Jeramie D. Scott Archives

Recently in Jeramie D. Scott Category

May 20, 2014

FBI Oversight Hearing - Will we get some answers?

Jeramie Scott image The Senate Judiciary Committee is holding an oversight hearing of the FBI on Wednesday, May 21. There are plenty of things to oversee with respect to FBI's programs, but here are a couple questions that interest me.

What's the status of the various privacy assessments the FBI has committed to performing?

In a previous post, I detailed how documents obtained by EPIC through a Freedom of Information Act ("FOIA") request showed how the FBI was told in early 2012 that the agency needed to do a privacy assessment of its use of License Plate Readers ("LPRs"). The FOIA documents even showed that a rough draft of a privacy assessment had been created. There is no indication that the FBI ever finished its assessment of LPRs.

Similarly, the FBI doesn't seem intent on ever following through on its promise to renew its privacy assessment of facial recognition technology. Something the agency explicitly said it would do in a statement for the record for a hearing on facial recognition technology. I wrote about this issue in a previous blog post too. The short version is that the FBI is "working" on it. This privacy assessment must be the most thorough one ever because the FBI has been "working" on it since July 2012. The lack of an adequate privacy assessment of facial recognition hasn't stopped the FBI from using the technology for its Next Generation Identification program. Did I mention the FBI is willing to accept a 20% error rate for its facial recognition technology?

In the last oversight hearing back in July 2013, the then Director of the FBI, Robert Mueller, admitted that the FBI uses drones for domestic surveillance; furthermore, he indicated that the FBI did not do a privacy assessment prior to implementing the use of drones and did not establish procedures for the use of drones. Director Mueller stated that the FBI was in its initial stages of assessing the privacy implications and implementing some guidelines for the use of drones domestically. The FBI's track record suggests the agency is probably still at the initial stages of developing guidelines.

What is the Surveillance Program Integrated Reporting & Intelligence Tool ("SPIRIT")?

EPIC received a document as part of a larger request for information about the FBI's LPR program that described a central database of raw surveillance called SPIRIT. From the document, "The SPIRIT system will serve as the primary repository for raw investigative and intelligence data collected through surveillance methods across all operational programs, as well as provide for workflow automation relating to FBI surveillance information."

The SPIRIT database, as a repository of raw intelligence, probably requires a privacy assessment. There is none. Additionally, because of the nature of the information likely contained within the spirit database, it most likely also requires what is known as a Systems of Records Notice ("SORN"). There is not one of those either. A SORN is required by the Privacy Act of 1974 when a database has records in it that are retrievable by the name of an individual or some other unique identifier associated with a specific individual. Of course, the existence of an FBI database that contains all of its raw investigative and intelligence data raises a number of other questions too, not the least of which are:

  1. Who has access to the SPIRIT database?
  2. Does the database contain bulk surveillance?
  3. What are the privacy and civil liberty safeguards in place for this database?

There are numerous things for the Senate Judiciary Committee to oversee with respect to the FBI, but I hope some of the issues raised above get addressed.

April 7, 2014

The FBI is "Working" on an Updated Privacy Statement for Facial Recognition

Jeramie Scott imageFacial recognition technology presents a serious risk to privacy and civil liberties because it can so easily be deployed covertly, from a distance, and on a mass scale. There is little to no precautions that can be taken to prevent collection of one's image. Participation in society inevitably involves exposing one's face, whether it's on the public streets or through social media. Ubiquitous and near-effortless identification eliminates an individual's ability to control their identity and poses special risk to the First Amendment rights of free association and free expression, particularly for those who engage in lawful protests. The FBI's ever expanding use of facial recognition technology could render anonymous free speech virtually impossible.

For at least 10 years, the FBI has been testing and using facial recognition. This is evidenced by a February 19, 2004 Privacy Impact Assessment ("PIA") conducted by the FBI for the "Computer Aided Facial Recognition Project." The project sought to assist the University of Sheffield in its testing of a particular method of facial recognition. The PIA makes clear that the FBI wanted "to develop a semi-automated tool enabling FBI examiners to extract facial landmark measurements from question images (such as, bank Surveillance photos) and conduct one-on-one comparisons with known images of a suspect in custody."

More recently, the FBI has been working on incorporating facial recognition technology into its Next Generation Identification ("NGI") program. Through the NGI program, the FBI is developing a massive biometric identification database that, when completed, will be one of the world's largest. The vast majority of records contained in the NGI database will be of US citizens and millions of those records will be of individuals who are neither criminals nor suspects. The NGI database will include fingerprints, iris scans, DNA profiles, voice identification profiles, palm prints, and facial images for the purpose of facial recognition.

The FBI deployed a facial recognition pilot as part of the NGI program in February 2012. The addition of facial recognition to NGI is set to be fully operational by the summer of 2014. The NGI program will allow image-based facial recognition searches of the FBI's national repository of criminal mugshots.

The use of facial recognition by the FBI does not stop with comparing suspects against criminal mugshots. The FBI has several Memorandums of Understanding (MOUs) with a number of state DMVs to allow facial recognition searches of the DMV's photo database. The DMV searches amount to a massive virtual line-up of millions of innocent Americans. This is particularly alarming given the FBI's willingness to accept a 20% error rate for facial recognition matches.

The FBI wants to keep pushing the number of use cases for facial recognition. In a 2010 slide deck by the FBI, it cites tracking subjects, identifying subjects in public datasets, and identifying subjects from images in seized systems as uses cases.

Despite the focus on facial recognition technology, the FBI has failed to fully address the privacy implications for the use of this technology. The FBI did conduct a "Privacy Impact Assessment (PIA) for the Next Generation identification (NGI) Interstate Photo System (IPS)" back in 2008, but the document is very limited in the issues raised by the use of facial recognition technology. The 2008 PIA is so lacking in its treatment of facial recognition technology that the FBI committed to updating it in its statement for the record at a Senate Subcommittee hearing in July 2012 on "What Facial Recognition Technology Means for Privacy and Civil Liberties."

Senator Franken, Chairman of the Subcommittee on Privacy, Technology and the Law, held the hearing to raise awareness about facial recognition, its current uses, and its potential to threaten our privacy and civil liberties. Senator Franken, in his opening statement, challenged the FBI to be a leader in addressing the privacy and civil liberty implications, stating, "I have called the FBI . . . here today to challenge them to use their position as leaders in their fields to set an example for others--before this technology is used pervasively." The FBI seemingly agreed to do just that.

In a statement for the record dated July 18, 2012, Jerome M. Pender, Deputy Assistant Director of the FBI's Criminal Justice Information Services Division, said that "the 2008 Interstate Photo System PIA is currently in the process of being renewed by way of a Privacy Threshold Analysis (PTA), with an emphasis on Facial Recognition." The purpose of the update was to "address all evolutionary changes since the preparation of the 2008 IPS PIA." Over a year and a half has passed, and no updated PTA or PIA has been completed yet.

EPIC filed a Freedom of Information Act (FOIA) request on February 28, 2014 for the updated facial recognition PTA and PIA. The FBI acknowledged EPIC's FOIA request on March 11, 2014. On March 19, 2014 the FBI informed EPIC that it could not fulfill the request for the updated PTA or PIA for facial recognition technology because "both documents are currently being drafted." As the FBI moves forward with facial recognition technology, it appears to be dragging its feet with respect to addressing the privacy implications of the technology.

The FBI has a habit of saying they will do a PIA or even starting a PIA but failing to actually follow through with it. I detailed in an earlier blog post how FOIA documents received by EPIC show that the FBI began drafting a PIA regarding its use of License Plate Readers back in early 2012, yet no PIA for LPRs is publicly available. Don't hold your breath for the FBI to finish a new PIA addressing facial recognition any time soon.

January 28, 2014

License Plate Readers - Will the FBI Ever Address Their Privacy Implications?

Jeramie Scott image

The FBI has been testing and using automatic License Plate Readers (LPRs) for years, yet recently received Freedom of Information Act documents indicate that they still haven't fully addressed LPR's privacy implications.

As of March 2011, the Federal Bureau of Investigation has at least 1 federal agency, 10 state agencies, and 71 local agencies participating in License Plate Reader (LPR) projects that compare license plates against the National Crime Information Center (NCIC) database, a electronic clearinghouse of crime data run by the FBI. LPRs are often placed on top of law enforcement vehicles or at strategic locations like the entry points of bridges or tunnels.

In some cities, the placement of LPRs are so dense that they can effectively track a cars movement through the city. In DC, for example, there is roughly one LPR per square mile and roughly 1,800 images are captured every minute. The images captured by the LPRs are stored for various lengths of time depending on the agency that captures them. The DC police retain images for three years.

Earlier Freedom of Information Act documents obtained by EPIC show that Custom and Border Protection are using LPRs at the borders. More recent FOIA documents obtained by EPIC from the FBI indicate that despite years of use, the FBI still has not fully addressed the privacy implications.

On June 8, 2012 EPIC filed a FOIA request with the Department of Justice and its subagencies, including the FBI. EPIC's request asked for, among other things, any privacy impact assessments, privacy impact statements, and protocols performed, both past and present, for the LPR initiative.

EPIC did not receive any Privacy Threshold Analysis (PTA) or Privacy Impact Assessment (PIA)--two types of documents federal agencies use to assess the privacy impact of programs and technology used by the government. The PTA is specifically used to determine whether the privacy implications are great enough to warrant a more thorough assessment, which is done by performing a Privacy Impact Assessment.

The documents EPIC received show the Department of Justice's Privacy and Civil Liberties Unit considers license plates Personally Identifiable Information and that the FBI needed to do a PIA of the LPRs that would be made public.

Furthermore, the FOIA documents show that the FBI was actually working on a PIA for the LPRs in early 2012.

Nonetheless, EPIC did not receive a PIA regarding the FBI's LPR Program and none exists online as of this blog entry.

PIAs serve as a check against the encroachment on privacy by the government. They allows the public to see how new programs and technology the government implement affect their privacy and assess whether the government has done enough to mitigate the privacy risks. Despite years of use of LPRs by the FBI, they still have not informed the public how they will mitigate the privacy risks posed by license plate readers. Will they ever?

About this Archive

This page is an archive of recent entries written by Jeramie D. Scott.

Find recent content on the main index or look in the archives to find all content.