FBI Wants to Exempt Biometric Mega-Database From Privacy and Accuracy Rules

(Updated below)

The FBI is building a massive database of Americans’ biometric information, including not only fingerprints but also photos for face recognition and iris patterns. The Next Generation Identification (NGI) system also has the capability to store information on tattoos and such things as voice and gait recognition data. And it collects information not just on those convicted of a crime, but also on many people who are just applying for a job, volunteer position, naturalization, or military commission, and others who need to undergo a fingerprint or photo background check. With the construction of such a powerful surveillance tool, and all the potential for abuse that it brings, comes the need for checks and balances of commensurate strength. Yet the FBI appears to be moving in exactly the opposite direction, seeking to exempt itself even from the limited privacy protections that so far exist in law.

In particular, the Justice Department last week issued a proposed rulemaking that would exempt the NGI from the protections of the Privacy Act of 1974. The Privacy Act, passed when government agencies were first beginning to store up significant amounts of data on American citizens in computerized databases, was intended to give force of law to some basic fair principles for how data should be handled. In particular, it provides four important commonsense protections that the FBI now proposes to strip away. Today, the ACLU has joined with the Georgetown Law Center on Privacy & Technology and numerous other organizations in asking for more time than the short 30-day period the agency has provided for the public to submit comments on their proposal (the Washington Post has a story on our coalition letter).

1. Data about people must be accurate, timely, and relevant before you judge them on it

It doesn’t seem like too much to ask that, as the Privacy Act requires, the FBI maintain records used to make “any determination about any individual” with “such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination.” But the FBI complains that ensuring fairness in this way is “impossible,” because “seemingly irrelevant or untimely information may acquire new significance when new details are brought to light.”

While that might be true, it’s also an argument against throwing out anything, ever. There is no piece of information that cannot gain new relevance in light of subsequent events—that is true now, and it was true when the Privacy Act was passed. Yet Congress clearly directed that government agencies should NOT keep “untimely” or irrelevant information. The law specifically resists the urge to keep everything for all time just in case it might someday prove useful—precisely what the FBI now says it wants to do.

And what they keep, they need to make reasonable efforts to ensure is accurate. This, the FBI complains, it cannot do because it gets so much of its information from state and local police. I can see how that would be a difficulty for the FBI—but what about the problem for individuals who are victimized by inaccurate data? Just because inaccurate information about them is circulated among different law enforcement agencies at different levels, are they to have no recourse? The FBI appears eager to escape any lingering burden from the protections of the Privacy Act, but unconcerned that they would create a Kafkaesque nightmare for victims of bad data who cannot get fairness or relief from a circle of unaccountable finger-pointing bureaucracies. It runs against our nation’s values and traditions to make convenience for government agencies more of a priority than fairness to individuals.

Unfortunately, we’ve been down this road before; in 2003 the FBI similarly exempted its NCIC database—the nation’s primary criminal-records database—from the Privacy Act. And people have been badly harmed by inaccuracies in that database. We don’t know what the accuracy rates of the NCIC are, but there is longstanding evidence and discussion of very high error rates. A 1986 study for Congress’s Office of Technology Assessment found that only 46% of NCIC records were “complete, accurate and unambiguous,” as were only 26% of identification records. Meanwhile a full 15% of the warrants in the system were found to be erroneous. As the author of that study put it,

information systems containing inaccurate, incomplete, or ambiguous information not only violate society’s notion of fairness in dealings with individuals, they also threaten specific due-process guarantees that are afforded by the Constitution and statute.

More recently, the National Employment Law Project (NELP) found in 2013 that fully 50% of the FBI’s criminal records fail to include information on the final disposition of a case—such as the fact that a person who was arrested may have been aquitted, or never even charged. About a third of felony arrests do not result in conviction—but if the arrest record only reports the arrest, that’s likely to harm someone who could be completely innocent. An estimated 1.8 million workers a year are subject to FBI background checks, NELP reported.

2. People have the right to see what information the FBI is storing on them

When it comes to the NGI database, we have no idea what the error rates are, or may be in the future. And if the FBI gets its way, we’ll have no way to find out. The Privacy Act gives people a right to see what information the government is holding on them, and I would venture that most Americans would say that it’s only fair that they have a right to see any files that a government (or any other) bureaucracy is keeping on them. But the FBI is proposing to exempt itself from this requirement as well.

The FBI gives a kitchen-sink list of excuses to escape this important protection, arguing that giving people access to data about them could alert suspected wrongdoers of law enforcement investigations, harm the privacy of others, endanger law enforcement officers, confidential sources, or witnesses, or “reveal a sensitive investigative technique.”

Most Americans would obviously support reasonable exceptions to the access right for things like active criminal investigations. But remember that of the many millions of people whose information is in the NGI database, only a relative handful are under some form of investigation at a given time. Again, the NGI contains biometrics not only from those convicted long ago, and those who were arrested but not convicted or even charged—but also people not involved in crime at all.

But there is no reason why the tiny number of requests from those who are under active investigation could not be exempted, or particular information within their files redacted—and likewise with cases where another person’s privacy could be harmed or a confidential source or witness compromised. The FBI already excludes portions of information from Privacy Act requests based on a list of nine exemptions that cover the kinds of scenarios the agency raises here. There is no reason to completely wipe out an important protection for privacy and fairness for tens of millions of people due to a small number of exceptional cases that can be dealt with in more targeted ways.

3. People have the right to correct inaccurate information

The Privacy Act also gives people a right to seek correction when they discover that the government is storing inaccurate information about them. A natural complement to a right of access, this is something most Americans would say is only fair. Nevertheless, the FBI wants an exemption. Not only is the right to correct errors a point of fundamental fairness, it can help government investigators by ensuring that their data is accurate and high-quality.

4. People have the right to take the FBI to court if it doesn’t follow the law

The Privacy Act gives people the right to “bring a civil action against the agency” when the FBI refuses to comply with Privacy Act requests or to comply with any other provision of the Privacy Act. Here again the FBI wants an exemption—one that would apply to citizens’ right to go to court for any violation of the Privacy Act, even those from which the FBI would remain non-exempt under its proposal. One such requirement is that the FBI “make no record describing how any individual exercises rights guaranteed by the First Amendment” unless part of a legitimate law enforcement investigation. Currently, if you find the FBI is keeping records of your peaceful protest activities, you can sue them. The FBI provides no specific argument or justification for why it should receive such a blanket protection from accountability.

These are some of the most significant exemptions the FBI wishes to create, but there are others, such as requirements that subjects be told with whom their information is shared, and that they be informed what their data will be used for.

Remember that the face-recognition images and other biometric information the FBI is collecting will be used not just by the FBI but by a host of host of state and local agencies that have access to the NGI database. And as this FBI powerpoint shows, the agency is continually researching new ways to make use of face recognition in law enforcement, from tracking subjects and their movements to access control to “automated surveillance at lookout locations.”

Finally, oversight of the FBI and its biometric database is especially important for some communities. The NGI will draw biometrics disproportionately from people of color because of existing biases in who is swept up in the criminal justice system. Face recogntion can also be less accurate for people of color, accentuating the importance of the Privacy Act’s accuracy standards and right of access. First Amendment protections are vital for Black Lives Matter activists being surveilled by the FBI. And inaccuracies in the biometric database could prove especially harmful for those in immigrant communities, who are required to undergo biometric background checks in a variety of circumstances.

The FBI’s proposal points to an agency wishing to maximize its ability to gather and use information about large numbers of Americans free from the protections that Congress has rightly enacted. Unfortunately, the Privacy Act is riddled with exemptions, and one of those lets law enforcement agencies exempt themselves from certain requirements of the Privacy Act in some conditions, as the FBI is now seeking to do. If it does, Congress should step in. It should ensure that the enormous power conveyed by this biometric database is subject to commensurate checks and balances, including the protections of the Privacy Act.

Update (8/3/17):
The FBI has issued a final rule implementing this exemption.