Yottabytes: Storage and Disaster Recovery

Jun 22 2016   4:35PM GMT

FBI Facial Database: Big and Broken

Sharon Fisher Sharon Fisher Profile: Sharon Fisher


As you may recall, governments and government agencies such as the Federal Bureau of Investigation (FBI) are building giant databases of faces, using their own sources of faces, such as Department of Motor Vehicle records, and then using facial recognition software with that data to help identify criminals.

As it turns out, the FBI facial database is much bigger than anyone thought, much less reliable, and the FBI doesn’t want to consider it protected information. And that opinion isn’t from some sort of consumer privacy group: It’s from the government itself.

GAO Report

The Government Accountability Office (GAO) released its report, FACE Recognition Technology: FBI Should Better Ensure Privacy and Accuracy in May with this information about the FBI’s Facial Analysis, Comparison, and Evaluation (FACE) program. It was provided to the Senate Subcommittee on Privacy, Technology and the Law in the Committee on the Judiciary. (The whole report is 68 pages long and well worth reading.)

“The GAO found that the FBI has been disregarding some of even the most basic privacy protections and standards,” writes Kia Makarechi in Vanity Fair. “To wit: the driver’s-license photos of the residents of 16 states and some additional 30 million photos from a biometric database are available for the FBI to search at will. Another 18 states are reportedly negotiating with the FBI over the use of driver’s-license images.”

Altogether, the FBI facial database has access to more than 411 million pictures, the GAO reports. “FBI’s Facial Analysis, Comparison, and Evaluation (FACE) Services unit not only has access to FBI’s Next Generation Identification (NGI) face recognition database of nearly 30 million civil and criminal mug shot photos, it also has access to the State Department’s Visa and Passport databases, the Defense Department’s biometric database, and the drivers license databases of at least 16 states,” writes the Electronic Frontier Foundation. “Totaling 411.9 million images, this is an unprecedented number of photographs, most of which are of Americans and foreigners who have committed no crimes.”

In addition, the FBI hadn’t sufficiently notified the public of the technology’s use, the report found. In 2008 the FBI published a PIA [Privacy Impact Assessment] of its plans, the report writes. “However, the FBI did not publish a new PIA or update the 2008 PIA before beginning the NGI-IPS pilot in December 2011 or as significant changes were made to the system through September 2015. In addition, [Department of Justice] DOJ did not approve a PIA for FACE Services until May 2015 — over three years after the unit began supporting FBI agents with face recognition searches.” The DOJ also did not complete a System of Records Notice (SORN) in a timely manner, the report adds.

False Positives

As far as the facial recognition part goes, the FBI had previously said that as many as 20 percent of the identifications were incorrect. It turns out that the agency was wrong, and it actually has no idea how often the software returns false positives – but the FBI contends it doesn’t matter, the GAO writes. “According to FBI officials, because the results are not intended to serve as positive identifications, the false positive rate requirement is not relevant.” The GAO went on to point out how, according to government specifications, that belief is incorrect, and listed several ways that the FBI could have tested this.

In addition, the FBI doesn’t go to any effort to ensure the accuracy of the photos it gets from other sources, such as state databases, saying that it was the responsibility of the external source, the GAO report continues. “However, states generally use their face recognition systems to prevent a person from fraudulently obtaining a drivers’ license under a false name, while the FBI uses face recognition to help identify, among other people, criminals for active FBI investigations,” the report notes. “Accuracy requirements for criminal investigative purposes may be different.” Moreover, other federal agencies such as the Transportation Security Administration (TSA) perform their own accuracy checks, the report adds.

This is particularly an issue because facial recognition software is not created equal. Systems developed in different countries tend to do best with people of the most prevalent race in that country, and less well with minorities, write Clare Garvie and Jonathan Frankle in The Atlantic. For example, in the U.S., the facial recognition algorithms work better with pictures of white people than those of black people.

False positives can create problems down the line, according to the GAO. “Given that the accuracy of a system can have a significant impact on individual privacy and civil liberties as well as law enforcement workload, it is essential that both the detection rate and the false positive rate for all allowable candidate list sizes are assessed prior to the deployment of the system,” the report notes. “According to a July 2012 Electronic Frontier Foundation hearing statement, false positives can alter the traditional presumption of innocence in criminal cases by placing more of a burden on the defendant to show he is not who the system identifies him to be.”

It turns out, also, that facial recognition searches are more common than wiretaps — but don’t have the same protections, notes Alvaro Bedoya, the executive director of the Center on Privacy and Technology at Georgetown University Law Center. “According to the GAO, the unit fielded approximately 214,920 searches or requests between 2011 and 2015 — 36,420 involving the 16 states’ driver’s-license photos,” Makarechi writes. “Overall, FACE found 8,590 cases in which a ‘likely candidate’ was returned to an FBI agent.”

No Protections

To add insult to injury, the FBI requested in May that its biometrics database – including fingerprints and facial photographs — be exempted from certain provisions of the Privacy Act, a move that the EFF is also fighting.

“The big concern is that the FBI is proposing to exempt NGI from any requirement that they update or correct data about somebody in the future,” Jennifer Lynch, EFF senior staff attorney, tells Ellen Nakashima of the Washington Post. In response to concerns from the EFF and more than 40 other groups, the Justice Department has extended the comment period to July 6, Nakashima adds.

In the meantime, smile. The FBI may be watching.

2  Comments on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • adelutri
    Good I'm glad the FBI may be watching and we NEED to begin somewhere - Let it broken and LET US FIX IT! We need to protect all Americans and a Database is the ONLY WAY! Let's just get it done! I'm very willing to help :)
    10 pointsBadges:
  • synchronicity
    I would not worry about the FBI and face recognition there is an update coming to the FBI using a very special AI. There will be no false positives very soon. 
    20 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: