WASHINGTON, D.C. – Oregon’s U.S. Senator Jeff Merkley and Senator Cory Booker (D-NJ) are pressing CLEAR, a biometric identification company, for details regarding what privacy practices and precautions are being undertaken for Health Pass—a new product being marketed to businesses to screen their employees and consumers for the coronavirus.
According to CLEAR, Health Pass will allow consumers to verify their identity by taking a selfie before taking a health quiz to screen for possible coronavirus symptoms.
“While we appreciate CLEAR’s contribution to the discussion of safely reopening our nation’s economy, the use of facial recognition technology poses real privacy concerns. Though there are some potential benefits and expediencies, this technology can also be utilized widely and passively in such a way that eludes consumers’ awareness, permission, or the ability to opt out. If over or misused, facial recognition technology risks a state of undetectable, constant government surveillance that can track one’s movements and associations with organizations such as schools and places of worship,” the senators wrote in a letter to CLEAR CEO Caryn Seidman Becker.
Data breaches—including a breach at Clearview AI, a technology company whose main service provides facial recognition software, which housed a database of more than three billion photos—raise serious concerns about the increased risk of potential cyberattacks on technology companies and consumers.
To help protect the privacy of consumers, the senators requested information regarding what privacy and security steps CLEAR is taking, whether the company collects data—including personally identifiable information—concerning their customers, and whether any personally identifiable information is sold. Should CLEAR be collecting personal data, the senators asked whether customers have the ability to delete that data or prohibit future collection of personally-identifiable information. The lawmakers also inquired about alternative methods workers could use—such as QR codes—to identify themselves, and asked the CEO to explain why facial recognition technology is necessary to assessing the health of an individual.
In addition to privacy concerns, the prevalence of racial biases in facial recognition technology has raised serious concerns over the implications of its widespread use. A landmark federal study released in December 2019 found that Asian- and African-American people were up to 100 times more likely to be misidentified by facial recognition than white men. To address these concerns, the senators requested that CLEAR explain what steps it is taking to assess biases in its technology, and asked if CLEAR has submitted its technology to the National Institute of Standards and Technology’s Face Recognition Vendor Test for evaluation.
Earlier this year, Senators Merkley and Booker introduced the Ethical Use of Facial Recognition Act. The legislation would institute a moratorium on all federal government use of the technology until a federal strategy to ensure that any future federal use of facial recognition is limited to responsible uses that protect privacy and promote public safety is created.
The full text of the senators’ letter is available here and follows below.
Dear Ms. Seidman Becker:
We write to inquire about data privacy practices and precautions taken for CLEAR’s new product, Health Pass.
As the nation yields to the unique circumstances brought on by the COVID-19 pandemic, a number of initiatives have been launched with the important goal of allowing our businesses to reopen safely and getting families back to work in a manner consistent with guidance issued by the Centers for Disease Control and Prevention (CDC). Consumers are looking with particular anticipation what steps the travel, entertainment, and food service industries – among others – will take to ensure their safety in a post COVID-19 world.
CLEAR recently announced its new product, Health Pass, which would provide consumers with the ability verify one’s identity by taking a selfie, and to verify one’s health by taking a quiz regarding possible COVID-19 symptoms, and operating separately from efforts around contact tracing. In addition to airports, restaurants, venues, and other places of business will be able to utilize this service by requiring identity and health verification before a customer may board a plane, pass through security, or enter a place of business.
While we appreciate CLEAR’s contribution to the discussion of safely reopening our nation’s economy, the use of facial recognition technology poses real privacy concerns. Though there are some potential benefits and expediencies, this technology can also be utilized widely and passively in such a way that eludes consumers’ awareness, permission, or the ability to opt out. If over or misused, facial recognition technology risks a state of undetectable, constant government surveillance that can track one’s movements and associations with organizations such as schools and places of worship.
Equally concerning is the risk associated with the collection of the personally identifiable information of millions of American consumers. On February 26, 2020, Clearview AI, a technology company whose main service provides facial recognition software, announced that it lost its entire client list as a result of a data breach. This breach of a company whose database contains more than three billion photos raises legitimate concern about the heightened risks of potential cyberattacks on facial recognition technology companies.
The COVID-19 pandemic continues to require swift action and innovative solutions to protect the health of Americans and work to save local and national economies, however it should not enable or encourage reliance on technology that could intentionally or unintentionally threaten the privacy and security of millions of consumers, nor should that technology operate without appropriate protections for its consumers. For these reasons, we request your response to the following questions:
- What steps has CLEAR taken to ensure the privacy and security of its customers?
- Does CLEAR collect data concerning their customers? If so, what personally identifiable information or location data is collected, and for how long may this data be retained?
- Does CLEAR buy, sell or otherwise transfer personally identifiable information or location data to other entities, including both private sector and government agencies?
- If CLEAR does collect data concerning their customers, does CLEAR claim ownership of any personally identifiable information or location data it may collect?
- If CLEAR does collect data concerning their customers, does CLEAR provide customers with the ability to delete their personal data or prohibit future collection of personally-identifiable information or location data?
- Besides expediting identity verification, please explain why facial recognition technology/iris scanning technology are necessary to determine whether an individual has or displays symptoms consistent with COVID-19 (fever, coughing, shortness of breath, etc.)
- Does CLEAR easily allow for alternative methods to verify identity, such as QR codes?
- In reaction to a National Institute of Standards and Technology’s (NIST) report on the accuracy of facial recognition technology, what steps has CLEAR taken to assess biases in its technology? Has CLEAR submitted its technology to NIST’s Face Recognition Vendor Test for an evaluation?
We appreciate your attention to these questions in advance and request a response no later than 30 days from your receipt of this letter.
 National Institute of Standards and Technology. “New Test on the Effect of Masks on Face Recognition Accuracy.” May 1, 2020. Available at: https://www.nist.gov/programs-projects/face-recognition-vendor-test-frvt-ongoing