FBI Wants to Remove Privacy Protections from its Massive Biometrics Database
EFF and 44 Other Organizations Call for More Time to Respond
Since 2008, the FBI has been assembling a massive database of biometric information on Americans. This database, called Next Generation Identification (NGI), includes fingerprints, face recognition, iris scans and palm prints—collected not just during arrests, but also from millions of Americans for non-criminal reasons like immigration, background checks, and state licensing requirements. Now the FBI wants to exempt this vast collection of data from basic requirements guaranteed under the federal Privacy Act—and it’s giving you only 21 business days to object.
Today, EFF, along with 44 other privacy, civil liberties, and immigrants’ rights organizations, sent a letter to the FBI demanding more time to respond.
What is NGI?
NGI contains well over 100-million individual records that include multiple forms of biometric data as well as personal and biographic information. Although many people assume the FBI’s files only include fingerprints and other data associated with criminal activity, much of these records—nearly 50-million individual files—contain data collected for non-criminal purposes. For example, in some states, you’ll need to give the government your prints if you want to be a dentist, accountant, teacher, geologist, realtor, lawyer or even an optometrist. And, since 1953, all jobs with the federal government have required a fingerprint check—not just jobs requiring a security clearance, but even part-time food service workers, student interns, designers, customer service representatives, and maintenance workers.
Just last year, the FBI announced that for the first time it would combine almost all of this non-criminal data with its criminal data in NGI. This means that now, if you submit fingerprints for licensing or for a background check, they’ll most likely end up living indefinitely in NGI—to be searched thousands of times a day for any crime, no matter how minor, by over 20,000 law enforcement agencies across the country and around the world.
And while the FBI has said—for now—it’s keeping non-criminal photographs separate from criminal photos in NGI, if you’re ever arrested for any crime—even for blocking a street as part of a First Amendment-protected protest—your non-criminal photographs will be combined with your criminal record and will become fair game for the same criminal database searches as any mug shot photo. As of December 2015, over 8-million civil records were also in the criminal database.
NGI Disproportionately Impacts People of Color
NGI does not affect everyone equally. Thanks to years of well-documented racially biased police practices, the system includes a disproportionate number of African Americans, Latinos, and immigrants. Face recognition—NGI’s cornerstone biometric technology—is notoriously inaccurate across the board. (According to the FBI, NGI may produce a false match—indicating someone is a suspect for a crime they didn’t commit—at least 15% of the time). But research suggests that face recognition may also misidentify African Americans and ethnic minorities, young people, and women at higher rates than whites, older people, and men, respectively. So even though FBI says NGI’s face recognition isn’t designed to positively identify anyone (it produces a ranked list of possible candidates), there’s a very good chance that an innocent person will be put forward as a suspect for a crime just because their image is in NGI—and an even better chance this person will be a person of color.
NGI’s disparate impact is not limited to facial recognition inaccuracy because FBI records as a whole are also notoriously unreliable. At least 30 percent of people arrested are never charged with or convicted of any crime. But according to the National Employment Law Project, as much as 50 percent of the FBI’s arrest records fail to include information on the final disposition of the case—whether a person was convicted, acquitted, or if charges against them were dropped. If these arrest records aren’t updated with final disposition information, hundreds of thousands of Americans searching for jobs could be prejudiced and lose work. And due to disproportionately high arrest rates, this uniquely impacts people of color.
For Years, FBI Failed to Produce Basic Information about NGI as Required Under Federal Law
EFF and other organizations called for years for the FBI to release more information about NGI and how it impacts your privacy. But the FBI didn’t update its Privacy Impact Assessment for its face recognition program until last September—a full year after its entire “Interstate Photo System” was online and fully operational and as many as seven years after the FBI first started incorporating face recognition-compatible photos into NGI
In fact, the FBI has only this month released a “System of Records Notice” (SORN) about the NGI system as a whole. The federal Privacy Act requires all federal agencies to produce a SORN for any system that collects and uses Americans’ personal information, and this document is supposed to describe exactly how that data is being used and protected. But for years FBI skirted the Privacy Act—instead of producing a new SORN for NGI, it relied on outdated SORNs and Privacy Impact Assessments describing very different systems.
There’s Still A Lot We Don’t Know About FBI’s Plans for NGI
Although the FBI has finally produced a SORN for NGI, there’s still a lot we don’t know. For example, a request for proposals the FBI released last year indicated the agency planned to allow law enforcement officers to collect fingerprints, iris scans, and face recognition data right out in the field and submit that data directly to NGI. This directly contradicts 2012 congressional testimony where an FBI official said NGI would only include “criminal mug shot photos.” A photograph taken in the field before someone is arrested is not a “mug shot.“
The FBI may also decide to use face recognition in other ways. The Bureau indicated in a 2010 presentation that it wants to use NGI to track people’s movements to and from “critical events” like political rallies, to identify people in “public datasets,” and to identify “unknown persons of interest” from photographs. This use of NGI would clearly impact First Amendment-protected activities and would chill speech.
The database could also eventually incorporate photos from other sources like security cameras, social media, or even from state drivers license databases. While NGI is only supposed to include mug shot photos, there don’t appear to be any technical controls to prevent an officer from uploading photos from other sources. We also know that at least 37 states use face recognition for drivers licenses, and the FBI has a whole team working with the states to get access to this data.
What Are We Doing About This?
Despite huge delays in producing federally-mandated information to the public, the FBI now says we only have 21 business days to respond to its proposal to exempt much of NGI from the basic protections of the Privacy Act. These protections allow you to learn what data an agency has on you and require the agency to correct inaccurate data. They also allow you to sue if the agency doesn’t comply with these requirements.
Americans need more than 21 days to comment. The FBI’s SORN and proposal to exempt NGI from the Privacy Act are both complicated. This is why we’ve joined with 44 other privacy, civil liberties and immigrants’ rights organizations in a letter to the FBI requesting at least 30 additional days to respond. Only with that additional time do we think we can perform a thorough analysis of both proposals to ensure the FBI doesn’t do more to violate your civil liberties. After years of delay and stonewalling, the FBI owes it to the public to grant this request.