Online Special Report

REPRINT

The FBI’s next generation identification database

Written by Jeremy L. Smith

Imagine a Marine lance corporal in Iraq who has just lifted palm prints off of a defused improvised explosive device (IED) found on the side of the road. The prints are securely forwarded to the FBI, which stores them. Three months later, the Department of Homeland Security (DHS) detains a suspiciously behaving person in the John F. Kennedy International airport. A quick run of the palm prints against the FBI database reveals a match to the IED maker. A terrorist with ill intent is apprehended through a more comprehensive and capable biometric data storage system.

In what some critics might view as a bit Orwellian, the FBI is opening a new front in the war on terrorism by planning to build the largest database of biometric data in the world. This database, known as “Next Generation Identification,” will aggregate and store faces, fingerprints, palms, tattoos, scars and irises, and will give the FBI (and likely other agencies such as the DoD, DHS, and more) unprecedented access to a warehouse of biometric information that far exceeds simple fingerprints. This information will be used in the fight against crime and terrorism.

The Criminal Justice Information Services (CJIS) division of the FBI, headquartered in Clarksburg, WV, has operated a program known as the Integrated Automated Fingerprint Identification System (IAFIS) for many years. This program provides automated fingerprint searching capabilities and other similar services. Agencies who submit a fingerprint query usually receive a fingerprint request in about two hours. The workers currently process around 130,000 fingerprint requests a day. According to its Web site, IAFIS is already “…the largest biometric database in the world, containing the fingerprints and corresponding criminal history information for more than 47 million subjects in the Criminal Master File.” NGI is the much-awaited upgrade to IAFIS.

http://www.fbi.gov/cjisd/cjis.htm

FBI CJIS Assistant Director Thomas E. Bush III noted that the NGI will be the “much-needed upgrade to the IAFIS database.” In a post 9/11 world, he said, the need to build a “bigger, faster, and better” database to warehouse and search criminal and terrorist characteristics is crucial to continued success in this fight. Bush stated that the IAFIS was originally designed to handle around 62,000 fingerprint requests. Today, it currently processes around 130,000. In the future, its numbers may grow as high as 200,000.

The NGI will be designed to address concerns about the volume of requests received as well as take the FBI aggregation and storage capabilities for new forms of biometric data into the future. In specific, the NGI offers the following crime / terrorist fighting benefits:

• More rapid response to traditional services like 10-print fingerprinting, which captures all 10 fingers of a person being fingerprinted;

• More comprehensive coverage of the individual through the use of biometrics such as irises, facial recognition, scars, tattoos, and palm prints;

• And a platform for future and continued development of biometrics technologies.

Why Are They Doing It?
Today, the need to quickly and efficiently identify criminals and terrorists is paramount. Many argue that the tools, technology and operations must evolve along with technology. We live in a technologically interconnected society that allows for the aggregation of large amounts of data. This data can now include biometric characteristics of people across the world. If properly aggregated, stored and controlled, the database could provide near-real-time access to treasure troves of information. This information, when in the right hands, has the ability to quickly identify criminals, known terrorists and others who may be suspected of nefarious activities.

In 2006, FBI Director Robert Mueller stated in an appearance before the Senate Committee on Appropriations, Subcommittee on Commerce, Justice, Science, and Related Agencies that: “While IAFIS was a state-of-the-art system at its inception, technology has since advanced, and we must update IAFIS in order to meet the needs of our customers. The FBI intends to meet these new requirements by implementing a Next Generation Identification system.”

Mueller later stated in a 2007 appearance before the very same committee that: “Access to these crime-solving services (IAFIS) and capabilities is even more important in a post 9/11 environment where the FBI may not always able to devote the level of special agent resources to violent crime as it has in the past. Over the past several years, state and local agencies have been provided grant funding to improve their digital forensic, DNA, automated fingerprint identification, and information-sharing capabilities. One of the consequences of these improved state and local capabilities are increased demand for services and access to the underlying and unifying FBI systems and connectivity.”

The budget for NGI has been reported—although not confirmed by the FBI—as about $1 billion.

NGI also provides a means for enhanced interoperability with other agencies or systems such as the Department of Homeland Security’s IDENT system and potentially foreign agencies in places like the United Kingdom. Britain’s National Policing Im-provement Agency recently announced an FBI-initiated program entitled “Server in the Sky,” where it seeks to interoperate its IDENT1 (not to be confused with the DHS’ IDENT) with the NGI database. The IDENT is a Department of Homeland Security-wide system for the collection and processing of biometric and limited biographic information for DHS national security, law enforcement, immigration, intelligence and other DHS mission-related functions, and to provide associated testing, training, management reporting, planning and analysis, or other administrative uses.

The Process
Bush, CJIS’ assistant director, said the NGI is not a biometric collection system. Rather, it is a database that stores and aggregates information sent to it. This information will come from law enforcement agencies that will do all of the heavy lifting, so to speak. Already today, if a criminal is arrested, his prints are transferred to the FBI. This same methodology will apply to the expanded biometric data the NGI can now store. If a sheriff’s department in Tupelo, MS has the equipment and software to capture an iris scan of an arrestee, that information can be transmitted and stored in the NGI.

This, however, is still a technologically complex effort, and the company that is eventually awarded the NGI contract will have a significant task on its hands. To that end, several technological steps have been undertaken to ensure data can be collected, transferred and stored in a consistent and interoperable manner.

From a technology perspective, NGI will be governed by the Electronic Biometric Transmission Specification (EBTS), which uses the ANSI/NIST-ITL 1-2007 standards from the National Institute for Standards and Technology to clarify communication activities. With an undertaking of this magnitude, standards will be important to ensure some degree of interoperability.

The FBI has updated its previous specification for electronic communication, the Electronic Fingerprint Transmission Specification (EFTS) 7.1, and replaced it with a new benchmark known as the Electronic Biometric Transmission Specifi-cation (EBTS). The EBTS provides an expanded scope to include new biometric capabilities such as iris, palm prints, and facial recognition. The EBTS standard, much like its predecessor, is designed to provide a means for standardized communications and interoperability between the FBI and software vendors who seek to leverage the database or create saleable products. In plain terms, the EBTS specification defines the requirements that an agency’s software must comply with when electronically communicating with the IAFIS. EBTS addresses 10 components:

1. Ten-print services
2. Latent services
3. Special population services
4. Image services
5. Palm print services
6. Photo services
7. Facial recognition services
8. Iris services
9. Rap back services
10. Other biometric services

ANSI/NIST-ITL 1-2007, or by its friendly name, “Data Format for the Interchange of Fingerprint, Facial, and Other Biometric Information,” helps to define “content, format, and units of measurement for the exchange of information that may be used in the biometric identification of a subject.” This standard provides a commonly accepted set of interfaces by which vendors and agencies across the world can abide while still maintaining interoperability. ANSI/ NIST-ITL 1-2007 clarifies units of measurement for the exchange of biometric data, including a list of mandatory and optional fields.

The differences between the EBTS and ANSI/NIST-ITL 1-2007 may not appear clear. The ANSI/NIST-ITL 1-2007 describes the standards by which this type of communication must occur in general and is non-specific to an agency. EBTS is the FBI’s specification that uses the standards described in the ANSI/NIST-ITL 1-2007 to provide a means for people to interoperate with the FBI.

For public safety agencies seeking to buy, upgrade, or maintain equipment or software that interoperates with the IAFIS or NGI, the FBI maintains a list of products on its Web site that are certified to the aforementioned standards.

Current and Future Challenges
An undertaking of this magnitude will certainly be fraught with challenges. A unique characteristic of any database is the aging of records stored in the database. In the case of the NGI, and in particular, facial recognition records, aging of records is a literal concern. As the people on record age or gain weight, or even suffer a disability, the value of the record potentially diminishes. The constant care and feeding necessary to make the images relevant is a formidable challenge.

In an apparent direct response to this concern, the U.S. government has provided an exemption to the NGI database from the subsection (e) (5) of the 1974 Privacy Act that states:

“Each agency that maintains a system of records shall maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination.”

However, the exemption states: “…in the collection of information for law enforcement purposes, it is impossible to determine in advance what information is accurate, relevant, timely and complete. With the passage of time, seemingly irrelevant or untimely information may acquire new significance as further investigation brings new details to light. The restrictions imposed by subsection (e)(5) would limit the ability of trained investigators and intelligence analysts to exercise their judgment in reporting on investigations and impede the development of criminal intelligence necessary for effective law enforcement. In addition, because many of these records come from other federal, state, local, joint, foreign, tribal, and international agencies, it is administratively impossible to ensure compliance with this provision.”

Essentially, the government recognizes the difficulty in keeping the database current. Privacy advocates would suggest that it appears that government itself has a lack of confidence in the system.

Arguments Against the Database
The opponents against the NGI, who include privacy advocates, suggest that the creation of the NGI system gives the government too much access to citizen’s personal lives. Beth Givens, a privacy rights advocate and author of numerous books on privacy, as well as the director of the Privacy Rights Clearinghouse, PrivacyRights.org, said, “Imagine this scenario: A large crowd gathers on the Mall in Washington D.C. to protest the war. Law enforcement officers scan the scene with digital cameras. Using the NGI system, the participants are then identified by their iris or facial patterns and are entered into a database of ‘dissidents’ by the federal government. The chilling effect of such a scenario could be immense.”

The crux of this argument stems from the notion that with systems like the NGI and its method of data collection, people are not given the right to choose if they want themselves to be recognized. Opponents of this position would argue that no such right exists, or perhaps that this is a small sacrifice for the greater good by allowing criminals to be identified easier.

The FBI, however, says that privacy opponents have this all wrong. In reality, Bush of the CJIS said, the NGI is an expansion of collection capabilities toward categories of people law enforcement agencies already have the right to target; namely, criminals and terrorists. Today, if you are arrested, law enforcement agencies are allowed to take your photograph, fingerprints, make note of scars, and in many cases, take your DNA. The NGI is simply and expansion of the types of biometric data being collected. Now, that arrestee will potentially provide palm prints, iris scans and more. Bush clearly stated that the NGI is not a wholesale, anonymous collection of biometric data on unsuspecting people. It is simply gathering more data about known or suspected criminals.

Another key argument against biometric databases questions the success rates of technologies like facial recognition. Germany, the world’s largest biometric products producer, conducted a field study of facial recognition scans in 2006. The results were less than stellar. During the day, recognition rates reached an unimpressive 60%. At night, in some cases, they plummeted to a low of 10%. Furthermore, Bush argued that for any biometric system to be effective, it has to be accurate and mature, and the FBI is seeking the highest standards of quality. In general, many law enforcement officials might suggest that any data that increases their chances to any degree would be welcomed in criminal or terrorist investigations.

Finding Precedence
There is some precedence for the NGI system in the United States. The DHS, as previously mentioned, has been experimenting with iris scans in airports as part of its registered traveler program. Of course, the collection of fingerprints themselves, long accepted by our society, is a form of biometric data collection. However, the United States is not alone in its efforts.

The United Kingdom, along with other countries like Canada, is seeking support of its “Server in the Sky” initiative. If successful, the initiative could tie together the UK’s IDENT1 databases with the NGI. Long-time partners from an operational perspective, this level of technological interoperability sets a new standard for cooperation between the FBI, the UK, Canada and other participating countries. For countries seeking new means to combat the increasingly effective criminal or terrorist, biometric data collection is an increasingly attractive proposition.

George Orwell’s “1984” is an image that many folks may associate with the Next Generation Identification database. According to the FBI, this image couldn’t be further from the truth. In reality, the NGI seeks to expand on existing collection capabilities from people they already have the right to collect data from, not an anonymous, “Big Brother” system.

Yet, to be fair, if not properly implemented and controlled, the risk of privacy violations could increase. If successful, the United States will be equipped with a powerful tool that can be highly effective in mitigating the activities of criminals and terrorists.

The Marine lance corporal on the battlefield and the TSA screener at the Kennedy Airport can both benefit from the more comprehensive aggregation and access to new forms of biometric data. Such capability and interagency cooperation has never been seen before from both an operational and technological perspective.

Jeremy L. Smith designs and implements security solutions for 9-1-1 call centers. He frequently writes about security topics in the public safety industry. He holds a Master of Science in IT management, and he is a former Marine.