To: The San Francisco Entertainment Commission
From: PrivacyActivism, the Electronic Frontier Foundation, the Privacy Rights Clearinghouse, IP Justice, Patient Privacy Rights, the Center for Financial Privacy and Human Rights, Chip Pitts of Stanford Law School, Beat the Chip, and the Bill of Rights Defense Committee
Re: Proposed Adoption of Rules Related to Security at Places of Entertainment and One Time Events
April 12, 2011
PrivacyActivism, the Electronic Frontier Foundation, the Privacy Rights Clearinghouse, IP Justice, Beat the Chip, and the Bill of Rights Defense Committee submit these comments in opposition to the proposed rules. If passed, rules 3 and 4 would pose a grave threat to the Constitutional rights to free speech, freedom of association, and to the privacy rights of all patrons who wish to attend events at venues with Place of Entertainment permits in San Francisco. These proposed rules should be rejected immediately.
3) All occupants of the premises shall be ID Scanned (including patrons, promoters, and performers, etc.). ID scanning data shall be maintained on a data storage system for no less than 15 days and shall be made available to local law enforcement upon request. http://www.sfgov2.org/index.aspx?page=2535
The city of San Francisco has a long history of political activism and cultural diversity which would be profoundly threatened by this proposed rule. Events with strong cultural, ideological, and political components are frequently held at venues with Place of Entertainment Permits.
Scanning the ID’s of all attendees at an anti-war rally, a gay night club, or a fundraiser for a civil liberties organization would result in a deeply chilling effect on speech, since participants could not attend without their attendance being noted, stored, and made available on request to government authorities. This would transform the politically and culturally tolerant environment for which San Francisco is famous into a police state.
These proposed regulations raise several problems: they would violate the rights of patrons, enable systemic abuses by law enforcement authorities, allow for troubling secondary uses of the data, and invite theft and fraud by identity thieves and hackers.
The proposed regulations state that personal information shall be made available to local law enforcement upon request, even without a subpoena, warrant, or court order. This co-opting of private surveillance abuses the rights of attendees and violates due process.
A direct pipeline of personal information to the police also invites systemic abuses. The proposed rule would allow police to make a wholesale request for information every fifteen days, creating their own internal database of which individuals visit which particular venues and how often. The last time SFPD created an intelligence unit, a court disbanded it to stop multiple documented abuses. The San Francisco Entertainment Commission should not invite history to repeat itself.
Even if the violation of patrons’ rights freedom of association and due process were not reason enough to discard these proposed rules, there are still serious privacy concerns stemming from the creation of completely unregulated databases full of personal data.
Identification documents contain a vast amount of personal information about the individual, including an address where the individual may be found. Mandating the creation of databases filled with the identifying information of every person attending a venue with a Place of Entertainment permit in San Francisco without mandating any kind of protection, checks and balances, or auditing for such sensitive data creates thousands of new opportunities for abuse and data breach. These databases would be tempting targets for ID thieves and stalkers, not to mention dishonest insiders.
Additionally, the proposed rules contain no explicit ban on secondary uses of information gleaned from scanned driver’s licenses. Without protections for this highly personal information, club owners, marketers, and others are free to collect name, address, height, weight, and birth date and use for whatever purposes they wish. Even if the information is deleted from a data storage system, there is no guarantee that personal information has not been copied over to another device to be used at will by others. Any proposed rules should have an explicit ban on secondary uses of information.
4) High visibility cameras shall be located at each entrance and exit point of the premises. Said cameras shall maintain a recorded database for no less than fifteen (15 days) and made available to local law enforcement upon request. http://www.sfgov2.org/index.aspx?page=2535
Cameras noting when a patron comes and goes are intrusive and oppressive. Because they enable a record of not only the time at which patrons arrive, but also how long they stayed, when coupled with the scanned ID’s of patrons, they can enable a record of associations among patrons, eviscerating their constitutionally-guaranteed right to association.
Requiring venue owners to hand this sensitive information over to law enforcement without a subpoena, warrant, or court order amounts to a breach of patrons’ right to due process.
We are deeply disappointed in the San Francisco Entertainment Commission for considering such troubling, authoritarian, and poorly thought-out rules. The Commission should reject this attack on our most basic civil liberties. San Francisco cannot hope to remain a hub of cultural and political activity if we are stripped of our civil liberties the moment we walk through the door of a venue.