GAO finds fed agencies ignorant about basic police biometric programs
It is hard not to picture a genie that has escaped its lamp after reading a new government accountability report about the use of facial recognition systems by U.S. federal agencies.
The Government Accountability Office has found lax oversight by the leaders of some federal agencies using biometrics for law enforcement. Managers of that subset generally do not track some basic information like which systems are being used by their employees, according to a new GAO report.
The GAO is a non-partisan watchdog agency set up by Congress to monitor the executive branch of the U.S. government.
In this case, investigators sent surveys about the use of facial recognition applications to 42 federal agencies that have law enforcement officers.
They wanted to know which agencies used the systems and, of those that did make use of them, which owned their tools, and which used tools created by non-federal organizations including states and private companies. Last, GAO investigators wanted to know what activities facial recognition systems supported.
(Agencies had the ability to withhold any information that managers felt was too sensitive for public consumption.)
The GAO has recommended that the agencies it deemed soft on monitoring the technology’s use make supervision a priority. They also should assess the risks of using someone else’s face biometric technology.
Twenty of the 42 agencies said they either own the technology they deploy or use technology owned by entities other than the federal government.
Some of the 20 would surprise few: the Bureau of Alcohol, Tobacco, Firearms and Explosives; the FBI and the Secret Service. Others would not be so obvious: the U.S. Fish and Wildlife Service; the U.S. Park Police and NASA.
Among the roles supported by face biometrics were criminal investigations, surveillance and remote ID verification in response to COVID restrictions, according to Gretta Goodwin, a member of the GAO’s Homeland Security and Justice team.
Fourteen agencies said they have searched pictures as part of criminal investigations. Six of the 14 said they used facial recognition on images taken of “unrest, riots, or protests” after the May 2020 death of George Floyd.
Three said they used the tool to identify people involved in what appear to be criminal acts during the January 6 insurrection. Goodwin said it is possible that more federal agencies might be involved in analyzing images from that event, too.
Those three known participants were the Capitol Police, Customs and Border Protection and the Bureau of Diplomatic Security, which is part of the State Department.
All of the 14 said that staff use facial biometric systems owned by entities other than the federal government, according to Goodwin, who spoke on the GAO’s Watchdog Report podcast.
But only one of those agencies knew what those systems were.
“When we asked one of the agencies about its use of non-federal systems,” said Goodwin, “officials told us that they had to poll their employees because the information was not maintained by the agency.”
Among other things, managers of the other 13 do not necessarily have adequate risk-management practices because they may not know how secure, accurate or private the systems are. That could mean that federal policies on those critical data points are not being followed.
There also is the possibility, especially with non-federal systems, that government officials themselves are not following privacy policies or laws, she said. It would be more difficult to monitor and audit actions taken on systems owned by other entities.
The National Institute of Standards and Technology is moving in the opposite direction, broadly opening discussions on how to increase trust.