Rules around bulk data purchases by US intelligence, law enforcement reviewed

An insurer must cover an Illinois client’s lawsuit over alleged biometric data privacy violations in a case involving the sale of a massive facial recognition database to police.

A decision by the federal 7th Circuit Court of Appeals and reported by Claims Journal affirms a lower court decision that “catch-all” insurance policy provisions excluding coverage for regulatory violations do not apply to allegations under the Illinois’ Biometric Information Privacy Act.

A data broker called Wynndalco Enterprises sold the Chicago Police Department a database of 3 billion images scraped from social media to use as reference images for facial recognition searches. The source of the images, according to the decision, is Clearview AI. A settlement between Clearview and the ACLU last year stipulated that Clearview would not sell its facial recognition service to state and local police in Illinois for five years.

Including the exclusion would make the provisions overly broad, the court ruled, so Citizens Insurance Company of America must cover Illinois-based Wynndalco’s legal defense costs. The policy promises coverage for “personal and advertising” injuries, rendering the meaning of the clause that would exclude them ambiguous, the appeals panel found, agreeing with the previous ruling of a District Court Judge.

Purchases of consumer data at scale from private brokers may be more common than is commonly recognized.

Bulk data purchase rules recommended

Meanwhile, a report from the Office of the Director of National Intelligence has been declassified, revealing widespread bulk data purchases by America’s intelligence community.

The report to the Director of National Intelligence by the Panel on Commercially Available Information suggests that data collected in the absence of probable cause may be unconstitutional. Special rules are not in place for government agencies using commercial data broker services, or for any other type of organization buying similar services.

Consumer data purchased from commercial entities is sometimes used to identify researchers who may be engaged in espionage, and for background checks on individuals seeking security clearance, according to the report. These uses are identified as examples of the positive value of commercial data-buying arrangements. There are harms as well, according to some.

“We’ve seen police departments work around facial recognition bans by buying that kind of data on the marketplace,” Adam Kovacevich, founder and CEO of tech advocacy group Chamber of Progress told NBC. He also pointed out military tracking of people using Muslim prayer sites and dating apps, and the use of data by Immigration and Customs Enforcement to track migrants.

The panel recommends developing a process for keeping track of the data the intelligence community wants, and then standards and procedures for assessing the acquisition and use of that data.  It also recommends developing guidelines to protect the sensitive personal data it acquires.

Biometric data is explicitly referred to in two places in the report. One is an example of how sensitive data is defined under the EU’s GDPR, and the other identifying specific types of data that might merit “more specific guidance.”

Meanwhile, local police in Evansville, Indiana have been using Clearview regularly for about a year, reports the Indiana Economic Digest. The technology’s use in solving shoplifting cases is emphasized by a law enforcement official.

The software license was signed as a two-year, $2,000 deal in August, 2020. The report suggests that many local officials were unaware of the license.

Article Topics

biometric data  |  biometrics  |  Clearview AI  |  facial recognition  |  law enforcement  |  regulation