« Sometimes In Class Action Settlements Plaintiffs Gain Nothing, But Risk Everything | Home | There Are No OLC Opinions About PRISM or 215, So Who Decided It Was Legal? »

The FBI is "Working" on an Updated Privacy Statement for Facial Recognition

Jeramie Scott imageFacial recognition technology presents a serious risk to privacy and civil liberties because it can so easily be deployed covertly, from a distance, and on a mass scale. There is little to no precautions that can be taken to prevent collection of one's image. Participation in society inevitably involves exposing one's face, whether it's on the public streets or through social media. Ubiquitous and near-effortless identification eliminates an individual's ability to control their identity and poses special risk to the First Amendment rights of free association and free expression, particularly for those who engage in lawful protests. The FBI's ever expanding use of facial recognition technology could render anonymous free speech virtually impossible.

For at least 10 years, the FBI has been testing and using facial recognition. This is evidenced by a February 19, 2004 Privacy Impact Assessment ("PIA") conducted by the FBI for the "Computer Aided Facial Recognition Project." The project sought to assist the University of Sheffield in its testing of a particular method of facial recognition. The PIA makes clear that the FBI wanted "to develop a semi-automated tool enabling FBI examiners to extract facial landmark measurements from question images (such as, bank Surveillance photos) and conduct one-on-one comparisons with known images of a suspect in custody."

More recently, the FBI has been working on incorporating facial recognition technology into its Next Generation Identification ("NGI") program. Through the NGI program, the FBI is developing a massive biometric identification database that, when completed, will be one of the world's largest. The vast majority of records contained in the NGI database will be of US citizens and millions of those records will be of individuals who are neither criminals nor suspects. The NGI database will include fingerprints, iris scans, DNA profiles, voice identification profiles, palm prints, and facial images for the purpose of facial recognition.

The FBI deployed a facial recognition pilot as part of the NGI program in February 2012. The addition of facial recognition to NGI is set to be fully operational by the summer of 2014. The NGI program will allow image-based facial recognition searches of the FBI's national repository of criminal mugshots.

The use of facial recognition by the FBI does not stop with comparing suspects against criminal mugshots. The FBI has several Memorandums of Understanding (MOUs) with a number of state DMVs to allow facial recognition searches of the DMV's photo database. The DMV searches amount to a massive virtual line-up of millions of innocent Americans. This is particularly alarming given the FBI's willingness to accept a 20% error rate for facial recognition matches.

The FBI wants to keep pushing the number of use cases for facial recognition. In a 2010 slide deck by the FBI, it cites tracking subjects, identifying subjects in public datasets, and identifying subjects from images in seized systems as uses cases.

Despite the focus on facial recognition technology, the FBI has failed to fully address the privacy implications for the use of this technology. The FBI did conduct a "Privacy Impact Assessment (PIA) for the Next Generation identification (NGI) Interstate Photo System (IPS)" back in 2008, but the document is very limited in the issues raised by the use of facial recognition technology. The 2008 PIA is so lacking in its treatment of facial recognition technology that the FBI committed to updating it in its statement for the record at a Senate Subcommittee hearing in July 2012 on "What Facial Recognition Technology Means for Privacy and Civil Liberties."

Senator Franken, Chairman of the Subcommittee on Privacy, Technology and the Law, held the hearing to raise awareness about facial recognition, its current uses, and its potential to threaten our privacy and civil liberties. Senator Franken, in his opening statement, challenged the FBI to be a leader in addressing the privacy and civil liberty implications, stating, "I have called the FBI . . . here today to challenge them to use their position as leaders in their fields to set an example for others--before this technology is used pervasively." The FBI seemingly agreed to do just that.

In a statement for the record dated July 18, 2012, Jerome M. Pender, Deputy Assistant Director of the FBI's Criminal Justice Information Services Division, said that "the 2008 Interstate Photo System PIA is currently in the process of being renewed by way of a Privacy Threshold Analysis (PTA), with an emphasis on Facial Recognition." The purpose of the update was to "address all evolutionary changes since the preparation of the 2008 IPS PIA." Over a year and a half has passed, and no updated PTA or PIA has been completed yet.

EPIC filed a Freedom of Information Act (FOIA) request on February 28, 2014 for the updated facial recognition PTA and PIA. The FBI acknowledged EPIC's FOIA request on March 11, 2014. On March 19, 2014 the FBI informed EPIC that it could not fulfill the request for the updated PTA or PIA for facial recognition technology because "both documents are currently being drafted." As the FBI moves forward with facial recognition technology, it appears to be dragging its feet with respect to addressing the privacy implications of the technology.

The FBI has a habit of saying they will do a PIA or even starting a PIA but failing to actually follow through with it. I detailed in an earlier blog post how FOIA documents received by EPIC show that the FBI began drafting a PIA regarding its use of License Plate Readers back in early 2012, yet no PIA for LPRs is publicly available. Don't hold your breath for the FBI to finish a new PIA addressing facial recognition any time soon.