Facial recognition uproar leads back to legislators’ and Herbert’s desks. They’re shocked. 

by Dr. Ronald Mortensen, Columnist at Utah Standard News / July 11, 2019

Key Points:
– Governor Herbert and legislators were asked during the 2019 legislative session to protect the personal identifying information (PII) of Utah driver license holders but they failed to do so.

– Governor Herbert, legislators and others who failed to protect the PII of Utah driver license holders now express shock! shock! that it was disclosed for facial recognition purposes.

– Over the years, the Herbert administration has overseen the release of the PII of millions of Utahns.

– The bottom line is that elected officials and those who say they are defending our liberties have totally failed to protect Utah drivers’ PII and all of their cries of outrage cannot hide that fact.

When the Washington Post and the New York Times reported that ICE and the FBI were using Utah driver license photos in federal facial-recognition searches, Utah legislators, the governor and lieutenant governor all expressed shock! shock! that such a thing was occurring—despite the fact that they authorized it by enacting HB290, Driver License Record Amendments.

During the 2019 legislative session, I tried to get legislators and the governor to protect the driver license records and to limit their use to legitimate public safety purposes.  However, in spite of my efforts, which included testimony before the House and Senate committees, fact sheets distributed to state senators and discussions with the bill’s sponsors, Representative Lee Perry and Senator Lyle Hillyard, HB290 became law.  In the House the vote in favor of the bill was 73-2 with only Representatives Roberts and Seegmiller voting no. In the Senate the vote was 25 in favor with 4 not voting (Davis, Hinkins, McCay, Weiler).

When I expressed concern directly to Senator Hillyard about giving Utah drivers’ PII to the University of Utah (the U) including social security numbers, dates of birth, mothers’ maiden names, etc., he said that it was being done “for the greater good.”  Click here to see the Memorandum of Agreement between the Driver License Division and the U including Appendix A which lists all PII transmitted to the U.

So what exactly did the legislators and governor do when they passed/signed HB290 into law?  

Well, they authorized the Driver License Division (DLD) to disclose personal identifying information in accordance with 18 U.S.C. Chapter 123.  This includes  “….use by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a Federal, State, or local agency in carrying out its functions.”

HB290 enumerates who the DLD can disclose a driver license holder’s PII to:

1. a licensed private investigator holding a valid agency license, with a legitimate business need;

2. an insurer, insurance support organization, or a self-insured entity, or its agents, employees, or contractors that issues any motor vehicle insurance;

3. a depository institution [such as a bank, credit union, etc.];

4. the State Tax Commission;

5. the University of Utah for data collection in relation to genetic and epidemiologic research;

6. a government entity, including any court or law enforcement agency, to fulfill the government entity’s functions, or to a private person acting on behalf of a government entity if the division determines disclosure of the information is in the interest of public safety.

18 U.S.C. Chapter 123 allows the release of highly restricted personal information which is an individual’s photograph or image, social security number, medical or disability information to law enforcement without the express consent of the person to whom such information applies just as Utah’s law does.  However, federal law requires that express written consent be obtained before highly restricted PII is released to, for example, the University of Utah for research purposes, to private investigators, and others. However, no express written consent was obtained before the DLD gave the social security numbers of every Utah driver to the U even though this apparently violates federal law.

It is important to note that virtually every person now publicly expressing shock about the use of driver license information for facial recognition purposes either voted for the bill, signed the bill, or failed to help protect drivers’ PII.

When Representative Angela Romero was made aware of the national news stories, she reportedly tweeted “This makes me sick! Where are all my Utah states’ rights friends?” However, she conveniently ignored the fact that she had made the motion to pass HB290 out of committee as drafted in spite of pleas to the committee to strengthen the privacy protections for driver license information.  She then voted for the bill in the full House. Likewise, Representative Mark Wheatly, Senator Curt Bramble, and Representative Brian King, who are now voicing outrage at the use of driver license photos for facial recognition, all voted for HB290.

Governor Gary Herbert signed HB290 in spite of the fact that I brought my concerns about the cavalier treatment of PII, both in person and in writing, to his Deputy Chief of Staff.  Governor Herbert says that he “believes in respecting the privacy of Utah residents” which is hard to accept since during his administration the entire voter database including birth dates was sold by the lieutenant governor and posted to the internet.  In addition, the Herbert administration has overseen massive data breaches including the disclosure of social security numbers of hundreds of thousands of Utahns.  And, if that weren’t enough, the Herbert administration allowed driver license records to be widely shared without any apparent statutory authority to do so.

Lieutenant governor Spencer Cox continues to sell the entire Utah Voter Database in accordance with current legislation for $1,050 so it can be posted to the internet at voterrecords.com.  Cox has never expressed concern about the privacy of the voters whose records he is selling or presented any legislation to protect the records of all Utah voters.

Connor Boyack, president of the Libertas Institute and Marina Low, American Civil Liberties Union of Utah’s legislative and policy director were aware of HB290 but they did not bring up any concerns about it during committee hearings.

The bottom line is that our elected officials and those who say they are defending our liberties have failed to protect Utah drivers’ personal identifying information and all of their cries of outrage cannot hide that fact.

———-

Releases of personal information under the Herbert administration since 2010

Continuously.  The Utah Driver License Division routinely provides the personal identifying information of millions of Utahns to governmental and non-governmental entities.  The personal identifying information released by the Driver License Division includes everything required to assume a person’s identity:  Name, address, social security number, date of birth, place of birth, mother’s maiden names and physical characteristics.

Continuously.  The state of Utah sells the Utah Voter Database with the personal information of around 1.5 million Utah voters who have not personally made their records private to anyone willing to pay $1,050. Information sold includes a registered voter’s name, address, phone number, voter registration number, party affiliation, voting history, etc.  This list continues to be posted on voterrecords.com.  Financial institutions, health care providers, insurance companies, political parties, candidates and other select groups or their agents may obtain voter lists that contain all of the previous information plus the registered voters’ month and year of birth.  The entire voter list complete with full birth dates was posted to the internet in late 2013/early 2014 before the birth date was taken off of the public version sold by the Lt. Governor’s Office.  That was reported on in an article titled Utah Governor sells voters personal information after removing his own

July 2010.  A list containing the personal information of 1,300 people believed to be illegal aliens was released by Utah Workforce Service employees. “Release of such private, sensitive information is deplorable,” Gov. Gary Herbert said in a news release according to CNN.

March 30, 2012.  An estimated 780,000 Utahns covered by Medicaid or thought to be eligible for Medicaid along with those enrolled in the Children’s Health Insurance Plan had personal information stolen by hackers in Eastern Europe who were able to access the Utah Department of Technology Service’s server. Information taken included names, dates of birth, addresses, social security numbers, etc. Herbert was quoted by the Salt Lake Tribune: “As a state government we have failed to honor that commitment [to protect Utah families and their personal data],” he said. “For that, as your governor and as a Utahn, I am deeply sorry.” 

January 2013.  The Utah Health Department revealed that a USB memory stick with 6,000 Medicaid recipients’ protected health information (PHI) was reported lost by a third party contractor.

December 6, 2013.  Up to 97,000 Utahns receiving training funds, unemployment insurance and payroll from Utah’s Workforce Services may have had their personal information compromised due to a data breach. The compromised data includes names, addresses, social security numbers, UCard numbers, passwords, logins and security questions.

March 31, 2016.  Governor Herbert’s campaign was accused of complicity in the release and subsequent posting of Jonathan Johnson’s personal identifying information to the internet–Johnson was opposing Herbert for the Republican Party’s gubernatorial nomination.  July 7, 2019.  The Washington Post and the New York Times reported that ICE and the FBI are using Utah driver license photos in federal facial-recognition searches.  Governor Herbert once again apologized. Lt. Governor Cox joined in saying, “If the reports are true, the governor and I are deeply concerned and not OK with it” even though Governor Herbert signed HB290 which failed to prevent this from happening.  Herbert’s office said, “Gov. Herbert believes in respecting the privacy of Utah residents.