Face Recognition Technology: DOJ and FBI Need to Take Additional Actions to Ensure Privacy and Accuracy
What GAO Found
In May 2016, GAO found that the Federal Bureau of Investigation (FBI) had not fully adhered to privacy laws and policies and had not taken sufficient action to help ensure accuracy of its face recognition technology. GAO made six recommendations to address these issues. As of March 2017, the Department of Justice (DOJ) and the FBI disagreed with three recommendations and had taken some actions to address the remainder, but had not fully implemented them.
Privacy notices not timely. In May 2016, GAO recommended DOJ determine why privacy impact assessments (PIA) were not published in a timely manner (as required by law) and take corrective action. GAO made this recommendation because FBI did not update the Next Generation Identification-Interstate Photo System (NGI-IPS) PIA in a timely manner when the system underwent significant changes or publish a PIA for Facial Analysis, Comparison and Evaluation (FACE) Services before that unit began supporting FBI agents. DOJ disagreed on assessing the PIA process stating it established practices that protect privacy and civil liberties beyond the requirements of the law. GAO also recommended DOJ publish a system of records notice (SORN) and assess that process. DOJ agreed to publish a SORN, but did not agree there was a legal requirement to do so. GAO believes both recommendations are valid to keep the public informed on how personal information is being used and protected by DOJ components.
Key Dates of Privacy Notices
GAO also recommended the FBI conduct audits to determine if users of NGI-IPS and biometric images specialists in the FBI's FACE Services unit are conducting face image searches in accordance with DOJ policy requirements. The FBI began conducting NGI-IPS user audits in 2017.
Accuracy testing limited. In May 2016, GAO recommended the FBI conduct tests to verify that NGI-IPS is accurate for all allowable candidate list sizes to give more reasonable assurance that NGI-IPS provides leads that help enhance criminal investigations. GAO made this recommendation because FBI officials stated that they do not know, and have not tested, the detection rate for candidate list sizes smaller than 50, which users sometimes request from the FBI. GAO also recommended the FBI take steps to determine whether systems used by external partners are sufficiently accurate for FBI's use. By taking such steps, the FBI could better ensure the data from external partners do not unnecessarily include photos of innocent people as investigative leads. However, FBI disagreed with these two recommendations, stating the testing results satisfy requirements for providing investigative leads and that FBI does not have authority to set accuracy requirements for external systems. GAO continues to believe these recommendations are valid because the recommended testing and determination of accuracy of external systems would give the FBI more reasonable assurance that the systems provide investigative leads that help enhance, rather than hinder or overly burden, criminal investigation work.
GAO also recommended the FBI conduct an annual operational review of NGI-IPS to determine if the accuracy of face recognition searches is meeting federal, state, and local law enforcement needs and take actions, as necessary. DOJ agreed and in 2017 FBI stated they implemented the recommendation by submitting a paper to solicit feedback from NGI-IPS users on whether face recognition searches are meeting their needs. However, GAO believes these actions do not fully meet the recommendation because they did not result in any formal response from users and did not constitute an operational review. GAO continues to recommend FBI conduct an operational review of NGI-IPS at least annually.
Why GAO Did This Study
Technology advancements have increased the overall accuracy of automated face recognition over the past few decades. This technology has helped law enforcement agencies identify criminals in their investigations. However, privacy advocates and members of the Congress remain concerned regarding the accuracy of the technology and the protection of privacy and individual civil liberties when technologies are used to identify people based on their biological and behavioral characteristics.
This statement describes the extent to which the FBI ensures adherence to laws and policies related to privacy regarding its use of face recognition technology, and ensure its face recognition capabilities are sufficiently accurate. This statement is based on our May 2016 report regarding the FBI's use of face recognition technology and includes agency updates to our recommendations. To conduct that work, GAO reviewed federal privacy laws, FBI policies, operating manuals, and other documentation on its face recognition capability. GAO interviewed officials from the FBI and the Departments of Defense and State, which coordinate with the FBI on face recognition. GAO also interviewed two state agencies that partner with FBI to use multiple face recognition capabilities.
In May 2016, DOJ and the FBI partially agreed with two recommendations and disagreed with another on privacy. FBI agreed with one and disagreed with two recommendations on accuracy. GAO continues to believe that the recommendations are valid.