Privacy Impact Assessment for the Facial Analysis, Comparison, and Evaluation (FACE) Services Unit
Issued by: Ernest J. Babcock, Senior Component Official for Privacy, FBI
Approved by: Erika Brown Lee, Chief Privacy and Civil Liberties Officer, Department of Justice
Date Approved: May 1, 2015
Section 1: Description of the Information System
The Facial Analysis, Comparison, and Evaluation (FACE) Services Unit of the Biometric Services Section, Criminal Justice Information Services (CJIS) Division provides investigative lead support to FBI field offices, operational divisions, and legal attachés by comparing the facial images of persons associated with open assessments[1] and investigations[2] against facial images available in state and federal face recognition systems. In limited instances, the FACE Services Unit provides face recognition support for closed FBI cases (e.g., missing and wanted persons) and may offer face recognition support to federal partners.
In its support of FBI agents and analysts, the FACE Services Unit accepts unclassified photographs of subjects of, and persons relevant to, open FBI assessments and investigations. These photographs are called “probe photos.” The FACE Services Unit only accepts probe photos that have been collected pursuant to applicable legal authorities as part of an authorized FBI investigation, and in a future expansion of the program, other federal agency investigations. Upon receipt of a probe photo, the FACE Services Unit uses face recognition software to compare the probe photo against photos contained within government systems, such as FBI databases (e.g., FBI’s Next Generation Identification), other federal databases [REDACTED] and state photo repositories [REDACTED].[3]
After comparison and evaluation, which includes both automated face recognition software and manual review by a trained biometric images specialist, the FACE Services Unit may identify photos that are likely matches to the probe photo. These photos are called “candidate photos” because they serve only as investigative leads. Unlike fingerprints, face recognition results do not constitute positive identification of an individual. For probe photos that are searched against state databases, the state agency generally performs the initial comparison and returns candidates to the FACE Services Unit. If the FACE Services Unit identifies or receives candidate photos based on the searching of the federal and state databases, it will perform additional evaluation in order to determine the most likely candidate(s) for return to the FBI case agent or analyst. Additional evaluation includes both face recognition review and text-based searches of non-biometric databases to assist with identification of the candidates. Textual data[4] that accompany probe photos are searched against other FBI and federal databases, such as the FBI’s National Data Exchange (N-DEx) and DOJ’s Joint Automated Booking System (JABS). In many instances, no candidates are returned. If a likely candidate is found in one of these systems, the FACE Services Unit generally confirms with the record owner[5] that the record is valid and active and requests permission to disseminate the information.
In order to access other agencies’ systems for face recognition purposes, the FACE Services Unit enters into Memoranda of Understanding (MOU) with each agency. These MOUs are implemented with significant information security requirements and privacy obligations. All parties must use secure electronic means to transmit the photos and any associated personally identifiable information (PII). The FBI stores photo images and any associated PII of the most-likely candidate(s) to the probe photo in the FBI case management system. The FBI immediately destroys all other photos and associated information. The other party to the MOU ensures that only authorized personnel receive and process the photos sent by the FBI. These agencies are prohibited from the further sharing and/or dissemination of any information associated with the FBI photos unless required by law. After the face recognition search has been completed, these agencies are required to destroy all probe photo images, and any associated data submitted from the FACE Services Unit.
The FACE Services Unit maintains a Work Log in which it retains the Image Search Requests received from the FBI case agent or analyst. These Image Search Requests generally include the name of the requesting agent, the case number, and some biographic information related to the subject of the probe photo, such as name and date of birth. The Work Log also serves as a workflow management tool for the FACE Services Unit and, as such, documents all work transactions. Information may include the specialist assigned to the case, general comments, dates when probe photo information was added and/or modified, dates and types of search conducted, and disposition of the FACE Services Unit analysis. Notably, the FACE Services Unit maintains only the probe photos and limited biographic information in the FACE Services Work Log. All candidate photos and associated information are returned to the authorized FBI requestors via Sentinel, the FBI’s case management system. In a future expansion of the program, which will be considered within the next few years, candidate photos and associated information will be returned to the requesting federal agency. The FACE Services Unit performs “deconfliction” of the probe photos maintained in the Work Log, meaning that it compares the photos against one another to determine if the same person appears in multiple investigations. If so, the relevant case agents will be informed. Access to the Work Log is limited to the FACE Services Unit and other authorized FBI personnel who require the information for performance of their official duties.
By using face recognition technology to search probe photos for matching candidate photos, the FACE Services Unit provides unique and specialized value to the FBI’s mission to fight crime [REDACTED]. In many instances, face recognition results in information that is not available with any other investigative method. To date, more than 6,000 face recognition leads have been returned to FBI agents and other investigators. Most investigations are ongoing, but two arrests have been made as a result of leads provided by the FACE Services Unit, and two victims from a violent crimes case have been located.
Section 2: Information in the System
2.1 Indicate below what information is collected, maintained, or disseminated. (Check all that apply.)
| Identifying numbers | Checked |
|---|---|
| Social Security | X |
| Alien Registration | X |
| Financial account |  |
| Taxpayer ID |  |
| Driver’s license | X |
| Financial transaction |  |
| Employee ID |  |
| Passport | X |
| Patient ID |  |
| File/case ID | X |
| Credit card |  |

Other identifying numbers (specify): An FBI Case Number is required to verify an open case; all other identifying numbers are optional and may or may not be provided by the FBI agent/analyst or other authorized submitter.
| General personal data | Checked |
|---|---|
| Name | X |
| Date of birth | X |
| Religion |  |
| Maiden name | X |
| Place of birth | X |
| Financial info |  |
| Alias | X |
| Home address | X |
| Medical information |  |
| Gender | X |
| Telephone number |  |
| Military service |  |
| Age | X |
| Email address |  |
| Physical characteristics | X |
| Race/ethnicity | X |
| Education |  |
| Mother’s maiden name |  |

Other general personal data (specify): When the FBI agent/analyst submits a probe photo for face recognition, he/she completes an Image Search Request form with any known biographic information; however, often, even the name of the subject is not known. Therefore, the above personal data are optional and may or may not be provided to the FACE Services Unit. None of the information is required or necessary to conduct a face recognition search.
| Work-related data | Checked |
|---|---|
| Occupation |  |
| Telephone number |  |
| Salary |  |
| Job title |  |
| Email address |  |
| Work history |  |
| Work address |  |
| Business associates |  |

Other work-related data (specify):
| Distinguishing features/Biometrics | Checked |
|---|---|
| Fingerprints |  |
| Photos | X |
| DNA profiles |  |
| Palm prints |  |
| Scars, marks, tattoos | X |
| Retina/iris scans |  |
| Voice recording/signatures |  |
| Vascular scan |  |
| Dental profile |  |

Other distinguishing features/biometrics (specify): During a face recognition examination, the FACE Services Unit analyzes, compares, and evaluates face features such as the ears, eyes, nose, and mouth. However, the FBI does not specifically collect, maintain, or disseminate individual face features and they are not considered biometrics distinct from face recognition.
| System admin/audit data | Checked |
|---|---|
| User ID | X |
| Date/time of access | X |
| ID files accessed | X |
| IP address | X |
| Queries run | X |
| Contents of files | X |

Other information (specify):
2.2 Indicate sources of the information in the system. (Check all that apply.)
| Directly from individual about whom the information pertains | Checked |
|---|---|
| In person |  |
| Hard copy: mail/fax |  |
| Online |  |
| Telephone |  |

Other (specify): The FACE Services Unit does not obtain probe photos and associated information directly from individuals; rather, the probe photos are obtained from FBI agents/analysts and other federal partners who have collected the photos under their respective authorities. Candidate photos provided by state and federal partners may have been taken directly from the individuals; however, candidate photos are not maintained in the FACE Services Unit Work Log.
| Government sources | Checked |
|---|---|
| Within the Component | X |
| Other DOJ components |  |
| Other federal entities |  |
| State, local, tribal |  |
| Foreign |  |

Other (specify): At this time, the FACE Services Unit only accepts probe photos from within the FBI; however, the FACE Services Unit may accept probe photos from other DOJ components and other federal agencies in the future.
| Non-government sources | Checked |
|---|---|
| Members of the public |  |
| Public media, internet |  |
| Private sector |  |
| Commercial data brokers |  |

Other (specify):
2.3 Analysis: Now that you have identified the information collected and the sources of the information, please identify and evaluate any potential threats to privacy that exist in light of the information collected or the sources from which the information is collected. Please describe the choices that the component made with regard to the type or quantity of information collected and the sources providing the information in order to prevent or mitigate threats to privacy. (For example: If a decision was made to collect less data, include a discussion of this decision; if it is necessary to obtain information from sources other than the individual, explain why.)
The searching and retention of probe photos by the FACE Services Unit presents a privacy risk that the facial images of individuals will be searched for improper purposes. This risk is significantly mitigated because the probe photos have been obtained pursuant to FBI investigations or assessments that have been opened in accordance with the Attorney General’s Guidelines for Domestic FBI Operations (AGG-Dom), the Domestic Investigations and Operations Guide (DIOG), the Privacy Act of 1974, and all relevant laws and policies. In other words, the agent or analyst who is requesting the face recognition search has already met the legal requirements to investigate the subject of the probe photo. The investigative actions taken by the FBI are subject to significant oversight and compliance, exercised both within the FBI and by external entities. On occasion, probe photos provided to the FACE Services Unit may be associated with a wanted or missing person whose case has become “cold” or administratively closed; however, the FBI retains a valid investigative interest in that person. The FACE Services Unit will ensure that any face recognition performed in the future in support of other federal agencies comports with the relevant investigative authorities for those agencies, by requiring MOUs to ensure the security and privacy of all information provided.
Also, although probe photos are retained in the FACE Services Unit’s Work Logs, the FACE Services Unit merely retains copies of the same photos that are maintained by the agents and analysts in Sentinel, the FBI’s case management system. The Work Log is limited to authorized users of the FBI’s internal computer system who work within the FACE Services Unit and who possess accounts within the application. Users are further restricted to only those pages allowed by their assigned roles. Server/database access is limited to the application and privileged user accounts on an “as-required” basis for development and maintenance purposes. Moreover, the Work Logs serve as an added level of privacy risk mitigation, as they put users on notice that their activities, including the searching and disseminating of photos, are being recorded.
The searching and retention of probe photos by the FACE Services Unit also presents privacy risks that the facial images will be disseminated for unauthorized purposes or to unauthorized recipients, or that there will be improper access to the photos or misuse of the photos. These risks are mitigated in several ways. For example, the FACE Services Unit personnel receive significant system security and privacy training. These specialists perform the searching of probe photos against FBI databases and also search remotely those federal and state face recognition systems to which they have been granted direct access. In addition, the FACE Services Unit follows stringent physical and system security requirements to ensure that none of the data is lost or compromised. The FACE Services Unit Work Log maintains documentation of the work transactions conducted by the FACE Services Unit and the System Administrator can audit who logs on, when, and from what terminal, as well as additions, edits, and deletions.
In some instances, the FACE Services Unit must send the probe photos to other state and federal agencies to perform the face recognition searching. These searches are conducted pursuant to MOUs that ensure the privacy and security of information as it travels to and from the FBI. The probe photos are handled by select face recognition personnel at the partner agencies. Generally, all photos and text associated with the probe photo requests and the candidate galleries are immediately and permanently destroyed by these state and federal agencies once the searches are completed and the responses returned to the FACE Services Unit via encrypted email. As reflected in the terms of the MOU, the FBI does not permit the probe photos to be searched against face recognition databases that have not received comprehensive legal and policy review and approval.
Finally, the return of candidate photos to the FBI agent or analyst may result in the potential misidentification of a subject. However, this risk is greatly mitigated by both the automated and manual face recognition comparison of the probe photo against the candidate photos. In many instances, no candidate photos are returned because none meet a high enough quality threshold. When a candidate photo is returned to an investigator, he or she is clearly informed that the photo serves only as an investigative lead and may not be used to prove identity. The FACE Services Unit biometric images specialists receive significant training on face recognition and on the handling of evidence. They only consider the candidate photo in conjunction with all other evidence, such as biographic information, physical evidence, and victim and witness statements.
Section 3: Purpose and Use of the System
3.1 Indicate why the information in the system is being collected, maintained, or disseminated. (Check all that apply.)
| Checked | Purpose |
|---|---|
| X | For criminal law enforcement activities |
|  | For civil enforcement activities |
| X | For intelligence activities |
| X | For administrative matters (statistical reporting) |
| X | To conduct analysis concerning subjects of investigative or other interest |
|  | To promote information sharing initiatives |
|  | To conduct analysis to identify previously unknown areas of note, concern, or pattern. |
|  | For administering human resources programs |
|  | For litigation |

Other (specify):
3.2 Analysis: Provide an explanation of how the component specifically will use the information to accomplish the checked purpose(s). Describe why the information that is collected, maintained, or disseminated is necessary to accomplish the checked purpose(s) and to further the component’s and/or the Department’s mission.
As listed below, the FBI has statutory authority to collect, preserve, and exchange biographic and biometric information for criminal and national security purposes. In line with that authority, the FACE Services Unit provides investigative lead support to FBI personnel by comparing facial images of subjects who are the focus of active FBI investigations and assessments. By using face recognition technology to search probe photos for matching candidate photos, the FACE Services Unit provides unique and specialized value to the FBI’s mission to fight crime and terrorism. In many instances, face recognition results in information that is not available with any other investigative method. Candidate photos are used by FBI agents for a variety of reasons, including further investigation of a potential subject, to determine/verify the identity of a subject already in custody, to discover an alias that the subject may be using, to identify associates of the subject, and to eliminate potential subjects.
3.3 Indicate the legal authorities, policies, or agreements that authorize collection of the information in the system. (Check all that apply and include citation/reference.)
| Checked | Authority | Citation/Reference |
|---|---|---|
| X | Statute | 28 U.S.C. §§ 533, 534; 18 U.S.C. § 3052 |
|  | Executive Order |  |
| X | Federal Regulation | 28 CFR 0.85 |
| X | Memorandum of Understanding/agreement | MOUs have been implemented between the FACE Services Unit and several states and federal partners. |
|  | Other (summarize and provide copy of relevant portion) |  |
3.4 Indicate how long the information will be retained to accomplish the intended purpose, and how it will be disposed of at the end of the retention period. (Reference the applicable retention schedule approved by the National Archives and Records Administration, if available.)
The FACE Services Unit Work Log data will be retained in accordance with the retention schedule approved by the National Archives and Records Administration (NARA). NARA has approved the destruction of Work Log data when queries, photos, or log entries (1) are 20 years old, and (2) are no longer needed for analysis, or (3) if 20 years have passed since last activity, whichever is sooner. Audit log data will be deleted/destroyed when 20 years old. The Work Log maintains only probe photos which are also maintained in Sentinel, the FBI’s case management system, and which also may be maintained in Next Generation Identification (NGI), the FBI’s fingerprint and criminal history system, which now includes other biometrics when associated with fingerprints. Both Sentinel and NGI have significantly longer retention schedules than the FACE Services Unit Work Log and would permit retrieval of the probe photos if needed after deletion from the Work Log.
3.5 Analysis: Describe any potential threats to privacy as a result of the component’s use of the information, and controls that the component has put into place to ensure that the information is handled, retained, and disposed appropriately. (For example: mandatory training for system users regarding appropriate handling of information, automatic purging of information in accordance with the retention schedule, etc.)
The initiative described in this PIA will be subject to extensive security protections, access limitations, and quality control standards. Access to the Work Log is controlled through user identification (i.e., user ID and password) and authentication procedures. Processes are in place to ensure that only authorized users have access to the database and the information is verified through audit logs. User activity may be audited by system administrators.
The FACE Services Unit uses government-issued biometric thumb drives to transfer information between systems and performs a security scan each time data is transferred. The supervisors conduct random checks of the thumb drives to ensure that content is disposed of in accordance with established security procedures. Biometrics Images Specialists (BIS) are assigned a Biometric Thumb Drive that is stored in a locked cabinet located within the FACE Services Unit. All the Biometric Thumb Drives are blank except for when a BIS is assigned live case work. Upon completion of each assigned case, the BIS are mandated by FACE Services and IT Security Policy to remove/delete any and all information from the Biometric Thumb Drive and place the Biometric Thumb Drive back in the locked cabinet daily. No data is retained after the completion of the live case work. All BIS and BIS Supervisors are required to sign an internal FACE Services acknowledgement letter that outlines the rules for handling Biometric Thumb Drives used for processing work in the FACE Services Unit.
Every member of the FACE Services Unit has undergone privacy, security, classification, and investigatory training to ensure that information is properly handled. Frequent and random compliance checks are performed by the BIS Supervisors to ensure that all policies are followed.
Section 4: Information Sharing
4.1 Indicate with whom the component intends to share the information in the system and how the information will be shared, such as on a case-by-case basis, bulk transfer, or direct access.
How information will be shared:

| Recipient | Case-by-case | Bulk transfer | Direct access | Other (specify) |
|---|---|---|---|---|
| Within the component | X |  |  |  |
| DOJ components | X |  |  |  |
| Federal entities | X |  |  |  |
| State, local, tribal gov’t entities | X |  |  |  |
| Public |  |  |  |  |
| Private sector |  |  |  |  |
| Foreign governments |  |  |  |  |
| Foreign entities |  |  |  |  |
| Other (specify): |  |  |  |  |
4.2 Analysis: Disclosure or sharing of information necessarily increases risks to privacy. Describe controls that the component has put into place in order to prevent or mitigate threats to privacy in connection with the disclosure of information. (For example: measures taken to reduce the risk of unauthorized disclosure, data breach, or receipt by an unauthorized recipient; terms in applicable MOUs, contracts, or agreements that address safeguards to be implemented by the recipient to ensure appropriate use of the information – training, access controls, and security measures; etc.)
The records contained in the FACE Services Unit Work Log are generally available only to employees of the FACE Services Unit and the FBI agents and analysts (and in the future, other federal agencies) who require the information in the furtherance of their investigations. Information could also be provided to DOJ components when there is a need for the information to perform official duties, pursuant to 28 U.S.C. § 534 and 5 U.S.C. § 552a(b)(1). As explained above, FBI personnel have been informed (via the FACE Services Unit’s Face Photo Search Request Form) that candidate photos are intended for lead purposes only, and require further investigation. The Form states: “The information returned in response to this request is provided as an INVESTIGATIVE LEAD ONLY and is NOT to be considered as a positive identification.” Also, as discussed above, probe photos are sent to state and federal partners in order to compare the probe photos against their respective face recognition systems. In these instances, MOUs, which have been negotiated by the FBI, have been implemented and contain strict informational, security, and privacy requirements to ensure that the probe photos and associated information are not subject to unauthorized disclosure or other data breach. The MOUs also require these agencies to delete all probe photo images and any associated data submitted from the FACE Services Unit after the face recognition search has been completed.
Section 5: Notice, Consent, and Redress
5.1 Indicate whether individuals will be notified if their information is collected, maintained, or disseminated by the system. (Check all that apply.)
| Checked | Response |
|---|---|
|  | Yes, notice is provided pursuant to a system of records notice published in the Federal Register and discussed in Section 7. |
|  | Yes, notice is provided by other means. Specify how: |
| X | No, notice is not provided. Specify why not: Probe photos depict potential subjects, victims, or witnesses of/to federal crimes and have been collected pursuant to authorized FBI investigations. |
5.2 Indicate whether and how individuals have the opportunity to decline to provide information.
| Checked | Response |
|---|---|
|  | Yes, individuals have the opportunity to decline to provide information. Specify how: |
| X | No, individuals do not have the opportunity to decline to provide information. Please see Section 5.1. |
5.3 Indicate whether and how individuals have the opportunity to consent to particular uses of the information.

| Checked | Response |
|---|---|
|  | Yes, individuals have an opportunity to consent to particular uses of the information. Specify how: |
| X | No, individuals do not have the opportunity to consent to particular uses of the information. Specify why not: Please see Sections 5.1 and 5.2. |
5.4 Analysis: Clear and conspicuous notice and the opportunity to consent to the collection and use of individuals’ information provides transparency and allows individuals to understand how their information will be handled. Describe how notice for the system was crafted with these principles in mind, or if notice is not provided, explain why not. If individuals are not provided the opportunity to consent to collection or use of the information, explain why not.
A person under arrest or the subject of a criminal or national security investigation generally has no opportunity or right to refuse the collection of biometrics, including photographs. The privacy risks associated with lack of notice to affected individuals about the collection, maintenance, and use of probe photos are mitigated somewhat by the general notice to the public via the FBI’s published SORNs, PIAs, and other Privacy Act notices. The risk of erroneous information is mitigated because the FBI has a substantial interest in ensuring the accuracy of information in the system, and in taking action to correct any erroneous information of which it may become aware. Additionally, the risk is mitigated because the maintenance and dissemination of information must comply with the provisions of any applicable law, regulation, or policy, including the Privacy Act. Title 28 C.F.R. part 16, subpart A, provides general guidance on access to information in FBI files pursuant to the Freedom of Information Act, and 28 C.F.R. part 16, subpart D, provides general guidance regarding access to, and amendment of, information in FBI files pursuant to the Privacy Act.
Section 6: Information Security
6.1 Indicate all that apply.
| Checked | Item |
|---|---|
| X | A security risk assessment has been conducted. A preliminary security risk assessment and FIPS-199 have been completed. FBINET (which hosts the FACE Log) has a continuous Authority to Operate. |
| X | Appropriate security controls have been identified and implemented to protect against risks identified in security risk assessment. Specify: No risks were identified in the security assessment. |
| X | Monitoring, testing, or evaluation has been undertaken to safeguard the information and prevent its misuse. Specify: The Work Log has been functionally tested to ensure that no unauthorized access is permitted. |
| X | The information is secured in accordance with FISMA requirements. Provide date of most recent Certification and Accreditation: March 13, 2015 for FBINET |
| X | Auditing procedures are in place to ensure compliance with security standards. Specify, including any auditing of role-based access and measures to prevent misuse of information: Key-stroke auditing; audit reports of who accessed system and for what purposes. |
| X | Contractors that have access to the system are subject to provisions in their contract binding them under the Privacy Act. |
| X | Contractors that have access to the system are subject to information security provisions in their contracts required by DOJ policy. |
| X | The following training is required for authorized users to access or receive information in the system: |

| Checked | Required training |
|---|---|
| X | General information security training |
| X | Training specific to the system for authorized users within the Department. |
|  | Training specific to the system for authorized users outside of the component. |
|  | Other (specify): |
6.2 Describe how access and security controls were utilized to protect privacy and reduce the risk of unauthorized access and disclosure.
The FACE Services Unit is in compliance with all FBI security policies and protocols regarding system security, including 1) assuring security countermeasures that hold all users accountable for their actions while on the computer system, 2) ensuring access control techniques are utilized, by the implementation of a management-approved Standard Operating Procedures guide for supervisors and staff, 3) utilizing security controls such as internal labeling of contents by classification labeling, and 4) utilizing automatic lockout if user inactivity exceeds a specified time frame. The FBINET domain, which the FACE Services Unit utilizes to access the FACE Services Unit Work Log, also complies with these guidelines. Given that the Work Log is hosted by the FBINET, it is within the boundaries of the FBINET Certification and Accreditation, which includes authority to store PII, as well as data classified up to and including the Secret level. In addition, the FACE Services Concept of Operations addresses other security concerns, which include, but are not limited to: security clearances of personnel accessing the FACE Services Unit Work Log, disclosure of information, and PII. An audit log captures information identifying the user, as well as the user’s activities while signed onto the system.
Section 7: Privacy Act
7.1 Indicate whether a system of records is being created under the Privacy Act, 5 U.S.C. § 552a. (Check the applicable block below and add the supplementary information requested.)
| Checked | Response |
|---|---|
| X | Yes, and this system is covered by an existing system of records notice. Provide the system name and number, as well as the Federal Register citation(s) for the most recent complete notice and any subsequent notices reflecting amendment to the system: JUSTICE/FBI-002 Central Records System. |
|  | Yes, and a system of records notice is in development. |
|  | No, a system of records is not being created. |
7.2 Analysis: Describe how information in the system about United States citizens and/or lawfully admitted permanent resident aliens is or will be retrieved.
The Image Search Requests submitted by the FBI agents/analysts to FACE Services often include the subject’s citizenship status, as this information may assist the FACE Services Unit with the searching of federal databases. However, information in the FACE Services Unit Work Log pertaining to US citizens and permanent resident aliens is generally not retrieved based on citizenship; rather, the information is retrieved based on the personal identifiers, including photo images, as described above in Section 1, “Description of the Information System.”
End Notes
[1] Assessments may be opened to detect, obtain information about, or prevent or protect against federal crimes [REDACTED]. They must have an authorized purpose and clearly defined objectives; they cannot be arbitrary or based on speculation.
[2] [REDACTED].
[3] [REDACTED].
[4] Examples of textual data include, but are not limited to: name, alias, address, height, weight, eye color, driver’s license/personal identification number, date of birth, and social security number.
[5] The federal or state government agency or department that originally collected the candidate photo.