Posted on

FBI Wants to Exempt Its Massive Biometric Database from Federal Privacy Laws

Biometric databases once subject to the 1974 Privacy Act, may soon be unbound from the law if the FBI’s new software, NGI, gets an exemption from Congress. If the FBI gets its wish, you will have no way of knowing what data the government has collected and stored relating to you, how it got it, if it’s accurate, and no way to correct any errors.The Next Generation Identification (NGI) is the FBI’s new software hub created sort through reams of biometric data. It essentially consolidates existing databases including the National Crime Information Center (NCIC), the National Instant Criminal Background Check System (NICS), and the Integrated Automated Fingerprint Identification System (AFIS)

The Privacy Act of 1974?

The Congress passed the Privacy Act of 1974 with the recognition that a person’s personal identifying information is affected by Federal agencies collection, maintenance, use, and dissemination to other agencies. Even though at times agencies will need access to personal information, the risk of harm to an individual’s privacy is magnified by any collection, maintenance, use or dissemination of this personal information.

Under federal law, a person has a right to request information relating to what records the government has “collected, maintained, used, or disseminated by such agencies;” to refuse to allow certain agencies access to records without their consent; to permit an individual to access to his or her records, make copies of records, correct and even amend records;  and to hold agencies accountable that information in the record is current, accurate, and only available for its intended use.

If Congress exempts the new NGI system from this law, you will be completely in the dark. There will exist no way to know about how biometric information is collected and stored in a variety of databases, or how the government uses the information once collected. You may not know, see, nor correct.

Are there any current databases exempted from the Privacy Act?

Yes. The Arrival and Departure Information System (ADIS) and Passenger Name Record (PNR) created by the Department of Homeland Security are currently exempt from the Privacy Act.

Data held in ADIS deals with immigration status, biographical, biometric identification, and encounter data. It is derived from a variety of sources, including other federal agencies within the US besides DHS, and information from foreign governments. This also only authorizes people for travel after PNR and Advanced Passenger Information Data has been verified.

The PNR is information relating to the itinerary of travelers. It includes airlines, hotels, car rental, transfers, and train trips. The European Union and the US have an agreement to share information. PNR is also used to identify high risk passengers that could be potential terrorists, people who have committed serious crimes, and to prevent flight risks to avoid judgement from a court.

Have we seen any abuse of databases exempt from the Privacy Act?

Yes. The information systems have flagged false positive on people for terrorism. The no-fly list, a list compiled through the Terrorist Screening Database (TSDB), feeds into the DHS systems with no oversight nor means to ensure accountability exists.

What types of data will the NGI sort through?

Ava Kofman, a reporter for The Intercept, sums up what types of data the FBI hub will hold.

“Known as the Next Generation Identification system, or NGI, the FBI database houses the world’s largest collection of fingerprints, DNA profiles, palm prints, face images, and other biometric identifiers….

“… the database stores millions of unique identifiers for U.S. citizens who have not been convicted of a crime alongside those who have. Fingerprints taken for an employer’s background checks, for instance, can be stored and searched in the NGI’s system along with those taken for criminal investigations….

“…A “systems of records notice” published by the FBI at the same time as its proposed exemption notice explains that the NGI system collects data from individuals in a range of settings — including state departments of motor vehicles, volunteer and welfare screenings, and visa applications — and stores their records until they turn 110 years old….

“…As of December 2015, the NGI system contained 70,783,318 criminal records and 38,514,954 civil records.”

Controversies relating to the FBI’s exemption request.

Following are the various exemptions the FBI has requested and their ramifications.

Exemption from disclosure to the individual in a named record

The FBI says it doesn’t want to disclose records because it could compromise an ongoing investigation. However, this data isn’t just being compiled from the biomarkers acquired by law enforcement when a person is arrested upon intake into a jail or prison. The biometric data can be collected from REAL-ID compliant driver’s licenses or a background check when a person purchases a firearm. An exemption from mere disclosure prevents Americans from knowing which agencies have what type of personal data in its databases It also assumes everyone is a crook.

Exemption from access and amending records

The FBI claims to take seriously its obligation to maintain accurate records despite its assertion it needs this exemption. It will amend records, “if in its sole discretion, it agrees to permit amendment or correction of FBI records, Then it will share that information in appropriate cases.”

In this passive-aggressive, mission statement of an excuse, the FBI claims sole auditing power and sets itself up as sole keeper of records. But the FBI has reported error rates for each biometric collected. No matter how advanced the technology, errors will happen. Auditing shouldn’t just come from the FBI, but also the person implicated in the record.

However, this isn’t just about correcting a record. If you don’t have access to your record, you have no idea how that record is being handled. Therefore, this passive-aggressive statement by the FBI is actually a direct threat to fundamental rights and circumvents the entire purpose of the Privacy Act, which is to ensure due process, and prevent the abuse and misuse of personal information.

Exemption due to on going investigation, reveal an investigatory technique, enable a person to escape apprehension, constitute a danger to law enforcement, or provide unauthorized access to another person’s information.

This statement features pretty standard lingo when it comes to surveillance. However, that last part about access could lead to a person accessing another person’s data seems out of place. It actually leads to more questions like, is the accuracy of biometric collecting devices understated? Or, is there so much data that even a low error rate produces a lot of false positives? And, if there is a problem with accuracy, shouldn’t there be more than one auditing force with access to this data?

Exemption due to unknown knowledge of relevant and necessary information for law enforcement purposes.

Instead of looking back at evidence and building a case, this database’s existence is built to profile anyone. Agency requirements for this exemption state: “Each agency that maintains a system of records shall maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President. By providing this exemption, the FBI is following in the NSA’s foot tracks of collect it all.

Exemption from communicating with the individual

The FBI claims exemption from communicating with the individual because the majority of criminal history records were collected by state and local agencies. Since your state or local cops collected your information and entered it in a database, the FBI are then freed from providing notice or contacting that individual

It gets better. Wait for it.

“Those persons who voluntarily submit fingerprints into this system pursuant to state and federal statutes for licensing, employment, and similar civil purposes receive an (e)(3) notice.”

Yes, you already received your notice because you wanted a job!

Exemption releasing the categories and sources of a record.

This exemption is only to protect witnesses and informants.

Exemption from disclosing sources of records in the system.

Unfortunately accountability is not even considered in the exemption request, nor professionalism. At one point the FBI claimed it took great pride in maintaining accurate records while at the same time undercutting local and state police in the event that information is incorrect. In this exemption, the FBI again blames local and state law enforcement agencies by saying, “it is impossible to determine in advance what information is accurate, relevant, timely and complete. With time, seemingly irrelevant or untimely information may acquire new significance when new details are brought to light. Additionally, the information may aid in establishing patterns of activity and providing criminal leads.Most records in this system are acquired from state and local law enforcement agencies and it would be impossible for the FBI to vouch for the compliance of these agencies with this provision.”

Basically it comes down to this: the NGI hub stores so much data that the FBI is unwilling and unable to audit the accuracy of every biometric piece of data available to it. For the new system to be legal, the FBI is seeking exemptions to the Privacy Act because it cannot vouch and verify the data. With the help of businesses, and local and state law enforcement it shields itself from responsibility while the people are blinded as to what records are stored on them, who has access to them, and they are prevented from correcting erroneous information.

The potential for abuse is high, while accountability is low.

The purpose of the Privacy Act was meant to bar such abuses and allow the people the right to be informed, the very act the FBI wants to be exempt from.

Photo Courtesy of NEC Corp. from Flickr under creative commons.