The government and law enforcement should not be scanning your photos with face recognition technology. But right now, at least half of Americans are likely in government face recognition databases—often thanks to secretive agreements between state and federal government agencies—without any of us having opted in. Although the majority of Americans are in these databases, it’s nearly impossible to know whether or not your photo has been included. Today, EFF is launching a new project to help fight back: Who Has Your Face.

Who Has Your Face includes a short quiz that you can use to learn which U.S. government agencies may have access to your photo for facial recognition purposes, as well as a longer resource page describing in detail the photo sharing we discovered. This project is a collaboration between the Center on Privacy & Technology at Georgetown Law, and aims to shine a light on the photo sharing that has allowed the Department of Homeland Security, Immigration and Customs Enforcement, dozens of Departments of Motor Vehicles, the Federal Bureau of Investigation, law enforcement, and many other agencies to use face surveillance on millions of people without their knowledge. 

Data-sharing agreements made between agencies with little or no room for input from those they affect violate the privacy of thousands of people every day

This work builds on the work that was done in The Perpetual Lineup, a project of the Center on Privacy & Technology at Georgetown Law, and EFF’s research on the growth of government databases like this. To bring this project to you, we reviewed thousands of pages of public records to determine as clearly as possible what government photos of U.S. citizens, residents, and travelers are shared with which agencies for facial recognition purposes. 

A screenshot of the Who Has Your Face Quiz Results

After answering a few short questions, Who Has Your Face will list agencies that likely have access to your image

Individuals Don’t Know They’re In Facial Recognition Databases and Can’t Opt Out

As U.S. government agencies have increased the type of information they collect on individuals, expanding from fingerprints to faceprints, and adding voice data, DNA, scars and tattoos, they’ve also hoovered up more and more information from individuals without their knowledge. Much of this is collected during fairly common practices like applying for a driver’s license. 

The number of people affected by face recognition is staggering: We count at least 27 states where the FBI can search or request data from driver’s license and ID databases. In June of last year, the Government Accountability Office reported only 21. The total number of DMVs with facial recognition is now at least 43, with only four of those limiting data sharing entirely. That puts two-thirds of the population of the U.S. at risk of misidentification, with no choice to opt out. That number is unconscionable. These data-sharing agreements—made between agencies and with little or no room for input from those they affect—violate the privacy of thousands of people every day. 

Data sharing is especially dangerous for vulnerable individuals and populations, and is especially egregious in some states: in Maryland, for example, undocumented individuals are allowed driver’s licenses and IDs, but data sharing agreements also allow ICE to use face recognition on those DMV databases. This turns the legal protection of a driver’s license into a way for ICE to target undocumented individuals for deportation. Florida—the third most populous state in the nation—has the longest-running facial recognition database in the country, and offers over 250 agencies access to DMV photos for facial recognition purposes. 

Lack of Transparency Thwarts Attempts to Learn Who’s At Risk

Despite hundreds of hours of research, it’s still not possible to know precisely which agencies are sharing which photos, and with whom. Each agency across the U.S., from state DMV’s to the State Department, shares access to their photos differently, depending on agreements with local police, other states, and federal agencies. We were continuously thwarted in our research by non-responsive government agencies, conflicting information and agreements, and the generally covert nature of these policies. This is a huge problem: it should be easy to learn who has the personal data that you’ve been required to hand over in exchange for a driver’s license, or for re-entry into the country after visiting family in a foreign nation. 

But agencies all responded differently to requests for transparency: when sent the same public records request, some DMV’s gave the precise number of facial recognition requests that they had received from outside agencies but not which agencies sent them—for example, Wisconsin’s DMV received 238 requests in 2016; Nevada received 788 requests between June 14, 2015, and March 8, 2018. Other DMVs responded with who had made requests and how many: a list of agency requests to Utah’s Department of Public Safety included Immigration and Customs Enforcement, the Department of Homeland Security, various state Fusion Centers, state Secret Service agencies, and the United States Office of National Drug Control Policy. Utah also responded with data about how successful the requests had been.

A screenshot of a spreadsheet of facial recognition requests to the Utah Statewide Information & Analysis Center, with columns for Date Submitted, Ticket ID, Agency, Other, Case Number, and Query Results

A spreadsheet of facial recognition requests to the Utah Statewide Information & Analysis Center

Still others did not respond or regarded the questions as overbroad, or claimed to have no responsive records. Alabama’s DMV, for example, essentially ignored the request until sent an example of the Memorandum of Understanding we believed they had signed. 

Reports also contradict one another: American Association of Motor Vehicle Administrators (AAMVA), a tax-exempt, non-profit organization that serves as an “information clearinghouse” for Departments of Motor Vehicles across the United States and allows members to interactively request and verify license and ID applicant’s images, reported just three months ago that Idaho’s Transportation Department and Oklahoma’s Department of Public Safety have facial recognition, yet both of those states responded to our requests by saying they did not.

Another area of confusion: three of the states that were confirmed to take part in AAMVA’s National Digital Exchange Program but do not have facial recognition systems. Whether they comply with those agreements is unclear. The Real-ID Act, which requires state licenses to adhere to certain uniform standards if they are to be accepted for some federal purposes, also complicates matters. Many states interpret it as requiring them to provide electronic access to all other states to information contained in their motor vehicle database, and to offer some access to federal agencies such as the DHS or ICE. But in some states, sharing this data with the federal government is explicitly forbidden by law. In Utah, for example, the state DMV granted federal access to its database despite the state legislature rejecting the federal info-sharing required under REAL ID. 

This level of confusion and obfuscation is, frankly, unacceptable. It should be simple for anyone to learn who has their private, biometric data, and we must work to make it easier.

It’s Time to Ban Government Use of Face Surveillance

Lack of transparency is, of course, only part of the problem. Face surveillance is a growing menace to our privacy even when the agencies with access to the technology are clear about it. Police worn body cameras with facial surveillance can record the words, deeds, and locations of much of the population at a given time. The Department of Homeland Security and Customs and Border Patrol can use face surveillance to track individuals throughout their travels. Government use of face recognition data collected from private companies, like Clearview AI, poses additional threats. Government must not be allowed to implement this always-on panopticon. 

Thankfully, more and more laws that ban government use of this technology are passing around the country. In addition to the several states that currently don’t allow or don’t have face recognition at DMVs (California, Idaho, Louisiana, Missouri, New Hampshire, Oklahoma, Virginia, and Wyoming), cities like San Francisco, Berkeley, and Oakland in California, and Somerville in Massachusetts have also passed bans on its use by city governments. California has even passed a moratorium on government use of face recognition with mobile cameras. As more cities pass these bans, we hope more states join in protecting their residents, and in being transparent about who has access to every technology that could endanger civil liberties. It’s time to ban government use of face surveillance. 

Learn more about who has your face by visiting Who Has Your Face. To help ban government use of face recognition in your city, visit our About Face campaign.