BY ELECTRONIC MAIL

Acting Commissioner Beth Berlin August 8, 2019

New York State Education Department
89 Washington Avenue
Albany, NY 12234

Dear Acting Commissioner Berlin:

We write to express our continuing concerns with the Lockport City School
District’s (“Lockport” or the “District”) revised draft privacy policy issued July 2, 2019
(the “Revised Draft Policy”) for its proposed use of facial recognition technology in
Lockport schools. 1 The District publicly issued its first draft policy on Monday, November
5, 2018, revised the policy in February 2019, and then again in July 2019. 2

125 Broad St. 19th Fl.

Despite these multiple revisions, the changes made to the policy do little to quell
New York NY 10004 our concerns about violations to students’ privacy and civil rights. Notwithstanding the
(212) 607-3300 District’s public statements suggesting otherwise, students will still be included in the
facial recognition database due to broad language that allows the district to include anyone
Donna Lieberman
Executive Director it chooses. The policy will still allow the school district to have wide discretion of who can
be placed in the database, and allows almost unfettered discretion over the limits of how
Robin Willner long the data can be stored and with whom it can be shared. Regardless of what changes
President
are made to the policy, the issue remains that facial recognition is an inaccurate and biased
tool that will invade the privacy of students, staff, parents, and community members in the
schools.

Given the significant inaccuracy, bias, privacy, and other concerns with the use of
biometric surveillance, the New York State Education Department (“NYSED”) must
prevent more districts from wasting public money and time on obtaining these systems.
The best solution to protect the students of New York is for NYSED to issue a moratorium
on the use of facial recognition technology and other biometric surveillance in schools.

Concerns with Facial Recognition Technology

As you know, the NYCLU has repeatedly raised our concerns with NYSED about
the use of facial recognition technology in schools. With each passing day, there is
additional reporting about precisely how inaccurate this type of technology is, particularly
when used to identify women, young people, and people of color. 3 These systems infringe

1
July 2, 2019, Policy 5685: Operation and Use of Security Systems/Privacy Protections, available at
https://www.lockportschools.org/site/handlers/filedownload.ashx?moduleinstanceid=10176&dataid=29670
&FileName=Policy%20Review%20and%20Adoption%207-10-19%20and%208-7-19.pdf.
2
The Lockport Board of Education read the Revised Draft Policy and adopted it at the August 7, 2019
school board meeting.
https://www.lockportschools.org/site/handlers/filedownload.ashx?moduleinstanceid=10176&dataid=29712
&FileName=Work%20Session%20August%207%202019.pdf.
3
Joseph Goldstein and Ali Watkins, She Was Arrested at 14. Then Her Photo Went to a Facial Recognition
Database., The New York Times, August 1, 2019, available at
https://www.nytimes.com/2019/08/01/nyregion/nypd-facial-recognition-children-
teenagers.html?action=click&module=Top%20Stories&pgtype=Homepage.
on the privacy rights of students, parents, and staff and negatively impact school climate
by potentially turning everyday school interactions into evidence of a crime or school rule
violation. Additionally, the use of facial recognition technology raises significant concerns
about information sharing with law enforcement agencies, including any connection to law
enforcement and federal immigration databases. The District’s Revised Draft Policy
confirms that it will share the information collected with law enforcement and “other
governmental authorities,” which can include immigration enforcement, under almost any
circumstance. 4 Finally, these systems are vulnerable to hacking, thus putting sensitive
student information in jeopardy. 5

Lockport’s Revised Draft Policy is Inadequate

As noted above, Lockport’s Revised Draft Policy does not alleviate our concerns
about the use of facial recognition technology in a school. Lockport has imposed no
meaningful limits on sharing information produced by the system with law enforcement or
“other governmental authorities,” 6 which can include Immigration and Customs
Enforcement (“ICE”) and the Department of Homeland Security. In fact, the Revised Draft
Policy explicitly states that the “alert” produced from the system will be forwarded directly
to law enforcement. 7 The alert information that will be shared includes the “individual’s
name, category under this policy, the individual’s database photo, camera image, date and
time of an alert confirmation, the camera location, risk level, and status of the alert.” 8 That
the image will have been “verified by control room security officers” 9 does little to alleviate
our concerns as it is unclear what, if any, training these “security officers” will receive and
what exactly the verification process entails.

In addition to this direct information sharing, the District may share information
from the system with law enforcement or other governmental authorities “as required or
permitted by law.” 10 Moreover, select employees must turn over requested information to

4
Revised Draft Policy at p. 4 (“such information may be used as appropriate for disciplinary reasons, and
may be shared with law enforcement or other governmental authorities as required or permitted by law.
However, only the above mentioned, select group of District employees, have access to the system and
must turn over information requested as required by law or at the discretion of the Superintendent and
designees.”) (emphasis added).
5
Justin Murphy, School districts on guard against ransomware attacks after recent surge, Rochester
Democrat and Chronicle, July 30, 2019, available at
https://www.democratandchronicle.com/restricted/?return=https%3A%2F%2Fwww.democratandchronicle.
com%2Fstory%2Fnews%2Feducation%2F2019%2F07%2F30%2Fschool-districts-ransomware-attacks-
syracuse-rochester-cybersecurity%2F1806440001%2F (“In some ways, small school districts are the most
tempting target, as they likely have fewer safeguards in place.”).
6
Revised Draft Policy at p. 4 (“such information may be used as appropriate for disciplinary reasons, and
may be shared with law enforcement or other governmental authorities as required or permitted by law.”).
7
Id. (“Following the verification by a person reviewing the image in the alert, the alert is forwarded to law
enforcement via the alert system.”).
8
Id. at p. 3. Much of this information falls within the definition of “personally identifiable information”
under both New York State Education Law § 2-d and the Family Educational Rights and Privacy Act
(“FERPA”), 34 C.F.R. § 99.31.
9
Id. at p. 2 (“Security alerts generated from the AEGIS facial matching system will be verified by control
room security officers before issued to identify staff.”). This sentence may contain a typo as the previous
sentence refers to “identified staff.”
10
Id. at p. 4 (emphasis added).
2
law enforcement “as required by law or at the discretion of the Superintendent and
designees.” 11 The Superintendent, therefore, has unlimited discretion in determining
whether to share personally identifiable information regarding students with law
enforcement and other governmental authorities. This lack of control on information
sharing directly conflicts with the requirements of FERPA, which prohibits the sharing of
information in education records without parental consent except in enumerated, limited
exceptions. 12 This type of unregulated information sharing puts students in danger of
unnecessary and deeply harmful interactions with law enforcement and, in our current
climate, can expose entire families to threats from ICE.

In order to “comfort” 13 NYSED, in the latest version of the policy, Lockport has
removed “suspended students” as an explicit category of individuals whose personally
identifiable information will be included in its database. 14 But the removal is cosmetic. The
District may still include students in its database due to extremely broad language allowing
it to include nearly any individual it chooses. Category (c) of the Revised Draft Policy
includes “any persons that have been notified that they may not be present on District
property” and category (d) includes “anyone believed to pose a threat based on credible
information presented to the District.” 15 These two categories leave the District wide
discretion, and can and will include students, whether already suspended or not. In fact,
school board members and district employees have publicly acknowledged that students
will still be targeted by this system. 16 The District’s policy also states that the Board of
Education will receive a weekly update “when a suspended student or staff member is
added to the database,” 17 thus directly acknowledging that students will still be included in
the system.

Importantly, the Revised Draft Policy has eliminated the prior policy’s provision
mandating that parents be notified when their child’s photo and other personally
identifiable information is placed in the system. The Revised Draft Policy has also
eliminated the prior policy’s provision that mandated removal of the student’s photo from
the system once the suspension has concluded or circumstance has been resolved. In light
of the fact that students’ photographs and personally identifiable information will still be
placed in the system, these omissions are concerning.

In our November 2018 letter, we flagged that the existing policy failed to include
any protocols for situations in which the system produced a false match. The Revised Draft

11
Id. (emphasis added).
12
34 C.F.R. § 99.31.
13
Connor Hoffman, Suspended students may be out for Lockport facial recognition, The Lockport Journal,
July 15, 2019, available at https://www.lockportjournal.com/news/local_news/suspended-students-may-be-
out-for-lockport-facial-recognition/article_1cbe6670-bc8f-52cb-9073-0684415a2ba6.html.
14
Revised Draft Policy at p. 3 (“The input and maintenance of personally identifiable information in the
District’s security systems will be limited to the following individuals…”).
15
Id.
16
See Hoffman, supra note 12 (“Trustee John Craig pointed out that the policy revisions still leave open the
possibility for a person considered a threat to be in the database, and he noted that could include suspended
students that might be a threat to the district….Deborah Coder, assistant superintendent of finance and
management services, said that if there was such an ‘egregious’ issue with a student the policy still gives
the superintendent the ability to put them in the system.”).
17
Revised Draft Policy at p. 3.
3
Policy has been amended to include mention of potential misidentifications but the only
outcome is that “no record of such alert shall be maintained as part of the misidentified
student’s educational record although the alert record shall be otherwise maintained by the
District solely for purposes of continuing audit and review of security system operation.” 18
The policy fails to mention whether any discipline received by the student based on a false
match will be expunged from his or her record and how any criminal or other records and
consequences produced by this misidentification will be corrected. Further, the policy
implies that the only harm from a false match would be to the student’s educational record,
without mentioning the lasting psychological harm associated with being falsely identified,
being told they don’t belong in the school community or that they are a threat, and being
seized and possibly interrogated by law enforcement (potentially repeatedly).

Further, many of our previously raised concerns have still not been addressed in the
Revised Draft Policy. The District still intends to use the system “for disciplinary
purposes,” 19 thus raising the specter that students’ movements and associations will be
reconstructed from months of biometric surveillance data in order to address infractions of
the discipline code. In addition, the Revised Draft Policy contains multiple exceptions that
would allow the data from the system to be stored for longer than the proposed 60 days,
including the information’s use in an investigation. 20

Finally, as stated above, the Revised Draft Policy continues to raise questions about
the District’s compliance with New York Education Law § 2-d and FERPA. Student
images and facial characteristics are clearly a protected part of a student’s biometric record
which is included in the definition of “personally identifiable information” under both
FERPA and §2-d. 21 The District has an obligation to protect this highly sensitive data and
NYSED has a responsibility to ensure its compliance. Conspicuously absent from the
Revised Draft Policy is any mention of which entity maintains or hosts the facial
recognition technology system, and therefore the images and data and personally
identifiable information produced from it. It remains unclear whether the District, the
private company that sold the technology, or another third party will repair the system, if
needed, and whether these vendors qualify as “third party contractors” under § 2-d, and
thus would be subject to its requirements. 22

18
Id.
19
Revised Draft Policy at p. 4 (“…such information may be used as appropriate for disciplinary
reasons...”).
20
Id. (“The security cameras only capture images and no images collected form security systems are stored
for longer than 60 days, unless the information is being evaluated or preserved as part of an investigation,
or retained in conjunction with a log of confirmed security alerts.”).
21
“Biometric record, as used in the definition of personally identifiable information, means a record of one
or more measurable biological or behavioral characteristics that can be used for automated recognition of
an individual. Examples include fingerprints; retina and iris patterns; voiceprints; DNA sequence; facial
characteristics; and handwriting.” 34 C.F.R. § 99.3.
22
N.Y. Educ. Law § 2-d (1)(k).
4
Conclusion

Despite nine months of revisions, the District’s Revised Draft Policy is still deeply
flawed. 23 Due to the nature of this type of inaccurate, biased, and intrusive technology, it
will be exceedingly difficult to create any policy that sufficiently addresses all of the harms
of biometric surveillance in schools.

We call for NYSED to issue an immediate moratorium on the use of facial

recognition technology and other biometric surveillance against students, in Lockport 24
and elsewhere around the state. NYSED is running out of time to stop this harmful
technology before it produces irreversible consequences.

Again, we request a meeting with you to discuss this urgent matter. I can be reached
at 212-607-3315 or scoyle@nyclu.org.

Sincerely,

Stefanie D. Coyle
Education Counsel

cc: Tope Akinyemi, Chief Privacy Officer, NYSED

Betty Rosa, Chancellor, Board of Regents

23
Many of the changes that have been made to the policy directly reflect the concerns raised by the
NYCLU, NYSED, and parents. It is extremely troubling that the District was not able to identify those
areas of concern by itself and proactively revise the policy without outside pressure.
24
We also believe that it would be premature for NYSED to allow Lockport to move forward with its facial
recognition system pending the final recommendations from the Artificial Intelligence, Robotics and
Automation Commission and given that the regulations under N.Y. Education Law § 2-d have not yet been
finalized. Michael Gormley, NY seeks to regulate artificial intelligence, assess its impact, Newsday, July
24, 2019, available at https://www.newsday.com/news/region-state/cuomo-artificial-intelligence-new-
york-1.34229861.
5