It's safe to say most Oregonians are neither terrorists, criminals nor illegal immigrants. But the 500,000 people who get their pictures taken for their driver's license each year are having their images stored in a facial-recognition database that exceeds in size and breadth anything Oregon law-enforcement agencies possess.
Last week, the Oregon Department of Motor Vehicles quietly inked a $13 million contract renewal with L-1 Identity Solutions to continue building a database so hush-hush that few Oregonians—or many state leaders—know it exists.
The L-1 contract provides software that records a person's unique facial features, just as police collect criminals' fingerprints. The software scans the image of your face and compares it to earlier DMV file photographs. The software also scans other photos in the database to see if someone is trying to get identification under more than one name.
"If we think they are possible frauds," says DMV spokesman David House, "we refer the case to law enforcement."
Since 2008, when the software went into use, the DMV has alerted police to 940 cases of suspected identity fraud, House says. He doesn't know how many reports resulted in an arrest or conviction.
Critics say the high-tech database threatens privacy.
"Once you have a database like this, there's no telling how it can be used in the future," says Dave Fidanque, Oregon director of the American Civil Liberties Union.
Lawmakers in 2005 passed a contentious bill to tighten controls around who can get a driver's license. About 30 states use similar software.
Former Sen. Gary George (R-Newberg) was the lone member of his caucus to vote against the legislation in 2005.
George says security breaches at state agencies and private companies in recent years, such as Providence Health System, make him more skeptical than ever.
"I was very concerned about where this thing was headed in terms of personal privacy," George recalls. He says security concerns, while legitimate, caused his colleagues to overreact in 2005 when they passed the bill.
"I think a lot of people are now saying, 'Wait a minute, all the rest of us have our freedom and our liberty compromised,'" George says.
Companies such as Facebook have already assembled billions of photos, and surveillance cameras are proliferating. Some retailers already use facial-recognition software to tailor their pitches to customers based on other information they've aggregated.
And yet the most comprehensive data exists in DMV files, which means a merger of L-1, law enforcement subpoena or a security breach could open the floodgates.
A Carnegie Mellon University study earlier this year showed that off-the-shelf facial-recognition programs are already so accurate that users can easily identify strangers and determine their social security numbers.
"A reason for concern with large databases of biometric data is that, once they get assembled at great cost for a legitimate purpose, it becomes easier to argue for their extension into additional, less legitimate applications," says Alessandro Acquisti, Carnegie Mellon professor of information technology and public policy. "So a tool useful for thwarting identity theft can also become an instrument of surveillance and control."
The DMV's House says his agency is sensitive to such concerns and notes that legislators wrote Oregon's law so that only the DMV has access to the photo files. Law enforcement agencies can request individual photos but cannot use the DMV's facial recognition software, House says.
Fidanque is skeptical, however, that existing law provides long-term protection or can reduce the risk of accidental data breaches or hacking.
"The use of the database can be changed or superseded at any time by the legislature," he says.
And since federal law trumps state law, Oregon's database could be easy pickings.
âIf DMV gets a national security letter from the FBI,â Fidanque says, âthey are going to turn over those photographs.â
WWeek 2015