As of a year ago, the FBI had not fully adhered to privacy laws and policies, and had not taken sufficient action to help ensure the accuracy of its facial recognition technology, the Next Generation Identification-Interstate Photo System (NGI-IPS), according to a new Government Accountability Office (GAO) report that updates its May 2016 audit of the FBI’s use of facial recognition technology. Diana Maurer, Director, Homeland Security and Justice at GAO, presented the findings to a House Committee on Oversight and Government Reform hearing Wednesday.
The committee said it learned that, “Approximately half of adult Americans’ photographs are in a FRT database” and “18 states each have a memorandum of understanding (MOU) with the FBI to share photos with the federal government, including from state departments of motor vehicles (DMV). The committee identified Maryland and Arizona as having MOUs with the FBI,” and that the FBI intends to “continue to pursue MOUs with states to gain access to DMV images.”
In addition, the committee learned that the Center on Privacy & Technology at the Georgetown school of law “estimated that, when accounting for all of the databases that law enforcement has access to, nearly one in two Americans is in a facial recognition database,” and that NGI-IPS “includes an Interstate Photo System that allows the FBI and selected state and local law enforcement to search a database of over 30 million photos. The FBI also has agreements with at least 17 states that allow it to request a FRT search of state driver’s license databases.”
GAO’s updated audit revisits the recommendations from its May 2016 audit of the FBI’s use of facial recognition technology. At that time, GAO made six recommendations to address these issues. But as of March 2017, the Department of Justice (DOJ) and the FBI disagreed with three recommendations and had taken some actions to address the remainder, but had not fully implemented them, GAO said in its updated audit.
In May 2016, GAO said it “recommended DOJ determine why privacy impact assessments (PIA) were not published in a timely manner (as required by law) and take corrective action.”
GAO made this recommendation “because the FBI did not update the NGI-IPS PIA in a timely manner when the system underwent significant changes, or publish a PIA for Facial Analysis, Comparison and Evaluation (FACE) Services before that unit began supporting FBI agents.”
DOJ disagreed with GAO on assessing the PIA process, stating it established practices that protect privacy and civil liberties beyond the requirements of the law.
GAO also recommended DOJ publish a System of Records Notice (SORN) and assess that process. “DOJ agreed to publish a SORN, but did not agree there was a legal requirement to do so,” GAO found, saying it “believes both recommendations are valid to keep the public informed on how personal information is being used and protected by DOJ components.”
The committee said it was revealed during its hearing Wednesday “the FBI used facial recognition technology (FRT) for years without first publishing a privacy impact assessment, as required by law … and went to great lengths to exempt itself from certain provisions of the Privacy Act.”
“Privacy Impact Assessments for the FACE Services Unit and the NGI-IPS have been prepared by the FBI, approved by the DOJ, and posted” on the FBI’s website. “These PIAs provide to the public an accurate and complete explanation of how specific FBI components are using face recognition technology in support of the FBI’s mission to defend against terrorism and enforce criminal laws, while protecting civil liberties,” Kimberly J. Del Greco, FBI Deputy Assistant Director leading the Information Services Branch within the Criminal Justice Information Services Division, told the committee, noting, “The PIAs also reflect many of the privacy and civil liberties choices made during the implementation of these programs.”
Continuing, Greco testified that, “The FBI performs audits as they serve an important role in identifying and mitigating risks associated with users of information systems not meeting policy requirements.” She noted that during the “recent audit of the FBI’s use of FR by GAO, the FBI advised that the NGI-IPS operated in a limited capacity as a pilot program from December 2011 through April 2015. While the early stages of planning for formal NGI-IPS audits began during the system’s pilot phase and prior to GAO’s review, the formal draft audit plan was completed on schedule in summer 2015 and approved by the CJIS APB in June 2016.”
“The FBI Criminal Justice Information Services Division’s CJIS Audit Unit currently executes the formal audits to assess compliance with requirements primarily derived from the NGI-IPS Policy and Implementation Guide,” said Greco, who’s served the government for 26 years and developed the Biometric Center of Excellence for exploring and advancing biometric and identity management technologies, and today provides leadership over the Biometric Services Section, the National Instant Criminal Background Check Section and the Information Technology Management Section.
Greco said, “The audit is conducted in conjunction with existing National Identity Services Audits externally at State Identification Bureaus and federal agencies, and may include reviews at a selection of local agencies that access the NGI-IPS. The NGI-IPS audit plan also provides for an internal audit of the FACE Services Unit to be conducted in accordance with existing procedures for FBI internal audits associated with CJIS system access. Procedures for both external and internal audits include review of NGI-IPS system transaction records and associated supporting documentation provided by audit participants.”
GAO had recommended FBI conduct audits to determine if users of NGI-IPS and biometric images specialists in FBI’s FACE Services unit are conducting face image searches in accordance with DOJ policy requirements. The FBI began conducting NGI-IPS user audits in 2017.
Accuracy testing is also limited, GAO reported. In May 2016, GAO “recommended the FBI conduct tests to verify NGI-IPS is accurate for all allowable candidate list sizes to give more reasonable assurance that NGI-IPS provides leads that help enhance criminal investigations.”
GAO reported it “made this recommendation because FBI officials stated they do not know, and have not tested, the detection rate for candidate list sizes smaller than 50, which users sometimes request from the FBI.” GAO “recommended the FBI take steps to determine whether systems used by external partners are sufficiently accurate for FBI’s use.”
“By taking such steps, the FBI could better ensure the data from external partners do not unnecessarily include photos of innocent people as investigative leads,” GAO stated, adding, however, that the “FBI disagreed with these two recommendations, stating the testing results satisfy requirements for providing investigative leads and that FBI does not have authority to set accuracy requirements for external systems.”
Greco said, “The FBI conducted a trade study of FR products, leveraging the NGI Integrator Lockheed Martin, which led to the determination of MorphoTrust as the best cost solution in Fall 2010. The FBI has tested and verified that the NGI FR Solution returns the correct candidate a minimum of 85 percent of the time within the top 50 candidates.” She also told the committee that, “To date, no users have submitted concerns to the FBI regarding the accuracy of face searches conducted on the NGI-IPS.”
In response, GAO said it “continues to believe [its] recommendations are valid because the recommended testing and determination of accuracy of external systems would give the FBI more reasonable assurance that the systems provide investigative leads that help enhance, rather than hinder or overly burden, criminal investigation work.”
GAO also “recommended the FBI conduct an annual operational review of NGI-IPS to determine if the accuracy of face recognition searches is meeting federal, state and local law enforcement needs and take actions, as necessary. DOJ agreed, and in 2017 FBI stated they implemented the recommendation by submitting a paper to solicit feedback from NGI-IPS users on whether face recognition searches are meeting their needs.”
However, GAO said it “believes these actions do not fully meet the recommendation because they did not result in any formal response from users and did not constitute an operational review. GAO continues to recommend FBI conduct an operational review of NGI-IPS at least annually.”
GAO said it “reviewed federal privacy laws, FBI policies, operating manuals and other documentation on its face recognition capability,” as well as interviewing “officials from the FBI and the Departments of Defense and State, which coordinate with the FBI on face recognition.” GAO also interviewed two state agencies that partner with FBI to use multiple face recognition capabilities.