Today the federal Government Accountability Office (GAO) finally published its exhaustive report on the FBI’s face recognition capabilities. The takeaway: FBI has access to hundreds of millions more photos than we ever thought. And the Bureau has been hiding this fact from the public—in flagrant violation of federal law and agency policy—for years.
According to the GAO Report, FBI’s Facial Analysis, Comparison, and Evaluation (FACE) Services unit not only has access to FBI’s Next Generation Identification (NGI) face recognition database of nearly 30 million civil and criminal mug shot photos, it also has access to the State Department’s Visa and Passport databases, the Defense Department’s biometric database, and the drivers license databases of at least 16 states. Totaling 411.9 million images, this is an unprecedented number of photographs, most of which are of Americans and foreigners who have committed no crimes.
The FBI has done little to make sure that its search results (which the Bureau calls “investigative leads”) do not include photos of innocent people, according to the report. The FBI has conducted only very limited testing to ensure the accuracy of NGI’s face recognition capabilities. And it has not taken any steps to determine whether the face recognition systems of its external partners—states and other federal agencies—are sufficiently accurate to prevent innocent people from being identified as criminal suspects. As we know from previous research, face recognition is notoriously inaccurate across the board and may also misidentify African Americans and ethnic minorities, young people, and women at higher rates than whites, older people, and men, respectively.
As the Report points out, many of the 411.9 million face images to which FBI has access—like driver’s license and passport and visa photos—were never collected for criminal or national security purposes. And yet, under agreements we’ve never seen between the FBI and its state and federal partners, the FBI may search these civil photos whenever it’s trying to find a suspect in a crime. As the map above shows, 18 more states are in negotiations with the FBI to provide similar access to their driver’s license databases.
The states have been very involved in the development of the FBI’s own NGI database, which includes nearly 30 million of the 411.9 million face images accessible to the Bureau (we’vewritten extensively about NGI in the past). NGI includes more than 20 million civil and criminal images received directly from at least six states, including California, Louisiana, Michigan, New York, Texas, and Virginia. And it appears five additional states—Florida, Maryland, Maine, New Mexico, and Arkansas—can send search requests directly to the NGI database. As of December 2015, FBI is working with eight more states to grant them access to NGI, and an additional 24 states are also interested.
The GAO Report spends a significant number of pages criticizing FBI for rolling out these massive face recognition capabilities without ever explaining the privacy implications of its actions to the public. Federal law and Department of Justice policies require the FBI to complete a Privacy Impact Assessment (PIA) of all programs that collect data on Americans, both at the beginning of development and any time there’s significant change to the program. While the FBI produced a PIA in 2008, when it first started planning out the face recognition component of NGI, it didn’t update that PIA until late 2015—seven years later and well after it began making significant changes to the program. It also failed to produce a PIA for the FACE Services unit until May 2015—three years after FACE began supporting FBI with face recognition searches. As GAO notes, the whole point of PIAs is to give the public notice of the privacy implications of data collection programs and to ensure that privacy protections are built into the system from the start. The FBI failed at this.
The single bright spot in the report reiterates that FBI decided not to allow searches of civil photos enrolled in NGI to “better protect individuals’ privacy.” This is a hollow victory, however, because if you’ve ever been arrested for any crime at all—including blocking a street as part of a public protest—your civil photos will be linked to your booking photo and subject to face recognition searches along with all the other 29.7 million images in NGI.
The GAO’s findings are especially shocking, given the timing. Just over a month ago the FBI demanded its face recognition capabilities be exempt from several key provisions of the federal Privacy Act—and provided the public with only 30 days to respond. Over and over, the FBI’s secret data collection practices confirm why we need more transparency, not less. In the coming weeks, we’ll be asking you to sign on to our comments to the FBI’s proposal. Help us send a message to the FBI that its practices are unacceptable and must change.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.