Accountability & Transparency in Biometrics

Facial recognition is back in the news after the United States House Committee on Oversight and Government Reform held a hearing on law enforcement’s use of facial recognition technology. There were four key takeaways that were widely discussed.

First, let’s notice that this particular meeting was focused on how law enforcement is using biometric face matching — use of the technology by commercial and private organizations is not addressed and that’s an important topic for another day. But honestly, I’m more concerned with what government in general is doing with this data because there is little or no transparency in how government organizations use face matching technology and it literally takes an act of Congress to hold them accountable. I believe that transparency and accountability are key.

So what are our four points?

1. About 50% of the US adult population is already in the FBI’s face recognition technology database. How is that possible? Well, the FBI has agreements with 18 states to share the images from their DMV database and they are aggressively working on establishing agreements with the remaining states. So if you have a driver’s license, you are in the FBI’s database of faces. Did you agree to that? Did you even know? More importantly, do you care?
2. The second issue revealed is that the FBI used facial recognition technology for years without first publishing a privacy impact assessment, as required by law. Yes, truly stunning news.
3. The committee also reported that the FBI’s face recognition technology has problems with accuracy and misidentifies females and African Americans at a higher rate. The system “returns the correct candidate a minimum of 85% of the time.” This does not sound good.
4. Lastly, the report concludes that the FBI went to great lengths to exempt itself from certain provisions of the Privacy Act. More stunning news.

OK, so the part about poor accuracy sounds really bad but it worries me the least. Accuracy is a tricky concept in biometric identification. There are two kinds of errors; false match (innocent person wrongly identified as a criminal) and false non-match (criminal doesn’t get identified). False matches are rare. False non-matches are far more common so being “wrong” for the FBI will almost always mean they failed to match the criminal they were looking for, not that they identified an innocent person as a criminal. That’s good news for criminals, but less of a concern for privacy advocates.

Part of the accuracy problem is the resolution and placement of video cameras — but that’s changing quickly. Another part of the problem is that computers see differently from humans. At the end of the day, even if the computer makes a mistake the final result is verified by a human expert before action is taken.

So the accuracy thing doesn’t bother me as much but the other points are concerning. One key issue is that face recognition technology has advanced and been implemented broadly without public discussion or awareness. That’s not really law enforcement’s job, but it is their problem. You know if your fingerprints are in a government database — I doubt anyone forgets being fingerprinted, even if it was just for job-related reasons. You could argue that it’s not possible to truly opt-out of a being fingerprinted for a background check, but at least you know about it. Also, traditionally fingerprints were only collected from criminals and suspected criminals. Now the FBI is keeping all fingerprints submitted for civil purposes such as background checks. Effectively they are creating a national database with the biometric identity of all Americans, not just criminals.

And the news that the FBI didn’t publish a legally required privacy statement? When pressed, Kimberly J. Del Greco, FBI Deputy Assistant Director leading the Information Services Branch within the Criminal Justice Information Services Division said “Privacy Impact Assessments for the FACE Services Unit and the NGI-IPS have been prepared by the FBI, approved by the DOJ, and posted on the FBI’s website.” I looked and although it was not easy, eventually I found it it here. But there are problems. The document is dated May 2015 and the entire point of a privacy impact statement is nebulous at best. The FBI’s position seems to be that as long as it’s part of investigating a crime, they can pretty much do anything they want.

This kind of disregard for both the spirit of and the letter of the law concerns me. But can you really blame the FBI? They aren’t supposed to be putting the brakes on their own actions — they are supposed to be held accountable by a higher authority. But if the general public doesn’t care about privacy, why should they?

Want to hear more about the intersection of identity & privacy? Subscribe to my blog.