For several years, a little-known start-up based in New York has been amassing a database of billions of our faceprints — unique biometric identifiers akin to a fingerprint or DNA profile — drawn from personal photos on our social media accounts and elsewhere online. The company has captured these faceprints in secret, without our knowledge, much less our consent, using everything from casual selfies to photos of birthday parties, college graduations, weddings, and so much more.
 
Unbeknownst to the public, this company has offered up this massive faceprint database to private companies, police, federal agencies, and wealthy individuals, allowing them to secretly track and target whomever they wished using face recognition technology.
                                                     
That company is Clearview AI, and it will end privacy as we know it if it isn’t stopped. We’re taking the company to court in Illinois today on behalf of organizations that represent survivors of sexual assault and domestic violence, undocumented immigrants, and other vulnerable communities. As the groups make clear, Clearview’s face surveillance activities violate the Illinois Biometric Information Privacy Act (BIPA), and represent an unprecedented threat to our security and safety.
 
Face recognition technology offers a surveillance capability unlike any other technology in the past. It makes it dangerously easy to identify and track us at protests, AA meetings, counseling sessions, political rallies, religious gatherings, and more. For our clients — organizations that serve survivors of domestic violence and sexual assault, undocumented immigrants, and people of color — this surveillance system is dangerous and even life-threatening. It empowers abusive ex-partners and serial harassers, exploitative companies, and ICE agents to track and target domestic violence and sexual assault survivors, undocumented immigrants, and other vulnerable communities.
 
By building a mass database of billions of faceprints without our knowledge or consent, Clearview has created the nightmare scenario that we’ve long feared, and has crossed the ethical bounds that many companies have refused to even attempt. Neither the United States government nor any American company is known to have ever compiled such a massive trove of biometrics.
 
Adding fuel to the fire, Clearview sells access to a smartphone app that allows its customers — and even those using the app on a trial basis — to upload a photo of an unknown person and instantaneously receive a set of matching photos.
 
Clearview’s actions clearly violate BIPA. The law requires companies that collect, capture, or obtain an Illinois resident’s biometric identifier — such as a fingerprint, faceprint, or iris scan — to first notify that individual and obtain their written consent. Clearview’s practices are exactly the threat to privacy that the legislature intended to address, and demonstrate why states across the country should adopt legal protections like the ones in Illinois.
 
In press statements, Clearview has tried to claim its actions are somehow protected by the First Amendment. Clearview is as free to look at online photos as anyone with an internet connection. But what it can’t do is capture our faceprints — uniquely identifying biometrics — from those photos without consent. That’s not speech; it’s conduct that the state of Illinois has a strong interest in regulating in order to protect its residents against abuse.
 
If allowed, Clearview will destroy our rights to anonymity and privacy — and the safety and security that both bring. People can change their names and addresses to shield their whereabouts and identities from individuals who seek to harm them, but they can’t change their faces.
 
That’s why we’re teaming up with lawyers at the ACLU of Illinois and the law firm of Edelson PC, a nationally recognized leader in consumer privacy litigation, to put a stop to Clearview’s egregious violations of privacy. We are asking an Illinois state court to order the company to delete faceprints gathered from Illinois residents without consent, and to stop capturing new faceprints unless it complies with the Illinois law.
 
There is a groundswell of opposition to face surveillance technology, and this litigation is the latest chapter in an intensifying fight to protect our privacy rights against the dangers of this menacing technology. Across the nation, the ACLU has been advocating for bans on police use of face recognition technology, leading to strong laws in places like Oakland, San Francisco, and Berkeley, California, and Springfield and Cambridge, Massachusetts, as well as a statewide prohibition on use of the technology on police body cams in California.
 
We won’t let companies like Clearview trample on our right to privacy.

Nathan Freed Wessler, Staff Attorney, ACLU Speech, Privacy, and Technology Project

The COVID-19 pandemic has swept the globe and upended normal life. In the four months since the first U.S. case was reported, more than 1.5 million people have been infected and 100,000 people have died in the United States. To mitigate risk, public health authorities tell us to get our groceries and prescriptions delivered, wave to grandma from the window, and generally avoid all unnecessary trips and close physical interactions outside the home.        
 
Consistent with these guidelines, federal agencies have taken every opportunity to encourage telemedicine use and give clinicians the flexibility to forgo unnecessary in-person encounters in accordance with their clinical judgment. They have waived various rules requiring in-person visits, even for controlled substances like opioids.
 
But there is one striking exception: The U.S. Food and Drug Administration (FDA) continues to subject mifepristone, a safe, effective prescription medication used to end an early pregnancy or treat a miscarriage, to a uniquely burdensome restriction that is jeopardizing the health and lives of patients and clinicians, with particularly dire implications for low-income communities and communities of color.
 
The FDA requires that the mifepristone pill be dispensed only in a hospital, clinic, or medical office: Patients who have already been evaluated by a clinician through telemedicine or at a prior in-person visit are not allowed to fill their prescription by mail. Instead, they must travel to one of these clinical settings to pick up the pill — even if they are receiving no in-person medical services at that time, and even if they will swallow the medication later at home (as the FDA permits).
 
For months, leading medical authorities have implored the FDA to suspend this restriction and give clinicians who provide abortion and miscarriage care the flexibility they need to protect their patients during this crisis. But the administration is intransigent.
 
That’s why today we filed a lawsuit on behalf of a coalition of medical experts and reproductive health, rights, and justice advocates, led by the American College of Obstetricians and Gynecologists (ACOG), challenging the FDA rule that forces patients to take on unnecessary COVID-19 risks as a condition of receiving medication abortion and miscarriage care.
 
Of the more than 20,000 drugs regulated by the FDA, mifepristone is the only one that patients must obtain in a clinical setting, yet may self-administer unsupervised at home. It’s easy to see why no other drugs carry this restriction: There is no medical reason to dictate where a patient is standing when handed a pill they will put in their pocket to swallow later at home.
 
There is likewise no reason to impose this requirement on mifepristone, which has been FDA approved for 20 years and used by more than 4 million people. In the FDA’s words, mifepristone’s “efficacy and safety have become well established by both research and experience, and serious complications have proven to be extremely rare.” In fact, the FDA permits mifepristone to be sent to patients’ homes, in larger quantities and doses, when used for a purpose other than early pregnancy termination. 
 
Yet the FDA has maintained this unnecessary restriction throughout the pandemic — despite CDC guidance specifically encouraging patients to fill prescriptions by mail-order delivery wherever possible, and despite a national medical consensus that mifepristone prescribers need the same flexibility as other clinicians to forgo medically unnecessary in-person visits, consistent with their best clinical judgment, during this crisis.
 
As is virtually always the case when it comes to restrictions on abortion, the harm here is not borne equally. Low-income people and people of color, who comprise a majority of people seeking abortions, bear the brunt of the FDA’s restrictions. At the best of times, arranging transportation and child care in order to travel to a health care facility to pick up a pill is difficult or impossible for many patients. Some must travel hundreds of miles — or even take a flight — causing severe delays and blocking some patients from accessing abortion care at all.
 
Now, during a historic unemployment crisis with many schools and day cares shuttered, the FDA is forcing patients to take on life-threatening — and entirely unnecessary — risks in order to access essential health services. This is particularly dangerous for communities of color, who, due to longstanding inequities in access to and quality of health care and other manifestations of structural racism, are dying from COVID-19 at drastically higher rates.
 
Our coalition of plaintiffs represents tens of thousands of clinicians providing abortion and miscarriage care to patients across the nation, and the department chairs of obstetrics and gynecology at nearly 150 universities. It includes activists and organizers dedicated to removing barriers to high-quality pregnancy-related care that disproportionately harm marginalized communities. They have asked the FDA to do the right thing on mifepristone, but the agency has refused.
 
Pregnant people should not have to needlessly jeopardize their safety in order to access essential medication abortion and miscarriage care during the pandemic. We’re going to court to ensure that in this time of crisis, people do not have to subject themselves to unnecessary risk to access the reproductive health care they need.

Julia Kaye, Staff Attorney, Reproductive Freedom Project

For years, immigration enforcement agencies have been using invasive cell phone surveillance technology known as Stingrays in near-total secrecy. To find out more, the ACLU and New York Civil Liberties Union filed a lawsuit under the Freedom of Information Act, and now we’ve forced the agencies to turn over documents revealing new details about the agencies’ practices. Today, we are publishing more than a thousand pages of record we’ve received from U.S. Immigration and Customs Enforcement (ICE) about their purchase and use of Stingray technology. The documents reveal some significant gaps in public knowledge about the agency’s practices and raise significant privacy concerns.
 
Stingrays, also known as cell site simulators or IMSI catchers, track and locate cell phones. The devices mimic cell phone towers by sending out signals that trick cell phones in the area into transmitting their unique identifying information, ensnaring not only a target’s cell phone but also those of nearby bystanders. Using those transmissions, government agents can precisely locate phones, and can learn the identities of all phones in a particular area.
 
We initially submitted a FOIA request to ICE and Customs and Border Protection (CBP) in 2017, after the Detroit News reported on a case where ICE used a cell site simulator to locate and arrest an individual on immigration-related charges. That request was met with two years of near silence from the agencies, so last December we filed a lawsuit asking a federal court to order ICE and CBP to produce a range of records about their use, purchase, and oversight of the technology. ICE has since handed over more than a thousand pages of documents. CBP, on the other hand, maintains that it can’t find a single page dealing with cell site simulators, despite public evidence that the agency has spent millions on them. On Friday, we filed a motion asking the court to compel CBP to live up to its legal obligations regarding transparency under the FOIA.
 
There’s good reason to demand transparency from these agencies. Through the documents we received from ICE alone, here’s what we’ve learned:

• ICE upgraded their cell site simulator devices from the Harris Corporation’s Stingray II to a new model called Crossbow. Prior to release of these records, the existence of the Crossbow model was not publicly known. As of January 2020, ICE was still using Crossbows. Although records obtained through FOIA and other litigation in recent years has revealed some information about the costs and capabilities of the Stingray and other models of cell site simulators, we don’t know what the Crossbow can do, or whether it raises different concerns than other versions of the technology.
• In September 2017, ICE said it had used cell site simulators 223 times, including 95 times to “apprehend” people and 104 times to “gather evidence relevant to a case against any apprehended individual.” From Jan. 1, 2019 to Oct. 7, 2019, ICE deployed cell site simulators 134 times, which located at least 80 people and resulted in 22 arrests. Fifty-one pages of weekly reports chart ICE’s use of this technology over time. From the piecemeal reported totals we received in sets of documents dated from 2017 to 2019, we can surmise that ICE used cell site simulators at least 466 times. These figures supplement data previously reported by  Buzzfeed News showing that from Jan. 1, 2013 to Oct. 11, 2017, Homeland Security Investigations, a branch of ICE, used cell site simulators 1,885 times.
• For all of law enforcement officials’ talk about the need to maintain secrecy around law enforcement use of cell site simulators, a presentation by DHS’s National Cybersecurity & Communications Integration Center acknowledges that “hackers” and others can also obtain access to cellular communications data using Stingrays, and discusses a pilot program to deploy sensors to detect this technology in the National Capitol Region. The presentation reveals that in 2016, DHS “Detected likely IMSI catcher monitoring/tracking phones.” This document suggests that excessive government secrecy about cell site simulators may be self-defeating, by failing to alert American cell phone users about threats to the privacy and security of their communications.
• Although DHS and ICE acknowledge that cell site simulators can interfere with cell phone calls in the area, the documents reveal that “Neither ICE nor USSS (United States Secret Service) has funded independent interference testing.” The FBI has similarly stated that it “does not test or measure the interference levels” of its cell site simulators. This stands in contrast to federal police in Canada, whose tests revealed that cell site simulators could interfere with more than 50 percent of 911 calls, leading the agency to mandate limitations on use of the technology. Senator Ron Wyden has repeatedly raised this problem with federal law enforcement agencies, but unless something has changed since the dates of these documents, DHS and the FBI don’t seem to be taking it seriously.
• DHS requires all of its components that use cell site simulators, including ICE and CBP, to implement policies governing use of the technology. ICE’s policy governing the use of the technology is now public for the first time. According to the policy, ICE recognizes that it normally needs to get a search warrant before using a cell site simulator, except when there are “exigent circumstances.” But it is unclear if ICE regards this as the only exception to the warrant requirement, as both DHS’s policy and ICE training materials also say “exceptional circumstances” can justify bypassing the warrant requirement. The manner in which ICE has defined both “exigent” and “exceptional” circumstances in the training materials provides law enforcement officers with little guidance as to what these terms mean or when the agency considers them properly invoked. This is concerning because it raises the prospect that agents may be short-circuiting the need for judicial oversight when in circumstances where there is no true emergency.

There can’t be accountability without transparency. The release of these records — albeit with redactions — provides some helpful insights into what was previously an extremely secretive surveillance practice. For example, the documents provide multiple assertions that ICE and CBP are not using cell site simulators in civil immigration investigations.
 
That’s good news, but concerns remain. We know that despite claiming not to use Stingrays for civil immigration enforcement, ICE does use the technology in its ever-expanding category of “criminal” immigration investigations, including arrests for the crimes of illegal entry and reentry. And although the requirement to get a warrant is positive, we still don’t know what the agency believes qualifies as an “exigent” or “exceptional” circumstance that lets agents avoid the warrant requirement. Those are just a few of the outstanding questions.
 
We also continue to know virtually nothing about CBP’s use of this technology. CBP has stated that it searched for records three times in response to our FOIA request and has not identified a single responsive record. But the agency’s no-records response is impossible to square with publicly available information as well as the documents we received from ICE. A 2016 Congressional Report reveals that as of four years ago, CBP had spent $2.5 million to purchase 33 cell site simulator devices. And, in 2017 letters to Sens. Ron Wyden and Al Franken (redacted versions of which were provided to us for the first time in this case), DHS stated that CBP has used cell site simulators and was in the process of drafting a policy to govern their use.
 
We’re demanding the court order CBP to explain how it conducted its prior searches for records responsive to our FOIA request and to conduct a new search for responsive records.
 
The use of powerful, surreptitious surveillance equipment is concerning in any context. But when agencies such as ICE and CBP, with a long history of abusive practices, evade requests for information and then obfuscate provided information, we should all be concerned.

Alexia Ramirez, Fellow, ACLU Speech, Privacy, and Technology Project