Massive FBI Biometric Database Must Be Subject to Appropriate Public Scrutiny
Written by Gabe Rottman
If you watch the (sadly ending) series Person of Interest, you know the distinctive graphics that depict the “thinking” of “The Machine”—the artificial intelligence that gives the show’s heroes tips about impending premeditated violent crime. The Machine cross-references a vast amount of biometric data—fingerprints, face recognition, palm prints, iris recognition, etc.—with location information, electronic communications, and other mass surveillance data to predict when a crime is about to happen.
It’s all quite dramatic, but that kind of database—sans the AI, one hopes—isn’t so far from something the FBI is building right now. The FBI is replacing an older fingerprint database with the “Next Generation Identification” (“NGI”) system. NGI expands the fingerprint database into the realm of biometrics: facial recognition, palm prints, pictures of tattoos and other distinctive marks, and potentially a wide range of other biometric items that can be used to identify and track people.
The scope of the NGI is a big problem. It would be one thing were the database limited to fingerprints and biometrics of individuals actually convicted of a crime. But NGI goes much further. It will collect information—pictures, fingerprints, etc.—from individuals who are just stopped on the street and let go. And, it will include information collected in a huge number of non-criminal contexts, from, for instance, job seekers, individuals in the immigration system, and folks applying for a security clearance.
All of that information will be searched thousands of times a day by law enforcement at the federal, state, local, and tribal levels seeking either positive identification of a suspect or simply investigative leads. The danger of false positives is extreme, both because of the potential unreliability of things like facial recognition, and because the system will include a vast amount of information on individuals who have no connection whatsoever to the criminal justice system.
It gets worse. Although the NGI has been in the works since 2008, the Department of Justice delayed releasing a number of legally mandated reports that describe the system and the information it collects. It finally released the “Privacy Impact Assessment” for the NGI system in September 2015. And, it released the “System of Records Notice” (“SORN”), which contains details about the system’s operation, only this month. The public has 30 days to comment, which is a woefully short timeframe for commenters to adequately catalog the privacy problems with NGI.
And, on the same day as the SORN, the FBI also released a proposed rule that would broadly exempt the NGI system from key elements of the federal Privacy Act of 1974. Congress passed the Privacy Act in response to growing concerns about how the automation of information collection, storage, and analysis by the government could result in abuse (dossiers on political activity, for instance), and to give Americans the ability to access and correct data held by the government about them.
While exemptions to the Privacy Act may be appropriate when access would impair an active investigation, there is simply no reasonable argument for barring access to biometric information held in an FBI criminal database that is collected in non-criminal contexts. Such information should also be subject to the Privacy Act when it pertains to individuals who have been “Terry” stopped on the street and let go, who have had charges dropped, or who have been acquitted or otherwise cleared of a charge.
The FBI notes that there is an existing process by which individuals can request their criminal records and seek corrections, but that requires going back to the entity that created the record, which may be a local police department with limited resources. In short, that existing process is inadequate and burdensome, and should not apply at all to the non-criminal records in the NGI system.
Finally, it’s important to point out that while the FBI seeks to exempt the NGI from only select provisions of the Privacy Act, the effect of the proposed rule will be to deny individuals legal recourse were the FBI to violate any provision of the Privacy Act. That’s because the exemptions include 18 U.S.C. § 552a(g), which provides for civil remedies when an agency denies a Privacy Act request or makes a determination not to correct an inaccurate record, among other things.
So, for instance, the Privacy Act bars agencies from maintaining records describing how an individual exercises rights guaranteed by the First Amendment (unless otherwise authorized by law or legitimately relevant to a valid investigation). Such records could easily become part of NGI. Consider, for instance, law enforcement photographs of an arrest at a protest. Based on my reading of the SORN, it seems conceivable that these arrest or detention photos could include pictures of surrounding individuals who are simply attending the protest—clearly First Amendment protected activity.
These images could then be searched by law enforcement and used to generate investigative leads. An individual would not be able to sue the government were those images maintained in the NGI in violation of this provision (5 U.S.C. § 552a(e)(7), for the curious).
Similarly, 5 U.S.C. § 552a(e)(6)—also not one of the claimed exemptions—requires an agency to make “reasonable efforts” to assure the accuracy and completeness of records before dissemination outside the agency. Were the FBI to share inaccurate or incomplete NGI records in violation of this provision, individuals would likewise not be able to sue.
The Privacy Act was enacted precisely because of the privacy risks inherent in the automated collection, storage, collation, and cross-referencing of information about individuals—the very thing that gives The Machine in Person of Interest the power to do its pre-crime thing. The FBI’s proposed NGI database will collect a vast amount of information about individuals who are not even suspected of committing a crime, and will use that information for law enforcement purposes. It’s crucial that any Privacy Act exemption be narrowly and carefully drawn.
To that end, CDT joined a letter—released today—signed by numerous privacy and civil liberties advocates seeking an extension of the comment period for the proposed Privacy Act rule. At the very least, interested parties must be given an appropriate amount of time to consider and comment on the sweeping exemptions in the rule. We hope the FBI and Department of Justice take heed.