EPIC v. FBI (Biometric Data Transfer Agreements)

• Background |
• EPIC's Interest |
• FOIA Documents |
• Legal Documents |
• News

Top News

• EPIC Urges FBI to Limit Fingerprint-Based Background Checks: In response to a request for comments, EPIC has urged the FBI to expand its use of name-based — rather than fingerprint-based — background checks for noncriminal purposes, such as employment. The FBI currently uses fingerprints, stored in the Next Generation Identification (NGI) database, to conduct non-criminal background checks. "Names checks" were only conducted for individuals whose fingerprints failed the NGI matching requirements. EPIC told the FBI that the "name-based background check accomplishes the same purpose as the fingerprint-based background check without requiring the collection of sensitive biometric information." EPIC has opposed the expansion of the NGI system for non-law enforcement purposes. EPIC has also pursued a series of Freedom of Information Act requests to assess the reliability of the NGI system. (Jan. 9, 2018)
• FBI Issues Final Rule on Biometric Database, Exempts Itself From Privacy Act Protections: The FBI has released a final rule claiming several Privacy Act Exemptions for the Next Generation Identification System, a database that contains the biometric data of millions of Americans, much of which is unrelated to law enforcement. EPIC had criticized the FBI's proposal to remove Privacy Act safeguards and urged the FBI to limit the scope of data collection and reduce the retention of data. However, in issuing the final rule the FBI repeatedly stated that exemptions would be used responsibly and in accordance with FBI policies and procedures. Through a FOIA lawsuit, EPIC obtained documents that revealed the NGI database contained an error rate of up to 20% on facial recognition searches. EPIC has identified several problems with the NGI database in statements to Congress oversight Committees, which have indicated strong concern about the FBI's facial recognition program. (Aug. 1, 2017)
More top news »
EPIC Urges Congress to Examine FBI's Biometric Identification Program » (Jun. 20, 2017)
EPIC has sent a statement to the House Appropriations Committee in advance of a hearing on the FBI's budget. EPIC urged the Committee to examine the FBI's Next Generation Identification program. EPIC explained that the program "raises far-reaching privacy issues that implicate the rights of Americans all across the country." The FBI biometric database is one of the largest in the world, but the Bureau proposed to exempt the database from Privacy Act protections. EPIC and others supported strong safeguards for the program. In an early FOIA case against the FBI, EPIC obtained documents which revealed high error levels in the biometric database. EPIC has recently filed a FOIA lawsuit against the FBI for information about the agency's plans to transfer biometric data to the Department of Defense.
EPIC FOIA: EPIC Obtains Secret Inspector General Reports » (Nov. 21, 2016)
Through a Freedom of Information Act lawsuit EPIC has obtained nonpublic reports from the Department of Justice's Inspector General. The documents include audits of drug control funds. Another set of documents include audits of other grant programs, as well as a list of information security audits conducted since 2005. EPIC also obtained a previously unpublished audit of a state lab's DNA database. The mission of the DOJ Inspector General is "to detect and deter waste, fraud, abuse, and misconduct in DOJ programs and personnel." EPIC also recently sued the Federal Bureau of Investigation to obtain information on the massive biometric database "Next Generation Identification."
EPIC, Coalition Demand Congressional Oversight of FBI's Vast Biometric Database » (Jun. 23, 2016)
Today EPIC and a coalition of 45 organizations urged Congress to hold a hearing on the FBI’s massive biometric database and the risks of facial recognition technology. The letter follows the FBI’s recent proposal to exempt the "Next Generation Identification” database from Privacy Act safeguards—including requirements for accuracy, relevancy, and transparency. The civil liberties organizations said that “the FBI is retaining vast amounts of personal information and exposing millions of people to a potential data breach.” In the EPIC v. FBI FOIA case, EPIC obtained documents which revealed high error levels in the biometric database.
GAO Report: FBI’s Use of Face Recognition Fails on Privacy and Accuracy » (Jun. 15, 2016)
The Government Accountability Office released a report today detailing the FBI’s failure to conduct a privacy audit of the agency’s use of facial recognition or adequately test the accuracy of the technology. EPIC and a coalition of public interest groups recently urged the Justice Department to extend the public comment period for the FBI’s Next Generation Identification database, which includes facial recognition capabilities. Previous Freedom of Information Act requests by EPIC showed that the agency had numerous agreements with states to access driver license photos for facial recognition searches and that technical specifications allowed for a 20% search error rate.
EPIC, Coalition Seeks Time to Review FBI Biometric Database » (Jun. 1, 2016)
EPIC and a coalition of civil rights, privacy, and transparency groups urged the Department of Justice to extend the public comment period for the FBI’s Next Generation Identification database. The FBI database contains biometric data, such as fingerprint and retinal scans, on millions of Americans and raises significant privacy risks. The FBI is proposing to exempt the database from Privacy Act obligations, including legal requirements to maintain accurate records, permit individual access, and provide civil remedies. Errors plague the NGI database. In a FOIA case, EPIC v. FBI, EPIC obtained documents, which showed that the FBI accepted a 20% error rate for facial recognition matches.
Senate Judiciary Committee Hearing on FBI to Consider Drones, Facial Recognition » (May. 20, 2014)
The Senate Judiciary Committee's oversight hearing of the FBI will take place of Wednesday, May 21. This is the first FBI oversight hearing since James Comey took over as Director. At the last oversight hearing, Director Mueller admitted that the FBI uses drones for domestic surveillance. The FBI promised to establish privacy guidelines but has failed to do so. The FBI has also failed to address the privacy implications of license plate readers and facial recognition technology. The FBI's Next Generation Identification program, a massive biometric system, is set to go fully operational this year; yet the agency has not established civil liberties safeguards. The database will employ facial recognition, iris recognition, and voice recognition. Documents obtained by EPIC under the FOIA indicate the agency is prepared to accept a 20% error rate for recognition techniques. For more information, see EPIC v. FBI - Next Generation Identification.
Spotlight: FBI Pushes Forward with Massive Biometric Database Despite Privacy Risks » (Dec. 10, 2013)
EPIC's Spotlight on Surveillance Project returns to put the spotlight on the Federal Bureau of Investigation's Next Generation Identification program. A billion dollar project to increase the Bureau's ability to collect biometric identifiers on millions of individuals in the United States. The FBI is currently adding facial, iris, and voice identification techniques that will greatly increase the Bureau’s ability to pursue mass surveillance. EPIC is pursuing a Freedom of Information Act lawsuit to learn more about the program. Many of the techniques now being deployed in the US were developed by the US Department of Defense for war zones. EPIC has urged greater Congressional oversight of the program and new privacy safeguards. See EPIC's Spotlight on Surveillance on FBI's Next Generation Identification Program.
EPIC FOIA - FBI Says 20% Error Rate Okay for Facial Recognition » (Oct. 4, 2013)
EPIC's Freedom of Information Act lawsuit has produced new documents about "Next Generation Identification" and the FBI's plans for facial recognition. According to the document obtained by EPIC, "NGI shall return an incorrect candidate a maximum of 20% of the time." That number is much greater than expected. Earlier this year, EPIC received documents from the FBI regarding the use of facial recognition and state DMV photos. The FBI has still not updated a 2008 Privacy Impact Assessment on facial recognition technology despite telling Congress last year that a new assessment was planned. For more information, see EPIC: EPIC v. FBI - Next Generation Identification and EPIC: Face Recognition.
EPIC Sues FBI to Obtain Details of Massive Biometric ID Database » (Apr. 8, 2013)
EPIC has filed a Freedom of Information Act lawsuit against the FBI to obtain documents about "Next Generation Identification", a massive database with biometric identifiers on millions of Americans. The EPIC lawsuit follows the FBI's failure to respond to EPIC's earlier FOIA requests for technical specifications and contracts. According to EPIC's complaint, "When completed, the NGI system will be the largest biometric database in the world." NGI aggregates fingerprints, DNA profiles, iris scans, palm prints, voice identification profiles, photographs, and other identifying information. The FBI will use facial recognition to match images in the database against facial images obtained from CCTV and elsewhere. For more information, see EPIC v. FBI - Next Generation Identification, EPIC: Biometric Identifiers and EPIC: Face Recognition.

Background

The FBI developed and maintains a biometric identification program called “Next Generation Identification” (“NGI”). The Bureau describes NGI as “the world’s largest and most efficient electronic repository of biometric and criminal history information.” The FBI developed NGI as a successor to the Integrated Automated Fingerprint Identification System (“IAFIS”), a program started in July 1999 that provided to law enforcement “automated tenprint [fingerprint] and latent fingerprint searches, electronic image storage, electronic exchanges of fingerprints and responses, as well as text-based searches based on descriptive information.” In NGI, the FBI incorporated all of the capabilities and data of IAFIS, along with additional capabilities such as the ability to quickly and easily store and search for new forms of biometric data, including iris scans and face-prints.

Since 2014, the FBI has been using NGI at “full operational capability.”

With NGI, the FBI will expand the number of uploaded photographs and provide investigators with “automated facial recognition search capability.” The FBI intends to do this by eliminating restrictions on the number of submitted photographs (including photographs that are not accompanied by tenprint fingerprints) and allowing the submission of non-facial photographs (e.g. scars or tattoos). The FBI also widely disseminates this NGI data. According to the FBI’s latest NGI fact sheet, 24,510 local, state, tribal, federal and international partners submitted queries to NGI in September 2016.

Widespread deployment of facial recognition technology presents a number of significant privacy and security issues. Facial recognition data is personally identifiable information and improper collection, storage, and use of this information can result in identity theft or inaccurate identifications. Additionally, an individual's ability to control access to his or her identity, including determining when to reveal it, is an essential aspect of personal security that facial recognition technology erodes. Ubiquitous and near-effortless identification eliminates individuals’ ability to control their identities, posing special risk to protestors engaging in lawful, anonymous free speech. The U.S. Supreme Court has repeatedly upheld the right to engage in political speech anonymously. See, e.g., Buckley v. American Constitutional Law Foundation, 525 U.S. 182 (1999); Talley v. California, 362 U.S. 60 (1960); NAACP v. Alabama, 357 U.S. 449 (1958). For these reasons, it is vital that the deployment of facial recognition technology be done in a transparent way to ensure adequate public oversight.

One of the FBI’s stated initiatives is for the Bureau, through NGI, to exchange information with other data repositories in real or near-real time. NGI is currently capable of such information transfers with the Automated Biometric Identification System (“ABIS”), a biometric program run by the DOD.

The FBI has acknowledged the existence of a memorandum of understanding, dated September 10, 2009, between the FBI and the DOD pertaining to the transfer of biometric data and other identity management information.

EPIC's Interest

As a centralized government database containing sensitive personal and biometric data on millions of individuals, NGI poses a major threat to privacy rights. Individuals anywhere, and especially those protected by the U.S. Constitution, have “the right to be left alone” (as Justice Brandeis declared over 120 years ago). This means that without individualized suspicion of wrongdoing, no one's personal information should be retained in a law enforcement database without that individual's consent. NGI goes beyond merely storing random pieces of data collected from various law enforcement agencies. Rather, the FBI will use the program to affirmatively seek out and aggregate as many photos, voice prints, and biometric data as possible to create the most comprehensive database in the world. Such data will be vulnerable to misuse by misguided officials, abuse by ill-intentioned government agents, and unauthorized disclosure through data breaches.

In the 2012 case, EPIC v. FBI, EPIC filed a FOIA lawsuit to obtain documents pertaining to NGI. EPIC successfully obtained NGI records from the agency, as well as attorney’s fees for work on the litigation. According to one of the FOIA documents, “NGI shall return an incorrect candidate a maximum of 20% of the time,” a number much greater than expected.

Recently on May 27, 2016, EPIC and a coalition of civil rights, privacy, and transparency groups urged the Department of Justice to extend the public comment period for the FBI’s Next Generation Identification database. The FBI database contains biometric data, such as fingerprint and retinal scans, on millions of Americans and raises significant privacy risks. The FBI is proposing to exempt the database from Privacy Act obligations, including legal requirements to maintain accurate records, permit individual access, and provide civil remedies. 

FOIA Documents

• EPIC FOIA Request (April 2, 2015)
• FBI Acknowledgment (April 13, 2015)
• EPIC Administrative Appeal (Aug. 11, 2015)
• FBI Appeal Acknowledgment (Aug. 21, 2015)
• FBI Appeal Denial (Aug. 31, 2015)
• FBI Consultation Notice (Sept. 1, 2015)
• Released Documents
  • FBI Memorandums of Understanding
  • Supplemental Release: FBI, DOD, DOS Memorandum of Understanding

Legal Documents, (D.D.C., Case No. 16-2237)

• Complaint (Nov. 10, 2016)
• Answer (Jan. 23, 2017)

News

• Mark Reynolds, eWave: Hunt is on for Pixel-Perfect Criminal IDs, Providence Journal (Dec. 7, 2013)
• Jim Stenman, Embracing Big Brother: How Facial Recognition Could Help Fight Crime, CNN (Nov. 22, 2013)
• The Economist, The People's Panopticon (Nov. 16, 2013)
• Ali Winston, Facial Recognition, Once a Battlefield Tool, Lands in San Diego County, Center for Investigative Reporting (Nov. 7, 2013)
• J.D. Tuccille, Wrong Person May Be Identified 20 Percent of the Time With Facial Recognition Software, Reason (Oct. 8, 2013)
• Ginger McCall, The Face Scan Arrives, N.Y. Times Op-Ed (Aug. 29, 2013)
• Charlie Savage, Facial Scanning Is Making Gains in Surveillance, N.Y. Times (Aug. 21, 2013)
• Natasha Lennard, Government Developing Facial Recognition Surveillance Software, Salon (Aug. 21, 2013)
• Addy Dugdale, The FBI Banks $1 Billion For Facial Recognition Tech , Fast Company (Sept. 7, 2012)
• Michael Kelley, The FBI's Nationwide Facial Recognition System Ends Anonymity As We Know It, Business Insider (Sept. 10, 2012)
• Kevin Lee, The FBI's Next Generation Identification Program Could Spot Faces in a Crowded Street, PC World (Sept. 11, 2012)
• Charlie Osborne, FBI Launches $1B ID Search Program, ZDNet (Sept. 10, 2012)
• Aliya Sternstein, Eye on Crime: The FBI is Building a Database of Iris Scans, Nextgov (June 27, 2012)
• Andrew Rosenthal, Invading Your Privacy, NYT Editorial Page (Mar. 26, 2012)
• Erik Sofge, FBI's Next-Gen ID Databank to Store Face Scans--A Good Idea?, Popular Mechanics (June 30, 2008)
• Grant Gross, Lockheed Wins 10-year FBI Biometric Contract, Washington Post (Feb. 13, 2008)
• Ellen Nakashima, FBI Prepares Vast Database of Biometrics, Washington Post (Dec. 22, 2007)