Toss the FBI’s massive facial recognition (FR) databases into the wash, add recommendations about privacy laws that the government watchdog GAO (Government Accountability Office) laid out back in 2016, and set the dial to three years later.
Do you get a shrunken collection of people’s faces at the end of the spin cycle?
No, you get a puffed-up database of hundreds of millions of FR photos that the FBI can get at without warrants or reasonable suspicion of wrongdoing.
On Tuesday, the GAO said that the FBI’s FR office can now search databases containing more than 641 million photos, including 21 state databases.
That’s up quite a bit from the 412 million images the FBI’s Face Services unit had access to at the time of the May 2016 GAO report – a massive collection of databases that a House oversight committee seethed over in March 2017, calling for stricter regulation of the technology at a time when it’s exploding, both in the hands of law enforcement and in business.
Seethe away, Congress. Make as many recommendations as you like, GAO. Three years later, the FBI has addressed only one of the GAO’s recommendations, it said on Tuesday.
The GAO noted one example of its FR advice being ignored, concerning the accuracy of face database searches:
While the FBI has conducted audits to oversee the use of its face recognition capabilities, it still hasn’t taken steps to determine whether state database searches are accurate enough to support law enforcement investigations.
What the FBI’s done and not done about…
Privacy
In 2016, the GAO recommended that the Justice Department (DOJ) develop its privacy documentation, including privacy impact assessments (PIA), which analyze how personal information is collected, stored, shared, and managed in federal systems, and system of records notices, which inform the public about, among other things, the existence of the systems and the types of data collected. The DOJ has taken some action, but there’s still work to be done.
Also, in 2016, the GAO recommended that the FBI conduct audits to make sure that its FR users are conducting face image searches in accordance with those DOJ policies. That’s the one thing that the FBI has accomplished. The GAO thinks its recommendations are still valid and, if implemented, would lead to more transparency about how people’s personal information is being collected, used and protected.
Accuracy (and lack thereof)
This is a big one, and it’s one where the FBI hasn’t done much, the GAO found.
The use of FR by surveillance-happy governmental and law enforcement agencies has been of increasing concern in large part due to its inaccuracy. Last month, the technology-forward but still civil-rights-sensitive city of San Francisco banned the use of facial recognition by police and city agencies, citing inaccuracy as one of multiple reasons.
There’s been plenty of evidence that FR is prone to misidentification. For example, when the American Civil Liberties Union (ACLU) last year tested its use by police in Orlando, Florida, it found that FR falsely matched 28 members of Congress with mugshots.
Another example: After two years of pathetic failure rates when they used it at Notting Hill Carnival, London’s Metropolitan Police finally threw in the towel on FR last year. In 2017, the “top-of-the-line” automated facial recognition (AFR) system they’d been trialling for two years couldn’t even tell the difference between a young woman and a balding man.
Then there’s the oft-cited study from Georgetown University’s Center for Privacy and Technology which found that AFR is an inherently racist technology.
In another study published earlier this year by the MIT Media Lab, researchers confirmed that the popular FR technology it tested has gender and racial biases.
The FBI is still doing little to ensure the accuracy of its FR, the GAO found. For example, it hasn’t assessed the accuracy of systems operated by external partners, such as state or federal agencies. Nor has it been conducting annual reviews to determine if the accuracy of FR searches is meeting user needs.
Why the GAO did this study (again)
It’s not that FR accuracy hasn’t gotten better over the past few decades, helping law enforcement to identify criminals. One notable example is the case of Charles Hollin, a child molester caught in January 2017 after spending 18 years as a fugitive, thanks to FR and the State Department’s database of passport photos.
But while it’s gotten better, questions remain about the technology’s accuracy and the protection of privacy and civil liberties when it’s used to identify people for investigations, the GAO said.
Chairman Elijah Cummings – one of the lawmakers who scathingly took the FBI to task over this issue in 2017 – said in his opening statement at the House Committee on Oversight and Reform on Tuesday:
This technology is evolving extremely rapidly without any real safeguards. There are real concerns about the risks this technology poses to our civil rights and liberties and our right to privacy.
Gretta Goodwin, director of homeland security and justice for the GAO, said that unless the FBI can determine how accurate the data is, there’s no way to know how much use the technology is:
Until FBI officials can assure themselves that the data they receive from external partners are reasonably accurate and reliable, it is unclear whether such agreements are beneficial to the FBI.
Mahhn
Does the FBI comply with EU GDPR PII removal if you have dual citizenship? I don’t want the FBI sitting on my face.
Spryte
If you hold dual citizenship, I’d think the Three Letter Acronym would think it has every right to hold your picture (they make you pay taxes). But I’d hope I’m wrong.
I’m not sure what the Three Letter Acronyms think of EU GDPR rules, or even privacy rules of other countries for that matter.
Also there should be a retention policy in place:
– to securely delete images proven inaccurate (i.e. the Orlando experiment)
– to securely delete images of non-residents after a prescribed time
– to securely delete images immediately taken without warrant or proper authority
And probably other circumstances as well…
Phil Smith III
Heh heh, “sitting on my face”, heh heh. My guess: no, because FBI is not a commercial entity. And doesn’t “do business” in the EU (though of course there are FBI agents operating there, that’s not considered “business”, I suspect). Interesting question!
Anonymous
I think government agencies should be the *first* entities that should have to comply with GDPR-like legislation.
anonymous coward
The deep state doesn’t abide by recommendations or policies or directives. It does what it wants, protected by its size and inertia, against any oversight.
It’s truly rich that Elijah Cummings is complaining about oversight, considering he is himself under investigation for receiving millions in $US from lobbyists, filtered through his wife’s shell companies.
Ironically, he’s correct that the FBI is ignoring the GAO’s reports.