EPIC FOIA: DHS Biometric Program
EPIC has obtained several documents regarding the Department of Homeland Security’s plans to implement the use of biometric identification and automated facial recognition systems. This came about as a result of a Freedom of Information Act Request that EPIC has pursued against the DHS seeking, among other documents, the agency's report of the Homeland Security Presidential Direction 24 (HSPD-24). Based on the materials received to date, EPIC believes DHS should not implement any biometric program until the privacy and security problems identified are adequately resolved.
- EPIC Scrutinizes FBI's Massive Biometric Database: In comments to the FBI, EPIC criticized the Bureau’s proposal to remove Privacy Act safeguards from a database containing biometric data on millions of citizens, much of it unrelated to law enforcement. Through a FOIA lawsuit, EPIC obtained documents about the “Next Generation Identification” database that revealed an error rate up to 20% for face recognition searches. EPIC warned the FBI of the privacy and civil liberties risks as well as the potential for data breaches. EPIC urged the FBI to limit the scope of data collection, reduce the retention of data, and maintain the protections of the Privacy Act. (Jul. 7, 2016)
- EPIC, Coalition Demand Congressional Oversight of FBI's Vast Biometric Database: Today EPIC and a coalition of 45 organizations urged Congress to hold a hearing on the FBI’s massive biometric database and the risks of facial recognition technology. The letter follows the FBI’s recent proposal to exempt the "Next Generation Identification” database from Privacy Act safeguards—including requirements for accuracy, relevancy, and transparency. The civil liberties organizations said that “the FBI is retaining vast amounts of personal information and exposing millions of people to a potential data breach.” In the EPIC v. FBI FOIA case, EPIC obtained documents which revealed high error levels in the biometric database. (Jun. 23, 2016)
- GAO Report: FBI’s Use of Face Recognition Fails on Privacy and Accuracy: The Government Accountability Office released a report today detailing the FBI’s failure to conduct a privacy audit of the agency’s use of facial recognition or adequately test the accuracy of the technology. EPIC and a coalition of public interest groups recently urged the Justice Department to extend the public comment period for the FBI’s Next Generation Identification database, which includes facial recognition capabilities. Previous Freedom of Information Act requests by EPIC showed that the agency had numerous agreements with states to access driver license photos for facial recognition searches and that technical specifications allowed for a 20% search error rate. (Jun. 15, 2016)
- EPIC, Coalition Seeks Time to Review FBI Biometric Database: EPIC and a coalition of civil rights, privacy, and transparency groups urged the Department of Justice to extend the public comment period for the FBI’s Next Generation Identification database. The FBI database contains biometric data, such as fingerprint and retinal scans, on millions of Americans and raises significant privacy risks. The FBI is proposing to exempt the database from Privacy Act obligations, including legal requirements to maintain accurate records, permit individual access, and provide civil remedies. Errors plague the NGI database. In a FOIA case, EPIC v. FBI, EPIC obtained documents, which showed that the FBI accepted a 20% error rate for facial recognition matches. (Jun. 1, 2016)
- Senate to Hold Homeland Security Oversight Hearing: The Senate Judiciary Committee will hold an oversight hearing for the Department of Homeland Security. Secretary Jeh Johnson will testify. EPIC has objected to many of the agency's mass surveillance practices, including the secret profiling of American air travelers, the use of drones for aerial surveillance, the amassing of information on Americans into "fusion centers", and the collection of biometric identifiers. EPIC has also warned that the DHS Chief Privacy Officer has failed to safeguard privacy, a legal obligation for that office. According to the DHS, the number of privacy complaints increased in 2013. EPIC has several Freedom of Information Act case pending against the DHS. In an earlier case, EPIC determined the DHS was monitoring social media and news organizations for criticisms of the agency. Another EPIC case led to the removal of the x-ray backscatter devices from US airports. For more information, see EPIC v. DHS - Social Media Monitoring and EPIC v. DHS (Suspension of Body Scanner Program). (Jun. 10, 2014)
- Spotlight: FBI Pushes Forward with Massive Biometric Database Despite Privacy Risks: EPIC's Spotlight on Surveillance Project returns to put the spotlight on the Federal Bureau of Investigation's Next Generation Identification program. A billion dollar project to increase the Bureau's ability to collect biometric identifiers on millions of individuals in the United States. The FBI is currently adding facial, iris, and voice identification techniques that will greatly increase the Bureau’s ability to pursue mass surveillance. EPIC is pursuing a Freedom of Information Act lawsuit to learn more about the program. Many of the techniques now being deployed in the US were developed by the US Department of Defense for war zones. EPIC has urged greater Congressional oversight of the program and new privacy safeguards. See EPIC's Spotlight on Surveillance on FBI's Next Generation Identification Program. (Dec. 10, 2013)
- EPIC Files Complaint, Urges Investigation of Facebook's Facial Recognition Techniques: Today EPIC, and several privacy organizations, filed a complaint with the Federal Trade Commission about Facebook's automated tagging of Facebook users. EPIC alleged that the service was unfair and deceptive and urged the FTC to require Facebook to suspend the program, pending a full investigation, the establishment of stronger privacy standards, and a requirement that automated identification, based on user photos, require opt-in consent. EPIC alleged that "Users could not reasonably have known that Facebook would use their photos to build a biometric database in order to implement a facial recognition technology under the control of Facebook." EPIC warned that "absent injunctive relief by the Commission, Facebook will likely expand the use of the facial recognition database it has covertly established for purposes over which Facebook users will be able to exercise no meaningful control." EPIC has previously filed two complaints with the Commission regarding Facebook. For more information see EPIC: Facebook Privacy. (Jun. 10, 2011)
- National Academies Releases New Report on Biometrics: The National Academy of Sciences has released a report entitled "Biometric Recognition: Challenges and Opportunities." The report concluded that biometric recognition technologies are inherently probabilistic and inherently fallible. Sources of uncertainty in biometric systems include variation within persons, sensors, feature extraction and matching algorithms, and data integrity. The report recommends a more comprehensive systems level approach to the contexts, design, and use of biometric technologies as well as peer-reviewed testing and evaluation of the technologies. EPIC has urged the Department of Defense to establish privacy safeguards for the biometric database the US established of Iraqis. See EPIC - Biometric Identifiers and EPIC - Iraqi Biometric Identification System. (Sep. 28, 2010)
- US Withdrawal from Iraq Raises Questions about Future of Biometric Database: President Obama's address on the end of the combat mission in Iraq has left open the question of what will happen to the massive biometric databases on Iraqis, assembled by the United States, during the course of the conflict. In 2007, EPIC, Privacy International, and Human Rights Watch wrote to Defense Department Secretary Robert Gates to express concern about the creation of secret profiles on hundreds of thousand of Iraqis, tied to unique biometric identifiers, including digital fingerprints, photographic images, iris scans, and even DNA. Citing misuses of secret files and personal data in other conflicts, the organizations warned that the identification practices "contravene international treaties and could lead to potentially devastating consequences." EPIC, PI, and HRW urged the Defense Department to "adopt clear guidelines that incorporate strong privacy safeguards to ensure that Iraqis are afforded basic human rights in their personal information." For more information, see EPIC - Iraqi Biometric Identification System. (Sep. 1, 2010)
- Busted Biometric Traveler ID May Return to US Airports: "Clear," the flawed airport security program that gathered biometric data on hundreds of thousands of travelers before the company went bankrupt, may return with a new operator. The assets of Verified Identity Pass -- including the fingerprints and iris patterns of previous customers -- have been sold at auction to AlClear, which intends to restart the program. In Congressional testimony in 2005, EPIC warned that the Registered Traveler program should be subject to the federal Privacy Act. For more information, see EPIC Spotlight On Surveillance: Registered Traveler Card, EPIC "Clear" (May. 4, 2010)
- Congressional Leaders Press Obama on Privacy Board: Chairman Bennie Thompson and twenty members of the House of Representatives sent a letter to President Obama seeking the immediate nomination of members to the Privacy and Civil Liberties Oversight Board. The Privacy Board was active during the Bush Administration, but the Obama administration has moved slowly to reconstitute the advisory body. No hearings have been held and no reports have been issued. The board is intended to provide advice on the civil liberty implications of programs that effect the rights of citizens, such as the use of Whole Body Scanners by the TSA, biometic identifiers, and cyber security policy. (Mar. 30, 2010)
- Worker Biometric ID Under Consideration in US: Senators Charles Schumer and Lindsey Graham have proposed a new national identity card. The Senators would require that "all U.S. citizens and legal immigrants who want jobs" obtain a "high-tech, fraud-proof Social Security card" with a unique biometric identifier. The card, they say, would not contain private information, medical information, or tracking techniques, and the biometric identifiers would not be stored in a government database. EPIC has testified in Congress and commented to federal agencies on the privacy and security risks associated with national identification systems and biometric identifiers. For more information, see EPIC: National ID and the REAL ID Act, EPIC: Biometric Identifiers, and the Privacy Coalition’s Campaign Against REAL ID. (Mar. 24, 2010)
- EPIC Urges Increased Privacy for "Global Entry" Registered Traveler Program: On January 19, EPIC filed comments with the US Customs and Border Protection (CBP), urging the agency to “to revise its establishment of the Global Entry program and to reconsider the privacy and security implications of the program.” CBP proposed to make permanent the Global Entry program, under which pre-registered international travelers can bypass conventional security lines by scanning their passports and fingerprints at a kiosk, answering customs declaration questions, and then presenting a receipt to Customs officials. EPIC urged CBP to ensure that Global Entry complied with the Privacy Act and to conduct a separate Privacy Impact Assessment. Those measures are particularly pressing in light of recent problems, including data breaches and bankruptcy, experienced by “Clear,” a similar registered traveler program. In 2005, EPIC testified before Congress that the absence of Privacy Act safeguards for registered traveler programs would jeopardize air traveler privacy and security. For more information, see EPIC Global Entry, EPIC Air Travel Privacy, EPIC Biometric Identifiers, EPIC Automated Targeting System, and EPIC Whole Body Imaging. (Jan. 28, 2010)
- Congress Begins Hearings on the "Trouser Bomber" and Intelligence Reform: The Senate Judiciary Committee and the Senate Committee on Homeland Security opened hearings today on airline security and the intelligence failure on December 25. Questions about privacy and civil liberties were raised frequently by senators. Specifically, senators asked about the adequacy of privacy safeguards for the body scanners, database profiling, biometric identification, and the status of the President's Civil Liberties and Privacy Oversight Board. According to documents obtained by EPIC through a Freedom of Information Act request, the body scanners ordered by the TSA are designed to store and record images of American air travelers. EPIC has scheduled a press conference at the National Press Club on January 25 on "Body Scanners and Privacy.” (Jan. 20, 2010)
- DHS Announces "Global Entry" Biometric Identification System for U.S. Airports: Today, the Department of Homeland Security proposed to make permanent Global Entry, a program the agency says will “streamline the international arrivals and admission process at airports for trusted travelers through biometric identification.” Under the proposed system, pre-registered international travelers can bypass conventional security lines by scanning their passports and fingerprints at a kiosk, answering customs declaration questions, and then presenting a receipt to Customs officials. The DHS announcement follows the recent news that Clear, a Registered Traveler program, had entered bankruptcy, raising questions about the possible sale of the biometric database that was created. In 2005, EPIC testified before Congress that the absence of Privacy Act safeguards for Registered Traveler programs would jeopardize air traveler privacy and security. The agency is taking comments on the proposal. For more information, see EPIC Air Travel Privacy, EPIC Biometric Identifiers, EPIC Automated Targeting System, and EPIC Whole Body Imaging. (Nov. 19, 2009)
- Senate Judiciary Committee Considers National Biometric Identification System: Senator Schumer (D-NY) is proposing a new system to track all US workers to determine employment eligibility. The plan for the employment verifiability system involves the collection of biometric information. The Department of Homeland Security would approve or disapprove individuals for employment. Automated biometric identification systems raise questions about the scalability, reliability, accuracy, and security of the data collected. See EPIC Biometric Identification. (Jul. 22, 2009)
- U.S. Now Collects All 10 Fingerprints of Foreign Visitors. Under border control system US-VISIT, the Department of Homeland Security will begin collecting a full set of fingerprints from foreign visitors to the U.S. Since 2004, US-VISIT has only required two-print collection. The database now includes 90 million sets of prints. EPIC has said that the system lacks adequate privacy and security safeguards. For more information, see EPIC's page on US-VISIT. (Feb. 27)
The tragic events of September 11, 2001, have led to a closer examination of security measures that might have foiled those devastating attacks and that might prevent similar attacks in the future. Prominent among the various measures being considered is the use of devices that check a person's identity using biometric identifiers such as fingerprints, iris/retina, or facial patterns. Soon after the attacks, Larry Ellison, head of California-based software company Oracle Corporation, advocated the deployment of mandatory national ID cards with fingerprint information to be matched against a national database of digital fingerprints to confirm the identity of the card's carrier. There have been recent discussions between the United States and the European Union concerning the creation of biometric passports.
Biometric identifiers are of course widely used by people to identify each other one might recognize a friend by the sound of her voice, the color of her eyes, or the shape of her face. Devices using biometric identifiers attempt to automate this process by comparing the information scanned in real time against an "authentic" sample stored digitally in a database. The technology has had several teething problems, but now appears poised to become a common feature in the technological landscape.
The most widely used biometric is the fingerprint identifier. A June 2004 report by National Institute of Standards and Technology (NIST) showed that one-fingerprint identification systems had an accuracy rate of 98.6 percent, while the accuracy rate rose to 99.6 when two fingerprints were used and 99.9 when four, eight and ten fingerprints were used. The report also showed that the accuracy rate for fingerprint identification drops as the age of the person increases, especially for those more than 50 years old.
The United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program marked its first anniversary in early January and extended its entry/exit biometric capturing system to 50 of the busiest land ports of entry. The system requires two digital index finger scans as well as a digital photograph of the visitor, which are intended to verify identity and are compared to a vast network of government databases.
There are significant privacy and civil liberties concerns regarding the use of such devices that must be addressed before any widespread deployment. Briefly there are six major areas of concern:
Storage. How is the data stored, centrally or dispersed? How should scanned data be retained?
Vulnerability. How vulnerable is the data to theft or abuse?
Confidence. How much of an error factor in the technology's authentication process is acceptable? What are the implications of false positives and false negatives
by a machine?
Authenticity. What constitutes authentic information? Can that information be tampered with?
Linking. Will the data gained from scanning be linked with other information about spending habits, etc.? What limits should be placed on the private use (as contrasted to government use) of such technology?
Ubiquity. What are the implications of having a electronic trail of our every movement if cameras and other devices become commonplace, used on every street corner and every means of transportation?
On June 5, 2008 the President issued HSPD-24: Biometrics for Identification and Screening to Enhance National Security, which called for reports from the Attorney General, the Secretaries of State, Defense and Homeland Security, and the heads of other appropriate agencies, on the implementation of "mutually compatible methods and procedures in the collection, storage, use, analysis, and sharing of biometric and associated biographic and contextual information." Such reports were due to the President, through the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism, on June 5, 2009.
On June 15, 2010, EPIC filed a FOIA Request to the Department of Homeland Security. EPIC was seeking the DHS report related to biometrics produced in response to Homeland Security Presidential Direction 24 (HSPD-24) and related agency records concerning facial recognition technology. Specifically, EPIC requested:
1. The DHS's report in response to Homeland Security Presidential Directive 24.
2. All agreements between DHS and any other entity, dated between June 5, 2009 and present, concerning facial recognition systems.
3. All procurement specifications dated between June 5, 2009 and present, concerning facial recognition systems.
4. All reports dated between June 5, 2009 and present, concerning facial recognition systems.
The DHS September 16, 2010 response contained the following documents:
- Facial Image Quality Improvement and Face Recognition Study Final Report. U.S. Visitor and Immigrant Status Indicator Technology Program, Department of Homeland Security, December 7, 2009.
- Multi-Biometric Fusion Research Plan Briefing. Human Factors/Behavioral Sciences Division, Science and Technology Directorate, U.S. Department of Homeland Security, July 13, 2009.
- BioFuse: A Matlab™ Platform for Designing and Testing Biometric Fusion Algorithms [Final Report]. Center for Identification Technology Research (CITeR) NSF Industry University Cooperative Research Center, Spring 2010.
- Unconstrained Face Recognition Under Non-Ideal Conditions [Final Report]. Center for Identification Technology Research (CITeR) NSF Industry University Cooperative Research Center, October 19, 2009.
- An Acquisition Platform for Non-Cooperative, Long Range Ocular Biometrics Progress Report CITeR Conference. Center for Identification Technology Research (CITeR) NSF Industry University Cooperative Research Center, November 2008.
- Collaborative acquisition of face images and real time face recognition using camera sensor networks. Center for Identification Technology Research (CITeR) NSF Industry University Cooperative Research Center, October 9, 2009.
- 3D Scanning for Biometric Identification and Verification Anselmo Lastra, Henry Fuchs, Greg Welch, University of North Carolina at Chapel Hill.
- Registry of USG Recommended Biometric Standards Version 2.0. NSTC Subcommittee on Biometrics and Identity Management, August 10, 2009.
- Report on the Evaluation of 2D Still-Image Face Recognition Algorithms NIST Interagency Report 7709. Multiple-Biometric Evaluation (MBE), June 22, 2010.
- Supplemental Information in Support of the NSTC Policy for Enabling the Development, Adoption and Use of Biometric Standards. NSTC Subcommittee on Biometrics and Identity Management, August 10, 2009.
- Order for Supplies or Services of $200,000.00 to Computer Sciences Corporation (03/15/2010)
- Statement of Work, "Biometric Sample Quality and Performance Testing Technology Subject Matter Expert."
- "Additional DHS and Far Clauses" to DHS Homeland Security Acquisition Regulation Clauses.
- 3 Interagency Agreement to National Institute of Standards and Technology (03/04/2010) (05/12/2009)
- Statement of Work for Human Factors Program, US DHS, Science and Technology Directorate, "Test & Evaluation/Standards".
- A “Modification of Contract” between DHS and Accenture LLP
- “Task Order 018 CLIN 0002 Multimodal Biometric Limited Production Pilot BOM Summary: Technical Objectives, Assumptions, and Dependencies Related to Logical and Physical Diagrams”
- “US-VISIT Expenditure Plan: Fiscal Year 2010 Report to Congress.”
In a separate document, DHS also produced 64 pages from an investigation of the DHS's Office for Procurement Operations. This response included the following documents:
A third round of documents was produced on September 30, 2010. The agency withheld sections of these documents under the (b)4 exemption for “Trade Secrets.” This disclosure included the following documents:
- U.S. Department of State Fact Sheet About Visa Waiver Program, Biometrics, and Machine-Readable Passports. April 7, 2005.
- EPIC's April Spotlight on Surveillance about ID cards with biometrics. April 1, 2005.
- EPIC's comments to the TSA's request for biometric guidance, March 17, 2005.
- Technical report (PDF) to the Council of European Union saying proposed biometric visa scheme is not feasible, November 11, 2004.
- EPIC's comments before the Department of the Treasury in the Matter of
FACT Act Biometric Study, April 1, 2004.
- Letter (PDF) from civil liberties groups to International Civil Aviation Organization regarding their plans to include biometric identifiers such as fingerprints and facial scans on all newly issued electronic passports, March 30, 2004.
- EPIC's Face Recognition page.
- EPIC's National ID page.
- EPIC's July 2002 Congressional testimony concerning ID theft and biometrics, July 18, 2002.
- Use Of Biometric Identification Technology To Reduce Fraud In The Food Stamp Program: Final Report (PDF) U.S. Department of Agriculture, December 1999.
- New Jersey State Assemblywoman Joan Quigley has introduced a bill to regulate biometric identifiers."
- Biometric Access Devices Put to the Test." From Heise Online.
- Connecticut Department of Social Services Biometric ID project (see their newsletter for latest biometric industry news).
- Analysis of biometric technologies from Deutsche Bank Research: "Biometrics-Hype and Reality" (PDF)
- Information on fingerprinting from onin.com.
- San Jose State University National Biometrics Test Center.
- Roger Clarke, an Australian privacy expert, has an excellent guide to the issues involved in the use of biometric identifiers. The guide also contains many useful links.
- Phil Agre, Associate Professor of Information Studies at UCLA, has put together an interesting collection of arguments and news stories about ubiquitous use of biometric identifiers, specifically face recognition cameras. Your Face is Not a Bar Code: Arguments Against Automatic Face Recognition in Public Places. Sept. 7, 2001.
- The Biometric Consortium serves as the US Government's focal point for research, development, test, evaluation, and application of biometric-based personal identification/verification technology. They also have a good collection of links to articles and other publications.
- The International Biometric Industry Association maintains a FAQ and links to other resources on biometric technology.Erik Bowman of Identix, a leading developer of biometric technology, describes biometrics from the industry perspective.
- The RAND Corporation published a short issue paper in mid-2001, entitled "Super Bowl Surveillance: Facing Up to Biometrics".
- The International Biometric Group, a leading integration and consulting firm in the biometric industry, has put together a brief in response to the terrorist attacks in which they caution against thinking of biometric devices as silver bullets and point out various limitations to the use of the technology. IBG's BioPrivacy Initiative.
- DHS taking second look at iris scans for Registered Traveler. GCN, January 30, 2006.
- U.S.Visit biometrics up and running, on time. Washington Technology, December 30, 2005.
- TSA releases guidance on biometrics for access control. Government Computing News, November 15, 2005.
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
Communications Law and Policy
Jerry Kang and Alan Butler