Ohio Attorney General David Yost is directing a systematic review of databases under his office's control, including the driver's license database that stores photos and other identifiable information about Ohioans.
This announcement came after the Washington Post reported how the Federal Bureau of Investigation and Immigration and Customs Enforcement have been using facial recognition software to search through state databases that contain photos of residents.
The information was obtained through a public records request by the Georgetown Law's Center on Privacy and Technology and then provided to the Washington Post.
Ohio permits federal law enforcement agencies and law enforcement in other states to access the state's license database if they demonstrate that they need specific information about a person. According to state regulations, an inquiring agency can gain access to the database for facial recognition searches only if it is being used for an ongoing criminal matter to solve or prevent a crime, to reduce an imminent threat to health, or to identify a person who cannot identify himself or herself.
This review will provide a systematic overview of the databases, evaluate the access to outside agencies and evaluate the statutes and memoranda that regulate how that data is used.
"Ohioans expect that law enforcement at both the federal and state levels use all available legal tools to protect them from threats ranging from terrorism to garden variety crimes," Yost said in a statement.
"No Ohioan expects that work to blossom into a surveillance state," he said. "I am confident that Ohio is not at risk. However, as I have reviewed the level of access granted to our database for federal agencies prior to my administration, the picture has become more complicated and less clear."
Gov. Mike DeWine has faced criticism over the past few days over a memorandum he backed in 2016 when he was the state's attorney general. The memorandum was designed to make it easier for the FBI to gain access to the license database for the purpose of facial recognition.
Dan Tierney, a spokesperson for DeWine, told The Center Square that a 1993 law granted the agency the authority to provide this information to federal law enforcement. He said that these agents were only provided access to the database if their request complied with the state’s regulations.
Abusing the system by accessing the database for reasons not permitted in the state regulations would be a crime that would result in criminal charges. When DeWine was the attorney general, he conducted several reviews of law enforcement access to state databases. Tierney said that no cases of abuse were found regarding facial recognition, but that some abuses were found in other cases and some criminal charges were brought against the guilty party.
Tierney said that DeWine supports Yost's review and that it is continuing DeWine's support for frequent reviews. He said that Ohio has been transparent about this policy and that the policies can be found online by anyone through a Google search. He said that when DeWine was creating policies, his advisory board included two state Supreme Court justices and the media had access to public discussions.
Gary Daniels, chief lobbyist of the Ohio ACLU, told The Center Square that the ACLU has expressed concerns about facial recognition from the beginning, but that their concerns extend further than just facial recognition. He called for more transparency about who is accessing the information and for what purposes.
Although there are regulations in place about how the information can be used, Daniels said that residents deserve answers about what agencies are accessing information, how frequently they are doing so, and for what purposes.
"Why do they need to collect so many photos of so many people?" Daniels asked.
There are some valid reasons to why federal agencies would seek access to this information, Daniels added, but there should be more transparency and stricter rules about when agencies can access it.
The attorney general directed his staff to report back to him within 30 days after he directed the review. When more information is known, his office will chart a course designed to balance safety with privacy.