The Identity Project
www.PapersPlease.org

1222 Preservation Park Way, Suite 200
Oakland, CA 94612
510-208-7744 (office)
415-824-0214 (cell/mobile)

Comments of the Identity Project to the Port of Seattle Commission
for the Commission meeting of March 10, 2020, regarding policies
and procurement of systems for automated facial recognition at Sea-Tac Airport

Members of the Port of Seattle Commission, Port of Seattle Commission Committee on
Biometrics, and Biometrics External Advisory Group:

The Identity Project (PapersPlease.org) thanks you for the opportunity to
comment on (1) the proposal to authorize the Executive Director of the Port to approve a
contract for acquisition by the Port of shared-use Port-owned facial recognition systems
for departure gates at Sea-Tac International Airport," and (2) the draft by Port staff of
recommendations proposed to the Biometrics External Advisory Group regarding "Non-
Federally Mandated Biometrics for Passenger Processing Recommendations"?

The proposed procurement and deployment would violate Federal law, the norms
of Fair Information Practices (FIPPs), and the professed "principles", including FIPPs, of
both the Port and US Customs and Border Protection (CBP). It should be rejected, and
the RFP for this project should be withdrawn or, at a minimum, postponed.

1. We have been unable to find any agendas, minutes, or notices of meetings of the Committee
on Biometrics on the Port website.

2. "Authorization for the Executive Director to (1) award and execute a contract for a Biometric Air
Exit system for up to 30 international boarding gates at Seattle-Tacoma International Airport; and
(2) implement Executive policies for regulating the use of biometric air exit systems at Port
facilities. Contract authorization includes (1) procuring hardware, software, vendor
implementation services, and recurring maintenance fees for up to ten years; and (2) using port
staff for construction and implementation; Total project cost for authorization of $5,715,000 is
comprised of project costs of $2,715,000 and recurring maintenance costs for up to ten years
estimated at $3,000,000 budgeted in annual operating budgets." Item 8a of agenda for Port of
Seattle Commission meeting of March 20, 2020, .

3. "Port of Seattle Public-Facing Biometrics Policy, Non-Federally Mandated Biometrics for
Passenger Processing Recommendations, Draft as of February 28, 2020." We have been unable
to find this document anywhere on the Port website, including on the Biometrics External Advisory
Group page, but a copy was provided to us by one of the members of the BEAG. This document
should, of course, be posted for public review and comment before any decision is made about it.

The Identity Project  Comments to the Seattle Port Commission  3/10/2020  page 1 of 5

There is already ample evidence that the proposed biometric departure gate
systems would like the current biometric arrival and departure systems used at Sea-Tac
violate Federal laws,* FIPPs, and the professed principles of the Port and of CBP'.

None of the issues raised in our comments of February 25, 2020, have been
addressed. None of the violations of Federal law by CBP we pointed out have been
corrected.  So far as we can tell, no changes have been made or are contemplated to bring
CBP's actions into compliance with Federal law, with FIPPs, or with either the Port's or
CBP's professed principles, whether or not the Port proposal is approved:

1.  Having the Port, airlines, or any other third party  rather than CBP itself 
operate the cameras and collect photos for CBP use violates the explicit mandate
of the Privacy Act that this data be collected directly from individuals by a
Federal agency if is is used (as it is in this case) as part of the basis for making
decisions about access to Federal rights (such as Federally-licensed air travel).

2. CBP still fails to provide the notices required by the Paperwork Reduction Act 
including notice of the right not to respond to any Federal collection of
information that does not display a valid OMB Control Number  at biometric
arrival and departure stations at Sea-Tac or any other airport.

3.  CBP's regulations exempting the systems of records in which it stores facial
images from the provisions of the Privacy Act regarding rights of access,
accounting for disclosures, and civil remedies render these systems in violation of
FIPPs and the professed principles of the Port and of CBP.

4. See the analysis of ongoing violations of the Privacy Act and the Paperwork Reduction Act in
our February 25, 2020, comments to the Port Commission and the BEAG,
lea;     rg/wp/wp-content/uploads/2020/02/IDP-SEA-Port-Comm-
25FEB2020.pdf>. Neither of these statutes and none of the issues we raised are mentioned in
the RFP, the proposal for action by the Commission, or the Port staff draft of recommendations.

5. FIPPs are expressly endorsed by both the Port "principles" and CBP's "requirements.

6. Port of Seattle Commission, Motion 2019-13, adopted December 10, 2019,


7. U.S. Customs and Border Protection, "Biometric Air Exit Business Requirements, Version 2.0,
January 2020." Although this document is incorporated by reference in the RFP and the proposal
for action by the Port Commission, it has not been posted on the Port website and was first
provided to us on March 8, 2020. On information and belief, this document was not provided to,
and has not been reviewed or discussed by, the members of the BEAG.

8. CBP's "Biometric Air Exit Business Requirements" explicitly incorporate and endorse "DHS
FIPPs" as "Appendix B", including that "DHS should... provide appropriate mechanisms for
access, correction and redress for DHS's use of Pll [Personally identifiable Information]." These
are exactly the rights that CBP has revoked by promulgating Privacy Act exemption rules.

The Identity Project  Comments to the Seattle Port Commission  3/10/2020  page 2 of 5

It isn't just that CBP is violating the Privacy Act, or that collecting facial images
and sending them to CBP would make the Port complicit in this violation of Federal law.
The violation of the Privacy Act by CBP lies specifically in CBP's outsourcing the
collection of this personal data to the Port, airlines, or any other non-Federal entities.

This provision was and is included in the Privacy Act for good reason. The Port
should heed it, and make CBP comply with Federal law by collecting any personal data it
uses for making decisions about individuals, including facial images of travelers, directly
from those individuals. CBP could collect this data itself at Sea-Tac, as it does at some
other airports. It doesn't want to, but it has clearly demonstrated that it could do so.

If there is one lane at a departure gate, or on arrival, where a uniformed CBP
agent is photographing travelers, and one lane without a Federal law enforcement officer
with a camera, travelers will have a much clearer and more informed choice  and one
that, unlike the proposal before the Port Commission, might comply with the Privacy Act.

Some Port staff, in their proposals to the BEAG and the Port Commission, have
suggested that by owning and operating facial recognition systems the Port would have
more control over signage and other notices provided to the public to enable more
informed consent and mitigate the harm to the public of CBP's (illegal) activities.

But in fact, the proposed procurement would have exactly the opposite effect. By
agreeing to comply with CBP's "Requirements"  which are explicitly incorporated by
reference in the RFP and the proposal for action by the Port Commission  the Port
would be tieing its own hands and committing itself to display CBP's signs  regardless
of their truth or falsehood or their compliance with the law  and not to display any
signage, make any announcements, or provide any information not approved by CBP.

Item 8 of CBP's "Requirements" would prohibit the Port from posting any signs
or distributing any communications pertaining to CBP's use of biometrics without CBP's
prior approval.

Item 13 of CBP's "Requirements" would obligate the Port to post whatever
signage CBP demands, regardless of whether the Port considers it inaccurate, misleading,
or incomplete.

In effect, these provisions would amount to a (self-imposed) gag order not to
criticize CBP, and a (self-imposed) agreement to serve as a mouthpiece for CBP
propaganda, regardless of its truth or falsehood. Rather than enabling the Port to mitigate
the harms of CBP's (illegal) practices through more or better signs or announcements, the
proposed action by the Port Commission would prevent the Port from doing so.

If CBP fails as it has failed to date at Sea-Tac and all other airports with
biometric departure gates  to post the notices required by the Paperwork Reduction Act,
informing individuals, regardless of citizenship or immigration status, of their right not to

The Identity Project  Comments to the Seattle Port Commission  3/10/2020  page 3 of 5

respond to any Federal collection of information that does not display a valid OMB
Control Number and PRA notice, the Port itself should post such notices at all gates. But
the Port won't be able to do so without CBP approval (which wouldn't be likely to be
granted) if the Port Commission approves the proposal on your agenda for action today.

The issues discussed above  the illegality of CBP's actions and the
incompatibility of the proposal with FIPPs or with the principles professed by both the
Port and CBP - already provide more than sufficient basis for the Port Commission to
reject the proposal before you, and to direct that the RFP be withdrawn.'

But even if you are not yet prepared to withdraw the RFP (amended to make clear
to potential bidders that the Port is not committed to such a project, and that no final
decision will be made until the Port completes its policy-development process), it would
be premature to approve or authorize approval of any procurement contract.

None of the applicable airline or Port privacy policies (if such exist, which
remains in doubt) or contracts with CBP (again, if such exist) have been disclosed.! The
only relevant CBP documents which have been disclosed are non-binding, aspirational
secondary-source documents. These include Privacy Impact Assessments, which should
be, but in the case of CBP typically are not, descriptions of policies and practices defined
in specified and publicly-disclosed laws, regulations, and contracts. These secondary
sources also include CBP's "Business Requirements", which may or may not accurately
describe the provisions of not-yet-disclosed and possibly nonexistent contracts with
airlines, the Port, and system vendors, and which describes practices directly contrary to
the Fair Information Processing Practices stated by CBP in the same document.

While the item on your agenda for action today concerns the procurement of Port-
owned cameras at departure gates to collect and send photos of passengers to CBP, we
would like to take this opportunity to provide a preliminary comment on the Port staff
draft of recommendations concerning "Non-Federally Mandated Biometrics for
Passenger Processing".

Missing from that draft is any explanation of the purpose or justification for
airlines to identify passengers, independent of any Federal mandate.

9. In our comments to you of February 25, 2020, we pointed out the statements in the RFP
regarding a Port "commitment" to deploy biometric exit systems. Amendment 2 to the RFP states
that, "The airport will be providing a Biometric Air Exit platform at an initial thirty gates for airline
use. The platform will be a multi-use solution of airport provided infrastructure." There is still no
indication in the RFP that the Port might decide not to acquire or deploy such a system. The
continued failure to provide such notice to potential  bidders continues to place in question the
good faith and open-mindedness of Port staff with respect to this decision.

10. The Identity Project still has received no response to our overdue Freedom Of Information Act
request for any CBP contracts with airlines pertaining to facial images of Dagsengess. which was
attached to our comments to you of December 10, 2019, .
The Identity Project  Comments to the Seattle Port Commission  3/10/2020  page 4 of 5

Airlines could, and did, operate for decades without requesting ID from
passengers. Airlines began asking (but not requiring) passengers to identify themselves
only when they were ordered to do so by the FAA (the predecessor of the TSA). The only
lawful reason for airlines to ask passengers for ID is to satisfy a government mandate.

As common carriers, airlines are required to transport all passengers, regardless of
who they are, and are required to sell tickets at prices determined by a public tariff.

An airline cannot lawfully "reserve the right to refuse service". It cannot lawfully
personalize prices or charge different prices based on passengers' identities.

So why do airlines think they "need" to identify passengers at all, by any means?

One cannot assess the justification (or lack thereof) for  biometric  identifi
travelers for non-Federally mandated purposes without first assessing the justification (or
lack thereof) for identification of travelers generally for such purposes.

This assessment is entirely absent from the draft recommendations for Port policy,
but is essential.

We urge you to reject, or at least to postpone until the current policy development
process is complete and the relevant policies and contracts are made public, authorization
of procurement of facial recognition systems for deployment at Sea-Tac.

We remain available to members of the Commission, Port staff, and the
Biometrics External Advisory Group to provide our expertise and assistance.

Sincerely,

Edward Hasbrouck
Consultant on travel-related civil liberties and human rights issues
The Identity Project






The Identity Project  Comments to the Seattle Port Commission  3/10/2020  page 5 of 5