The FBI Biometric Database (NGI) Thread
#1
The FBI has just announced that all systems are go for its biometric database.
Quote:The Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) Division announced today the achievement of full operational capability of the Next Generation Identification (NGI) System. The FBI’s NGI System was developed to expand the Bureau’s biometric identification capabilities, ultimately replacing the FBI’s Integrated Automated Fingerprint Identification System (IAFIS) in addition to adding new services and capabilities.
This puts the agency pretty much right on schedule for its stated goal of "full operational capacity in fiscal year 2014." As was to be expected from its earlier foot-dragging, the press release makes no note of the Privacy Impact Assessment that was supposed to precede the roll out.

The system itself has been in the works since 2008. Coincidentally, this is also the last time anyone at the FBI delivered a Privacy Impact Assessment. Since then, the database's sweep and power has increased immensely. The PIA promised in 2012 still hasn't been delivered and there's no indication at the FBI's website that one is right around the corner.

The release notes two other tools that will be folded into NGI.
Quote:As part of NGI’s full operational capability, the NGI team is introducing two new services: Rap Back and the Interstate Photo System (IPS). Rap Back is a functionality that enables authorized entities the ability to receive ongoing status notifications of any criminal history reported on individuals holding positions of trust, such as school teachers. Law enforcement agencies, probation and parole offices, and other criminal justice entities will also greatly improve their effectiveness by being advised of subsequent criminal activity of persons under investigation or supervision.
Rap Back sounds useful but its tracking of people in "trusted positions" does not include some very specific "trusted positions." This 2012 presentation on Rap Back [pdf] clearly delineates between "trusted" civilians and those exempt from ongoing criminal background monitoring.

Here's the relevant info in case you can't read/see the pic, Rap Back ongoing monitoring and notification service only targets these individuals.
Quote:Non-criminal justice applicants, employees, volunteers, and licensees;

Individuals under the supervision or investigation of criminal justice agencies.
Note that "supervision" doesn't mean employees of criminal justice agencies, but rather parolees and those on probation. Presumably, the criminal justice system will police itself, relying only on pre-employment screenings (if that). The problem is that employees with criminal history have been known to jump from agency to agency without their new employers knowing (or caring) about the incidents that forced the job change. Apparently, this is an acceptable situation despite the fact that the DOJ tends to ignore much of the misconduct that occurs in agencies under its command.

The Interstate Photo System sounds like license plates but is actually the FBI's facial recognition database. A high error rate and a flood of too-lo-res-to-be-useful photos hasn't stopped the FBI from pushing this system -- basically a searchable mug shot repository that includes millions of non-criminals just for the hell of it. To reach its lofty goals (52 million pics by 2015), the FBI is including generic federal employee records. The potential for the system to return non-criminals in searches for "candidates" remains high, but the FBI has reassuringly stated that it bears no legal responsibility if any of the 18,000 law enforcement agencies that have access arrest the wrong person.

An unvetted system that can be accessed by thousands is a huge problem. The FBI will join the NSA in hoarding massive amounts of irrelevant data with very little oversight. The hoarding mentality has taken over and everyone involved is hesitant to implement stringent minimization and disposal policies because of the irrational fear that something discarded might be needed later.

If and when the privacy assessment arises, I expect it will be filled with paragraphs that underplay the potential civil liberties violations, lots of explanations as to why there's no expectation of privacy in anything the government collects and some mumbling around the edges about minimization and access control.

While I realize that it's inevitable that the march of technology would lead to this sort of thing -- and while it does have several legitimate uses -- my biggest problem with these advances is that the FBI and others continually stress that it's the only way to keep up with evolving criminal behavior. The justifications deployed point to a constantly-rising criminal threat that has no basis in reality. I cannot buy into the narrative that the best way to combat crime (or terrorism, for that matter) is vast, untargeted databases.

The FBI focuses most of its assets on two opponents: drugs and terrorism. The first is exacerbated by years of bad legislation and policies, and for all the time and money spent, the war doesn't seem to be on the way to being won. The latter has devolved into the FBI's proprietary con game, wherein it sets up a mark or two and takes them down. Now, it's inviting the nation's law enforcement agencies to run searches on a database populated with non-hit data and leave them holding the bag when the inevitable occurs.

An updated privacy assessment isn't going to make this a better idea, especially when the FBI (and the law enforcement agencies that feed info to it) are blithely unconcerned that current background check databases are filled with people who were never criminally charged. An internal change is needed -- one that makes these agencies more accountable to the public for screwing up their lives. But no one up top is interested in fixing what's already broken. They just want to roll out new databases that grab more info. If the FBI insists this is the only way to fight crime effectively, then it needs to exercise the sort of vigilance and internal accountability it's never shown in the past. That starts with a detailed privacy assessment, delivered in a timely fashion. And it's already failed this small step.

Originally Published: Tue, 16 Sep 2014 20:15:12 GMT
source
Reply
#2
As was noted here earlier, the FBI's Next Generation Identification (NGI) system has rolled out, pretty much right on schedule and well ahead of the Privacy Impact Assessment it hasn't updated since the announcement of the "system upgrade" back in 2008.

EPIC has obtained another load of documents from an FOIA request dealing with the "Rap Back" portion of the NGI system, one that provides constant monitoring of certain people -- like suspected criminals, people on parole, employees with security clearances and "trusted positions." Notably, the Rap Back program does not track employees of the criminal justice system, and nothing in what's been obtained even suggests it can be used that way.

The FOIAed documents run 202 pages [pdf link] with tons of duplicate presentation slides and long lists of fully-withheld documents. As is par for the course with sloppy fulfillments like these, the redactions are inconsistent, raising questions about the legitimacy of the exemptions used to justify removal in one place but not another. For instance, two back-to-back copies of the same slide show the FBI has an interest in redacting "DHS" [using exemption b7(e) -- "disclosure of techniques and procedures for law enforcement investigations"], but not a consistent interest.



Elsewhere, the FBI goes into more specifics as to who's included in the term "trusted positions" -- something it offers a lifetime of active monitoring for if that's what the "customer" wishes.
Quote:It is imperative that the FBI maintain a complete CHRI database in order to provide customers with information necessary to make informed decisions regarding the backgrounds of individuals whether for criminal justice purposes, noncriminal justice purposes for employment, licensing, and gun permit matters, or for purposes of national and international security. Disposition data is information pertaining to the resolutions of arrest charges or the custody or supervisory status of subjects subsequent to convictions. Disposition data is the core of the criminal history database.
Further details indicate that "trusted positions" are actually just a variety of caretakers, rather than those in positions that contain a healthy mixture of power and access (i.e., law enforcement members).
Quote:Availability of complete computerized criminal records is vital for criminal investigations, prosecutorial charging, sentencing decisions, correctional supervision and release, and background checks for licensing, purchasing of handguns, and applying for child-care positions or other responsibilities involving children, the elderly, and the disabled.
While it is definitely preferable to have someone with a clean record providing caretaking services, you have to wonder why the FBI is so focused on monitoring this specific group of employees. There's been a push to include this group in its Rap Back program pretty much since the beginning. Further down in the document, presentation slides suggest making inroads with legislators to turn the FBI's monitoring preference into an integral part of federal law.

The FBI wants officials to target legislators as "champions" and includes documentation on existing and upcoming legislation where wording could be inserted to make participation in Rap Back mandatory.
Quote:Bill Name: No Child Left Behind Act of 2007
Designation: S1775
Sponsor: Richard Burr 07/12/07
Cosponsor: 0-D, l-R (as of 08/24/07)

Sections 4222 and 4223 would require the Office of Justice Programs to develop model screening guidelines to include a criminal background check. The Secretary of Education is authorized to award grants to those entities that have conducted background checks on mentors in accordance with these guidelines. The bill does not indicate how these checks would be conducted.

Bill Name: Patient Safety Abuse Prevention Act of 2007
Designation: 1577
Sponsor: Herb Kohl 06/07/07
Cosponsor: (as of 08/24/07)

Section 3 of the bill expands the pilot program, as established under Section 307 of the Medicare Prescription Drug, Improvement, Modernization Act of 2003, to be conducted on a nationwide basis. Section 4 of the bill requires a state and FBI fingerprint criminal history background check on direct patient access applicants and employees of skilled nursing facilities and long-term care facilities. It also requires the state to develop "rap back capability. Section 5 also requires the FBI to develop "rap back" capability by January 1, 2011. The FBI would only be authorized to charge the actual costs of conducting the criminal history background check.
Elsewhere, the documents note that the FBI will be mixing its criminal and noncriminal databases -- for efficiency.
Quote:The existing LAFIS criminal and civil repositories are maintained as separate and distinct databases that do not allow for the automated transfer of records among repositories. The proposed IAFIS design change combines the records from the civil and criminal repositories into an interoperable repository. The repository design will facilitate the transition, search, addition, consolidation, modification, expungement, response generation, and file maintenance of criminal and civil information; provide the ability to search the civil records with remote latent fingerprint submissions; and support user required fingerprint search and notification capabilities. With this initiative, the records from the civil and criminal repositories will be maintained in one interoperable repository.
It also notes that in order to keep its fingerprint database up to date, it will need to pull from civil fingerprint records.

And, finally, sitting by itself, unduplicated anywhere else in the 202 duplicate-ridden pages, is a single slide dedicated to mandatory privacy considerations -- neither of which have been fulfilled even though the program is now fully operational.

There's no discussion included as to why the FBI is so focused on including caretakers and childcare providers in its lifelong monitoring program. In terms of its other stated interests (national security/counterterrorism, support for law enforcement), this seems like a much lower-level concern. While these positions would ideally be filled by citizens with clean records, constant updates from the criminal justice system seems a bit much -- especially when good employees may be forced out of work for unrelated infractions, like being arrested for exercising their First Amendment rights (filming public officials, attending protests) or marijuana possession.

It is notable that a legislative attempt to make this sort of monitoring mandatory for government contractors providing security services in war zones was shot down by the executive branch (p. 143). Apparently, it's more important to track caretakers than it is to ensure those operating security teams overseas (with a minimum of oversight) aren't former (or current) felons.

In all of the pages released, nothing deals directly with the program's privacy impact or its deliberate exclusion of criminal justice employees. No concerns are raised and no suggestions are made that law enforcement entities might do well to include their officers in the Rap Back monitoring system. And, even though the documents range from 2008-2011, there are no updated statistics that suggest the facial monitoring software has improved over its 20% error rate. Presumably, it has, but the FBI seems to feel the error rate isn't worth discussing (or releasing), even though that program actually went live in a four-state rollout three years ago.

The mixing of civil and criminal data should be the biggest concern, especially if the program pulls potential mug shots from both when seeking matches for facial recognition. There's a good reason to keep these separate. Blending both for efficiency's sake only makes the existing problem -- law enforcement's disinterest in ensuring that arrestees that were never charged or had records expunged are removed from the system -- even worse. Now, when Rap Back notifications are delivered, they have a higher potential to return data on noncriminals.

Originally Published: Fri, 26 Sep 2014 11:10:09 GMT
source
Reply
#3
The FBI's Next Generation Identification (NGI) database has been discussed here several times, thanks to its "expeditious" blend of criminal and non-criminal data, its postponed-forever Privacy Impact Assessment the agency has been promising since 2008, the limited, four-state rollout of facial recognition software with a 20% error rate, and its peculiar exclusion of DOJ/law enforcement employees from its lifelong criminal database monitoring.

It appears the FBI isn't satisfied with the wealth of biometric information it already has access to. It's grabbed everything external it can possibly get (faces, distinctive marks, fingerprints, civil/criminal records, voice recordings, iris scans [coming soon!]). Now, it's coming for what's inside you.
Quote:The FBI is preparing to accelerate the collection of DNA profiles for the government's massive new biometric identification database.

Developers of portable DNA analysis machines have been invited to a Nov. 13 presentation to learn about the bureau's vision for incorporating their technology into the FBI's new database.

So-called rapid DNA systems can draw up a profile in about 90 minutes.
DNA has been an integral part of criminal investigations for a number of years now and there's no question it has played an important role both in securing convictions and exonerating the falsely accused. But what the FBI is proposing is adding input from lab-in-a-box setups that return pass/fail DNA matches in a relative instant.
Quote:Rapid DNA analysis can be performed by cops in less than two hours, rather than by technicians at a scientific lab over several days. The benefit for law enforcement is that an officer can run a cheek swab on the spot or while an arrestee is in temporary custody. If there is a database match, they can then move to lock up the suspect immediately.
What used to take days in a secure, sterile lab now can apparently be accomplished in the "field" in a couple of hours. All technological improvements aside, this would appear to be a much less reliable method. Field drug testing kits have been available for years -- which utilize nothing more complex than chemical reactions -- and they've been shown to be far more unreliable than those utilizing them would have you believe. The same can most certainly be said about portable or on-site units wholly divorced from the normal constraints of a lab setting.

The government (so far) realizes this. That's why DNA obtained and analyzed by these units aren't included in the national DNA database. Only results from accredited public-sector laboratories are accepted. The companies manufacturing these devices are obviously interested in seeing this law changed. In the meantime, they've pushed for states to create their own DNA databases.

The FBI would like to see this changed as well, going so far as to issue a statement that is mostly wishful thinking.
Quote:FBI officials say their program does not impact any laws currently governing the operation of CODIS. Rapid DNA techniques in booking stations, “will simply expedite the analysis and submission of lawfully obtained samples to the state and national DNA databases,” [Ann] Todd, the FBI spokeswoman, said.
Except that it would impact laws governing CODIS… as they are today.
Quote:A legislative tweak is needed to allow DNA processed by a portable machine to be entered into the FBI's systems, bureau officials acknowledge.
Again, the FBI places efficiency above everything else. "Tweaking" the law to include portable devices would "expedite" the filling of the FBI's biometric database. Faster is better, even if the analysis method isn't as reliable as that performed by accredited labs. False positives/negatives are just the acceptable collateral damage of "combating crime and protecting the United States."

There's a huge backlog of untested DNA waiting for CODIS-qualified lab analysis. Offloading some of the work to private labs or portable devices sounds like a great way ease that congestion, but it actually could create more problems. If the government believes that only its chosen labs are capable of producing solid analysis, fixes like those suggested by three California Congressional reps would ask law enforcement (including the FBI) to decide which evidence goes the Gold Standard labs and what gets passed along to the lesser, unproven venues.

When presented with this set of options, law enforcement may prioritize cases badly, routing "time-sensitive" evidence through unproven but quicker analysis while sending out anything that can "wait" to the government's labs. Basically, without an across-the-board certification of all methods (with rigid testing and re-testing to ensure quality) as being equal, there's a good chance collected DNA will be treated just as prejudicially as the suspects themselves. And, if the expansion of CODIS inputs isn't handled with rigorous oversight, the chances of the guilty going free and the innocent being imprisoned increases.

Originally Published: Tue, 30 Sep 2014 22:48:00 GMT
source
Reply
#4
Another win for the Electronic Privacy Information Center (EPIC) and the American public in general. A federal judge has ruled the public has the right to know certain details about the FBI's facial recognition database.
Quote:U.S. District Judge Tanya Chutkan said the bureau's Next Generation Identification program represents a "significant public interest" due to concerns regarding its potential impact on privacy rights and should be subject to rigorous transparency oversight.

"There can be little dispute that the general public has a genuine, tangible interest in a system designed to store and manipulate significant quantities of its own biometric data, particularly given the great numbers of people from whom such data will be gathered."
Not only did Chutkan compel the release of documents related to the FBI's Next Generation Identification (NGI) database, but she also awarded $20,000 in legal fees to EPIC. In the opinion [pdf link], she points out that -- despite its arguments to the contrary -- the FBI was anything but "responsive" to EPIC's FOIA request.
Quote:The FBI’s explanation for its delay in producing the requested documents is not unreasonable; the Court is well aware that compliance with FOIA requests can require significant agency time and resources. However, after EPIC narrowed the scope of its Second Request—at the behest of the FBI—the FBI had no further contact with EPIC for six months, until after EPIC filed this lawsuit. The FBI has not advanced any colorable legal reason why, after indicating that it possessed responsive documents and asking for a revised request, it simply ceased all communication with EPIC in October 2012, until EPIC sought recourse in this Court in April 2013.
Despite the FBI being more motivated by lawsuits than FOIA requests, Chutkan softens this blow by stating she saw "no evidence" that the agency behaved "recalcitrantly or obdurately." This is its standard m.o. of many government agencies, FBI included. If it wasn't, there wouldn't be nearly as many lawsuits.

The good news is that courts are recognizing (at least, now and then) that there's a very asymmetrical collection of information going on here. Agencies like the FBI gather up tons of data, much of it personally-identifiable, and then refuses to grant the public even the tiniest bit of access. When members of the public ask to see the data gathered on them (by requesting their own records), they're told that doing so would compromise law enforcement operations and methods.

The public does have a right to know what's being collected and distributed to law enforcement agencies around the nation. The public cannot simply rely on the (limited and often ineffective) oversight of its legislators. True accountability comes from outside the government, not from within it, and FOIA laws are supposed to facilitate that. A few more wins for the public will increase the effectiveness of the accountability tool, something that has been blunted tremendously by government agencies' willful opacity over the past several years.

Originally Published: Tue, 11 Nov 2014 22:36:21 GMT
source
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Why Even the FBI Gave Up on the Pirate Bay: The Pirtate Bay History 101 RobertX 1 4,885 Jul 23, 2023, 07:58 am
Last Post: rezwaki
  Georgia man arrested in FBI sting for allegedly plotting to attack White House with r Kotter 3 14,233 Jan 18, 2019, 19:20 pm
Last Post: dueda
  FBI denies paying $1 MILLION to Unmask Tor Users Ctrlme 1 12,599 Nov 17, 2015, 11:22 am
Last Post: dolly_cat
  FBI Assists Overseas Pirate Movie Site Raids Ernesto 0 10,489 Jul 15, 2015, 06:46 am
Last Post: Ernesto
  FBI Wants Pirate Bay Logs to Expose Copyright Trolls Ernesto 2 11,993 Jul 04, 2015, 19:36 pm
Last Post: gcjm



Users browsing this thread: 1 Guest(s)