According to the Electronic Frontier Foundation (EFF), the FBI is developing a facial recognition system that will be able to query a massive database of photos to identify someone based on his or her appearance, regardless of criminal history.
Recently released FBI documents reveal that the bureau is working towards a goal of a fully-operational facial recognition database by the summer of 2014. The EFF was granted these records in response to its Freedom of Information Act lawsuit for information on Next Generation Identification (NGI), the FBI’s growing biometric database that may hold records on as much as a third of the US population. The facial recognition component of this database poses real threats to individual privacy.
Images & Sources
The facial recognition program is just another branch of the FBI’s biometric database that includes a substantial collection of fingerprints of approximately 100 million total records, including retina scans and palm prints. Facial data will be another component of this, along with personal information, such as address, age, race and name. This is a huge database shared with a number of other federal agencies and with the approximately 18,000 tribal, state and local law enforcement agencies across the US.
By 2015, the system will be able to query up to 52 million photos in order to identify people of interest. 46 million of these will be taken from criminal images – such as mugshots – while 4.3 million will be “civil images,” taken from other sources. 215,000 will be from the Repository for Individuals of Special Concern (RISC). Curiously enough, the FBI doesn’t specify where the remaining million photos will come from; 750,000 from the “Special Population Cognizant” category and 215,000 from “New Repositories.”
According to the EFF:
“The FBI does not define either the “Special Population Cognizant” database or the “new repositories” category. This is a problem because we do not know what rules govern these categories, where the data comes from, how the images are gathered, who has access to them, and whose privacy is impacted.”
Criminal and Non-Criminal Images
One of the most worrying aspects about NGI is that it includes both criminal and non-criminal facial images. Currently, if job applicants for a position requiring fingerprinting or a background check of some sort will have their prints sent to and stored by the FBI in its civil print database. Up until now, the FBI has never before collected a photograph along with those prints. This is changing with NGI, as employers could require applicants to provide a mug shot along with their prints. In that case, the FBI will store both facial image and fingerprints along with biographic data on the individual.
Previously, the FBI has never linked the criminal and non-criminal fingerprint databases. With NGI, every record (criminal or not) will have a “Universal Control Number” (UCN) and every search will be run against all records in the database.
State Participation, Massive Expansion
Many states have started participating in the facial recognition component of the FBI’s NGI database. A number of states and law enforcement agencies have been working with the FBI to build out its database of images. In 2012, almost half of US states had at least expressed interest in participating in the NGI pilot program, while several already shared their entire criminal mug shot database with the FBI. It’s the bureau’s goal to bring all states online with NGI by the end of 2014.
The rapid and relatively unbridled expansion of governmental facial recognition programs is a concern for all citizens. The NGI program will enable law enforcement at all levels to conduct a search for non-criminal and criminal face records at the same time. This may cause individuals to be a suspect of criminal cases as a result of a background check for a job application.
Thus far, the FBI and Congress have not enacted meaningful restrictions on what types of data can be submitted to the system, who is able to access the data and how the data can be used. The Privacy Impact Assessment for NGI’s face recognition component has not been updated since 2008, before the current database was even in development. It certainly falls short of addressing all privacy issues that are raised by the NGI.
Although the FBI claims that its ranked candidate list prevents the issue of false positives (i.e. an individual being falsely identified), this certainly isn’t the case. A system that only claims to provide the true candidate in the top 50 candidates 85 percent of the time will obviously return a lot of images of the incorrect individual.
Researchers have shown that the risk of false positives increases as the size of the dataset increases. At 52 million images, the FBI’s facial recognition program contains a very large dataset. This means that many people will be presented as suspects for crimes they didn’t commit. This presents an unacceptable risk and should be monitored closely.
The FBI has released documents revealing its goal of having a fully operational facial recognition database by summer 2014.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) a privacy professional should be comfortable with topics related to this post, including:
- Purposes and uses of PII (I.C.c.)
- Privacy expectations (II.A.)