The Deseret News recently opined that “In our opinion: Driver’s license and facial recognition — our laws need to keep up.” So, the question is: Where was the Utah news media during the past legislative session while legislators, with just two opposing votes, expanded access to Utahn’s driver’s license records by passing HB290, Driver License Record Amendments?
And why was I the only person to testify against HB290 in House and Senate committees?
And why are Utah legislators, the governor and lieutenant governor expressing shock that driver’s license photos were used for facial recognition purposes when they made it possible by enacting HB290?
After all, HB290 authorizes the Driver License Division to disclose personal identifying information in accordance with 18 U.S.C. Chapter 123. This includes “… use by any … law enforcement agency, in carrying out its functions.”
Specifically allowed in 18 U.S.C. Chapter 123 is the release of highly restricted personal information — an individual’s photograph or image, social security number and medical or disability information — to law enforcement and certain other entities without the express consent of the person to whom such information applies.
In addition, HB290 actually expanded the list of those specifically authorized to access drivers’ personal identifying information. That list now includes:
- A licensed private investigator.
- An insurer, insurance support organization or a self-insured entity, or its agents, employees, or contractors that issues any motor vehicle insurance.
- A depository institution (such as a bank, credit union, etc.).
- (new) The State Tax Commission.
- (new) The University of Utah for data collection in relation to genetic and epidemiologic research.
- A government entity, including any court or law enforcement agency, to fulfill the government entity’s functions, or to a private person acting on behalf of a government entity if the division determines disclosure of the information is in the interest of public safety.
Significantly, legislators did not require the DLD to inform individuals applying for a Utah driver’s license that their personal information may be given to these entities. Nor did the legislation explicitly require the DLD to obtain the express written consent of every Utah driver’s license holder before giving their highly sensitive personal information to, for example, the University of Utah for research purposes in spite of the fact that this is required by 18 U.S.C. Chapter 123.
In fact, a Memorandum of Agreement between the DLD and the University of Utah expressly prohibits the U. from telling driver’s license holders that it is using DLD information to contact them.
This facial recognition uproar shows that Herbert/Cox administration and legislators continue to play loose and free with the personal identifying information of Utahns. Rather than protecting Utahns information, they deliberately make it easy for others to access it.
Don’t forget that in 2013, this administration and state legislators allowed the entire Utah Voter Data Base, complete with birth dates, to be posted to the internet. Now the personal identifying information of 1,943,539 Utah voters can be found on voterrecords.com. In addition, an estimated 780,000 Utahns covered by Medicaid along with those enrolled in the Children’s Health Insurance Plan had their personal information stolen from the state by hackers in 2012.
Fortunately, legislators who truly care about protecting Utahns’ are now working on bills to let citizens know how the state protects their information, who the state is sharing it with and, perhaps most importantly, to force the state to take privacy seriously. They will need strong citizen support if they are to succeed since powerful interests will not easily give up their access to Utahns’ personal identifying information held by the state.