Defense Management: DOD Can Establish More Guidance for Biometrics Collection and Explore Broader Data Sharing
Highlights
The events of September 11, 2001, and operations in Afghanistan and Iraq have made it critical for military units to identify individuals they encounter and share this information with other units and federal agencies. Biometrics are unique personal aspects such as fingerprints and iris images used to identify an unfamiliar person. Federal agencies with national security missions, such as the Departments of Homeland Security (DHS) and State (DOS), need access to certain biometrics data gathered by the Department of Defense (DOD). GAO was asked to determine to what extent (1) DOD has guidance on the biometrics data to be collected to support military activities, and (2) there may be gaps in biometrics information shared between DOD and DHS. This is a public version of a For Official Use Only report, GAO-08-430NI, issued in May 2008. GAO examined DOD's guidance for field collection of biometrics data, biometrics sharing agreements, and information on national level efforts to enhance data sharing.
DOD has issued guidance on the biometrics data collected from individuals who are detained or allowed access to U.S. bases in Iraq, but has not issued guidance on data to be collected during field activities where U.S. forces encounter hostile or questionable individuals such as in Afghanistan and Iraq. DOD has allowed commanders to determine the type of data to collect, such as fingerprints or iris images, during their operations. GAO's analysis showed that allowing for this flexibility results in the collection of different data that are not necessarily comparable to each other. Some units may collect iris images while others collect fingerprints, which are not comparable data. Broader national security implications can arise, such as military personnel's inability to identify someone who has harmed or attempted to harm U.S. or coalition forces. These newly collected data are not necessarily comparable with data collected by other units or with federal databases that store biometrics data, such as the FBI's fingerprint database, DOD's biometric database, or the DHS biometric database. Having a standard set of data would help ensure consistent identification and confirmation of an individual's identity thus allowing forces to compare data across multiple databases in different commands. A standard set of data also would allow for comparison of new biometrics data collected in the field with existing biometrics data. DOD shares biometrics data that it collects on non-U.S. persons with other federal agencies through a variety of inter-agency agreements, but some gaps in data sharing may remain. Since the events of September 11, 2001, the President and Congress have issued policies that require agencies to share counterterrorism information, and agencies have in turn issued their own policies. National efforts to develop policies about such information sharing are still in development. In January 2007, the Deputy Secretary of Defense issued a memo that stated that DOD would immediately adopt the practice of sharing, when asked, unclassified DOD biometrics data records with other U.S. agencies that have counterterrorism missions--this includes data related to terrorism information but excludes data pertaining to U.S. persons. According to a DHS memorandum, DHS is not regularly receiving updates on certain types of DOD biometrics data that it could use. DHS officials told GAO they could use such data in various ways, such as to prohibit individuals from entering the United States who are determined to be inadmissible based on these data and other relevant information. GAO found that DHS officials are consulting with DOD on how to obtain additional biometrics data from DOD. Until national level policies are developed, opportunities to reduce gaps in national security through comprehensive data sharing may be lost unless remaining needs for biometrics data are identified and filled as appropriate and in accordance with U.S. laws and regulations and international agreements.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Defense | The Secretary of Defense should direct the Secretary of the Army's Executive Manager for Biometrics to establish guidance specifying a minimum baseline standard set of biometrics data for collection during military operations in the field so that biometrics data can be compared across multiple databases in different commands and across federal agencies as appropriate and in accordance with U.S. laws and regulations and international agreements. |
Closed – Implemented
DOD concurred with the recommendation but stated that commanders in the field should be allowed to exercise judgement about biometrics to be collected rather than adhere to a universal standard. DOD has nevertheless since taken a number of actions to implement the recommendation. For example, DOD's Biometrics Task Force began updating DOD-wide standard operating procedures that expand the amount of biometric data collected during detainee enrollments by adding iris images & palm prints to the previous requirement of fingerprints, facial photos, and DNA. DOD further standardized the practice of biometric collections from military detainees through the use of two computer-based applications: Detainee Reporting System & the Biometric Automated Toolset. Finally, DOD issued a handbook (Commander's Guide to Biometrics in Afghanistan) in April 2011 that synthesized lessons learned & provided standards & guidance on why, when, and how biometrics should be collected. Taken together, we believe these actions address the intent of the recommendation.
|
| Department of Homeland Security | Additionally, until a formalized, governmentwide biometrics data-sharing architecture is implemented, the Secretaries of Defense and Homeland Security, in consultation with other federal agencies, such as the FBI and DOS, should determine if biometrics information sharing needs are being met and address, as appropriate, any biometrics data-sharing gaps that may exist, in accordance with U.S. laws and regulations and international agreements, as well as information sharing environment efforts. |
Closed – Implemented
At the time of our review, we reported that DOD and the Department of Homeland Security (DHS) did not have an agreement in place that allowed for direct connectivity between their biometric systems. In March 2011, DHS finalized an agreement with DOD regarding biometric information sharing. We believe the DHS and DOD actions address the intent of the recommendation.
|
| Department of Defense | Additionally, until a formalized, governmentwide biometrics data-sharing architecture is implemented, the Secretaries of Defense and Homeland Security, in consultation with other federal agencies, such as the FBI and DOS, should determine if biometrics information sharing needs are being met and address, as appropriate, any biometrics data-sharing gaps that may exist, in accordance with U.S. laws and regulations and international agreements, as well as information sharing environment efforts. |
Closed – Implemented
DOD concurred with the recommendation and has since reported a number of actions in response. For example, DOD participated in the development of the interagency implementation plan for National Security Presidential Directive-59/Homeland Security Presidential Directive-24, "Biometrics for Identification and Screening to Enhance National Security." At the time of our review, we reported that DOD and the Department of Homeland Security (DHS) did not have an agreement in place that allowed for direct connectivity between their biometric systems. In March 2011 DOD finalized an agreement with DHS regarding biometric information sharing. We believe the DOD and DHS actions address the intent of our recommendation.
|