A recently-released government report sheds light on the extensive use of biometric facial recognition technologies in the U.S. Among 42 federal agencies that were surveyed, 20 use facial recognition technologies for various purposes connected to law enforcement, according to a report that the Government Accountability Office, the counterpart of Israel's Office of the State Comptroller and Ombudsman, submitted to Congress. The survey, which was carried out at the request of a number of Democratic senators and congressmen who raised concerns over improper use, violation of privacy of citizens and misidentification, covered the period between August 2019 and April 2021.
Among the agencies that use biometric identification are the FBI, the Secret Service, the Federal Bureau of Prisons, U.S. Customs and Border Protection, the Pentagon Force Protection Agency, the U.S. Marshals Service, U.S. Immigration and Customs Enforcement (ICE, which was criticized for having separated parents and their children who attempted to cross the border illegally), the U.S. Capitol Police, the Drug Enforcement Administration, the U.S. Fish and Wildlife Service, the U.S. Postal Inspection Service, the U.S. Park Police and the Criminal Investigation Division of the Internal Revenue Service.
System with three billion photos used for investigation of race riots and the storming of the Capitol
The various agencies reported the use of many systems including biometric technologies, some of which include stored photos. The Bureau of Prisons, for example, as of March 2020, had about 8,000 photos of its employees and contractors in its access control system. The Office of Biometrics and Identity Management reported that its automated biometric identification system included about 836 million facial images as of March 2020. They included passport, visa application and mug shot photos. The controversial Clearview AI company, whose services are used by 10 of the surveyed federal agencies, has about three billion publicly available photos that were all collected from the internet.
Among the 20 agencies, 14 reported that they use these technologies to help investigate crime. Thus, for example, the advanced system used by the FBI includes more than 40 million photos, and helps investigations of violent crime, credit card and identity fraud, missing persons and more. The biometric system of the Department of Homeland Security enables the search of the system for an unknown individual, and offers potential matches – in other words, generation of investigative leads.
On May 25, 2020, a white policeman in Minneapolis murdered African-American George Floyd, leading to civil unrest throughout the country including demonstrations and rioting. Six federal agencies reported that during the period between the murder and August 2020, they used images from those incidents via facial recognition technologies as well as existing systems such as that of Clearview to carry out investigations of criminal acts that were committed (vandalism, looting and other violence). The agencies included the FBI, the U.S. Marshals Service, and the Bureau of Alcohol, Tobacco, Firearms and Explosives.
Another major incident related to extensive use of these technologies was the storming of Capitol Hill on January 6. The Capitol Police used Clearview's system to try to identify some of the attackers, U.S. Customs and Border Protection used its system to conduct searches while cooperating with additional law enforcement agencies, while the Bureau of Diplomatic Security conducted searches using the biometric system of the State Department and shared the information with additional agencies (the published report serves as the unclassified version of what was submitted to Congress two months ago, and does not include all the information about cooperation).
The main problem: lack of control mechanisms
But of course, these technologies were not intended only for law enforcement purposes, but also for extensive surveillance and identification. For example, the Secret Service piloted a system to check whether it is possible to add identification technologies to its security operations; U.S. Courts, Probation and Pretrial Services enabled remote verification of identity during the COVID-19 pandemic for an online meeting with the probation or pretrial officer; and U.S. Customs and Border Protection is testing and deploying the technology in phases for everyone entering or exiting the U.S. by air, sea or land (as anyone who has arrived in the U.S. for a visit in recent years knows), and there are many more uses among the various agencies.
Among the matters of concern arising from the report are that 13 out of the 14 agencies are helped by external facial recognition technologies (that is to say, not of the agency itself but rather of a commercial entity such as Clearview or Israel's Vigilant Technologies), and there is no data on the names of the software or the systems that the employees are using, or they only have partial data and therefore are unable to properly estimate the risks involved in terms of privacy and misidentification (for example, racial bias).
In addition, the lack of supervision as well as the possibility of surveillance of employees on this sensitive issue creates concern over improper use. Those agencies include the FBI, the Secret Service, the Capitol Police, the Postal Inspection Service and others. The writers of the report strongly recommended setting up control mechanisms as soon as possible.
"When agencies use facial recognition technology without first assessing the privacy implications and applicability of privacy requirements, there is a risk that they will not adhere to privacy-related laws, regulations, and policies," the report said. "There is also a risk that non-federal system owners will share sensitive information (e.g. photo of a suspect) about an ongoing investigation with the public or others." The report also notes concerns raised by various organizations regarding breaches that could reveal sensitive data. "Because a person’s face is distinctive, permanent, and therefore irrevocable, a breach involving data derived from a face may have more serious consequences than the breach of other information, such as passwords, which can be changed."