If the FBI Has Your Biometrics, It Doesn't Have to Tell You

A new rule will prevent millions of people from finding out if their fingerprints, iris scans and other biometric information is stored in a massive federal database.

The FBI’s Next Generation Identification system stores the biometric records of people who have undergone background checks for jobs, volunteer positions and military service, as well as of those who have criminal records. Effective Aug. 31, that database will be exempt from certain parts of the Privacy Act, a law that allows people whose records are held by the federal government to request more information about which records those are.

The exemption means the FBI doesn't have to acknowledge if it is storing the biometric records of an individual in that database; the bureau has argued that notifying people that they were in the database could compromise investigations.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The FBI published the final rule this week.

Under the rule, individuals won't be able to find out what types of records the FBI may have of because it could “specifically reveal investigative interest by the FBI or agencies that are recipients of the disclosures.”

Most of the criminal records in that database are obtained from state and local agencies at the time of arrest, so the FBI cannot always collect information directly from the individual or notify them that their records are being included. "It is not feasible," the final rule said. 

The FBI posted a draft of that rule last year. In that draft, the bureau argued that some records it keeps might seem irrelevant to ongoing investigations, but could eventually end up being necessary for “authorized law enforcement purposes."

The Electronic Privacy Information Center, an advocacy group in Washington, has tried to persuade the FBI to reduce its data collection and the exemptions from the Privacy Act. After suing the FBI for information about the information stored in the Next Generation Identification System, EPIC concluded that the database has an up to 20 percent error rate for facial recognition searches.

Though it’s not clear exactly how many records are in the system, the Electronic Frontier Foundation, another advocacy group, estimated in 2014 that it could contain up to 52 million facial images by 2015.

One of the most troubling consequences of the final rule is that people in the database might become the subject of investigation without being notified, Jeramie Scott, EPIC’s Domestic Surveillance Project director, told Nextgov. A person whose image is erroneously called up in a search for a different individual might also find themselves being investigated, he explained.

The FBI is “now in a position as the determiner of when the exemption applies,” he said.