The FBI's face recognition office can now search databases with more than 641 million photos, including 21 state databases.
In a May 2016 report, we found the FBI hadn't fully adhered to privacy laws and policies or done enough to ensure accuracy of its face recognition capabilities. This testimony is an update on this work and our 6 recommendations, only one of which has been fully addressed.
For example, while the FBI has conducted audits to oversee the use of its face recognition capabilities, it still hasn't taken steps to determine whether state database searches are accurate enough to support law enforcement investigations.
FBI information on whether and to what extent states allow photo searches, as of May 2019
Map of the U.S. showing participating states
What GAO Found
In May 2016, GAO found that the the Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) could improve transparency and oversight to better safeguard privacy and had limited information on accuracy of its face recognition technology. GAO made six recommendations to address these issues. As of May 2019, DOJ and the FBI had taken some actions to address three recommendations—one of which the FBI has fully implemented—but has not taken any actions on the other three.
Privacy. In its May 2016 report, GAO found that DOJ did not complete or publish key privacy documents for FBI's face recognition systems in a timely manner and made two recommendations to DOJ regarding its processes for developing these documents. These included privacy impact assessments (PIA), which analyze how personal information is collected, stored, shared, and managed in federal systems, and system of records notices, which inform the public about, among other things, the existence of the systems and the types of data collected. DOJ has taken actions to expedite the development process of the PIA. However, DOJ has yet to take action with respect to the development process for SORNs. GAO continues to believe both recommendations are valid and, if implemented, would help keep the public informed about how personal information is being collected, used and protected by DOJ components. GAO also recommended the FBI conduct audits to determine if users of FBI's face recognition systems are conducting face image searches in accordance with DOJ policy requirements, which the FBI has done.
Accuracy. GAO also made three recommendations to help the FBI better ensure the accuracy of its face recognition capabilities. First, GAO found that the FBI conducted limited assessments of the accuracy of face recognition searches prior to accepting and deploying its face recognition system. The face recognition system automatically generates a list of photos containing the requested number of best matched photos. The FBI assessed accuracy when users requested a list of 50 possible matches, but did not test other list sizes. GAO recommended accuracy testing on different list sizes. Second, GAO found that FBI had not assessed the accuracy of face recognition systems operated by external partners, such as state or federal agencies, and recommended it take steps to determine whether external partner systems are sufficiently accurate for FBI's use. The FBI has not taken action to address these recommendations. GAO continues to believe that by verifying the accuracy of both systems—its system, and the systems of external partners—the FBI could help ensure that the systems provide leads that enhance criminal investigations. Third, GAO found that the FBI did not conduct an annual review to determine if the accuracy of face recognition searches was meeting user needs, and recommended it do so. In 2016 and 2017 the FBI submitted a paper to solicit feedback from system users. However, this did not result in formal responses from users and did not constitute a review of the system. GAO continues to believe that conducting such a review would help provide important information about potential factors affecting accuracy of the system.
Why GAO Did This Study
Technology advancements have increased the overall accuracy of automated face recognition over the past few decades. This technology has helped law enforcement agencies identify criminals in their investigations. However, there are questions about the accuracy of the technology and the protection of privacy and civil liberties when face recognition technologies are used to identify people for investigations.
This statement describes the extent to which the FBI (1) ensures adherence to laws and policies related to privacy regarding its use of face recognition technology, and (2) ensures its face recognition capabilities are sufficiently accurate. This statement is based on GAO's May 2016 report regarding the FBI's use of face recognition technology (GAO-16-267) and includes agency updates to GAO's recommendations. To conduct its prior work, GAO reviewed federal privacy laws, and DOJ and FBI policies and operating manuals. GAO interviewed officials from the FBI and the departments of Defense and State, which coordinate with the FBI on face recognition. GAO also interviewed two state agencies that partner with the FBI to use multiple face recognition capabilities. For updates, GAO reviewed FBI data, as well as materials provided by DOJ and the FBI on the status of GAO's recommendations.
In its May 2016 report, GAO made three recommendations related to privacy, one of which has been implemented. GAO also made three recommendations related to accuracy that the FBI is still working to address.