The FBI's vast biometric database is even more vast than most people realized. According to a new government report, the FBI can currently run face recognition on 411.9 million photos. They include mugshots, passport photos and driver license photos from 16 states. The FBI plans to expand the database by partnering with 20 additional states to get access to their driver license databases.
The problem with the database is that the FBI has been remiss about talking about it and not done enough to ensure that the face recognition is accurate, according to the Government Accountability Office's new report on FBI facial recognition usage. The report, released on Wednesday and conducted at the request of Senator Al Franken (D-MN), doesn't mince words with its title: "FACE RECOGNITION TECHNOLOGY: FBI Should Better Ensure Privacy and Accuracy."
The FBI's biometric database includes fingerprints, palm prints, and DNA profiles, but the report focuses on its facial recognition components. That includes the Next Generation Identification-Interstate Photo System (NGI-IPS), which is used by the Bureau and, as of December 2015, seven states, as well as the FBI's internal Facial Analysis, Comparison and Evaluation Services group (FACE), which also has access to databases from the State Department, Defense Department, and 16 states. All told, FACE has access to 411.9 million images for facial recognition purposes, which are used to provide leads, though not concrete identification, for investigations.
At the end of its more than year-long audit, which started in January 2015, the GAO has recommendations for FBI to improve the facial recognition system. It says the Department of Justice should look into why the FBI wasn't producing regular privacy reports; that the FBI should be running regular tests for the accuracy of its face recognition; and that the FBI should also be testing the accuracy of the external state and federal databases on which it relies. It also admonishes the FBI for letting people run searches that return just 2 candidate matches for a photo, when its system is run assuming accuracy when 20 results are returned.
The FBI responded to the report saying that it agrees with some of the GAO's recommendations, but that it has "no authority to set or enforce accuracy standards for face recognition technology" performed by external partners, i.e. the state and local agencies with which it works. While the agency emphasizes the fact that searches are simply used to provide leads, it still means there is no standard for accuracy on searches being performed on hundreds of millions of photos of Americans who've done nothing wrong. Between August 2011 and December 2015 the FBI requested 36,420 searches of the external partner databases over which it says it cannot enforce accuracy.
While FBI director Jim Comey and general counsel James Baker have publicly claimed to have learned from the agency's history of illegal and overly broad spying on Americans, this report provides evidence beyond what already exists that that's not the case. Rather, what the FBI seems to have learned is that, at least when it comes to new technology, the key to carrying out mass surveillance is to externalize standards setting as far as possible in order to avoid meaningful scrutiny.
All this news is alarming on its face, but it's made worse by the fact that the FBI wants the biometrics database of which the NGI-IPS is a part exempted from disclosures required by the Privacy Act. The FBI's request, which has been publicly opposed by a coalition of civil society and private groups, would make it so that the FBI wouldn't have to tell individuals what biometric information the FBI has collected about them.
Alvaro Bedoya, the head of Georgetown's Center on Privacy & Technology (and former Chief Counsel to Senator Franken), called the report a "game-changer." He honed in on the scope of the drivers' license database access in particular.
"This report is startling. For years, we’ve known that the FBI was building a database of faces and fingerprints for state and local police and for the FBI itself," Bedoya said in a statement. "Today, we learned that database pales in comparison to a separate FBI program that runs face recognition searches on well over 170 million driver’s license photos from sixteen states."
Facial recognition technologies have improved a lot in recent years, and last summer the GAO also issued a report suggesting that Congress consider improving consumer privacy laws governing their use. However, such technologies remain largely under-or-unregulated, and many of them still have major problems. Researchers have recently raised concerns that many facial recognition softwares have racial bias problems, such as identifying images of black people less accurately.
Beyond the scope of the databases the FBI has access to, the GAO also points out that the Bureau has done a poor job of keeping up with mandatory reporting on their facial recognition programs impact on privacy. There are only two such brief reports on the FBI's website at the moment: one from 2004, and another on FACE that was approved in May 2015.
In a statement issued in response to the report, Senator Franken criticized the FBI's lax auditing.
"[T]he report shows that the FBI hasn't done enough to audit its own use of facial recognition technology or that of other law enforcement agencies that partner with the FBI, nor has it taken adequate steps to ensure the technology's accuracy."
So as more and more photos are being made available for facial recognition searches a federal agency with a history of dodging scrutiny is outsourcing standard-making to state and local agencies. What could go wrong?
Ethan Chiel is a reporter for Fusion, writing mostly about the internet and technology. You can (and should) email him at firstname.lastname@example.org