FBI's Massive Facial Recognition Database Raises Privacy Concerns

The FBI wants to enhance its existing fingerprint database to make criminal identification easier by adding a range of biometrics, including palm prints, iris scans and facial recognition data.

The EFF filed a Freedom of Information Act lawsuit for information on the database, which is optimistically named Next Generation Identification (NGI), and got back a raft of documents detailing the Feds’ plans. Essentially, the FBI wants to enhance its existing fingerprint database – arguably one of the most useful law enforcement tools in existence – in order to make criminal identification easier by adding a range of biometrics, including palm prints, iris scans and facial recognition data. The information would then be collected into a single record that also includes a person’s name, address, ID numbers and demographic information to present a 360-degree view of the person in question. To aid law enforcement efforts across the land, the info would be shared with other federal, tribal, state and local law enforcement agencies from coast to coast.

Clearly, the usefulness of such a database for fighting crime is indisputable. Imagine having the ability to scan a crowd from a surveillance camera, running and analyzing the data in real time to search for a fugitive or a suspected criminal threat. On the other hand, the ability to so easily track citizens is worrying, according to the EFF, and opens the door for abuse.

There’s also a fly in the ointment thanks to the fact that the records will include non-criminal as well as criminal face images.

“We now know that FBI projects that by 2015, the database will include 4.3 million images taken for non-criminal purposes,” the EFF explained in its analysis. It added, “Now every record—whether criminal or not—will have a ‘Universal Control Number’ (UCN), and every search will be run against all records in the database. This means that even if you have never been arrested for a crime, if your employer requires you to submit a photo as part of your background check, your face image could be searched—and you could be implicated as a criminal suspect—just by virtue of having that image in the non-criminal file.”

That’s especially worrying considering that the accuracy of the system is somewhat in doubt. The FBI said that the system can identify the true candidate as one of 50 top candidates only 85% of the time. As such, the FBI said that the results will be treated as investigative leads rather than true identification.

The EFF explains the issues with this:

Because the system is designed to provide a ranked list of candidates, the FBI states NGI never actually makes a “positive identification,” and “therefore, there is no false positive rate.” In fact, the FBI only ensures that “the candidate will be returned in the top 50 candidates” 85 percent of the time “when the true candidate exists in the gallery.”

It is unclear what happens when the “true candidate” does not exist in the gallery—does NGI still return possible matches? Could those people then be subject to criminal investigation for no other reason than that a computer thought their face was mathematically similar to a suspect’s?

The FBI records indicate that the database will have 52 million face images by 2015; at full operational capacity, the database can process 55,000 direct photo enrollments daily and conduct tens of thousands of searches every day.

“There are several reasons to be concerned about this massive expansion of governmental face recognition data collection,” the EFF said. “The FBI and Congress have thus far failed to enact meaningful restrictions on what types of data can be submitted to the system, who can access the data, and how the data can be used. For example, although the FBI has said in these documents that it will not allow non-mug shot photos such as images from social networking sites to be saved to the system, there are no legal or even written FBI policy restrictions in place to prevent this from occurring. As we have stated before, the Privacy Impact Assessment for NGI’s face recognition component hasn’t been updated since 2008, well before the current database was even in development.”
