More than 30 privacy and civil-liberties groups are asking the Justice Department to complete a long-promised audit of the FBI's facial-recognition database.
The groups argue the database, which the FBI says it uses to identify targets, could pose privacy risks to every American citizen because it has not been properly vetted, possesses dubious accuracy benchmarks, and may sweep up images of ordinary people not suspected of wrongdoing.
In a joint letter sent Tuesday to Attorney General Eric Holder, the American Civil Liberties Union, the Electronic Frontier Foundation, and others warn that an FBI facial-recognition program "has undergone a radical transformation" since its last privacy review six years ago. That lack of recent oversight "raises serious privacy and civil-liberty concerns," the groups contend.
"The capacity of the FBI to collect and retain information, even on innocent Americans, has grown exponentially," the letter reads. "It is essential for the American public to have a complete picture of all the programs and authorities the FBI uses to track our daily lives, and an understanding of how those programs affect our civil rights and civil liberties."
The Next Generation Identification program—a biometric database that includes iris scans and palm prints along with facial recognition—is scheduled to become fully operational later this year and has not undergone a rigorous privacy litmus test—known as a Privacy Impact Assessment—since 2008, despite pledges from government officials.
"One of the risks here, without assessing the privacy considerations, is the prospect of mission creep with the use of biometric identifiers," said Jeramie Scott, national security counsel with the Electronic Privacy Information Center, another of the letter's signatories. "it's been almost two years since the FBI said they were going to do an updated privacy assessment, and nothing has occurred."
The facial-recognition component of the database, however, is what privacy advocates find most alarming. The FBI projects that by 2015 the facial-recognition database could catalog up to 52 million face photos. A substantial portion of those—about 4.3 million—are expected to be gleaned from noncriminal photography, such as employer background checks, according to privacy groups.
But earlier this month, FBI Director James Comey told Congress the database would not collect and store photos of average civilians and is intended to "find bad guys by matching pictures to mugshots." But privacy hawks remain concerned that images may be shared among the FBI and other agencies, such as the Defense Department and National Security Agency, and even state motor-vehicle departments.
Comey, during his testimony, did not completely refute the suggestion that photos would be shared with states.
"There are some circumstances in which when states send us records, they'll send us pictures of people who are getting special driving licenses to transport children or explosive materials or something," Comey said. "But as I understand it, those are not part of the searchable Next Generation Identification database."
Currently, no federal laws limit the use of facial-recognition software, either by the private sector or the government.
A 2010 government report made public last year through a Freedom of Information Act request filed by the Electronic Privacy Information Center stated that the agency's facial-recognition technology could fail up to 20 percent of the time. When used against a searchable repository, that failure rate could be as high as 15 percent.
But even those numbers are misleading, privacy groups contend, because a search can be considered a success if the correct suspect is listed within the top 50 candidates. Such an "overwhelming number" of false matches could lead to "greater racial profiling by law enforcement by shifting the burden of identification onto certain ethnicities."
Facial-recognition technology has recently endured heightened scrutiny from the anti-government-surveillance crowd for its potential as an invasive means of tracking. Last month, documents supplied by Edward Snowden to The New York Times revealed that the National Security Agency intercepts "millions of images per day" as part of a program officials believe could fundamentally revolutionize the way government spies on intelligence targets across the globe. That daily cache includes about 55,000 "facial-recognition quality images," which the NSA considers possibly more important to its mission than the surveillance of more traditional communications.
When asked for comment, the Justice Department would only say it was reviewing the letter.