Facial Recognition Services: Federal Law Enforcement Agencies Should Take Actions to Implement Training, and Policies for Civil Liberties
Fast Facts
Seven law enforcement agencies in the Departments of Homeland Security and Justice reported using facial recognition services that quickly search through billions of photos of faces to help identify a suspect in a crime scene image.
All 7 agencies initially used these services without requiring staff take facial recognition training. Two agencies require it as of April 2023.
Also, some agencies don't have policies specific to facial recognition technology to help protect people's civil rights and civil liberties. DHS plans to finalize a department-wide policy this year, but DOJ has faced delays in issuing one.
Our recommendations address this.
Highlights
What GAO Found
Seven law enforcement agencies in the Departments of Homeland Security (DHS) and Justice (DOJ) reported using facial recognition services provided by commercial and nonprofit entities. The agencies reported using four services in total from October 2019 through March 2022 to support criminal investigations. All seven agencies initially used these services without requiring staff take facial recognition training. GAO found that six agencies had available data and cumulatively conducted about 60,000 searches when they did not have training requirements in place. As of April 2023, two agencies began to require training.
Facial Recognition Services, Use and Training for Selected Agencies, April 2023
Note: The figure shows when agencies used the four services covered by this review (services used from October 2019 through March 2022), and when, if at all, agencies implemented training requirements for facial recognition services. The figure provides use and training information as of April 2023. See figure 6 of the report for more detail.
FBI officials told key internal stakeholders that certain staff must take training to use one facial recognition service. However, in practice, FBI has only recommended it as a best practice. GAO found that few of these staff completed the training, and across the FBI, only 10 staff completed facial recognition training of 196 staff that accessed the service. FBI said they intend to implement a training requirement for all staff, but have not yet done so. Such a requirement would help FBI ensure its staff understand how to use these services. Also, clarifying the status of FBI's training requirement would allow stakeholders to fully evaluate use of the service against FBI ethical and privacy standards.
GAO also found that three of the seven agencies had policies or guidance specific to facial recognition technology that address civil rights and civil liberties. The other four agencies—three in DOJ and one in DHS—did not have such policies or guidance. DHS has plans to finalize a department-wide policy by December 2023. DOJ has taken steps to issue a department-wide policy, but has faced delays. Developing a plan with time frames and milestones would help DOJ ensure it issues a policy to support staff in safeguarding civil rights and civil liberties.
Why GAO Did This Study
Law enforcement may use facial recognition services provided by commercial and nonprofit entities to help solve crimes. For example, these services allow users to quickly search through billions of photos to help identify an unknown suspect in a crime scene photo.
GAO was asked to review federal law enforcement's use of facial recognition technology. This report examines, among other issues, the extent to which selected DHS and DOJ law enforcement agencies used facial recognition services to support criminal investigations; required staff to take training on facial recognition technology to use such services; and developed policies and guidance specific to facial recognition technology to help protect civil rights and civil liberties.
GAO selected seven law enforcement agencies within DHS and DOJ based on various factors, including the number of facial recognition technology systems used. GAO reviewed documents, such as training requirements and policies for using facial recognition services. GAO also analyzed training records and interviewed agency officials.
Recommendations
GAO is making 10 recommendations, including that FBI implement a training requirement and clarify the status of its training requirement to stakeholders. GAO also recommends that DOJ develop a plan to issue a facial recognition technology policy addressing safeguards for civil rights and civil liberties. Agencies concurred with all 10 recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| United States Immigration and Customs Enforcement | 1. The Director of ICE should establish and implement a process to periodically monitor whether HSI staff using facial recognition services to support criminal investigations have completed training requirements. (Recommendation 1) |
As of March 2024, this recommendation remains open. ICE officials said that the agency plans to periodically monitor whether HSI staff using facial recognition services to support criminal investigations have completed training requirements. In February 2024, we requested evidence that shows the periodic monitoring requirement is documented--for example, documented in a policy or guidance. If such evidence is provided, we will consider this recommendation closed and implemented.
|
| Federal Bureau of Investigation | 2. The Director of the FBI should clarify the status of its training requirement for staff using Clearview AI to FBI's AI Ethics Council and the Privacy and Civil Liberties Unit. (Recommendation 2) |
In September 2023, we reported that key FBI stakeholders--the AI Ethics Council and the Privacy and Civil Liberties Unit--were not given clear documentation on FBI training requirements for staff using a facial recognition service. Consequently, we recommended that the FBI should clarify the status of its training requirement for these key stakeholders. In December 2023, the FBI finalized its Facial Recognition Technology Use Policy Directive. The policy establishes a training requirement for FBI staff who use facial recognition services. In April 2024, FBI officials told us that FBI components identified as a stakeholder in a specific policy are required to review and provide comments during the collaboration phase of policy development. Because the AI Ethics Council and Privacy and Civil Liberties Unit are explicitly mentioned in the Facial Recognition Technology Use Policy Directive, officials stated that they reviewed and collaborated on the proposed policy. As a result, the AI Ethics Council and Privacy and Civil Liberties Unit can better evaluate whether the use of the facial recognition service complies with FBI ethical and privacy standards.
|
| Federal Bureau of Investigation | 3. The Director of the FBI should implement a training requirement for staff using facial recognition services to support criminal investigations. (Recommendation 3) |
In September 2023, we reported that the FBI did not have a training requirement for staff using facial recognition services to support criminal investigations. FBI officials told GAO that a training requirement would be beneficial, and that the agency intended to implement a requirement, but that the agency had not yet done so. Consequently, we recommended that the FBI implement a training requirement for staff using facial recognition services to support criminal investigations. In December 2023, the FBI finalized its Facial Recognition Technology Use Policy Directive. This policy establishes a training requirement for FBI staff who use facial recognition technology services. According to the policy, the training must follow Facial Identification Scientific Working Group (FISWG) guidance. As a result, the agency will be better positioned to help ensure that staff using facial recognition services understand how to use these services and their limitations.
|
| United States Customs and Border Protection | 4. The Commissioner of CBP should determine the extent that staff use facial recognition services to develop and share information in support of other agencies' criminal investigations (such as number of CBP staff that use the services and how often they do so). (Recommendation 4) |
As of March 2024, this recommendation remains open. CBP officials said they discontinued use of commercial facial recognition systems for CBP's Office of Field Operations at the end of fiscal year 2023. However, CBP officials said they are working to establish new and updated guidance for analytical research and new employee orientation that support the intent of this recommendation. CBP anticipates completing these actions by May 2024. Once complete, we will review CBP's actions to determine the extent that they address the recommendation.
|
| United States Customs and Border Protection | 5. The Commissioner of CBP should assess whether training would benefit staff using facial recognition services to develop and share information in support of other agencies' criminal investigations, incorporating information on the extent to which staff use such services. (Recommendation 5) |
As of March 2024, this recommendation remains open. CBP officials said they discontinued use of facial recognition systems for CBP's Office of Field Operations at the end of fiscal year 2023. CBP officials also said they are creating a new training course that applies to the use of facial recognition regardless of the tool--government or commercially obtained. CBP anticipates completing these actions by May 2024. Once complete, we will review CBP's actions to determine the extent that they address the recommendation.
|
| Department of Justice | 6. The Attorney General should ensure the Chief Privacy and Civil Liberties Officer works with DOJ components continuing to use facial recognition services to address outstanding privacy requirements, and update privacy documentation as appropriate. (Recommendation 6) |
As of March 2024, this recommendation remains open. DOJ officials said that its Chief Privacy and Civil Liberties Officer and the Office of Privacy and Civil Liberties regularly meets with DOJ components to discuss the privacy requirements, including applicable documentation, that apply to facial recognition technology. Additionally, DOJ officials said that in December 2023, the Department issued an interim policy that requires that components complete an Initial Privacy Assessment for every facial recognition technology system. However, to close this recommendation, DOJ will need to address the outstanding privacy requirements identified in our report and provide related evidence.
|
| Department of Justice | 7. The Attorney General should ensure the Chief Privacy and Civil Liberties Officer collaborates with component program, acquisition, and privacy officials to evaluate components' adherence to the department's privacy compliance process for facial recognition services—taking into account the results of this report—and to remediate any deficiencies identified during their evaluation. (Recommendation 7) |
As of March 2024, this recommendation remains open. DOJ officials said that its Chief Privacy and Civil Liberties Officer and the Office of Privacy and Civil Liberties regularly meets with DOJ components to discuss the privacy requirements, including applicable documentation, that apply to facial recognition technology. Additionally, DOJ officials said that in December 2023, the Department issued an interim policy that requires that components complete an Initial Privacy Assessment for every facial recognition technology system. However, to close this recommendation, DOJ will need to ensure the Chief Privacy and Civil Liberties Officer collaborates with component program, acquisition, and privacy officials to evaluate components' adherence to the department's privacy compliance process for facial recognition services--taking into account the results of our report--and to remediate any deficiencies identified during their evaluation.
|
| Department of Homeland Security | 8. The Secretary of Homeland Security should ensure the Chief Privacy Officer works with DHS components continuing to use facial recognition services to address outstanding privacy requirements, and update privacy documentation as appropriate. (Recommendation 8) |
In March 2024, DHS officials told us that the Chief Privacy Officer worked with DHS components to address the outstanding privacy requirements identified in our report, and update privacy documentation as appropriate. We requested supporting documentation that shows these steps had been taken. Once the supporting documentation is provided, we will review the information to determine the extent that DHS's actions addressed our recommendation.
|
| Department of Homeland Security | 9. The Secretary of Homeland Security should ensure the Chief Privacy Officer collaborates with component program, acquisition, and privacy officials to evaluate components' adherence to the department's privacy compliance process for facial recognition services—taking into account the results of this report—and to remediate any deficiencies identified during their evaluation. (Recommendation 9) |
In March 2024, DHS officials told us that the Chief Privacy Officer collaborated with component program, acquisition, and privacy officials to evaluate components' adherence to the department's privacy compliance process for facial recognition services--taking into account the results of GAO's report--and to remediate any deficiencies identified during their evaluation. We requested supporting documentation that shows these steps had been taken. Once the supporting documentation is provided, we will review the information to determine the extent that DHS's actions addressed our recommendation.
|
| Department of Justice | 10. The Attorney General should develop a plan with time frames and milestones for issuing its facial recognition technology policy that addresses safeguards for civil rights and civil liberties. (Recommendation 10) |
DOJ officials told us that the agency has issued an interim policy on facial recognition technology. As of March 2024, we have not obtained or reviewed the policy. Once the policy is provided, we will review the information to determine the extent that DOJ's actions have addressed our recommendation.
|