Report: FBI Doing Poor Job Securing 411 Million Facial Recognition Photos

Privacy experts are arguing this week the FBI isn’t doing enough to safeguard the treasure trove of facial recognition photos in its possession.

Privacy experts are arguing this week the FBI, which maintains a vast – and apparently even larger than expected – treasure trove of facial recognition photos, isn’t doing enough to safeguard the databases, many which contain images of innocent citizens.

According to a report released by the Government Accountability Office on Wednesday the FBI has access to a staggering number of photos, 411.9 million images of U.S. citizens; hundreds of millions more than expected. That number takes into account photos that are part of the FBI’s Facial Analysis, Comparison, and Evaluation (FACE) Services unit, the State Department’s Visa and Passport databases, the Defense Department’s biometric database, and the driver’s license databases of at least 16 states.

The GAO report, “FACE RECOGNITION TECHNOLOGY: FBI Should Better Ensure Privacy and Accuracy,” (.PDF) assessed the FBI’s use of facial recognition technology and whether or not the agency has followed privacy laws. The report was published last month but wasn’t released to the public until this week.

When it comes to maintaining the databases the report makes it clear that the FBI could do a better job at a lot of things, namely verifying that some of the data it receives from external sources, like states and federal agencies, is accurate and doesn’t include innocent people as leads in criminal cases.

A big problem with the system is that when FBI officials carry out a search in FACE’s Next Generation Identification (NGI) database, there’s no false positive rate, meaning it’s unclear how often innocent individuals pop up in searches.

“FBI officials stated that they have not assessed how often NGI-IPS face recognition searches erroneously match a person to the database,” the report reads.

According to the report the FBI rationalizes that the system can spit out up to 50 potential matches, something that nullifies a “positive identification” and in turn makes false positive rates irrelevant.

Another issue is that a large chunk of the photos, like those taken for driver’s licenses, passports and visas, were never taken for criminal investigative purposes but can still be used in searches in several states.

Some states (Texas, Kentucky, Delaware, etc.) only allow license photos to be searched. Others (Michigan, North Dakota, etc.) allow for license, mugshot, and correction photos to be searched. The report claims the FBI is in talks with 18 other states (Massachusetts, Arizona, Florida, etc.) in order to secure access to individuals’ driver’s license photos.

The GAO condemns the FBI for a handful of things throughout the 68-page report but mostly for being sloppy for deploying facial recognition technology without clearing it with the public first and neglecting to complete the requisite reports and assessments around the technology on a timely basis.

In one section the GAO points out that the FBI failed to perform an audit around usage of the NGI database, instead claiming the tool “has not been operational long enough to undergo an audit,” despite being in use since December 2011.

The report also calls out the agency for failing to produce an updated PIA, or Privacy Impact Assessment, for the NGI system. PIAs are reports designed to notify the public of any privacy risks associated with new technologies. The FBI developed one for the tool back in 2008 but failed to provide an update on the technology until 2015.

“The timely publishing of PIAs would provide the public with greater assurance that the FBI is evaluating risks to privacy when implementing systems,” the report reads.

An updated SORN, or System of Records Notice, would have helped improve the public’s general understanding of the technology as well according to the GAO. SORNs, required under the Privacy Act, are published by agencies whenever any information on individuals is stored and recalled. The FBI didn’t publish a SORN on NGI until May 5 of this year, five years after it began using the tool, shortly after the GAO reviewed its systems.

Before partaking in Wednesday’s 15-hour filibuster, Sen. Al Franken (D-Minn.), who helped commission the report, weighed in, stressing the way the FBI is going about its program lacks transparency.

“This GAO report raises some very serious concerns, and reveals that the FBI’s use of facial recognition technology is far greater than had previously been understood,” Franken said in a statement Wednesday, “This is especially concerning because the report shows that the FBI hasn’t done enough to audit its own use of facial recognition technology or that of other law enforcement agencies that partner with the FBI, nor has it taken adequate steps to ensure the technology’s accuracy.

The sheer size of the databases far exceeds what many privacy advocates expected. The Electronic Frontier Foundation estimated last month that NGI contained roughly 100 million biometric records; it turns out the actual number is more than four times that amount.

Privacy advocates at the EFF have long been troubled by the NGI and the concept of millions of images being stored for non-criminal purposes.

“Over and over, the FBI’s secret data collection practices confirm why we need more transparency, not less,” Jennifer Lynch, a Senior Staff Attorney with the EFF wrote regarding the GAO report Wednesday.

The news is particularly concerning in wake of the FBI’s recent request that the database and some of its facial recognition capabilities be exempt from the Privacy Act, a move that could have huge implications for civil liberties. It was with that in mind that the EFF, along with 44 other privacy and civil liberty groups, sent a letter to the FBI, at the tail end of last month asking for more time to respond to the FBI, which gave 21 business days for anyone to object.

“Only with that additional time do we think we can perform a thorough analysis of both proposals to ensure the FBI doesn’t do more to violate your civil liberties. After years of delay and stonewalling, the FBI owes it to the public to grant this request,” Lynch said at the time.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.