Prior to deploying the FBI’s deploying the Next Generation Identification-Interstate Photo System (NGI-IPS) — a facial recognition service that allows law enforcement agencies to search a database of over 30 million photos to support criminal investigations – “the FBI conducted limited testing to evaluate whether face recognition searches returned matches to persons in the database (the detection rate) within a candidate list of 50, but has not assessed how often errors occur,” a new Government Accountability Office (GAO) audit report stated.
GAO said, “FBI officials stated that they do not know, and have not tested, the detection rate for candidate list sizes smaller than 50, which users sometimes request from the FBI.”
“By conducting tests to verify that NGI-IPS is accurate for all allowable candidate list sizes, the FBI would have more reasonable assurance that NGI-IPS provides leads that help enhance, rather than hinder, criminal investigations,” GAO reported.
“Additionally,” GAO found, “the FBI has not taken steps to determine whether the face recognition systems used by external partners, such as states and federal agencies, are sufficiently accurate for use by FACE Services [Facial Analysis, Comparison and Evaluation] to support FBI investigations. By taking such steps, the FBI could better ensure the data received from external partners is sufficiently accurate and do not unnecessarily include photos of innocent people as investigative leads.”
The FBI’s FACE unit provides face recognition capabilities, among other things, to support active FBI investigations.
Continuing, GAO, Congress’ investigative arm, revealed that, while the Department of Justice (DOJ) developed a privacy impact assessment (PIA) of NGI-IPS in 2008, as required under the E-Government Act whenever agencies develop technologies that collect personal information, “the FBI did not update the NGI-IPS PIA in a timely manner when the system underwent significant changes or publish a PIA for FACE Services before that unit began supporting FBI agents.”
GAO report that, “DOJ ultimately approved PIAs for NGI-IPS and FACE Services in September and May 2015, respectively. The timely publishing of PIAs would provide the public with greater assurance that the FBI is evaluating risks to privacy when implementing systems. Similarly, NGI-IPS has been in place since 2011, but DOJ did not publish a System of Records Notice (SORN) that addresses the FBI’s use of face recognition capabilities, as required by law, until May 5, 2016, after completion of GAO’s review.”
GAO said, “The timely publishing of a SORN would improve the public’s understanding of how NGI uses and protects personal information.”
GAO recommended the Attorney General determine why PIAs and a SORN were not published as required and implement corrective actions, and for the FBI director to conduct tests to verify NGI-IPS is accurate and to take steps to determine whether systems used by external partners are sufficiently accurate for FBI’s use.
“DOJ agreed with one, partially agreed with two, and disagreed with three of the six recommendations,” GAO stated, noting that, “in response, GAO clarified one recommendation, updated another recommendation and continues to believe that all six recommendations remain valid” as discussed in its audit report.