Facial Recognition Services: Federal Law Enforcement Agencies Should Take Actions to Implement Training, and Policies for Civil Liberties

GAO-23-105607 Published: Sep 05, 2023. Publicly Released: Sep 12, 2023.
Jump To:
Fast Facts

Seven law enforcement agencies in the Departments of Homeland Security and Justice reported using facial recognition services that quickly search through billions of photos of faces to help identify a suspect in a crime scene image.

All 7 agencies initially used these services without requiring staff take facial recognition training. Two agencies require it as of April 2023.

Also, some agencies don't have policies specific to facial recognition technology to help protect people's civil rights and civil liberties. DHS plans to finalize a department-wide policy this year, but DOJ has faced delays in issuing one.

Our recommendations address this.

An image showcasing the blue, digital outline of a human being with a box resembling those used for facial recognition outlining the head.

Highlights

What GAO Found

Seven law enforcement agencies in the Departments of Homeland Security (DHS) and Justice (DOJ) reported using facial recognition services provided by commercial and nonprofit entities. The agencies reported using four services in total from October 2019 through March 2022 to support criminal investigations. All seven agencies initially used these services without requiring staff take facial recognition training. GAO found that six agencies had available data and cumulatively conducted about 60,000 searches when they did not have training requirements in place. As of April 2023, two agencies began to require training.

Facial Recognition Services, Use and Training for Selected Agencies, April 2023

HLP_5 v4 - 105607

Note: The figure shows when agencies used the four services covered by this review (services used from October 2019 through March 2022), and when, if at all, agencies implemented training requirements for facial recognition services. The figure provides use and training information as of April 2023. See figure 6 of the report for more detail.

FBI officials told key internal stakeholders that certain staff must take training to use one facial recognition service. However, in practice, FBI has only recommended it as a best practice. GAO found that few of these staff completed the training, and across the FBI, only 10 staff completed facial recognition training of 196 staff that accessed the service. FBI said they intend to implement a training requirement for all staff, but have not yet done so. Such a requirement would help FBI ensure its staff understand how to use these services. Also, clarifying the status of FBI's training requirement would allow stakeholders to fully evaluate use of the service against FBI ethical and privacy standards.

GAO also found that three of the seven agencies had policies or guidance specific to facial recognition technology that address civil rights and civil liberties. The other four agencies—three in DOJ and one in DHS—did not have such policies or guidance. DHS has plans to finalize a department-wide policy by December 2023. DOJ has taken steps to issue a department-wide policy, but has faced delays. Developing a plan with time frames and milestones would help DOJ ensure it issues a policy to support staff in safeguarding civil rights and civil liberties.

Why GAO Did This Study

Law enforcement may use facial recognition services provided by commercial and nonprofit entities to help solve crimes. For example, these services allow users to quickly search through billions of photos to help identify an unknown suspect in a crime scene photo.

GAO was asked to review federal law enforcement's use of facial recognition technology. This report examines, among other issues, the extent to which selected DHS and DOJ law enforcement agencies used facial recognition services to support criminal investigations; required staff to take training on facial recognition technology to use such services; and developed policies and guidance specific to facial recognition technology to help protect civil rights and civil liberties.

GAO selected seven law enforcement agencies within DHS and DOJ based on various factors, including the number of facial recognition technology systems used. GAO reviewed documents, such as training requirements and policies for using facial recognition services. GAO also analyzed training records and interviewed agency officials.

Recommendations

GAO is making 10 recommendations, including that FBI implement a training requirement and clarify the status of its training requirement to stakeholders. GAO also recommends that DOJ develop a plan to issue a facial recognition technology policy addressing safeguards for civil rights and civil liberties. Agencies concurred with all 10 recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status
United States Immigration and Customs Enforcement The Director of ICE should establish and implement a process to periodically monitor whether HSI staff using facial recognition services to support criminal investigations have completed training requirements. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Federal Bureau of Investigation The Director of the FBI should clarify the status of its training requirement for staff using Clearview AI to FBI's AI Ethics Council and the Privacy and Civil Liberties Unit. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Federal Bureau of Investigation The Director of the FBI should implement a training requirement for staff using facial recognition services to support criminal investigations. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
United States Customs and Border Protection The Commissioner of CBP should determine the extent that staff use facial recognition services to develop and share information in support of other agencies' criminal investigations (such as number of CBP staff that use the services and how often they do so). (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
United States Customs and Border Protection The Commissioner of CBP should assess whether training would benefit staff using facial recognition services to develop and share information in support of other agencies' criminal investigations, incorporating information on the extent to which staff use such services. (Recommendation 5)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Justice The Attorney General should ensure the Chief Privacy and Civil Liberties Officer works with DOJ components continuing to use facial recognition services to address outstanding privacy requirements, and update privacy documentation as appropriate. (Recommendation 6)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Justice The Attorney General should ensure the Chief Privacy and Civil Liberties Officer collaborates with component program, acquisition, and privacy officials to evaluate components' adherence to the department's privacy compliance process for facial recognition services—taking into account the results of this report—and to remediate any deficiencies identified during their evaluation. (Recommendation 7)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security The Secretary of Homeland Security should ensure the Chief Privacy Officer works with DHS components continuing to use facial recognition services to address outstanding privacy requirements, and update privacy documentation as appropriate. (Recommendation 8)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security The Secretary of Homeland Security should ensure the Chief Privacy Officer collaborates with component program, acquisition, and privacy officials to evaluate components' adherence to the department's privacy compliance process for facial recognition services—taking into account the results of this report—and to remediate any deficiencies identified during their evaluation. (Recommendation 9)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Justice The Attorney General should develop a plan with time frames and milestones for issuing its facial recognition technology policy that addresses safeguards for civil rights and civil liberties. (Recommendation 10)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
See All 10 Recommendations

Full Report

Highlights Page (1 page)
Full Report (73 pages)
Accessible PDF (81 pages)
GAO Contacts
Office of Public Affairs
Topics
Justice and Law Enforcement
Civil libertiesCivil rightsCompliance oversightCriminal investigationsFederal agenciesFederal law enforcementHomeland securityImmigrationInformation sharingInternal controlsLaw enforcementLaw enforcement agenciesPersonally identifiable informationPrivacySecret serviceSecurity investigationsSensitive data