The FBI’s latest biometric database, which contains a host of identifying information from a wide range of sources, will be exempt from many of the restrictions of the Privacy Act.
In a final rule published this week by the Department of Justice, the FBI announced that the Next Generation Identification system would not be subject to the Privacy Act. That means that even people whose information is contained in the database will not be able to request data on it. The NGI system is a law enforcement database, but it contains records from a variety of non-law enforcement sources. It has fingerprints and other biometric identifiers from some employment records, humanitarian and relief efforts, and from some foreign sources. The FBI last year announced that it was seeking to exempt the NGI from the Privacy Act, arguing that opening it up to public inquiries would harm national security.
“Specifically, the FBI exempts the records maintained in JUSTICE/FBI-009 from one or more provisions of the Privacy Act. The listed exemptions are necessary to avoid interference with the Department’s law enforcement and national security functions and responsibilities of the FBI,” the rule published this week says.
After a period open for public comments, the Justice Department decided that the risks to national security and law enforcement operations outweighed the benefits of allowing the NGI to be covered under the Privacy Act. Privacy advocates and civil liberties organizations have criticized both the collection of so much biometric data in one place and the effort by the FBI to see it secret.
“The increasing aggregation of biometric data in one spot makes the NGI database an enticing target for criminals— especially given the rise of the use of biometrics for secure access and their immutable property. If a Social Security Number is stolen in a breach, one can apply for a new number, and mitigate the interim risk with credit reporting; individuals cannot change their facial features, fingerprints, or other biometric traits. Their security and safety could be compromised for the rest of their lives. As fingerprint and iris scans increasingly replace passwords, there is growing concern that hackers will seek to leverage this information,” the Electronic Privacy Information Center said in comments on the proposed rule.
EPIC filed a Freedom of Information Act lawsuit several years ago to obtain documents on the NGI system, and got a large cache of data in return. Some of the documents showed that the system has an error rate of up to 20 percent on facial recognition searches.
The NGI system isn’t entirely exempt from the Privacy Act. The FBI asked for, and received, exemptions from seven provisions of the law, including the public’s right of access to, and amendment of, records in the database. That’s the key provision, which the bureau says would cause problems for law enforcement and security agencies.
“It is necessary for the FBI to claim these exemptions because the NGI System also contains latent fingerprints, as well as other biometrics, and associated personal information that may be law enforcement or national security sensitive. Compliance with these provisions could alert the subject of an authorized law enforcement activity about that particular activity and the interest of the FBI and/or other law enforcement agencies,” the bureau said in the final rule.
The rule will go into effect on Aug. 31.