For the last eight years, the US Federal Bureau of Investigation (FBI) has been quietly building a sprawling biometric database it calls the Next Generation Identification System (NGIS). The NGIS database contains millions of identification elements — biographies, fingerprints, iris scans, palm prints, photographs, tattoos, etc. — of criminals, suspects, and general citizens suspected or convicted of absolutely nothing. The NGIS system went live in late 2014 without a Privacy Impact Assessment that the FBI had promised to deliver by 2012.
To make matters worse, the NGIS database has a very high false positive error rate.
In addition to not providing an updated Privacy Impact Assessment, the FBI is now petitioning the US Congress to exempt it from Privacy Act provisions. The core provision of the Privacy Act around which the FBI wants to route is the requirement that federal agencies share information they collect with the subject of that information, so that the subject can verify and correct the information if necessary.
In its 5 May 2016 notice of proposed rulemaking, the US Department of Justice (DOJ) argues its boilerplate whining about compromising national security as reason for the requested exemptions:
“Also, because making available to a record subject the accounting of disclosures from records concerning him/her would specifically reveal investigative interest by the FBI or agencies that are recipients of the disclosures. Revealing this information could compromise ongoing, authorized law enforcement and national security efforts, and may permit the record subject with the opportunity to evade or impede the investigation.
…
Providing access could compromise sensitive law enforcement information, disclose information which would constitute an unwarranted invasion of another’s personal privacy; reveal a sensitive investigative technique; could provide information that would allow a subject to avoid detection or apprehension; or constitute a potential danger to the health or safety of law enforcement personnel, confidential sources, and witnesses.”
Then the DOJ trots out a relatively new argument: “Most records in this system are acquired from state and local law enforcement agencies and it would be impossible for the FBI to vouch for the compliance of these agencies with this provision [the Privacy Act].”
The DOJ is asking Congress to mandate an allowance for the FBI to amass an enormous biometric database — complete with information for which it will not vouch and an alarming false positive error rate — do with it whatever it likes, and exempt it from any sort of oversight or attempt by individuals to examine the information collected about themselves. What could possibly go wrong?
The comment period for the notice of proposed rulemaking expires on 6 June 2016. You can submit a formal comment on the proposed rule by simply clicking a button and filling out a form.