Quis custodiet ipsos custodes?

In the wake of allegations that the Customs and Border Patrol was running surveillance drones over protest sites in Minnesota and other places, and that government agencies were collecting cell phone data about those who attended BLM protests, that law enforcement agencies are arresting people based on faulty facial recognition algorithm, or that police are using AI algorithms to predict the dangerousness of a particular individual, or that facial recognition software was being linked with social media sites to target First Amendment protected activities, the New York City Council has now passed the POST Act  which would require NYPD to disclose what kinds of technologies they are using for surveillance and to public (and presumably follow) policies that designate how and when they will deploy these technologies. The bill awaits Mayor DiBlasio’s signature.

It is not just a good first step. It is absolutely essential. But it does not nearly go far enough.

The legislation – which applies only to one government agency (NYPD) and only in one jurisdiction (the five boroughs of New York) requires the reporting and evaluation of surveillance technologies used by the NYPD. NYPD would be required to provide a description and capabilities, rules, processes and guidelines, and any safeguards and security measures designed to protect the information collected. Upon publication of the draft surveillance impact and use policy, the public shall have a period of time to submit comments.

Most law enforcement and intelligence agencies are — to say the least turgid when it comes to disclosing what tools and techniques they are using for investigations and surveillance — including mass surveillance. They refuse to respond to FOIA requests for information about contracts they have with providers of surveillance technologies or how they are using AI or algorithms in targeting people for investigation. They cite trade secret law or vendor confidentiality to refuse to disclose the nature of surveillance technologies – even to the point of letting criminals go free rather than disclose what the technology is doing.

The public — voters, citizens, lawmakers, regulators and everyone — needs to know exactly what law enforcement and intelligence agencies are doing with respect to data gathering, surveillance, and threat profiling. In detail. And there need to be binding rules on what data they can collect, how they can collect it, what is necessary for targeting, how they are responding to the data, error rates (false positives and false negatives) how long data collected is stored, used and referenced, and what databases are aggregated and cross referenced. For example, who has access to driver’s license photographs and for what purpose? Currently, almost none of this data is readily available to the public.

The requirements imposed by the NYC council bill should be reflected in a national law, and needs to apply to all government agencies, with the possible exception of US agencies engaged in foreign intelligence gathering (NSA, CIA, etc.) It should apply to the FBI and FBI counterintelligence, and every contract for data collection, gathering, intelligence, coordination, evaluation, and AI and ML. Now and in the future. People need to know what the hell their government is doing.

If that sounds scary, and you think it means that the government won’t be able to do its job, then we need to ask exactly what the job of government is. We are not talking about the government saying “hey, we have a camera on the corner of 41st and Lex, looking north,” or “we have infiltrated a child porn site using the name kidlvr15.” But the tools and techniques of surveillance need to be known by the public so that they can insist on appropriate controls on those tools, and so they can decide whether the risks associated with the surveillance techniques are outweighed by the privacy impacts. Is the government routinely monitoring people’s (not mine) Twitter postings? Are they using a private contractor to do that for them? What kind of analytics are they doing on the data?

The public has a right to know not only the nature of the technologies used to capture data, create intelligence, and enforce the law, but also the techniques being deployed to infiltrate groups, to gather data from social media, to take over existing technology (e.g., webcams, OnStar, etc.) and the agreements police and others have with providers, marketers, data brokers and others to collect, share and analyze information for them.

What the NYC bill does is to require the police to provide:

1. a description of the capabilities of a surveillance technology;

2. rules, processes and guidelines issued by the department regulating access to or use of such surveillance technology as well as any prohibitions or restrictions on use, including whether the department obtains a court authorization for such use of a surveillance technology, and, if so, the specific type of court authorization sought;

3. safeguards or security measures designed to protect information collected by such surveillance technology from unauthorized access, including but not limited to the existence of encryption and access control mechanisms;

4. policies and/or practices relating to the retention, access, and use of data collected by such surveillance technology;

5. policies and procedures relating to access or use of the data collected through such surveillance technology by members of the public;

6. whether entities outside the department have access to the information and data collected by such surveillance technology, including: (a) whether the entity is a local governmental entity, state governmental entity, federal governmental entity or a private entity, (b) the type of information and data that may be disclosed by such entity, and (c) any safeguards or restrictions imposed by the department on such entity regarding the use or dissemination of the information collected by such surveillance technology;

7. whether any training is required by the department for an individual to use such surveillance technology or access information collected by such surveillance technology;

8. a description of internal audit and oversight mechanisms within the department to ensure compliance with the surveillance technology impact and use policy governing the use of such surveillance technology;

9. any tests or reports regarding the health and safety effects of the surveillance technology; and

10. any potentially disparate impacts of the surveillance technology impact and use policy on any protected groups as defined in the New York city human rights law.

The bill is similar to, but somewhat weaker than laws passed in cities like Oakland and San Francisco, both of which require affirmative approval of surveillance he bill lacks the community control rules included in similar Surveillance Equipment Regulation Ordinances (SEROs) like Oakland’s Surveillance and Community Safety ordinance and San Francisco’s Stop Secret Surveillance Ordinance. In those communities, city agencies must get permission from their city councils before acquiring surveillance technologies. Still, the new transparency requirements of New York’s POST Act are an important step forward.

The essence of data privacy is to know what is being collected and how it is being used. As a society, we may agree that surveillance is a good idea (until we ourselves are targeted). But we cannot be informed about technologies and processes we don’t know about. Who watches the watchers? “Nos custodimus”

Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.