EPIC v. FBI (Biometric Data Transfer Agreements)

Top News

Background

The FBI developed and maintains a biometric identification program called “Next Generation Identification” (“NGI”). The Bureau describes NGI as “the world’s largest and most efficient electronic repository of biometric and criminal history information.” The FBI developed NGI as a successor to the Integrated Automated Fingerprint Identification System (“IAFIS”), a program started in July 1999 that provided to law enforcement “automated tenprint [fingerprint] and latent fingerprint searches, electronic image storage, electronic exchanges of fingerprints and responses, as well as text-based searches based on descriptive information.” In NGI, the FBI incorporated all of the capabilities and data of IAFIS, along with additional capabilities such as the ability to quickly and easily store and search for new forms of biometric data, including iris scans and face-prints.

Since 2014, the FBI has been using NGI at “full operational capability.”

With NGI, the FBI will expand the number of uploaded photographs and provide investigators with “automated facial recognition search capability.” The FBI intends to do this by eliminating restrictions on the number of submitted photographs (including photographs that are not accompanied by tenprint fingerprints) and allowing the submission of non-facial photographs (e.g. scars or tattoos). The FBI also widely disseminates this NGI data. According to the FBI’s latest NGI fact sheet, 24,510 local, state, tribal, federal and international partners submitted queries to NGI in September 2016.

Widespread deployment of facial recognition technology presents a number of significant privacy and security issues. Facial recognition data is personally identifiable information and improper collection, storage, and use of this information can result in identity theft or inaccurate identifications. Additionally, an individual's ability to control access to his or her identity, including determining when to reveal it, is an essential aspect of personal security that facial recognition technology erodes. Ubiquitous and near-effortless identification eliminates individuals’ ability to control their identities, posing special risk to protestors engaging in lawful, anonymous free speech. The U.S. Supreme Court has repeatedly upheld the right to engage in political speech anonymously. See, e.g., Buckley v. American Constitutional Law Foundation, 525 U.S. 182 (1999); Talley v. California, 362 U.S. 60 (1960); NAACP v. Alabama, 357 U.S. 449 (1958). For these reasons, it is vital that the deployment of facial recognition technology be done in a transparent way to ensure adequate public oversight.

One of the FBI’s stated initiatives is for the Bureau, through NGI, to exchange information with other data repositories in real or near-real time. NGI is currently capable of such information transfers with the Automated Biometric Identification System (“ABIS”), a biometric program run by the DOD.

The FBI has acknowledged the existence of a memorandum of understanding, dated September 10, 2009, between the FBI and the DOD pertaining to the transfer of biometric data and other identity management information.

EPIC's Interest

As a centralized government database containing sensitive personal and biometric data on millions of individuals, NGI poses a major threat to privacy rights. Individuals anywhere, and especially those protected by the U.S. Constitution, have “the right to be left alone” (as Justice Brandeis declared over 120 years ago). This means that without individualized suspicion of wrongdoing, no one's personal information should be retained in a law enforcement database without that individual's consent. NGI goes beyond merely storing random pieces of data collected from various law enforcement agencies. Rather, the FBI will use the program to affirmatively seek out and aggregate as many photos, voice prints, and biometric data as possible to create the most comprehensive database in the world. Such data will be vulnerable to misuse by misguided officials, abuse by ill-intentioned government agents, and unauthorized disclosure through data breaches.

In the 2012 case, EPIC v. FBI, EPIC filed a FOIA lawsuit to obtain documents pertaining to NGI. EPIC successfully obtained NGI records from the agency, as well as attorney’s fees for work on the litigation. According to one of the FOIA documents, “NGI shall return an incorrect candidate a maximum of 20% of the time,” a number much greater than expected.

Recently on May 27, 2016, EPIC and a coalition of civil rights, privacy, and transparency groups urged the Department of Justice to extend the public comment period for the FBI’s Next Generation Identification database. The FBI database contains biometric data, such as fingerprint and retinal scans, on millions of Americans and raises significant privacy risks. The FBI is proposing to exempt the database from Privacy Act obligations, including legal requirements to maintain accurate records, permit individual access, and provide civil remedies. 

FOIA Documents

Legal Documents, (D.D.C., Case No. 16-2237)

News

Share this page:

Support EPIC

EPIC relies on support from individual donors to pursue our work.

Defend Privacy. Support EPIC.

#Privacy

EPIC Bookstore

Communications Law and Policy

Communications Law and Policy
Jerry Kang and Alan Butler