Two articles separated by +++
With Little Fanfare, FBI Ramps Up Biometrics Programs (Yet Again) Part 1
by Jennifer Lynch
Electronic Frontier Foundation, September 18, 2015
https://www.eff.org/deeplinks/2015/09/little-fanfare-fbi-ramps-biometrics-programs-yet-again-part-1
In the last few years, the FBI has been dramatically expanding its
biometrics programs, whether by adding face recognition to its vast Next
Generation Identification (NGI) database or pushing out mobile biometrics
capabilities for "time-critical situations" through its Repository for
Individuals of Special Concern (RISC). But two new developments--both
introduced with next to no media attention--will impact far more every-day
Americans than anything the FBI has done on biometrics in the past.
FBI Combines Civil and Criminal Fingerprints into One Fully Searchable
Database
Being a job seeker isn’t a crime. But the FBI has made a big change in how
it deals with fingerprints that might make it seem that way. For the first
time, fingerprints and biographical information sent to the FBI for a
background check will be stored and searched right along with fingerprints
taken for criminal purposes.
The change, which the FBI revealed quietly in a February 2015 Privacy Impact
Assessment (PIA), means that if you ever have your fingerprints taken for
licensing or for a background check, they will most likely end up living
indefinitely in the FBI’s NGI database. They’ll be searched thousands of
times a day by law enforcement agencies across the country--even if your
prints didn’t match any criminal records when they were first submitted to
the system.
This is the first time the FBI has allowed routine criminal searches of its
civil fingerprint data. Although employers and certifying agencies have
submitted prints to the FBI for decades, the FBI says it rarely retained
these non-criminal prints. And even when it did retain prints in the past,
they "were not readily accessible or searchable." Now, not only will these
prints--and the biographical data included with them--be available to any
law enforcement agent who wants to look for them, they will be searched as a
matter of course along with all prints collected for a clearly criminal
purpose (like upon arrest or at time of booking).
This seems part of an ever-growing movement toward cataloguing information
on everyone in America--and a movement that won’t end with fingerprints.
With the launch of the face recognition component of NGI, employers and
agencies will be able to submit a photograph along with prints as part of
the standard background check. As we’ve noted before, one of the FBI’s
stated goals for NGI is to be able to track people as they move from one
location to another. Having a robust database of face photos, built out
using non-criminal records, will only make that goal even easier to achieve.
This change will impact a broad swath of Americans. It’s not just
prospective police officers or childcare workers who have to submit to
fingerprint background checks. In Texas, for example, you’ll need to give
the government your prints if you want to be an engineer, doctor, realtor,
stockbroker, attorney, or even an architect. The California Department of
Justice says it submits 1.2 million sets of civil prints to the FBI
annually. And, since 1953, all jobs with the federal government have
required a fingerprint check--not just for jobs requiring a security
clearance, but even for part-time food service workers, student interns,
designers, customer service representatives, and maintenance workers.
The FBI seems to think we should all be OK with this because it has
(ostensibly) given people notice and because the program is limited to only
those people who are required by federal or state rules to provide prints.
But in many parts of the country, this could amount to a very large
percentage of workers (including each and every attorney at EFF)--and for
many people, especially the poor and underemployed, opting out of this
program by choosing a different line of work is truly not a choice at all.
This is not OK. The government should not collect information on Americans
for a non-criminal purpose and then use that same information for criminal
purposes--in effect submitting the data of Americans with no ties to the
criminal justice system to thousands of criminal searches every day. This
violates our democratic ideals and our societal belief that we should not
treat people as criminals until they are proven guilty.
It also subjects innocent Americans to the very real risk that they will be
falsely linked to a crime. In 2004, the FBI mistakenly linked American
attorney Brandon Mayfield to a bombing in Madrid based solely on forensic
fingerprint evidence. The FBI seized his property, and he was imprisoned for
two weeks before agents finally recognized their error and
apologized.Researchers have postulated large face recognition databases
could also result in false matches. This means that many people will be
presented as suspects for crimes they didn’t commit.
Unfortunately, individuals don’t have much recourse. The only way you can
get your prints out of the FBI’s database and stop this repeated invasion of
privacy is either with a court order or if the agency that requires your
prints to be collected also requests for them to be removed. There appears
to be no way for an individual to ask to have their prints removed on their
own[1]
We are disappointed that the FBI chose to go down this path. It could just
as easily have designed its database to keep non-criminal data separate from
criminal data. Or even better, the FBI could go back to its old practices
and not keep the data at all.
[1] Although there may be nothing you can do about the FBI database, local
law enforcement generally faces oversight from local lawmakers and is
susceptible to grassroots pressure. If you want to know whether law
enforcement agencies in your community are using biometric technology, check
out EFF’s Street Level Surveillance Project, where you can file a public
records act request to find out.
+++
With Little Fanfare, FBI Ramps Up Biometrics Programs (Yet Again)--Part 2
By Jennifer Lynch
Electronic Frontier Foundation, September 18, 2015
https://www.eff.org/deeplinks/2015/09/little-fanfare-fbi-ramps-biometrics-programs-yet-again-part-2
As we noted in Part 1 of this story, in the last few years, the FBI has been
dramatically expanding its biometrics programs, whether by adding face
recognition to its vast Next Generation Identification (NGI) database or
pushing out mobile biometrics capabilities for "time-critical situations"
through its Repository for Individuals of Special Concern (RISC). But two
new developments--both introduced with next to no media attention--will
impact far more ordinary Americans than anything the FBI has done on
biometrics in the past. Read about the second development below and the
first here.
The FBI Plans to Populate its Massive Face Recognition Database with
Photographs Taken in the Field
As Privacy SOS reported earlier this month, the FBI is looking for new ways
to collect biometrics out in the field--and not just fingerprints, but face
recognition-ready photographs as well.
The FBI recently issued a request for quotations (RFQ) to build out its
mobile biometrics capabilities. Specifically, it’s looking for software that
can be used on small Android-based mobile devices like Samsung Galaxy phones
and tablets to collect fingerprints and face images from anyone officers
stop on the street.
If the plan goes through, it will be the first time the FBI will be able to
collect fingerprints and face images out in the field and search them
against its Next Generation Identification (NGI) database. According to the
RFQ, FBI’s current mobile collection tools are "not optimized for mobile
operations" because they are large and are limited in scope to determining
if a person has "possible terrorist links (in the U.S. or abroad) or is
likely to pose a threat to the U.S."
This plan appears to be a broad expansion of the FBI’s "RISC" program. RISC
provides mobile fingerprinting tools to determine whether someone is an
"Individual of Special Concern" by allowing access in the field to a
database of "wanted persons, known or appropriately suspected terrorists,
sex offenders, and persons of special interest." The FBI says RISC is
intended for "time-critical situations" and to identify a limited subset of
people within its criminal fingerprint database. But now it appears FBI
intends to use its mobile biometrics collection tools much more broadly.
The biggest concern with this new mobile program is that it appears it will
allow (and in fact, encourage) agents to collect face recognition images out
in the field and use these images to populate NGI--something the FBI stated
in Congressional testimony it would not do.
Specifically, in 2012, Deputy Assistant Director Jerome Pender stated:
Only criminal mug shot photos are used to populate the national repository.
Query photos and photos obtained from social networking sites, surveillance
cameras, and similar sources are not used to populate the national
repository.
But the new RFQ contradicts this because it appears the desired software
would allow officers to submit non-mug shot photos to NGI. The RFQ says the
FBI is looking for a mobile biometrics tool that would, "at a minimum...
include fingerprints and facial photographs for submission and receipt of a
response." Photographs taken in the field are clearly not "mug shot photos"
because they’re taken before booking and possibly even before arrest. And it’s
hard to see how a mobile tool that allows officers to collect these non-mug
shot photos and "submit" them to a database is not also "populating the
national repository."
Unfortunately, as we have noted many times before, we don’t know exactly how
the FBI plans to populate NGI with face images because it hasn’t updated the
Privacy Impact Assessment (PIA) for its photo database since 2008--well
before the development and deployment of NGI’s facial recognition
capabilities. Mr. Pender testified to Congress in 2012 that FBI was in the
process of updating this PIA to "address all evolutionary changes" since
2008. But despite a 2014 letter to then-Attorney General Eric Holder signed
by EFF and 31 other organizations calling for FBI to update the PIA, the
Bureau still fails to explain to Americans exactly how it plans to collect,
use and protect face recognition data. Our calls for an updated PIA are
clearly falling on deaf ears. But without one, it is impossible to tell
exactly how the FBI is limiting its acquisition and use of facial
recognition data now and in the future.
As EFF testified during a Senate Subcommittee hearing on facial recognition,
Americans should be very concerned about the government’s plans to build up
its facial recognition capabilities:
Facial recognition takes the risks inherent in other biometrics to a new
level...[it] allows for covert, remote, and mass capture and identification
of images, and the photos that may end up in a database include not just a
person’s face but also what she is wearing, what she might be carrying, and
who she is associated with.
Given the FBI's broad goals for face recognition data, the time is right for
laws that limit face recognition data collection.
