The Senate Judiciary Committee is holding an oversight hearing of the FBI on Wednesday, May 21. There are plenty of things to oversee with respect to FBI's programs, but here are a couple questions that interest me.
What's the status of the various privacy assessments the FBI has committed to performing?
In a previous post, I detailed how documents obtained by EPIC through a Freedom of Information Act ("FOIA") request showed how the FBI was told in early 2012 that the agency needed to do a privacy assessment of its use of License Plate Readers ("LPRs"). The FOIA documents even showed that a rough draft of a privacy assessment had been created. There is no indication that the FBI ever finished its assessment of LPRs.
Similarly, the FBI doesn't seem intent on ever following through on its promise to renew its privacy assessment of facial recognition technology. Something the agency explicitly said it would do in a statement for the record for a hearing on facial recognition technology. I wrote about this issue in a previous blog post too. The short version is that the FBI is "working" on it. This privacy assessment must be the most thorough one ever because the FBI has been "working" on it since July 2012. The lack of an adequate privacy assessment of facial recognition hasn't stopped the FBI from using the technology for its Next Generation Identification program. Did I mention the FBI is willing to accept a 20% error rate for its facial recognition technology?
In the last oversight hearing back in July 2013, the then Director of the FBI, Robert Mueller, admitted that the FBI uses drones for domestic surveillance; furthermore, he indicated that the FBI did not do a privacy assessment prior to implementing the use of drones and did not establish procedures for the use of drones. Director Mueller stated that the FBI was in its initial stages of assessing the privacy implications and implementing some guidelines for the use of drones domestically. The FBI's track record suggests the agency is probably still at the initial stages of developing guidelines.
What is the Surveillance Program Integrated Reporting & Intelligence Tool ("SPIRIT")?
EPIC received a document as part of a larger request for information about the FBI's LPR program that described a central database of raw surveillance called SPIRIT. From the document, "The SPIRIT system will serve as the primary repository for raw investigative and intelligence data collected through surveillance methods across all operational programs, as well as provide for workflow automation relating to FBI surveillance information."
The SPIRIT database, as a repository of raw intelligence, probably requires a privacy assessment. There is none. Additionally, because of the nature of the information likely contained within the spirit database, it most likely also requires what is known as a Systems of Records Notice ("SORN"). There is not one of those either. A SORN is required by the Privacy Act of 1974 when a database has records in it that are retrievable by the name of an individual or some other unique identifier associated with a specific individual. Of course, the existence of an FBI database that contains all of its raw investigative and intelligence data raises a number of other questions too, not the least of which are:
- Who has access to the SPIRIT database?
- Does the database contain bulk surveillance?
- What are the privacy and civil liberty safeguards in place for this database?
There are numerous things for the Senate Judiciary Committee to oversee with respect to the FBI, but I hope some of the issues raised above get addressed.