411mn photos on FBI’s facial recognition database – govt watchdog report
“This GAO report raises some very serious concerns, and reveals that the FBI’s use of facial recognition technology is far greater than had previously been understood,” said US Senator Franken (D-Minnesota) in a statement.
“This is especially concerning because the report shows that the FBI hasn’t done enough to audit its own use of facial recognition technology or that of other law enforcement agencies that partner with the FBI, nor has it taken adequate steps to ensure the technology’s accuracy,” added the top Democrat on the Senate Privacy and Technology Subcommittee, which commissioned the GAO report released on Wednesday.
The GAO said that the FBI’s Next Generation Interstate Identification Photo System (NGI-IPS) is a database that maintains photos and other biometric data that can be used in pursuing criminal cases. It allows law enforcement agencies to search a database containing more than 30 million photos of 16.9 million people, but the agency has been slow to assess privacy issues when changes were made to the database.
Biometrics are biological and behavioral characteristics – including such indexes as faces, fingerprints, eye retinas, and gait, among other descriptors – based on which people can be recognized using automated technology.
In 1999, the FBI used the Integrated Automated Fingerprint Identification System (IAFIS), a national computerized system for storing, comparing, and exchanging fingerprint data in digital format. To populate the database, copies of fingerprints taken as a result of an arrest at the local and state level were submitted voluntarily by authorities to the central repository, to go alongside those from federal arrests.
In 2010, the FBI replaced the IAFIS with Next Generation Identification, which included biometric data and face recognition. That has been updated to the NGI-IPS to provide face recognition service, which allows law enforcement to search criminal photos using a probe photo. The database also contains civil identities (photos submitted for licensing, employment, security clearances, military service, volunteer service, and immigration benefits). Over 80 percent of the photos are of criminals.
keep taking selfies, help improve the accuracy of the database https://t.co/uWfAVfRSse— GHOST COP (@GHOSTCOPNYC) June 16, 2016
The report stated that, as part of a pilot program in 2011, the FBI allowed a limited number of states to submit requests for face recognition searches, which were run against a subset of criminal images. Authorized states ran over 20,000 face recognition searches from December 2011 to December 2015 as part of the pilot.
The database became fully operational in April of 2015, and the agency has had an agreement in place with seven states since December 2015 allowing them to search the NGI-IPS. Those states include Florida, Maryland, Maine, Michigan, New Mexico, Texas, and Arkansas. During the pilot program, one state requested just 20 searches, while another asked for 14,000.
The FBI is working to grant eight more states access to the database, with an additional 24 states interested in connecting.
“The agency isn’t conducting operational tests of the system,” said Diane Maurer, a homeland security director at GAO, in a podcast.
While the FBI has tested the system in controlled settings, “what we don’t know is how accurate it is in real-world use,” she said.
Under current laws, the Privacy Act of 1964 places limitations on the ability of agencies to collect, disclose, and use personal information maintained in records systems. Under the act, an agency is required to publish a document known as a System of Records Notice to disclose which categories of individuals have their information stored in the database and the type of data collected.
Privacy advocates have also balked at the scale of the FBI’s facial recognition program.
The report shows that the FBI has a unit called Facial Analysis, Comparison, and Evaluation (FACE) Services that conducts face recognition on the FGI-IPS and can access external partners’ face recognition systems to support active FBI investigations. The total number of face photos available in all searchable repositories amounts to over 411 million, and the FBI is interested in adding additional federal and state face recognition systems to their search capabilities.
The report said the agency is currently negotiating with 18 other states for access to their driver’s license photos to expand FACE services. Since August 2011 through December 2015, the agency has requested 215,000 searches of the databases of its external partners, of which about 30,000 have included searches of state driver’s license databases.
“This report is startling. For years, we’ve known that the FBI was building a database of faces and fingerprints for state and local police and for the FBI itself,” said Alvaro Bedoya, the executive director of the Center on Privacy and Technology at Georgetown University’s law school, reported The Hill. “Today, we learned that database pales in comparison to a separate FBI program that runs face recognition searches on well over 170 million driver’s license photos from sixteen states.”
GAO made recommendations to Attorney General Loretta Lynch, including a request that the DOJ determine why notices hadn’t been published under the privacy act. It also advised that a list of laws be compiled requiring the FBI to conduct tests to determine how accurate the database and external systems actually are.
Senator Franken said in his statement that facial recognition is “a new and powerful tool that holds great promise for law enforcement.”
“But if we don’t ensure its accuracy and guard against misuse, I am concerned about the risk of innocent Americans being inadvertently swept up in criminal investigations,” he said. “Minnesotans and people across the country need more information about how this technology is being used and how it will affect their lives, which is why I will be asking tough questions about the FBI’s use of facial recognition technology and its plans to improve the testing, transparency, and privacy protections of its system.”