ln adverse determinations about an
individual's right , benefits, and privileges under Federal programs."
The Port should heed thls lesson, and require CBP to do its own data collection .
The Port can, and should, require that any collection of biometric data about
travelers by the Port and/or by airlines as Port tenants be comple1ely and explicitly
separate from any collection or sharing of biometric data by or with CBP.
As wen. and other organizations including the ACLU23 have observed, many of
the problems with the emerging common vision24 of airlines, airports, and government
agencies for shared-use biometric systems stem precisely from their shared character.
"Common-use" systems and the commingling of data collected for use by
different entities - some Federal (CBP), some state or local (the Port), some private but
regulated as common carriers (airlines), some private and unregulated (system vendors) -
create particular problems with respect to both transparency and voluntariness.
In such an environment of shared data use and public-private partnerships, it is
much harder for travelers to know which information is being requested or demanded, the
legal bases on which information is requested or demanded, which entities will receive
which information, the policies applicable to its use, and the procedures for redress if
those policies are violated, with respect to each of the "partners" involved.
Especially for foreigners and travelers who are not native speakers of English, it is
difficult even with the clearest separation and signage to be sure which requests for
information by people in uniforms come from the government and which from private
entities, which can be declined without penalty, and which are required by law.
"Informed consent" or "voluntariness" is a sham in such a context.

21. 5 U.S.C. 552a (e)(2).
22. The Identity Project, "CBP expands partnership with airlines on facial recognition" (August 28,
2018), .
23. "U.S. Customs and Border Protection"s Airport Face Recognition Program", White Paper by
Jay Stanley, ACLU's Speech, Privacy. and Technology Project (February 2020).
.
24. The Identity Project. "Airports of the future: surveillance by design" (December 17. 2019),
.
The Identity Project - Comments to the Seattle Port Commission - 2/25/2020 - page 9 of 10

And it ls difficulL or impossible for anyone Lo choose Lo conseni to provide
info1mation Lo some of those entities, but not others. What if, for example, an individual
is willing to provide biometrics to the airline, but not Lo CBP? Or vice versa?
We hope that our comments will help you Lo understand why the public-facing
biometrics principles you have adopted require the rejection of Port participation in the
current and proposed biometric entry, exit, and boarding programs.
We remain available Lo members of the Commission, Port staff, and the
Biometrics External Advisory Group to provide our expertise and assistance.

Sincerely,

Edward Hasbrouck
Consultant on travel-related civil liberties and human rights issues
The Identity Project











The Identity Project - Comments to the Seattle Port Commission - 2/25/2020 - page 10 of 10