In 2017, the Committee on Oversight and Reform, the primary investigative arm of the U.S. House of Representatives, set its sights on San Diego.
The chair and ranking member wanted to learn more about how the city and the region had been pioneering a controversial form of technology capable of unmasking people’s identities. They’d read news articles suggesting that San Diego’s use of facial recognition was more advanced than other metros.
The task of giving Congress what it wanted fell on Tiffany Vinson, an employee in the city’s Office of Homeland Security.
The San Diego Police Department had been using devices with facial recognition for years. But because the program was managed by the Automated Regional Justice Information System, or ARJIS, a regional law enforcement agency, many of the records the committee requested were actually in the possession of the San Diego Association of Governments, not the city.
Vinson passed along a few dozen documents in a pair of binders sent to Washington, D.C. But as she later alleged in a lawsuit, the binders contained only a portion of the records owed to Congress and she later lost her job for trying to blow the whistle internally.
SANDAG confirmed that ARJIS in 2017 provided records to the city of San Diego on a USB drive in response to the congressional inquiry but couldn’t say for sure what was on it because ARJIS’s executive director has since passed away. Vinson’s attorney, Dante Pride, said someone at the city transferred a select portion of the records onto a disk, dropped it on her desk and instructed her not to save copies but to simply relay the information in physical formats.
Although most of those records originated with ARJIS, and could be easily obtained through ARJIS or SANDAG, the point of not keeping copies of the files on city servers, Pride said, was to avoid creating a paper trail inside the city and deflect attention away from then-Mayor Kevin Faulconer, who’s now running for governor.
In her lawsuit, Vinson portrays a culture within the city that routinely violated the California Public Records Act, one of the main instruments of transparency available to regular people and the powerful alike — in this case, congressional investigators.
“The city hasn’t been forthcoming with many of these requests,” Pride said. “If they can withhold pertinent documents … from the federal government, imagine what they’re doing to victims of police misconduct, people who are trying to get a little bit of oversight, Brown Act violations, etc.”
When NBC 7 first reported on Vinson’s lawsuit last year, SDPD said she misrepresented the way the city responds to records requests. In legal papers filed a few days later, the city denied each of the points she raised.
But at least one of her most damning allegations checks out — that the city deprived Congress of unflattering information about facial recognition, including the technology’s racial bias, and failed to hang onto records, meaning members of the public couldn’t access them in the future.
In April, the committee made a portion of its records, including an index, available on its website in response to my inquiry. I compared the documents the committee received against a larger set released by SANDAG to a variety of sources over the years, and found that the city’s response in 2017 had the effect of downplaying internal concerns over the program.
For starters, the city didn’t share with Congress all of the memos and agreements showing that some of the funding for the devices came from U.S. Department of Homeland Security grants, which was a particular point of interest for the committee. Congressional staffers wanted to know how federal money had aided in the expansion of facial recognition across the country. The program in San Diego went back further than most people realized.
Police have generally maintained that facial recognition is an important investigative tool, especially when the person they’re holding or questioning doesn’t have identification. But widespread concerns over the use of facial recognition, and its implications for the civil rights and liberties of people of color — some of whom have been falsely identified and accused of crimes in other states — led California to temporarily ban police use of the technology in 2020.
There’s now a push at the national level to go even further and ban private use of the technology as well.
San Diego officials have known about the racial bias inherent in the technology for a decade. A privacy impact assessment produced in 2011 and in the possession of ARJIS at the time of the congressional inquiry noted that “certain skin tones may cause problems with specific cameras, local lighting, or other environmental conditions.” It also warned that the government’s ability to identify individuals risked undermining the ability to be anonymous, “an important right in a free society.”
Several of the documents relayed to Congress by the city referred to the privacy impact assessment, and one even mentioned where people could find it online, though the website link no longer works. Instead, the city provided a list of frequently asked questions, including: “Does the race, gender, hair style or hair color affect the results?”
The answer, which contradicted the findings of the privacy impact assessment: “No. For each digital image, the algorithm makes measurements between the eyes, the tip of the nose and other strategic points within the facial structure and counts the pixels between them in order to assign the alphanumeric value to the image.”
Another report produced 2017 and in ARJIS’s possession when the committee reached out, walked through the potential harms that can occur when public agencies gather up little bits of information about people that reveal something larger about their political, social, cultural, philosophical or religious beliefs. The document was an agency-wide review of technology under SANDAG’s purview, not limited to facial recognition, but laid out mitigation strategies in general to avoid abusing the technology.
One section focused on the chilling effects of any institution that pays close attention, in routine and systematic ways, to individuals, thereby becoming a means of social control. It noted: “The mere possibility of surveillance has the potential to make people feel uncomfortable, cause people to alter their behavior, and lead to self-censorship and inhibition.”
A third report in ARJIS’s possession at the time included testimonials from law enforcement personnel in San Diego who’d tested out the technology in 2011 and 2012, some of whom were gushing over its capabilities to unmask individuals who are undocumented. “We went over to the holding cells this morning to try out the TACID software,” one ICE agent wrote. “Pulled out three aliens who were recent jail releases. Took pictures and let the machine do the rest.”
None of those records were relayed to Congress, even though the committee had asked not just for financial records, policies and guidance, but anything “referring or relating to any allegations of misuse of facial recognition technology.” Other testimonials did show up in the city’s response, but typically those involving the unmasking of suspects accused of serious crimes and mentioned as asides in PowerPoint presentations.
It’s possible, of course, that city officials withheld some documents from Congress because they didn’t believe those documents fell within the parameters of the original request. Indeed, a letter the city sent to then-Rep. Jason Chaffetz, the committee chair at the time — who resigned only a few weeks later — and ranking member Rep. Elijah Cummings in 2017 states: “All documents located during the search that are responsive have been produced to the Committee.”
It’s also possible that city officials never viewed the committee’s demands as something rising to the level of the California Public Records Act and therefore outside the obligations of that law. Indeed, the committee has the authority to investigate “any matter” at “any time” under House Rule X, and noted as much in its original letter.
Kurt Bardella, a former committee staffer who contributes opinion pieces to major media outlets, told me that the letter San Diego got amounts to a mere ask for information on a voluntary basis and differs from a subpoena, which is a legally codified request for information. The letter also becomes void once the new representatives are seated.
“Any request that is made from one Congress does not carry over into the next Congress,” he said. “It would have to be reissued.”
But even if the request fell under the rules established by the U.S House of Representatives and not the California Public Records Act, San Diego should have been more forthcoming about what was being withheld and what information was contained within those documents. In the fine print of the committee’s letter, it states that officials needed to provide a log explaining why a document was considered privileged.
The congressional materials I reviewed do not contain any such justifications.
The city’s response also didn’t include a number of statistical reports showing how prevalent the program really was. Its participants included state, local, federal and tribal representatives from across San Diego County.
In late 2013, for instance, there were 178 active devices in the field and 113 registered users from 17 agencies — including Immigration and Customs Enforcement — who ran a total of 5,629 queries. By 2015, there were 433 active devices in the field and 991 registered users from 30 agencies who ran a total of 12,623 queries. They got a match 20 percent of the time.
Again, the same information would have been easily obtainable if the committee had gone directly to ARJIS through SANDAG. But it didn’t. So the city wound up offering a mostly positive glimpse into the program. It told Congress that city personnel were in possession of only 122 devices, which was technically true, but left out the additional context.
The binders sent to Congress do include a PowerPoint presentation from 2014 listing the other local agencies in possession of facial recognition devices at the time as well as the number of queries and matches. The text accompanying that particular slide says, “Success!! 41 documented success stories.”
By the time the Electronic Frontier Foundation, a digital privacy group, demanded that the program be shut down in 2019, the number of devices had grown across the region to 1,309 and had been responsible for 65,500 queries over a three-year period.
Rather, a considerable portion of the city’s response in 2017 included the agendas and minutes of various SANDAG public safety committee meetings between 2012 and 2015 when facial recognition had come up for discussion. There were also federal rules and regulations, grant guidelines, use policies, joint powers agreements and a pair of memos written separately by the ACLU and then-Councilman Todd Gloria, both essentially urging Faulconer to put greater restraints on surveillance. He didn’t.
To this day, the city claims not to have a copy of the binders that Vinson submitted to Congress. By failing to hang on to those materials, San Diego gave itself an out should anyone else go looking. A search of NextRequest, the city’s public records portal, reveals that at least 20 people or organizations have asked for facial recognition records since June 2017.
Some of those requests are specific — for instance, one asked for a list of people who’d been identified on a device using facial recognition. But many of the requests were broad enough that they should have included at least some of records submitted to Congress. Yet several of those inquiries yielded nothing at all.
Vinson deferred questions about her time working for San Diego to her attorney, and her lawsuit doesn’t spell out who exactly gave her the disk containing the records that were ultimately sent to the U.S House of Representatives. Pride, Vinson’s attorney, declined to name names in an interview but said he may reveal more once the fact-finding part of Vinson’s wrongful termination case is completed. He said he plans to depose several current and former officials this summer, and that might include Faulconer.
Fallout
It’s likely that the entire incident would have gone unnoticed if not for another unconnected event — Faulconer’s decision in 2019 to fold the city’s Office of Homeland Security into SDPD. A seemingly benign restructure, the move had the effect of giving police leaders more control over emergency preparedness and training and the distribution of anti-terrorism funds across the region.
Vinson got her start in a City Council member’s office, then went on to become a homeland security coordinator in 2015 and helped integrate drones into civic and commercial life. She reported to John Valencia, then the executive director of the Office of Homeland Security, who ended up losing his job because of Faulconer’s restructure. Valencia was replaced by another official who reported to a police captain rather than the city’s chief operating officer.
Pride said Vinson had complained to Valencia about how the city handled records requests. After Valencia left, she worried that the city’s response to Congress over facial recognition two years prior would come back to haunt her — and she feared becoming the scapegoat.
“The only person left holding the bag in her mind was her,” Pride said.
Vinson’s lawsuit mentions the congressional inquiry but alludes to other potential violations of the California Public Records Act without going into specifics. In court papers, she said employees would share physical copies of documents, or have discussions in person, with the explicit purpose of keeping those conversations and documents private.
SDPD, specifically, she said, would routinely label public records “for official use only” so that members of the public couldn’t access them. She said there was no oversight or review of the internal classification system created by law enforcement personnel to keep information — ostensibly connected to homeland security — a secret.
A separate lawsuit filed late last year by the newspaper La Prensa made a similar allegation and helped vindicate another one of Vinson’s allegations.
The city’s Office of Homeland Security oversees the distribution of anti-terrorism funds every year through a law enforcement working group made up primarily of police and fire personnel. The group has long maintained that it is not a legislative body and so by extension its conversations and records are not subject to public records law. In response to legal pressure, though, the group rewrote its charter earlier this year and the city has started giving up documents that still bear the language “for official use only.”
In her lawsuit, Vinson said she filed a complaint in July 2019, as the Office of Homeland Security was rolled into SDPD, with the city auditor’s fraud, waste and abuse hotline, alleging that several employees, going all the way up to Police Chief David Nisleit, were routinely violating the California Public Records Act. (Shelley Zimmerman was police chief at the time of the congressional request, and Nisleit took over in 2018.)
Those complaints are supposed to be confidential. According to the city’s website, the hotline was set up for employees who don’t feel comfortable going through the chain of command for fear of retaliation. The complaints are reviewed by a committee, and the auditor’s office has its own investigators, who will typically do the investigative work themselves if a manager is suspected of fraud or if the allegation is serious. Otherwise, complaints tend to go to the person in the department who manages the person being accused.
A city auditor’s report from the second quarter of fiscal year 2020 confirms that someone filed a complaint on July 1, 2019, for “Allegation of Public Records Act abuse at a City department.” It’s labeled as “open/unresolved.”
The auditor’s office declined to comment on any complaints Vinson may have filed, citing the ongoing civil litigation and the confidential nature of complaints, but took issue with the way her lawsuit frames the complaint process generally.
Vinson suspects that word of her complaint got back to SDPD, because, she said in court papers, the police captain who took over the Office of Homeland Security fired her a couple days later. According to her lawsuit, she appealed the decision to an assistant city manager who allowed her to come back, but she didn’t have a clear sense of what her job responsibilities might still be. In the weeks that she was out — she’d been scheduled to go on medical leave — the drone program had been given to a contractor.
In an interview, Pride described the work environment upon Vinson’s return as “weird and uncomfortable,” and said it gave her the impression “she wasn’t supposed to be there” — for instance, her email no longer worked. She quit after one day and eventually took another job elsewhere.
SDPD declined to comment, citing the ongoing litigation, and Faulconer couldn’t be reached through his campaign team. A spokesperson for Rep. Darrell Issa, who was a member of the committee in 2017, didn’t return a request for comment either.
Since 2017, the U.S. House of Representatives Committee on Oversight and Reform has met at least three times to take testimony on facial recognition technology. In the transcripts of two hearings from 2019 and one from 2020, San Diego was only mentioned on a single occasion — by Clare Garvie, a senior associate at the Georgetown University’s Center on Privacy and Technology. She testified: “San Diego found that their police used face recognition up to two and a half times more on African Americans than on anyone else.”
I asked Garvie where she got her information and she pointed to an ARJIS presentation that includes a couple more eye-opening stats: 15 percent of women are targeted with facial recognition for “voyeuristic reasons” and 65 percent of teenagers are targeted for no reason at all.
That presentation was given to the SANDAG board in 2015, more than two years before the committee reached out to San Diego. It also wasn’t included in the city’s response to Congress.