In the last few years, the FBI has been dramatically expanding its biometrics programs, whether by adding face recognition to its vast Next Generation Identification (NGI) database or pushing out mobile biometrics capabilities for  “time-critical situations” through its Repository for Individuals of Special Concern (RISC). But two new developments—both introduced with next to no media attention—will impact far more ordinary Americans than anything the FBI has done on biometrics in the past. Read about the second development below and the first here.

FBI Plans to Populate its Massive Face Recognition Database with Photographs Taken in the Field

As Privacy SOS reported earlier this month, the FBI is looking for new ways to collect biometrics out in the field—and not just fingerprints, but face recognition-ready photographs as well.

The FBI recently issued a request for quotations (RFQ) to build out its mobile biometrics capabilities. Specifically, it’s looking for software that can be used on small Android-based mobile devices like Samsung Galaxy phones and tablets to collect fingerprints and face images from anyone officers stop on the street.

If the plan goes through, it will be the first time the FBI will be able to collect fingerprints and face images out in the field and search them against its Next Generation Identification (NGI) database. According to the RFQ, FBI’s current mobile collection tools are “not optimized for mobile operations” because they are large and are limited in scope to determining if a person has “possible terrorist links (in the U.S. or abroad) or is likely to pose a threat to the U.S.”

This plan appears to be a broad expansion of the FBI’s “RISC” program. RISC provides mobile fingerprinting tools to determine whether someone is an “Individual of Special Concern” by allowing access in the field to a database of “wanted persons, known or appropriately suspected terrorists, sex offenders, and persons of special interest.” The FBI says RISC is intended for “time-critical situations” and to identify a limited subset of people within its criminal fingerprint database. But now it appears FBI intends to use its mobile biometrics collection tools much more broadly.

The biggest concern with this new mobile program is that it appears it will allow (and in fact, encourage) agents to collect face recognition images out in the field and use these images to populate NGI—something the FBI stated in Congressional testimony it would not do.

Specifically, in 2012, Deputy Assistant Director Jerome Pender stated:

Only criminal mug shot photos are used to populate the national repository. Query photos and photos obtained from social networking sites, surveillance cameras, and similar sources are not used to populate the national repository.

But the new RFQ contradicts this because it appears the desired software would allow officers to submit non-mug shot photos to NGI. The RFQ says the FBI is looking for a mobile biometrics tool that would, “at a minimum . . . include fingerprints and facial photographs for submission and receipt of a response.” Photographs taken in the field are clearly not “mug shot photos” because they’re taken before booking and possibly even before arrest. And it’s hard to see how a mobile tool that allows officers to collect these non-mug shot photos and “submit” them to a database is not also “populating the national repository.”

Unfortunately, as we have noted many times before, we don’t know exactly how the FBI plans to populate NGI with face images because it hasn’t updated the Privacy Impact Assessment (PIA) for its photo database since 2008—well before the development and deployment of NGI’s facial recognition capabilities. Mr. Pender testified to Congress in 2012 that FBI was in the process of updating this PIA to “address all evolutionary changes” since 2008. But despite a 2014 letter to then-Attorney General Eric Holder signed by EFF and 31 other organizations calling for FBI to update the PIA, the Bureau still fails to explain to Americans exactly how it plans to collect, use and protect face recognition data. Our calls for an updated PIA are clearly falling on deaf ears. But without one, it is impossible to tell exactly how the FBI is limiting its acquisition and use of facial recognition data now and in the future.

As EFF testified during a Senate Subcommittee hearing on facial recognition, Americans should be very concerned about the government’s plans to build up its facial recognition capabilities:

Facial recognition takes the risks inherent in other biometrics to a new level...[it] allows for covert, remote, and mass capture and identification of images, and the photos that may end up in a database include not just a person’s face but also what she is wearing, what she might be carrying, and who she is associated with.

Given the FBI's broad goals for face recognition data, the time is right for laws that limit face recognition data collection.