FBI's facial and fingerprint super-database goes live

The FBI: we have your facial and fingerprint templates on file...

ICYMI: Praise for Operation Tovar, Vodafone transparency & Open SSL problems
ICYMI: Praise for Operation Tovar, Vodafone transparency & Open SSL problems
The FBI in the US has announced that its Next Generation Identification (NGI) system - essentially a biometric database of fingerprints and facial templates - is now fully operational.

According to the EFF - the Electronic Frontier Foundation - the FBI's NGI database will eventually contain records on around a third of the 320 million people in the US.

The EFF says that the FBI is aiming to have more than 50 million templates on its systems by the end of next year.

"By 2012, the NGI already contained 13.6 million images representing between seven and eight million individuals, and by the middle of 2013, the size of the database increased to 16 million images," says the EFF's analysis of the NGI system's capabilities, adding that the database is capable of processing 55,000 direct photo enrolments daily and of conducting tens of thousands of searches every day.

The EFF notes, however, that the FBI's NGO operation already has more than 100 million individual fingerprint records and includes multiple forms of biometric data such as palm prints and iris scans.

The EFF also claims the NGI will combine all these forms of data in each file. Each person's file will be linked to personal and biographic data including name, home address, ID number, immigration status, age and race.

The database is also being shared with other US federal agencies as well as with the approximately 18,000 tribal, state and local law enforcement agencies across the United States - something that the EFF is not happy with.
 
As well as being concerned about the NGI data being shared with almost all US government agencies, the EFF says that it also has a major concern with the NGI system about false positives, where someone might be falsely identified.

Because the NGI system only provides the person being searched for in a list of the top 50 candidates 85 per cent of the time, the EFF claims that the NGI could potentially return a lot of images of the wrong people.

"We know from researchers that the risk of false positives increases as the size of the dataset increases-and, at 52 million images, the FBI's face recognition is a very large dataset," says the EFF analysis.

"This means that many people will be presented as suspects for crimes they didn't commit. This is not how our system of justice was designed and should not be a system that Americans tacitly consent to move towards," it adds.

Replacement for the IAFIS

For its part, the FBI's Criminal Justice Information Services (CJIS) Division says that the NGI system was developed to expand the Bureau's biometric identification capabilities, ultimately replacing the FBI's Integrated Automated Fingerprint Identification System (IAFIS) in addition to adding new services and capabilities.
 
According to Sarb Sembhi, a director with Storm Guidance, the real issue with the FBI's NGI system is the rising scope for abuse as more agencies - and their staff - are allowed access to the database.

There are, he says, two ways of approaching the security of large-scale databases such as the NGI system. You can either create an open, but secure system, he adds, or you can start from the premise of a closed system and develop your security accordingly.

"I always draw parallels here with Microsoft Windows 95. The operating system was designed to be open to third parties to allow the development of suitable software, but the end result was an O.S. that was full of holes. It's the same with developing an open but ostensibly secure NGI system, as there is always going to be scope for abuse," he explained.

It is to be hoped, says Sembhi, that the security of the FBI's NGI system is developed from a closed system perspective, as this approach, he adds, is the only sure-fire way of ensuring the best possible security.

Professor John Walker, a visiting professor with Nottingham-Trent University's School of Science and Technology, said he welcomed the development of any system that allows law enforcement professionals to locate and detain criminals, terrorists, and similar miscreant actors.

"We must not, however forget that such intrusive technology will also capture images of innocent citizens going about their dally business - unaware of the fact they have been subjected to an acquisition of their visual profile," he said.

"In the bigger global picture, I am really wondering how cross-border controls - and the application of demographic data protection laws will be maintained and complied with. For me, this is a big question - where will all this data be stored, and is the data being retained without the express knowledge of the subject," he explained.