Privacy Impact Assessment Integrated Automated Fingerprint Identification System (IAFIS)/Next Generation Identification (NGI) Biometric Interoperability
Section I – Introduction
This Privacy Impact Assessment (PIA) addresses the establishment of biometric interoperability between the Integrated Automated Fingerprint Identification System (IAFIS)/Next Generation Identification (NGI) of the Department of Justice (DOJ)/Federal Bureau of Investigation (FBI) and the Automated Biometric Identification System (IDENT) of the Department of Homeland Security (DHS)/United States Visitor and Immigrant Status Indicator Technology (US-VISIT) Program.1 The IAFIS/NGI is a component of the FBI Privacy Act system of records currently titled “Fingerprint Identification Records System” (FIRS) (JUSTICE/FBI-009) (64 Federal Register (FR) 52343, 52347; 66 FR 33558; 70 FR 7513, 7517; 72 FR 3410).2
Biometric interoperability will result in: 1) enhanced access to, and in some cases acquisition of, the IAFIS/NGI information by the IDENT and its users and 2) the reciprocal enhanced access to, and in some cases acquisition of, the IDENT information by the IAFIS/NGI and its users. The privacy impact of these enhancements is described below.
Pursuant to the authority provided by 28 USC § 534, the FBI acquires, collects, classifies, and maintains identification, criminal identification, crime, and other records. Pursuant to the same authority, the FBI exchanges such records and derived information with authorized personnel at Federal, State, local, tribal, foreign, and international criminal and noncriminal justice agencies, and with authorized agencies, organizations, entities, and persons in either the public or private sector, domestic or foreign, where such disclosures may promote, assist, or otherwise serve law enforcement and other lawful purposes. Currently authorized purposes include criminal justice (such as identifying criminals, locating criminal history record information (CHRI), enhancing the safety of law enforcement personnel, and solving crimes), national security, homeland protection, employment and military service suitability, licensing, security assessments, visa processing, immigration, naturalization, responding to emergencies and disasters, and other humanitarian assistance.
The FBI’s Criminal Justice Information Services (CJIS) Division was established to serve as the FBI’s focal point and central repository for carrying out the above responsibilities. The CJIS Division provides authorized users identification, verification, information, investigation, notification, and data management services via a family of automated systems and infrastructure comprising a “System of Services” (SoS). These systems include the IAFIS/NGI, the National Crime Information Center (NCIC), and the national criminal history record index known as the Interstate Identification Index (III).
To meet the growing demand for automated fingerprint identification, the FBI developed and implemented the IAFIS in 1999. The IAFIS houses the largest collection of digital representations of fingerprint images, features from the digital fingerprint images, and criminal history information in the world. Categories of fingerprints currently maintained by the FBI include: persons fingerprinted as a result of arrest, incarceration, or other authorized criminal justice purpose; persons fingerprinted for employment, licensing, security assessments, or other authorized noncriminal justice purpose, such as authorized Federal background check programs and military service; persons fingerprinted for visa, alien registration, immigration, naturalization, or related Department of State (DOS) or Department of Homeland Security (DHS) purposes; persons desiring to have their fingerprints placed on record with the FBI for personal identification purposes; individuals fingerprinted for authorized national security purposes (including known or suspected terrorists and military detainees). The IAFIS also includes footprints, palmprints, photographs, or other biometric identifiers that have been taken for the authorized purposes enumerated above and latent fingerprints, palmprints, photographic images, or other biometric indicators from locations or items associated with criminal activity or a lawful investigative or national security interest.
The IAFIS provides three major services to its customers. First, the IAFIS is a tenprint-based3 national electronic repository of identification records and associated event histories relating to the various categories of information authorized for FBI acquisition, collection, and maintenance. Second, the IAFIS provides automated biometric search functionality to positively link a single identity within the IAFIS repository to a tenprint submission taken directly from a person for an identity confirmation/records check, or to generate a ranked list of potential IAFIS identities based on a submission of “latent” fingerprints of an unknown person. Third, the IAFIS provides automated biographic search functionality to generate a list of potential IAFIS identities based on a descriptive information query using text-based parameters such as names, dates of birth, social security numbers, distinctive body markings, and identification numbers.4 All three of these services will continue under IAFIS/NGI.
The FBI’s NGI program recognizes that although the IAFIS is compliant with existing uniform biometric standards, the future of identification services is rapidly advancing beyond existing capabilities and modalities. NGI is a compilation of capabilities that will improve and expand IAFIS biometric identification services by incorporating rapidly advancing identification technologies to better address the emerging needs of civil users, criminal law enforcement, national security, and homeland protection for more efficient and robust identity solutions.
I.4. Interstate Identification Index (III)
The III is a cooperative federal-state national network that functions as an index-pointer system connecting the criminal history repositories of the FBI and of participating States/territories to facilitate the exchange of automated criminal history record information (CHRI, or “rap sheets”). All information in the III is supported by fingerprint submissions. The FBI maintains the III index of persons arrested for felonies or misdemeanors under either State or Federal law. The index includes identification data such as name, birth date, sex, aliases, physical descriptors, distinctive body markings, fingerprint classifications, and the names of the agencies maintaining the CHRI. In addition, the index contains FBI Numbers (FNUs) and State Identification Numbers (SIDs) from each State that has criminal justice information about an individual. Each FNU and SID is tied to a single person positively identified by fingerprints.
Biographic III inquiries can be made by law enforcement agencies throughout the country using their agency computer terminals. An authorized user may submit a general inquiry using an individual’s personal identifiers (name, social security, date of birth, SID, FNU, etc.). Such an inquiry searches III to determine if it contains a corresponding criminal history record index. To obtain an actual criminal history record, an authorized requesting agency must make a separate record request for the specific individual using the applicable FNU or SID. Such record requests will generate criminal history reports from all III participants maintaining criminal history records tied to the FNU or SID used.
III information may also be retrieved via fingerprint-based inquiries. In these cases, the submitted fingerprints are compared to the IAFIS/NGI repository of criminal fingerprints. If there is a match, the FNU or SID (or unique identifier) of the existing IAFIS/NGI record so identified is used to retrieve III information related to the record.
I.5. Biometric Interoperability Overview
In 1999, Rafael Resendez-Ramirez, a Mexican citizen, was apprehended by the Border Patrol and released into Mexico despite the fact he was wanted for murder–information that would have been available with an IAFIS search. The IAFIS and the DHS IDENT were not integrated, and the Border Patrol did not learn of the outstanding warrant. Following his return to Mexico, Resendez-Ramirez reentered the U.S. and murdered four individuals.
In 2002, Mexican citizen Victor Manuel Batres was detained by the Border Patrol on two separate occasions for illegally entering the United States. On each occasion, the Border Patrol returned him voluntarily to Mexico. The apprehending Border Patrol agents did not learn of Batres’s extensive criminal record or past deportation. If his full history had been available through an integrated IAFIS/IDENT search, Batres would have been detained and prosecuted. Instead, after his voluntary return to Mexico, Batres illegally reentered the United States and traveled to Oregon where he brutally raped two nuns, killing one.
These high profile cases and the September 11, 2001, terrorist attacks prompted significant legislative action to ensure the interoperability of the IAFIS/NGI and the IDENT and to ensure that the criminal and immigration information contained therein is accessible to and shared among other international, Federal, State, and local law enforcement agencies. Examples of this significant legislative action include:
- In a 1999 conference report (House Report 106-479) for Fiscal Year (FY) 2000 DOJ appropriations, Congress directed the DOJ to provide an implementation plan “to integrate the INS IDENT and the FBI IAFIS systems.”
- The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001 (Public Law 107-56 Section 403) required a “fully integrated means to share law enforcement and intelligence information.”
- Section 302 of the Enhanced Border Security and Visa Entry Reform Act of 2002 (Public Law 107-173) stated that the integrated entry/exit system must “make interoperable all security databases relevant to making determinations of admissibility under Section 212 of the Immigration and Nationality Act.”
- In the conference report (Senate Report 108-280) for the DHS Appropriations Bill for Fiscal Year (FY) 2004, Congress directed that “[t]he biometric infrastructure being built [US VISIT] must be a viable long-term solution fully interoperable with the FBI Integrated Automated Fingerprint Identification System [IAFIS] that meets biometric standards of the National Institute of Standards and Technology [NIST].”
- Homeland Security Presidential Directive (HSPD) 24, June 5 2008, establishes a framework to ensure that Federal executive departments and agencies use mutually compatible methods and procedures in the collection, storage, use, analysis, and sharing of biometric and associated biographic and contextual information of individuals in a lawful and appropriate manner.
To implement these mandates, the DHS, DOJ/FBI and DOS/Bureau of Consular Services entered into a Memorandum of Understanding (MOU) for Improved Information Sharing Services (hereinafter, “Interoperability MOU”) in 2008. The Interoperability MOU establishes the framework for the sharing of information in accordance with the agreed-upon technical solution for expanded IDENT/IAFIS/NGI Interoperability, which will provide access to additional data for a greater number of authorized users. At the same time, the Interoperability MOU contains restrictions on the use and disclosure of information to make clear that data shall not be retained, shared or further disseminated in violation of federal law, regulation, or applicable system of records notices (SORNs); that data shall only be accessed by authorized users for authorized uses; that the parties shall use their best efforts to ensure that personally identifiable information is accurate, relevant, current, and complete and that any discovered errors are corrected in a timely manner; and that the parties will maintain reasonable safeguards to protect the shared data against loss, theft, or misuse.
The first phase of Biometric Interoperability, entitled the interim Data Sharing Model (iDSM) 5, achieved interoperability between the DHS’s IDENT and DOJ/FBI’s IAFIS. This PIA covers more robust interdepartmental projects:
(1) Like the iDSM, the Shared Data Component will make copies of relevant subsets of each agency’s fingerprint image data and minimal biographic data available at the other agency’s location to allow the other agency to rapidly and efficiently conduct biometric comparisons. The FBI-maintained subset of biometric and biographic data shared with DHS includes information on individuals for whom biometric information exists (a) with outstanding warrants (“Wanted Person File”) or (b) certain individuals who are categorized as known or suspected terrorists or others of special interest. The DHS subset shared with DOJ includes information on individuals who are DOS Category One Visa Refusals and aliens who have been categorized as Expedited Removals (ERs) from the United States. The subsets may be expanded as jointly agreed upon by the DOJ/FBI and DHS.
When an IDENT submission searched against the IAFIS data results in a match, appropriate notification and information (name, date of birth, gender, fingerprint image, record type, FBI identifier) will be returned to the IDENT user, based on the purpose of the search (different information may be returned depending on whether the purpose of the search is criminal justice (law enforcement) or non-criminal justice (determining benefits eligibility)).When an IAFIS submission searched against the IDENT data results in a match, the IAFIS user receives a notification and the appropriate DHS Immigration and Customs Enforcement (ICE) office is notified. Like the iDSM, the Shared Data Component will utilize the existing infrastructure that allows each criminal justice agency to obtain related biographic, criminal history, and immigration history data from the other agency as a follow-up to a fingerprint identification, while at the same time allowing the source agency to maintain control over the criminal history (FBI) or immigration history data (DHS) maintained in its System of Records.
(2) The Shared Services Component will initiate reactive and proactive searches of the IDENT. Shared Services permits, via a single biometric submission, IAFIS/NGI users to initiate direct searches of the IDENT.6 When an IAFIS/NGI user’s search results in a match within IDENT, the IAFIS/NGI generates an Immigration Alien Query (IAQ) to the DHS ICE Law Enforcement Support Center (LESC). Based on the results from the biometric-based IAQ, ICE may conduct an investigation which may result in a detainer being issued and/or removal proceedings.
In addition to reactive searching, the FBI CJIS Division has identified various data sets to be searched in a proactive manner. For example, Identification for Firearms Sales 7 (IFFS) records (a firearm purchase disqualifier), Sexual Offender Registry (SOR) individuals and select foreign records contained within the IAFIS/NGI could be used by DHS in making admissibility determinations at ports of entry (POE). The update of the record with the IFFS/SOR designations is not the result of a biometric submission. The preemptive searching of these subsets does not result in a change to the information available at a POE; it merely changes the sequence of when this information is available. These records are searched against the IDENT via the Shared Services infrastructure. If this search results in a match in the IDENT and there is an independent DHS encounter, then a new encounter will be created in the IDENT. The new encounter will include a pointer—an indicator within the IDENT record to “point” a user to another information source but will not contain contextual criminal history information. The IDENT may update its records with the following IAFIS/NGI-maintained descriptive information: full name, date of birth, gender, 10-fingerprint images, record type and FBI identifier.
If there is no match, then the information will not be retained. As noted in the Interoperability MOU, the IDENT is prohibited from retaining such descriptors (biographics and biometrics) unless it has had prior independent encounters and the search was conducted for criminal justice purposes. Also, for searches conducted by the IAFIS/NGI users, the IDENT will return an IDENT Data Response (IDR) that contains the following information for multiple encounters: full name, date of birth, place of birth, gender, record identifier and photograph.
(3) Additional participating agencies may be included in this initiative as agreed to by the parties, within the auspices of the Interoperability MOU. Although the number of participating agencies will increase as technical capabilities advance, the categories of authorized entities having access to the information will not be affected. All privacy and security requirements will remain the same, regardless of the number of participating agencies.
IDENT/IAFIS/NGI Interoperability will enable the rapid and seamless sharing of biometric and related biographic, criminal history, and immigration information to meet the respective agencies’ missions. Specific benefits will include better terrorism and crime prevention via improved identification of high-risk individuals and persons of special interest, improved immigration management and enforcement, improved determination of individual eligibility for positions of public trust, privileges or benefits, and increased officer safety. This interoperability will also reduce the amount of personal identification information required to prove an individual’s identity and speed the vetting process for employment and during law enforcement and immigration encounters.
Section 1.0 –
The System and the Information Collected and Stored within the System
1.1. What information is to be collected?
No new data will be collected for either the Shared Data Component or the Shared Services Component of IAFIS/IDENT Interoperability. Instead, existing fingerprints and biographic data on identifiable groups of individuals currently maintained in either IAFIS or IDENT will be used to populate the Shared Data Component and to search via the Shared Services Component. This also includes automated updating of data in one system based on new data entries in certain categories of records in the other system.
In the Shared Data Component, the FBI will be sharing fingerprint images, names, dates of birth, gender, record type, and FBI identifiers of individuals with outstanding warrants for whom biometric information exists (“Wanted Person File”) and certain individuals who are categorized as known or suspected terrorists or others of special interest. In the Shared Data Component, the DHS subset will include information on individuals who are DOS Category One Visa Refusals or aliens who have been categorized as ERs from the United States. The data to be shared may be expanded as jointly agreed upon by the DOJ/FBI and DHS.
In addition, individuals encountered by law enforcement during an arrest situation, individuals encountered for noncriminal justice purposes, individuals on the SOR, individuals with an IFFS disqualifier notation, and select foreign records will be searched against the IDENT. If a criminal justice search results in a match in the IDENT based on an independent DHS encounter, then the IDENT will update its own records with the IAFIS/NGI-maintained descriptive information (this information will not contain contextual criminal history information). If there is no match, then the information will not be retained. For the search generated because of a law enforcement encounter involving an arrest, information received from IDENT currently is not retained, but under the Shared Data Component, a link between the two systems will be identified and maintained in each for record linking purposes.
1.2. From whom is the information collected?
As already explained, this initiative does not expand the categories of individuals from whom biometric and related biographic information is collected by the IAFIS/NGI. The IAFIS/NGI already includes biometric and related biographic information from persons fingerprinted for authorized criminal justice and national security purposes. Some of this information may be obtained directly by the FBI, and some may be provided to the FBI by the Department of Defense, the Intelligence Community, other federal agencies, or foreign governments.
Section 2.0 – The Purpose of the System and the Information Collected and Stored within the System
2.1. Why is the information being collected?
The information is being collected to carry out the information sharing mandates established by Congress. Users of each system will have more efficient access to information in the other system, thereby making available more rapid, complete information that may be relevant or even critically important. For example, a criminal justice agency will be able to use an IAFIS/NGI inquiry to also check for any biometrically-related biographic data from the IDENT or other biometric system to determine if an individual arrested locally has previously identified himself using a different name or date of birth.
- What specific legal authorities, arrangements, and/or agreements authorize the collection of information?
The statutory authority for the information sharing at issue is described in the introduction to this PIA.
2.3. Privacy Impact Analysis: Given the amount and type of data collected, as well as the purpose, discuss what privacy risks were identified and how they were mitigated.
This initiative does not expand the categories of individuals from whom biometric and related biographic information is being collected, nor does this initiative expand the users authorized access to the IAFIS/NGI or to the IDENT or modify the rules governing their use. Privacy risks therefore arise from any potential vulnerability presented by the new interoperability processes. We have identified several such potential risks:
Duplication of the data shared between the IAFIS/NGI and IDENT or any other external biometric system in an interim holding repository presents the potential risk that information may be compromised as a result of any vulnerabilities in the new processes or infrastructure for moving the data to and from the existing systems and/or from compromise of data while stored in the interim repository. This risk and its mitigation are discussed in subsection 8.9 below.
There is a potential risk if the systems to share data are not sufficiently compatible, resulting in degradation of the quality of biometrics that are transferred and the potential for misidentification as a result. This risk is mitigated by each agency’s use of a common compression standard for the fingerprint image, thereby eliminating the potential for quality degradation when messaging between the two systems. This risk is further mitigated by the fact that the exchange of biometrics was deployed in the iDSM operation prototype and found to work as conceived.
There could be risks in refreshing data about a person in one system using data from the other system. A risk would exist if the refresh processes are insufficiently reliable to positively identify the entries in each system as applying to the same person. A related risk would exist if the refresh processes are insufficiently reliable to ensure that relevant information about the person in the one system is accurately transmitted to the other system and accurately linked to that person in the other system. This risk is mitigated by the use of automated record updates for shared data subsets, providing notification of changes for previously shared records. This risk is further reduced through the policies by which DHS components make admissibility decisions. Admissibility decisions are based on the totality of the information available, past and present, and will be properly adjudicated prior to making a decision.
The refreshing of records in one system by adding information from the other system will result in the refreshed system’s acquiring and retaining an increased amount of information. Increased retention of personally identifiable information (PII) presents a correspondingly increased risk that there will be more information in the system subject to loss or unauthorized use. This risk is mitigated by the strong security features and robust audit processes already present in the IAFIS/NGI system (which are addressed in more detail in section 8 below). Moreover, this risk is counterbalanced in that the increased information should make the system’s records more accurate.
The enhanced search, refresh, and retrieval capabilities create additional privacy issues, as they provide an increased ability to locate information about a specific person that might not otherwise be discovered as quickly or as efficiently, or might never be discovered at all. This privacy issue is mitigated by the advantages of being able to better locate responsive information about a specific person, permitting more complete and timely investigative analysis, including more effective and efficient identification of perpetrators and generation of leads to potential suspects, which in turn can also protect individual privacy by decreasing the number of misidentifications.
Section 3.0 – Uses of the System and the Information
3.1. Describe all uses of the information.
As discussed above, this initiative does not expand the categories of individuals from whom biometric and related biographic information is already being collected by the IAFIS/NGI and by the IDENT, does not involve collection of new categories of information from the relevant persons, and does not involve new users of the collected information. Whether or not an external biometric system’s user will be provided information will depend on whether the user would be authorized to have access for that type of query under the system’s rules and would be subject to any limitations on the use or retention of the information applicable to the system. Similarly, the authorized underlying uses of the information in IAFIS/NGI remain as provided in the SORN and applicable PIAs. (See subsection I.2 above.)
In addition, information made available via this initiative may be used to refresh records in one system with shared biometrics and basic biographic information from the other system that are also appropriate for retention by the receiving system, and pointer or link information may be added to one system indicating the presence of additional information about a person in the other system. As a result, biometric interoperability will make it easier and faster for users using a single query to access information in multiple systems or at least to identify the existence of relevant information to be pursued via subsequent queries. As detailed in subsections I.3 and 2.1 above, this increased efficiency and speed will permit greater practical application of the underlying uses already established for information in these systems.
3.2. Does the system analyze data to assist users in identifying previously unknown areas of note, concern, or pattern (sometimes referred to as data mining)?
No. Biometric interoperability only involves biometric-based searching and sharing of information related to specific persons.
3.3. How will the information collected from individuals or derived from the system, including the system itself be checked for accuracy?
The CJIS Division Audit Unit regularly checks a representative sample of Federal, State, local, and nongovernmental authorized recipients to ensure only authorized fingerprint submissions have been forwarded to the CJIS Division for criminal history record checks. The authorized recipient is responsible for ensuring accurate and complete biographical information is included on these submissions and the fingerprints must meet quality standards for the system. This initiative contractually requires the recipient to “ensure fingerprint submissions are properly and adequately completed” prior to submission to the FBI. Authorized recipients are allowed to resubmit fingerprints that are determined to be of insufficient quality.
In addition, all transactions between the IAFIS/NGI and the IDENT are maintained in audit logs. These logs include requests to add, update, or delete data, along with acknowledgements of request receipt and request processed. Periodic analysis and auditing of these logs can identify if the potential for inaccurate data exists. Findings from these formal audits will be addressed by the US-VISIT Program.
Further, the Interoperability MOU provides that the Parties shall individually and collectively use their best efforts to ensure that information is accurate, relevant, current, and complete, and that upon notice from the respective data owner the Parties shall, in a timely manner, correct any errors discovered.
3.4. What is the retention period for the data in the system? Has the applicable retention schedule been approved by the National Archives and Records Administration (NARA)?
NARA has approved the destruction of fingerprint cards and corresponding indices when criminal subjects attain 99 years of age, or seven years after notification of death. NARA has determined that automated FBI criminal identification records (rap sheets) are to be permanently retained. Biometrics and associated biographic information may be removed from the IAFIS/NGI earlier than the standard NARA retention period pursuant to a request by the submitting agency or the order of a court of competent jurisdiction.
3.5. Privacy Impact Analysis: Describe any types of controls that may be in place to ensure that information is handled in accordance with the above described uses.
Each authorized user seeking the IAFIS/NGI information through the IDENT, and with whom the IDENT shares information, must be fully disclosed upon request to the FBI CJIS Division, along with the details of the information shared. This disclosure is recorded in an electronic or manual audit log. The FBI CJIS Division Audit Unit conducts periodic internal and external on-site audits of user agencies to assess and evaluate compliance with the FBI CJIS Division Security Policies. Both the FBI CJIS Advisory Policy Board and the National Crime Prevention and Privacy Compact Council have Sanction Committees to review all audit findings of possible non-compliance. Training on the proper use of the data received on the IDENT response is provided to the users of IAFIS/NGI.
Section 4.0 – Internal Sharing and Disclosure of Information within the System
4.1. With which internal components of DOJ is the information shared?
When full biometric interoperability is realized, every authorized IAFIS/NGI user within the DOJ (e.g., the FBI, the Drug Enforcement Administration (DEA), the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), the Federal Bureau of Prisons (BOP), the United States National Central Bureau INTERPOL, and the United States Marshals Service (USMS)) will be able to access appropriate IDENT information via the IAFIS/NGI searches. Similar access will be available for any other systems with which biometric interoperability may subsequently be established.
4.2. What information is shared and for what purpose?
In furtherance of the purposes and goals of biometric interoperability described in subsection 2.1 above—sharing for criminal justice and other lawful purposes—when full biometric interoperability is realized all the information in the IDENT will be potentially available to all authorized IAFIS/NGI users within the DOJ. However, whether individuals have actual access to this information will be dependent upon whether the user would be authorized to have access for that type of query under the system’s rules and would be subject to any limitations on the use or retention of the information applicable to the system.
4.3. How is the information transmitted or disclosed?
See discussion in subsection I.5 above.
4.4 Privacy Impact Analysis: Given the internal sharing, discuss what privacy risks were identified and how they were mitigated.
See subsection 2.3 above and section 8 below.
Section 5.0 – External Sharing and Disclosure
5.1. With which external (non-DOJ) recipient(s) is the information shared?
When full biometric interoperability is realized, every federal, state, local, tribal, foreign, or international governmental IAFIS/NGI authorized user will have access to the IDENT information via the IAFIS/NGI searches, and every IDENT user authorized to access the IAFIS/NGI information will be able to do so via the IDENT searches.
5.2. What information is shared and for what purpose?
The information shared with external recipients and the purposes for sharing that information are the same as described in 4.2. for internal recipients.
5.3. How is the information transmitted or disclosed?
Electronically. See the discussion in subsection I.5 above.
5.4. Are there any agreements concerning the security and privacy of the data once it is shared? If possible, include a reference to and quotation from any MOU, contract, or other agreement that defines the parameters of the sharing agreement.
Biometric Interoperability is supported by the Interoperability MOU (discussed above in subsection I.3) and by a US-VISIT and FBI Interconnection Security Agreement. See the discussion in Section 8 regarding security by the Parties to the MOU. Additional provisions of the MOU provide specific limitations regarding disclosures to third parties of information derived from interoperability. These limitations identify if a source system’s information is pre-approved for disclosure to third parties, and typically provide that no other information from the source agency may be disclosed to third parties without first obtaining the source agency’s approval and/or any conditions for the proposed disclosure.
5.5. What type of training is required for users from agencies outside DOJ prior to receiving access to the information?
The Interoperability MOU provides that all persons who receive access to data pursuant to the MOU shall be appropriately trained regarding the proper treatment of PII to ensure the overall safeguarding of the information in accordance with existing policies of the Parties. DHS/US-VISIT provides privacy and security training to the IDENT users accessing the IAFIS/NGI data stored by the IDENT. CJIS also provides privacy and security training to IAFIS/NGI users. Training on the proper use of the data received on the IDENT response is provide to the users of IAFIS/NGI, whether those users are DOJ or other agency users of the system.
5.6. Are there any provisions in place for auditing the recipients’ use of the information?
Yes. See Section 8 below
5.7. Privacy Impact Analysis: Given the external sharing, what privacy risks were identified and how were they mitigated?
See subsection 2.3 above and section 8 below.
Section 6.0 – Notice
No new information is being collected for this initiative. General notice regarding the collection of biometrics in IAFIS/NGI has been provided to the public through the FIRS SORN and previous privacy documentation of interoperability initiatives. Publication of this PIA will also contribute to general notice.
At its initial collection, individuals may or may not be aware of the collection of biometrics, depending on the environment in which the biometrics are collected.
6.2. Do individuals have an opportunity and/or right to decline to provide information?
N/A. Biometric Interoperability does not result in the additional collection of information from individuals.
6.3. Do individuals have an opportunity to consent to particular uses of the information? If such an opportunity exists, what is the procedure by which an individual would provide such consent?
See previous answer.
6.4. Privacy Impact Analysis: Given the notice provided to individuals above, describe what privacy risks were identified and how you mitigated them.
The lack of specific notice creates a risk that individuals may not be aware of how the FBI is using or sharing their information; however, this risk is mitigated by the publication of SORNs and PIAs by the FBI and DHS.
Although individuals generally have no opportunity to object to the collection or dissemination of the IAFIS/NGI information under biometric interoperability, the information has been collected and will be disseminated under lawful authority and will be subject to various protective provisions of the Interoperability MOU. The MOU emphasizes that the information shall not be shared, handled, or further disseminated in a manner that would violate Federal law, regulation, or applicable SORNs; that the collection, use, disclosure, and retention of the information shall be limited to that which is relevant and necessary for purposes of the Parties; and that the information shall be accessed only by authorized users with a need to know the information to carry out national security, law enforcement, immigration and border management, or intelligence, or to conduct background investigations for national security positions and certain positions of public trust.
Section 7.0 – Individual Access and Redress
7.1. What are the procedures which allow individuals the opportunity to seek access to or redress of their own information?
The Interoperability MOU provides that each Party will utilize its own redress procedures to process requests by individuals seeking access or correction, or both, of data collected by that Party.
The IAFIS/NGI is part of the FBI’s FIRS, certain records of which are exempt from access and amendment under the Privacy Act. However, 28 CFR §§ 16.30-16.34 and 20.34, establish alternative procedures for the subject of an FBI identification record to obtain a copy of his or her own record for access and correction.
In addition, 28 CFR § 50.12 provides that officials at the governmental institutions and other entities authorized to submit fingerprints for making determinations of suitability for licensing or employment shall provide the applicants the opportunity to complete, or challenge the accuracy of, the information contained in the FBI identification record.
7.2. How are individuals notified of the procedures for seeking access to or amendment of their information?
Procedures for seeking access to or amendment of the IAFIS/NGI information are available to the public at 28 C.F.R. §§ 16.30-34 and 20.34, which can be accessed at www.fbi.gov. In addition, 28 C.F.R. § 50.12 provides that officials at the governmental institutions and other entities authorized to submit fingerprints and receive FBI identification records must notify the individuals that their fingerprints will be used to check the criminal history records of the FBI. These officials also must advise the applicants of procedures for obtaining a change, correction, or updating of an FBI identification record that are set forth in 28 C.F.R. § 16.34.
- If no opportunity to seek amendment is provided, are any other redress alternatives available to the individual?
7.4. Privacy Impact Analysis: Discuss any opportunities or procedures by which an individual can contest information contained in this system or actions taken as a result of agency reliance on information in the system.
See discussion in subsection 7.1 above. The data exchanged as a result of interoperability is not used as the sole basis for law enforcement or other government action against an individual. The agency users of the data are trained to conduct a comprehensive investigation, to consider the totality of the circumstances, and to obtain other relevant information.
Section 8.0 – Technical Access and Security
8.1. Which user group(s) will have access to the system?
Access to IAFIS/NGI and/or IDENT is governed, in the first instance, by the rules of behavior for each system. Users authorized to access the IDENT information will be able to do so via the IAFIS/NGI searches, and every IDENT user authorized to access the IAFIS/NGI information will be able to do so via the IDENT searches. Similar access will be available for other external systems with which biometric interoperability may subsequently be established. However, whether or not another system’s user will be provided information will be dependent upon whether the user would have authorized access for that type of query under the system’s rules and would be subject to any limitations on the use or retention of the information applicable to the system.
8.2. Will contractors to the Department (DOJ/FBI) have access to the system?
Yes, some Information Technology (IT) contractors have limited access to the IAFIS/NGI data. The extent of access will vary based on the need to fulfill the requirements of the contract under appropriate non-disclosure and use limitations. In addition, and where applicable, FBI contracts will contain the following Privacy Act clauses mandated by the Federal Acquisition Regulation (FAR): FAR 52.224-1, and 52.224-2.
8.3. Does the system use “roles” to assign privileges to users of the system?
Yes. The IAFIS/NGI is only available to users who have a unique Originating Agency Identifier (ORI) Number. Each entity may only access information for purposes that have been authorized for its ORI.
8.4. What procedures are in place to determine which users may access the system and are they documented?
The applicable FBI CJIS System Officer (for a user agency) or appropriate FBI official must document each request for an ORI and reference the statute, regulation, or order that authorizes such access.
In addition, the Interoperability MOU specifically details restrictions and/or conditions on the use and disclosure of information. Each authorized user obtaining the IAFIS/NGI information through the IDENT must be fully disclosed upon request to the FBI CJIS Division, along with the details of the information shared. These disclosures are to be effected via documentation in an electronic or manual audit log. The Interoperability MOU further provides that each Party is responsible for ensuring that it provides data received under this MOU (and that it did not originate) only to authorized users, that the purpose for obtaining data by such users is for an authorized use, and that its authorized users maintain, use, and retain such data in compliance with the terms and conditions of the MOU.
8.5. How are the actual assignments of roles and rules verified according to established security and auditing procedures?
All federal, state, and local IAFIS/NGI users are subject to periodic audits conducted by both the system users and the FBI CJIS Division Audit Unit. In addition, each IAFIS/NGI system user must designate an Information System Security Officer (ISSO) assigned to the system (IAFIS/NGI). The ISSO is responsible for ensuring that operational security is maintained on a day-to-day basis within the user agency and that auditing measures are in place and conducted as dictated by the FBI security requirements. The roles and rules are tested as part of the security certification and accreditation process. Also, all users are required to sign Rules of Behavior forms on an annual basis as part of security awareness training. In addition, the FBI CJIS Computer Security Incident Response Capability (CSIRC) defines processes and procedures for responding to, and handling, computer and data misuse.
Further, the Interoperability MOU provides that each party will maintain a log of all data received and sent, including name or Originating Agency Identifier (ORI) of the recipient and sender, as well as date and type of transmission. Each Party may make a written request for a copy of this log at any time to ensure compliance with this provision. The Interoperability MOU also provides that in addition to the Parties’ regular audit schedules, audits shall be conducted upon written request by any Party and the results of such audits shall be exchanged with the other Parties.
8.6. What auditing measures and technical safeguards are in place to prevent misuse of data?
See discussion in subsection 8.5 above.
8.7. Describe what privacy training is provided to users either generally or specifically relevant to the functionality of the program or system?
The Interoperability MOU provides that all persons who receive access to data pursuant to the MOU shall be appropriately trained regarding the proper treatment of PII to ensure the overall safeguarding of the information in accordance with existing policies of the Parties.
8.8. Is the data secured in accordance with FISMA requirements? If yes, when was Certification & Accreditation last completed?
Yes. The IAFIS/NGI Certification and Accreditation was last completed in October 2009.
8.9. Privacy Impact Analysis: Given the access and security controls, what privacy risks were identified and how they were mitigated.
A breach of PII or loss of data is a potential privacy risk. This initiative does not change the core infrastructures of the IAFIS/NGI, nor does it expand the users authorized access to the systems. User access and data security will remain subject to the same extensive security protections, access limitations, and quality control standards already in existence for the respective systems and reinforced by the Interoperability MOU. To mitigate existing risks in these areas, the IAFIS/NGI data and infrastructure are maintained within FBI-controlled, secure restricted areas and are accessible only by authorized personnel. Each FBI employee receives a complete background investigation prior to being hired. Other authorized system support personnel (such as contractors) receive comparable vetting. Users agencies have signed User Agreements to abide by the FBI CJIS Security Policy, are held responsible for safeguarding information within their respective infrastructures, and are required to adopt comparable safeguards designed to prevent unauthorized access to the system data and/or unauthorized use of its data.
Any new privacy risks for biometric interoperability thus would arise from any potential vulnerability presented by the new interoperability processes and any supplemental infrastructure. We have identified several such potential risks and address them below.
Duplication of the data shared between the IAFIS/NGI and the IDENT shared data for retention in the temporary holding repository presents the potential risk that information may be compromised as a result of any vulnerabilities in the new processes or infrastructure for moving the data to and from the existing systems and/or from compromise of data while stored in the interim repository. This risk is mitigated by the use of a multi-layer strategy to implement information exchange security. The existing CJIS Wide Area Network connection will be used providing an encrypted two-way interconnection between the agencies. This risk is further mitigated because data will only be stored in these holding repositories temporarily, after which the duplicated data in them will be completely purged.
The ability to access the information in a source system via a single search originating in the other system also presents the potential risks that the originating system’s users may not be sufficiently familiar with any limitations applicable to use or disclosure of information from the source system, and that the source system may not be able to adequately audit the proper use of its information by the other system or the other system’s users. This risk is mitigated through the Interoperability MOU. Subsections 2.3, 5.4-5.7, and 8.3-8.7 above discuss further mitigations applicable to these risks.
Section 9.0 – Technology
9.1. Were competing technologies evaluated to assess and compare their ability to effectively achieve system goals?
Biometric Interoperability is an extension of existing systems, the IAFIS/NGI and the IDENT, and is based on commercial-off- the-shelf hardware and software that has been modified to meet the needs of this particular implementation. The hardware and software needed for the iDSM was obtained from the GSA schedules and/or existing CJIS contracts awarded through full and open competition. The equipment used for iDSM was to be architecturally in line with existing equipment deployed in support of the CJIS System-of-Systems.
9.2. Describe how data integrity, privacy, and security were analyzed as part of the decisions made for your system.
Data integrity, privacy, and security remain a significant part of the enhanced system and the Biometric Interoperability efforts. The developers are required to follow all FBI CJIS Division guidelines, appropriate regulations, and specific statutes. Those agencies and entities with electronic connectivity must comply with requirements contained in the FBI CJIS Division’s Security Policy.
9.3. What design choices were made to enhance privacy?
The NGI Program Office chose to enhance the IAFIS/NGI by utilizing existing channels and established security measures instead of developing an entirely new system. With continued input from the CJIS Advisory Policy Board (APB) and participating agencies, the development of the IAFIS/NGI was designed to comply with the already extensive privacy protection built into the existing infrastructure, including access controls, and physical security measures.
Privacy was also enhanced by structuring biometric interoperability to provide only for direct sharing of a limited amount of basic biometric and biographic information, and the use of “pointers.” Pointers strike an appropriate balance by providing users immediate notice of the availability of potentially relevant additional information, while requiring the user to use existing procedures of the source system (subject to the source system’s validation and security and access validation protections) to obtain substantive details about the additional information.
Privacy risks such as disclosure to third parties, data security, and authorized use, were further addressed via numerous protective conditions and limitations in the Interoperability MOU.
The IAFIS/NGI already contains biometric data, criminal identification data, and other lawfully authorized records. Strong privacy protections have been built into system infrastructure and processes during the past several decades and have been memorialized in the FBI CJIS Division Security Policy with which all users must comply. Access may be terminated for improper access, use, or dissemination of records obtained from the system of records.
As previously discussed (see subsection 2.3 above), biometric interoperability does present certain privacy risks. However, these risks can be appropriately mitigated. Mitigation elements include the long-standing technology protections already present in the underlying IAFIS/NGI and IDENT systems, the existing eligibility limitations and careful vetting of system users, and the existing access policies, training requirements, and audits. Mitigation elements also include the additional provisions of the Interoperability MOU.
Biometric Interoperability initiatives do not impact or circumvent any of these long standing FBI CJIS policies and agreements. The data made available to DHS through biometric interoperability has always been accessible to DHS agencies; biometric interoperability simply provides a more efficient mechanism to share this information to better meet national priorities.
Issued by James J. Landon, Chief Privacy and Civil Liberties Officer, Federal Bureau of Investigation
Reviewed by Vance E. Hitch, Chief Information Officer, Department of Justice
Approved by Nancy C. Libin, Chief Privacy and Civil Liberties Officer, Department of Justice
Approved January 18, 2012
1 Today, IDENT is managed by the DHS US-VISIT Program and stores and processes biometric and biographic information for DHS national security, law enforcement, immigration, intelligence, and other DHS mission-related functions. As the system owner of IDENT, US-VISIT maintains data provided by other DHS components and external agencies, including, among others, U.S. Customs and Border Protection (CBP), U.S. Immigration and Customs Enforcement (ICE), U.S. Citizenship and Immigration Services (USCIS), the Transportation Security Administration (TSA), and the U.S. Department of State (DOS). The current IDENT system of records notice (DHS/US-VISIT-012) is published at 72 FR 31080.
2 This PIA encompasses records in DOJ/FBI systems that may pertain to persons who are not individuals covered by the Privacy Act. We do this to provide a more informative description of the biometric interoperability initiative, but it is not intended by the DOJ/FBI and should not be construed to extend the protections of the Privacy Act to such persons within these systems.
3 Tenprint” refers to systems which include prints from all ten of a person’s fingers. For many decades, tenprints submitted to the FBI were obtained by rolling each inked finger on the fingerprint card. Recently, however, there has been increased interest in using flat fingerprints. Based on the 2004 National Fingerprint-Based Applicant Check Study (N-FACS), the National Crime Prevention and Privacy Compact Council (Compact Council) accepted the recommendation that ten-flat fingerprints comprise another standard for determining positive identification for noncriminal justice purposes so long as the reliability meets or exceeds the FBI’s CJIS Division’s IAFIS specifications and there is no degradation of IAFIS services. Accordingly, IAFIS/NGI may now include, and be searched by, both rolled and flat fingerprints.
4 Text-based searches do not result in positive identifications; instead, they are used as investigative tools to identify candidates within IAFIS warranting further focus by trained examiners to confirm or rule out candidate identities.
5 The FBI iDSM PIA is available on the FBI’s Internet website at http://www.fbi.gov/foia/privacy-impact-assessments/idsm. The counterpart DHS PIA (interim Data Sharing Model (iDSM) for the Automated Biometric Identification System (IDENT)/Integrated Automated Fingerprint Identification System (IAFIS) Interoperability Project, September 1, 2006) is available at the DHS Internet website at www.dhs.gov/xlibrary/assets/privacy/privacy_pia_usvisit_phase1ioc.pdf.
6 DHS has published a PIA that permits IDENT users to initiate direct searches of IAFIS/NGI. This PIA may be found at https://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_nppd_visit_update-b.pdf.
7 The IFFS flag indicating a disqualifier, for certain states, is populated with records of individuals who have been prohibited from purchasing or owning a firearm. The reasons for these prohibitions align with crimes of moral turpitude as defined in the Grounds for Inadmissibility and Deportability, as identified by our Customs and Border Patrol (CBP) user group in alignment with the Immigration and Nationality Act.