Comments on FBI’s Proposed Exemption from the Privacy Act for Next Generation Identification System

The Center for Democracy and Technology (“CDT”) respectfully submits these comments urging the Department of Justice (“DOJ”) and the Federal Bureau of Investigation (“FBI”) to reconsider the proposal in CPCLO Order No. 003-2016 to broadly exempt the Next Generation Identification (“NGI”) biometric system1 from key provisions of the Privacy Act of 1974.2 CDT also offers comments on the modified system of records notice in CPCLO Order No. 002-2016.

CDT is a nonprofit public interest group that seeks to promote free expression, privacy, individual liberty, and technological innovation on the open, decentralized internet. CDT supports laws, corporate policies, and technical tools that protect the civil liberties of internet users. CDT represents the public’s interest in an open internet and promotes the constitutional and democratic values of free expression, privacy, and individual liberty.

While the FBI may be able to articulate instances where criminal records in the NGI could properly be exempted under specific provisions of the Privacy Act, an exemption of the scope proposed—which would cover, for instance, records about individuals who have never encountered the criminal justice system in any form, let alone been convicted of a crime—is inappropriate and poses significant peril for privacy and civil liberties.

Currently, the NGI includes a number of different biometrics, including fingerprints, face recognition data, iris scans, and palm prints. These records may be collected not just during arrests, but also during any “criminal inquiry” or “lawful detention.” Additionally, the NGI contains entirely civil records, such as fingerprints and other biometrics of individuals in the military, individuals applying for immigration “or other governmental” benefits, individuals seeking permanent residency or citizenship, individuals who have applied for a security clearance, and individuals at all levels of government who have been fingerprinted as part of licensing or a background check for employment.

In the NGI Privacy Impact Assessments (“PIAs”) published in 2015,5 the FBI announced that it would create a single identity file that would link criminal and civil fingerprint data, and would permit the searching of certain civil records in criminal contexts. In practice, we understand this to mean that if one applies for a security clearance or for a job even at a state or local level, for instance, fingerprints submitted as part of the application would be searched thousands of times a day by federal, state, local, tribal, territorial, and international law enforcement agencies for investigative leads.

As described in the SORN, the NGI database represents a sea change in how the government collects, stores, retains, and disseminates biometric data in the pursuit of crime. The SORN erases the line between civil records, collected from individuals who have done nothing wrong and who have never interacted with law enforcement, and verifiable criminal biometrics. Under the SORN, both can now be searched, cross-referenced, linked and then used to generate investigative leads or, if the civil record contains a ten-print fingerprint, used to positively identify suspects.

As discussed in greater detail below, we offer comments on a number of different issues with the NGI:

• The Privacy Act is an essential check against government misuse of personal data. Enacted in the wake of Watergate and revelations that elements of the intelligence community, military, and law enforcement had collected dossiers on individuals based on the exercise of their First Amendment rights, the law gives individuals the ability to access their records and correct mistakes. It also gives individuals the ability to take legal action against a government entity that, for instance, maintains dossiers based on First Amendment activity. The proposed exemption would eliminate these protections.
• The FBI cannot rely on the general exemptions of 5 U.S.C. § 552a(j) (2012) for the civil records in NGI. By their terms, the general exemptions are only permissible for Central Intelligence Agency and law enforcement records.
• The multi-biometric NGI is a much more powerful and intrusive database than its fingerprint-based forebears. Accordingly, the risks of false positives, which have been documented already in this context, are significant. This danger can be at least somewhat ameliorated by the provisions of the Privacy Act that permit individuals to access and correct inaccurate records, which would be exempted under the FBI’s proposal (and would be unenforceable as the remedies section would also be exempt).
• Broadly, the existence of the NGI could chill the exercise of First Amendment rights. There are indications that the NGI database will include biometrics gathered in the field, including biometrics from individuals who are wrongly arrested, or who are subject to “lawful detention” but not arrested or charged. These elements of the system may be particularly burdensome for protesters and other individuals engaged in protected First Amendment activity.
• Finally, as is the case with “big data” in the non-law enforcement context, inherent systemic biases will creep into NGI if not guarded against through procedural protections like the Privacy Act. Disparities in the criminal justice system can only be amplified by NGI. Limiting any Privacy Act exemptions will mitigate this risk.