Surveillance technology ordinance headed to adoption on Monday

After several months of work, this morning the Council moved forward an update to the city’s ordinance regulating use of surveillance technology by SPD and other city departments.

What started out as a fairly simple task, extending the current rules beyond hardware to include software and web services, turned out to be a nearly intractable set of complex issues. In the end the ordinance’s sponsor, Council member Gonzalez, settled for addressing just a subset of the issues in what she referred to this morning as “phase one.”

The Council committee conversation two weeks ago outlined many of the difficult issues, including that using expansive definitions of “surveillance technology” and “surveillance data” could implicate hundreds of technologies and thousands of data files currently in use by the city. Since then, Council members and staff have rewritten several provisions of the ordinance, and this morning adopted those changes in one large substitute version.

Some of the major points in the rewrite:

• It focuses on surveillance technology, and largely kicks the can down the road on surveillance data, which is its own Gordian knot of problems to resolve. Gonzalez noted this morning that to the best of her knowledge no jurisdiction has attempted to regulate surveillance data, because it is so complicated. She did commit to tackling surveillance data in 2018.
• It refines the definition of “surveillance”:
  to observe or analyze the movements, behavior, or actions of identifiable individuals or groups of individuals on public or private property in a manner that is reasonably likely to raise concerns about civil liberties, freedom of speech or association, racial equity or social justice. Identifiable individuals also include individuals whose identity can be revealed by license plate data when combined with any other record. It is not surveillance if an individual knowingly and voluntarily consented to provide the information, or had a clear and conspicuous opportunity to opt out of providing the information.
• There are several exemptions for technology and data (full list below).
• The city must provide a list, updated every quarter, of all surveillance technologies in use. The CTO must also post all proposed and approved surveillance technology requests to the city’s website, with the current status of each request, along with a list of all exempted technologies.
• A department must hold at least one community meeting, with public comment, before asking the Council to approve a surveillance technology.
• If a deployed technology will be visible to the public (such as mounted on a light pole), the city must specify as part of the approval process what markings it will have that allow the public to identify its use, the responsible department, and contact information.
• Third parties (i.e. other law enforcement agencies) that are granted access to the technology are required to abide by any restrictions specified in the Council’s approval — but it’s the city’s responsibility to ensure the third party complies. The original bill required a third party to provide written agreement to comply; the new version isn’t that specific on how third parties should be made to comply.
• The Inspector General for Public Safety and the City Auditor are required to submit a written report on city departments’ compliance with the surveillance technology ordinance and on restrictions placed upon the use of technologies.
• The CTO has enforcement powers, including the ability to issue a “cease and desist” order to a city department regarding its use of a particular surveillance technology if he or she believes it is not in compliance with the ordinance.
• A workgroup must be established to provide guidance to the Council on surveillance technology policy decision-making.

Here are the exemptions and exceptions for surveillance technologies and data in the ordinance:

• Information voluntarily provided, such as in the process of accessing city services (e.g. signing up for service from Seattle City Light).
• Information acquired where a clear and conspicuous opt-out was provided.
• Body cameras and police car dashboard cameras, since they are regulated under a separate ordinance.
• Cameras installed to record traffic violations.
• Cameras on city property for security purposes, or to protect the physical integrity of city infrastructure.
• Monitoring only city employees in the performance of their city functions.
• In an emergency situation that “poses an imminent risk of death or substantial bodily harm.” The use of the technology must end when the risk is removed.
• Patches and upgrades to technologies may be installed in order to mitigate threats to the city’s “environment,” even if those upgrades extend the surveillance functionality beyond what was originally approved by the Council.  The extended functionality can’t be used, however, until Council approval is obtained, unless the CTO determines that it’s “unavoidable.”
• The ordinance doesn’t apply to Seattle Municipal Court.
• The ordinance doesn’t apply to Seattle Public Library, which is regulated separately.

These all seem like reasonable and well-thought-out updates to the regulation. But the scary part is that the scale of work required to implement this is still unknown. Initial estimates are that the CTO’s office will need at least two additional people to process approval requests and to assist other departments with the process. It’s still unknown whether SPD or other departments (including the Inspector General and City Auditor) will need their own resources (SPD probably will). That means the budget implications are not understood; Council staff hope to have guidance on that by Monday when the Council votes on final adoption of the ordinance.

What’s even scarier is that technologies currently in use will all eventually need to be run through the process, and there could be hundreds of them. That could bury city departments, and the Council, in paperwork and bureaucracy for months, if not years, to get through them. There is even disagreement on which order to tackle requests. On one hand, the highest-impact technologies are a top priority for attention. On the other hand, it’s a new process and it’s not clear exactly how the Council will choose to evaluate technologies, and Council member Burgess suggested that they should start with a handful of simple approval requests to work out the kinks in the process before tackling bigger, more controversial ones that could tie up the Council for weeks or months as they debate the issues and potential uses.

As this morning’s session wrapped up, Gonzalez admitted that they have much more work to do, but she still wanted to move “phase one” forward despite requests to delay the full Council vote.  She did commit to exploring the remaining issues around surveillance data in 2018.  The bill passed out of committee by a 3-0 vote, with Gonazlez, Burgess and Bagshaw voting in favor. Needless to say, the other six Council members have a lot of homework to do before they can make an informed voting decision on Monday afternoon.