Council continues discussion of surveillance technologies

The City of Seattle’s parking enforcement division uses automated license plate readers to identify cars (and drivers) with multiple parking tickets so they can boot or impound the vehicles as necessary. SPD uses that same data to identify stolen cars, as well as those wanted in relation to specific criminal activities. Back in 2012, New York City took it further: they used cameras on street light poles to track people coming and going from mosques — an act that most people think stepped over the line of acceptable surveillance.

How the City of Seattle acquires and uses surveillance technology — and the data gleaned from it — was the topic of a Council hearing this morning, one of a series in the ongoing process of updating the city’s laws on surveillance.

Formal consideration of the bill to update the current law restricting acquisition of surveillance technology (adopted in 2013) began back in April. The current law only applies to hardware purchases, not to software or services such as the Geofeedia social media surveillance tool. It also doesn’t address workarounds, such as allowing a third party to do the surveillance and simply using the data gathered. But trying to craft a new bill that closes all of those loopholes turns out to be tricky.

The overall intent, as expressed by Shankar Narayan of ACLU Washington, is not specifically to restrict any class of surveillance technology or use of data, but to force the decision-making process into the public sphere so that Seattle residents know what is being discussed and what decisions are being made to surveil them. The bill requires new acquisitions of surveillance technology or data, as well as new uses of existing ones, to have a Surveillance Impact Report (SIR) written and approved by the City Council. It also requires all existing surveillance technology and data to be run retroactively through the SIR process within a certain period of time.

But as Council member Burgess and others pointed out, while everyone’s motives are good, the unintended consequences could be substantial. Some of the issues that were discussed this morning:

  • the definitions of “surveillance technology” and “surveillance data” in the current draft of the bill are very expansive. For example, the Seattle Fire Department keeps a database of hazardous materials stored at locations around the city, along with contact information for the owners/managers of those materials. That information is available to all firefighters responding to an incident — all perfectly sensible and appropriate. But that data fits within the description of “surveillance data” as currently written.  Further, if you were to pay your Seattle City Light bill at the Customer Service Center on the main floor of Seattle Municipal Tower, that would generate a transaction record, including the place and time where you were when you paid that bill — another piece of surveillance data. If you borrow a mobile Internet hotspot from Seattle Public Library, the time and place you picked it up will be recorded, as well as where you use it. If you call into the city’s hotline to request pickup of garbage or needles on city property, that also creates a record connecting you to a specific place and time. City of Seattle CTO Michael Mattmiller said this morning that of the city’s 1500 enterprise IT applications handling general business functions for the city, they have identified about 160 that would require SIR approval, and about 20 general government devices would also need SIRs. Mattmiller also said that there are over 54 million data files on the city’s file shares; they won’t all require SIRs, but they will all need to be reviewed to determine if they do.  SPD COO Brian Maxie stated that the current definition of “surveillance data” in the bill would cover 90-95% of what they do. That’s an enormous amount of work for city staff, and a huge queue of SIR approvals for the City Council.
  • In order to close the “third party” loophole, the bill would require third parties, including SPD’s partner law enforcement agencies, to follow the same set of rules in order to allow data sharing. Maxie argued that the data-sharing partnerships they have in place today are fragile enough that trying to force a set of rules on SPD’s partners would probably cause most of them to simply walk away — leaving Seattle as an island on its own.  And it would tear apart important regional law enforcement partnership work on gangs and drug enforcement.

On the other hand, Council member O’Brien argued that it isn’t acceptable to simply say “we have tons of data, but we don’t know what’s in there.” The public does, in fact, have a right to know what data is being collected about them, how it is being used, and how long it is being kept. “The reality is that we have a lot of data on people,” O’Brien said, “and we don’t know what’s in those files. We need to move from not knowing to having clear notions around what’s in the data… It would be good to have a strategy and a timeline for being able to go through all of the data sets.” Mattmiller agreed, noting that of the 54 million data files, they have already identified 800 most likely to be “critical” and the city’s new Chief Privacy Officer will be digging into those. Mattmiller also noted that the city’s privacy program is focused on data retention policies, which over time will reduce the amount of data being kept.

There were far more questions than answers today, and GESCNA committee chair Gonzalez stated that they need to debate the policy issues and continue to gather information. Nevertheless, she said that she expects to have some initial amendments for consideration at her next committee meeting two weeks from now, and she hopes to pass the ordinance by the end of the summer.