ICE facial biometrics use boosts investigative capabilities but privacy assessment shows risks remain
The use of biometric facial recognition from third parties by U.S. Immigration and Customs Enforcement (ICE) has “exponentially” improved the agency’s ability to protect the country and enforce immigration laws, and is tightly controlled by departmental policy and federal privacy law, according to a privacy impact assessment carried out by Homeland Security Investigations.
ICE uses facial recognition from government agencies and commercial vendors when it encounters digital images of potential victims or suspects of a crime, but cannot connect them to identifiable information through other methods, according to the privacy impact assessment (PIA).
The PIA explains the differences between different face biometric processes, such as verification and identification, and notes the widely different capabilities and performance of different algorithms and systems. Accuracy rates and similarity scores or confidence levels are discussed, and the PIA makes clear that it does not assess the implications of HSI running its own system, but rather utilizing pre-existing government facial recognition services.
Like police, HSI does not use facial recognition matches as the sole basis for enforcement action, but as leads for corroboration and investigation, the PIA states. Agents are expected to exhaust biographical and other investigative methods, which must be tracked in ICE’s case management system, and only approved facial recognition services can be used. The approval process, including consideration of NIST’s FRVT in evaluating algorithms, is described. The process of submitting images and noting potential matches is detailed, including the use of candidate list size and the requirement that the confidence score for each match be noted.
The PIA lists types of facial recognition services HSI employs, including those operated by state and local agencies, regional and subject matter-specific intelligence fusion centers, federal agency services from DHS’ Office of Biometric Identity Management (OBIM), the Department of State Consular Consolidated Database (CCD), which stores all visa and passport records, the FBI’s Next Generation Identification System (NGI), and the Department of Defense’s ABIS.
Commercial vendors can also be used, with some limitations, including rules against using vendors that have violated the privacy settings of an open source system, as explained in a section that refers specifically to obtaining images by “scraping” websites.
The lengthiest section is on “Fair Information Practice Principles (FIPPs). The section sets out the principles of transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, security, and accountability and auditing, with privacy risks and mitigation measures identified for each principle except the last.
Notably, the PIA finds that the risk of a facial recognition service failing to provide adequate notice of how the data it collects will be used is found to not be mitigated, nor is the risk that subjects are unable to amend inaccuracies in commercial vendor collections. HSI has policies that may reduce the risk in both cases, and all others are found to be either mitigated or “being mitigated.”
“ICE HSI’s mandate to safeguard the nation and enforce immigration laws are aided exponentially through the use of third-party services that use facial recognition technology,” HSI concludes. “While the technology itself does have far reaching privacy implications, HSI has established processes and procedures to mitigate the impact of an FRS on individuals. Through proper collection techniques, candidate vetting, and supervisor oversight, HSI endeavors to use FRSs in as much of a privacy sensitive manner as possible.”