Facial Recognition Technology: Federal Law Enforcement Agencies Should Better Assess Privacy and Other Risks

GAO-21-518 Published: Jun 03, 2021. Publicly Released: Jun 29, 2021.
Jump To:
Fast Facts

We surveyed 42 federal agencies that employ law enforcement officers about their use of facial recognition technology.

  • 20 reported owning such systems or using systems owned by others
  • 6 reported using the technology to help identify people suspected of violating the law during the civil unrest, riots, or protests following the death of George Floyd in May 2020
  • 3 acknowledged using it on images of the U.S. Capitol attack on Jan. 6
  • 15 reported using non-federal systems

We recommended that 13 agencies track employee use of non-federal systems and assess the risks these systems can pose regarding privacy, accuracy, and more.

Facial recognition technology

Skip to Highlights
Highlights

What GAO Found

GAO surveyed 42 federal agencies that employ law enforcement officers about their use of facial recognition technology. Twenty reported owning systems with facial recognition technology or using systems owned by other entities, such as other federal, state, local, and non-government entities (see figure).

Ownership and Use of Facial Recognition Technology Reported by Federal Agencies that Employ Law Enforcement Officers

HLP_5 - 103705

Note: For more details, see figure 2 in GAO-21-518.

Agencies reported using the technology to support several activities (e.g., criminal investigations) and in response to COVID-19 (e.g., verify an individual's identity remotely). Six agencies reported using the technology on images of the unrest, riots, or protests following the death of George Floyd in May 2020. Three agencies reported using it on images of the events at the U.S. Capitol on January 6, 2021. Agencies said the searches used images of suspected criminal activity.

All fourteen agencies that reported using the technology to support criminal investigations also reported using systems owned by non-federal entities. However, only one has awareness of what non-federal systems are used by employees. By having a mechanism to track what non-federal systems are used by employees and assessing related risks (e.g., privacy and accuracy-related risks), agencies can better mitigate risks to themselves and the public.

Why GAO Did This Study

Federal agencies that employ law enforcement officers can use facial recognition technology to assist criminal investigations, among other activities. For example, the technology can help identify an unknown individual in a photo or video surveillance.

GAO was asked to review federal law enforcement use of facial recognition technology. This report examines the 1) ownership and use of facial recognition technology by federal agencies that employ law enforcement officers, 2) types of activities these agencies use the technology to support, and 3) the extent that these agencies track employee use of facial recognition technology owned by non-federal entities.

GAO administered a survey questionnaire to 42 federal agencies that employ law enforcement officers regarding their use of the technology. GAO also reviewed documents (e.g., system descriptions) and interviewed officials from selected agencies (e.g., agencies that owned facial recognition technology). This is a public version of a sensitive report that GAO issued in April 2021. Information that agencies deemed sensitive has been omitted.

Skip to Recommendations

Recommendations

GAO is making two recommendations to each of 13 federal agencies to implement a mechanism to track what non-federal systems are used by employees, and assess the risks of using these systems. Twelve agencies concurred with both recommendations. U.S. Postal Service concurred with one and partially concurred with the other. GAO continues to believe the recommendation is valid, as described in the report.

Recommendations for Executive Action

Agency Affected Recommendation Status
Bureau of Alcohol, Tobacco, Firearms and Explosives The Director of the Bureau of Alcohol, Tobacco, Firearms and Explosives should implement a mechanism to track what non-federal systems with facial recognition technology are used by employees to support investigative activities. (Recommendation 1)
Open
As of November 2022, this recommendation remains open. The Bureau of Alcohol, Tobacco, Firearms, and Explosives said it is participating in a Department of Justice working group tasked with developing a department-wide facial recognition policy. Upon completion of the policy, the Bureau will issue its own policy within 180 days, which will include a mechanism to track non-federal systems and assess privacy- and accuracy-related risks. In addition, as of November 2022, the agency said its employees were not authorized to use commercial systems.
Bureau of Alcohol, Tobacco, Firearms and Explosives The Director of the Bureau of Alcohol, Tobacco, Firearms and Explosives should, after implementing a mechanism to track non-federal systems, assess the risks of using such systems, including privacy and accuracy-related risks. (Recommendation 2)
Open
As of November 2022, this recommendation remains open. The Bureau of Alcohol, Tobacco, Firearms, and Explosives said it is participating in a Department of Justice working group tasked with developing a department-wide facial recognition policy. Upon completion of the policy, the Bureau will issue its own policy within 180 days, which will include a mechanism to track non-federal systems and assess privacy- and accuracy-related risks. In addition, as of November 2022, the agency said its employees were not authorized to use commercial systems.
Drug Enforcement Administration The Administrator for the Drug Enforcement Administration should implement a mechanism to track what non-federal systems with facial recognition technology are used by employees to support investigative activities. (Recommendation 3)
Open
In August 2022, DEA reported that it had notified its investigators that they were not authorized to use facial recognition technology. Given the potential future use of the technology, DEA is participating in a Department of Justice working group, which will develop department-wide policy on facial recognition technology. As of November 2022, this recommendation remains open.
Drug Enforcement Administration The Administrator for the Drug Enforcement Administration should, after implementing a mechanism to track non-federal systems, assess the risks of using such systems, including privacy and accuracy-related risks. (Recommendation 4)
Open
In August 2022, DEA reported that it had notified its investigators that they were not authorized to use facial recognition technology. Given the potential future use of the technology, DEA is participating in a Department of Justice working group, which will develop department-wide policy on facial recognition technology. As of November 2022, this recommendation remains open.
Federal Bureau of Investigation The Director of the FBI should implement a mechanism to track what non-federal systems with facial recognition technology are used by employees to support investigative activities. (Recommendation 5)
Open
As of November 2022, this recommendation remains open. The FBI said its Science and Technology Branch has formed an internal working group. The group is evaluating existing facial recognition policy and potential options to help address this recommendation.? According to the FBI, the working group meets weekly, and includes subject matter experts from multiple investigative divisions, and calls on additional participants as necessary.
Federal Bureau of Investigation The Director of the FBI should, after implementing a mechanism to track non-federal systems, assess the risks of using such systems, including privacy and accuracy-related risks. (Recommendation 6)
Open
As of November 2022, this recommendation remains open. The FBI said its Science and Technology Branch has formed an internal working group. The group is evaluating existing facial recognition policy and potential options to help address this recommendation.? According to the FBI, the working group meets weekly, and includes subject matter experts from multiple investigative divisions, and calls on additional participants as necessary.
United States Marshals Service The Director of the U.S. Marshals Service should implement a mechanism to track what non-federal systems with facial recognition technology are used by employees to support investigative activities. (Recommendation 7)
Open
As of November 2022, this recommendation remains open. The U.S. Marshals Service said it is participating in a Department of Justice working group tasked with developing a department-wide facial recognition policy, which will include a mechanism to track non-federal systems and assess privacy- and accuracy-related risks. Upon completion of the department-wide policy, the Service will consider its own policy.
United States Marshals Service The Director of the U.S. Marshals Service should, after implementing a mechanism to track non-federal systems, assess the risks of using such systems, including privacy and accuracy-related risks. (Recommendation 8)
Open
As of November 2022, this recommendation remains open. The U.S. Marshals Service said it is participating in a Department of Justice working group tasked with developing a department-wide facial recognition policy, which will include a mechanism to track non-federal systems and assess privacy- and accuracy-related risks. Upon completion of the department-wide policy, the Service will consider its own policy.
United States Customs and Border Protection The Commissioner of CBP should implement a mechanism to track what non-federal systems with facial recognition technology are used by employees to support investigative activities. (Recommendation 9)
Open
In June 2022, U.S. Customs and Border Protection issued a new privacy policy directive that covers employee use of facial recognition technology. According to the agency, under the new directive, all employees must report uses of facial recognition technology to the Privacy Office, which must conduct a Privacy Threshold Analysis. We continue to work with the agency to gather supporting documentation to close this recommendation. As of November 2022, this recommendation remains open.
United States Customs and Border Protection The Commissioner of CBP should, after implementing a mechanism to track non-federal systems, assess the risks of using such systems, including privacy and accuracy-related risks. (Recommendation 10)
Open
In June 2022, U.S. Customs and Border Protection issued a new privacy policy directive that covers employee use of facial recognition technology. According to the agency, under the new directive, all employees must report uses of facial recognition technology to the Privacy Office, which must conduct a Privacy Threshold Analysis. We continue to work with the agency to gather supporting documentation to close this recommendation. As of November 2022, this recommendation remains open.
United States Secret Service The Director of the Secret Service should implement a mechanism to track what non-federal systems with facial recognition technology are used by employees to support investigative activities. (Recommendation 11)
Closed – Implemented
In June 2021, we reported on the use of facial recognition technology by agencies that employ federal law enforcement officers (GAO-21-518). We found that between April 2018 and March 2020, the U.S. Secret Service used non-federal facial recognition systems to support investigative activities, without a mechanism to track which systems employees were using. Consequently, we recommended that the Secret Service implement a mechanism to track what non-federal systems employees use to support investigative activities. In January 2022, the Secret Service issued a requirement to its Office of Investigations and field offices, among other divisions. The agency said that the purpose of the requirement was to capture the use of facial recognition systems owned, contracted, and/or operated by partnering law enforcement agencies during an investigation. For example, the requirement states that all personnel who access a partnering law enforcement agency's system must capture that usage within the Secret Service's Incident Based Reporting (IBR) application. In March 2022, the agency provided us evidence of its IBR application updates, including new fields to capture the facial recognition system's name and owner, and the date the system was used. Furthermore, the agency provided a copy of the IBR user guide instructing staff on how to record the use of facial recognition systems. As a result, this recommendation is closed as implemented.
United States Secret Service The Director of the Secret Service should, after implementing a mechanism to track non-federal systems, assess the risks of using such systems, including privacy and accuracy-related risks. (Recommendation 12)
Open
According to the agency, the Investigative Support Division and the Criminal Investigative Division will work with the Privacy Office to determine the appropriate frequency of internal case management system audits to review the usage of facial recognition technology by Secret Service employees. In addition to these audits, the agency reported that its Investigative Support Division will collaborate with the Privacy Office to draft a mandatory privacy compliance document. According to the agency, the compliance document will include Privacy Threshold Analyses and Privacy Impact Assessments, allowing privacy risks associated with facial recognition technologies and mitigation strategies to be assessed and documented. As of November 2022, this recommendation remains open. The agency reported an estimated completion date of December 2022.
United States Fish and Wildlife Service The Director of the U.S. Fish and Wildlife Service should implement a mechanism to track what non-federal systems with facial recognition technology are used by employees to support investigative activities. (Recommendation 13)
Closed – Implemented
In June 2021, we reported on the use of facial recognition technology by agencies that employ federal law enforcement officers (GAO-21-518). We found that between April 2018 and March 2020, the U.S. Fish and Wildlife Service used non-federal facial recognition technology to support investigative activities, without a mechanism to track which systems employees were using. Consequently, we recommended that the U.S. Fish and Wildlife Service implement a mechanism to track what non-federal systems with facial recognition technology are used by employees to support investigative activities. In July 2021, the agency reported the use of a single non-government technology for all of its facial recognition searches, with access limited to two licensed users. In January 2022, the Assistant Director for Law Enforcement issued a directive providing guidance to the Office of Law Enforcement (OLE) on the use of facial recognition technology for investigative purposes. The directive states that the non-government provider is the only approved system for OLE officers. The directive also requires OLE officers to submit requests to the Wildlife Intelligence Unit for facial recognition searches via an internal case management system. The agency also provided documentation showing the dissemination of this directive to OLE officers. As a result, this recommendation is closed as implemented.
United States Fish and Wildlife Service The Director of the U.S. Fish and Wildlife Service should, after implementing a mechanism to track non-federal systems, assess the risks of using such systems, including privacy and accuracy-related risks. (Recommendation 14)
Open
As of November 2022, this recommendation remains open. U.S. Fish and Wildlife Service (FWS) officials said they have temporarily suspended employee use of non-federal facial recognition technology. In addition, FWS officials said the Department of the Interior is drafting department-wide guidance on facial recognition technology which, once implemented, will allow FWS to update its own facial recognition policy and address this recommendation. FWS did not provide an estimated completion date.
United States Park Police The Chief of the U.S. Park Police should implement a mechanism to track what non-federal systems with facial recognition technology are used by employees to support investigative activities. (Recommendation 15)
Open – Partially Addressed
In March 2022, U.S. Park Police issued an interim policy requiring employees to report the use of facial recognition technology owned by non-federal agencies to the Commander of Criminal Investigations. However, the policy was temporary in nature and did not acknowledge the use of commercial facial recognition systems, as required by the recommendation. Officials told us that U.S. Park Police will finalize a permanent policy by March 31, 2023, and that will include all non-federal facial recognition systems, including commercial systems. As of November 2022, this recommendation remains open.
United States Park Police The Chief of the U.S. Park Police should, after implementing a mechanism to track non-federal systems, assess the risks of using such systems, including privacy and accuracy-related risks. (Recommendation 16)
Open
In March 2022, U.S. Park Police issued an interim policy requiring employees to report the use of facial recognition technology owned by non-federal agencies to the Commander of Criminal Investigations. However, the policy was temporary in nature and did not acknowledge the use of commercial facial recognition systems, as required by the recommendation. Officials told us that U.S. Park Police will finalize a permanent policy by March 31, 2023, and that will include all non-federal facial recognition systems, including commercial systems. We will continue to work with the U.S. Park Police to close this recommendation with a finalized policy that includes a risk assessment for all non-federal facial recognition systems. As of November 2022, this recommendation remains open.
Bureau of Diplomatic Security The Assistant Secretary of the Bureau of Diplomatic Security should implement a mechanism to track what non-federal systems with facial recognition technology are used by employees to support investigative activities. (Recommendation 17)
Open
In November 2021, the Assistant Secretary for Diplomatic Security reported that the Bureau is developing internal controls and standard operating procedures to ensure that agents' and analysts' access to non-federal systems with facial recognition technology is adequately vetted. Furthermore, the bureau said these controls and procedures would ensure agent and analyst accounts are managed through a centralized account management process. As of November 2022, this recommendation remains open, and the agency estimated it would complete the actions to address this recommendation by the end of 2022.
Bureau of Diplomatic Security The Assistant Secretary of the Bureau of Diplomatic Security should, after implementing a mechanism to track non-federal systems, assess the risks of using such systems, including privacy and accuracy-related risks. (Recommendation 18)
Open
In November 2021, the Assistant Secretary for Diplomatic Security reported that the Bureau has ongoing efforts to vet agents' access to non-federal facial recognition technology. In addition to these efforts, the Department said it intends to establish an internal review panel to evaluate and review any non-federal systems with facial recognition technology that employees might use. According to the Bureau, the panel would, for example, assess the provider's privacy assessments and practices and the internal processes for data collection to evaluate the risks of using a system. The Bureau said it also intends to centralize control over contracts and funding to ensure users are not inadvertently encouraged by providers to utilize non-federal systems with facial recognition technology that lack approval and oversight. As of November 2022, this recommendation remains open.
Food and Drug Administration The Assistant Commissioner of the Food and Drug Administration's Office of Criminal Investigations should implement a mechanism to track what non-federal systems with facial recognition technology are used by employees to support investigative activities. (Recommendation 19)
Closed – Implemented
In June 2021, we reported on the use of facial recognition technology by agencies that employ law enforcement officers (GAO-21-518). We found that between April 2018 and March 2020, Food and Drug Administration's (FDA) Office of Criminal Investigations (OCI) used non-federal facial recognition technology to support investigative activities, but did not have a mechanism to track which systems employees were using. Consequently, we recommended that FDA implement a mechanism to track what non-federal systems with facial recognition technology are used by employees to support investigative activities. In December 2021, the U.S. Department of Health and Human Services reported that OCI had deployed a module in its primary system of records for investigations to track employee use of facial recognition technology. The agency also said it notified OCI employees of the requirement to use the module to document information about their use of facial recognition technology in an investigation. The notice informed employees that they would be required to include the system name, owner of the system, and how the system supported OCI's mission. As a result, this recommendation is closed as implemented.
Food and Drug Administration The Assistant Commissioner of the Food and Drug Administration's Office of Criminal Investigations should, after implementing a mechanism to track non-federal systems, assess the risks of using such systems, including privacy and accuracy-related risks. (Recommendation 20)
Closed – Implemented
In June 2021, we reported on the use of facial recognition technology by agencies that employ federal law enforcement officers (GAO-21-518). We found that between April 2018 and March 2020, the Food and Drug Administration's (FDA) Office of Criminal Investigations (OCI) used non-federal facial recognition technology to support investigative activities, but did not have a mechanism to track which systems employees were using, or an assessment of the risks of using such systems. Consequently, we recommended that FDA, after implementing a mechanism to track non-federal systems, assess the risks of using such systems, including privacy and accuracy-related risks. OCI assessed the risks associated with law enforcement use of facial recognition technology, which informed a facial recognition technology policy OCI issued in October 2022. Among other things, the policy provides guidance and procedures to minimize risks associated with use of facial recognition technology, including those related to privacy and accuracy. As a result, this recommendation is closed as implemented.
Internal Revenue Service The Chief of the Internal Revenue Service's Criminal Investigation Division should implement a mechanism to track what non-federal systems with facial recognition technology are used by employees to support investigative activities. (Recommendation 21)
Open
In October 2022, Internal Revenue Service Criminal Investigation Division officials told us that the agency has no plans to use non-federal facial recognition technology to support criminal investigations. We continue to work with Internal Revenue Service and monitor the situation to determine whether this posture is temporary, and thus, the technology will be used again in the upcoming years. As of November 2022, this recommendation remains open.
Internal Revenue Service The Chief of the Internal Revenue Service's Criminal Investigation Division should, after implementing a mechanism to track non-federal systems, assess the risks of using such systems, including privacy and accuracy-related risks. (Recommendation 22)
Open
In October 2022, Internal Revenue Service Criminal Investigation Division officials told us that the agency has no plans to use non-federal facial recognition technology to support criminal investigations. We continue to work with Internal Revenue Service and monitor the situation to determine whether this posture is temporary, and thus, the technology will be used again in the upcoming years. As of November 2022, this recommendation remains open.
Inspection Service The Chief Postal Inspector of the U.S. Postal Inspection Service should implement a mechanism to track what non-federal systems with facial recognition technology are used by employees to support investigative activities. (Recommendation 23)
Closed – Implemented
In June 2021, we reported on the use of facial recognition technology by agencies that employ law enforcement officers (GAO-21-518). We found that between April 2018 and March 2020, the U.S. Postal Inspection Service (USPIS) used non-federal facial recognition technology to support investigative activities, but did not have a mechanism to track which systems employees were using. Consequently, we recommended that USPIS implement a mechanism to track what non-federal systems with facial recognition technology are used by employees to support investigative activities. In October 2021, UPSIS notified inspectors that they are required to enter usage of external organizations' facial recognition tools into a tracking tool called InSite. Within the tool, employees are required to enter the name of the facial recognition system, date used, employee's name, and investigative case number. As a result, this recommendation is closed as implemented.
Inspection Service The Chief Postal Inspector of the U.S. Postal Inspection Service should, after implementing a mechanism to track non-federal systems, assess the risks of using such systems, including privacy and accuracy-related risks. (Recommendation 24)
Open
As of November 2022, this recommendation remains open. According to the agency, it plans to analyze the systems used by employees for investigative activities. Specifically, the agency plans to review and analyze one full year of data generated by its tracking mechanism and assess the risks associated with the systems.
U.S. Capitol Police The Chief of Police, U.S. Capitol Police, should implement a mechanism to track what non-federal systems with facial recognition technology are used by employees to support investigative activities. (Recommendation 25)
Open – Partially Addressed
In December 2021, the U.S. Capitol Police reported that it does not possess facial recognition software nor have access to similar software through a third-party vendor; however, the agency said that personnel may use the technology to increase the solvability of investigations. In March 2022, the agency said it issued interim guidance outlining protocols employees must adhere to when requesting the use of facial recognition technology. These protocols include, for example, submitting an email to a direct supervisor explaining the need for facial recognition and a copy of the image in question, according to the agency. Furthermore, the agency said the agent responsible for the investigation would be required to document the use of facial recognition in the records management system, which captures the information for tracking purposes. As of November 2022, this recommendation remains open, and the agency said it is working on final guidance to replace the interim guidance. The agency reported that its plan completion date is December 2022.
U.S. Capitol Police The Chief of Police, U.S. Capitol Police, should, after implementing a mechanism to track non-federal systems, assess the risks of using such systems, including privacy and accuracy-related risks. (Recommendation 26)
Open
In March 2022, U.S. Capitol Police reported that it issued interim guidance outlining protocols employees must adhere to when requesting the use of facial recognition technology. These protocols require agents responsible for investigations to document the use of facial recognition in its records management system, which according to the agency, captures the information for tracking purposes. The agency said that it expects to finalize the interim guidance in December 2022, and that it will assess risks of facial recognition systems after completing the guidance document. As of November 2022, this recommendation remains open.

Full Report

GAO Contacts