Facial Recognition Services: Federal Law Enforcement Agencies Should Take Actions to Implement Training, and Policies for Civil Liberties
Fast Facts
Seven law enforcement agencies in the Departments of Homeland Security and Justice reported using facial recognition services that quickly search through billions of photos of faces to help identify a suspect in a crime scene image.
All 7 agencies initially used these services without requiring staff take facial recognition training. Two agencies require it as of April 2023.
Also, some agencies don't have policies specific to facial recognition technology to help protect people's civil rights and civil liberties. DHS plans to finalize a department-wide policy this year, but DOJ has faced delays in issuing one.
Our recommendations address this.
Highlights
What GAO Found
Seven law enforcement agencies in the Departments of Homeland Security (DHS) and Justice (DOJ) reported using facial recognition services provided by commercial and nonprofit entities. The agencies reported using four services in total from October 2019 through March 2022 to support criminal investigations. All seven agencies initially used these services without requiring staff take facial recognition training. GAO found that six agencies had available data and cumulatively conducted about 60,000 searches when they did not have training requirements in place. As of April 2023, two agencies began to require training.
Facial Recognition Services, Use and Training for Selected Agencies, April 2023
Note: The figure shows when agencies used the four services covered by this review (services used from October 2019 through March 2022), and when, if at all, agencies implemented training requirements for facial recognition services. The figure provides use and training information as of April 2023. See figure 6 of the report for more detail.
FBI officials told key internal stakeholders that certain staff must take training to use one facial recognition service. However, in practice, FBI has only recommended it as a best practice. GAO found that few of these staff completed the training, and across the FBI, only 10 staff completed facial recognition training of 196 staff that accessed the service. FBI said they intend to implement a training requirement for all staff, but have not yet done so. Such a requirement would help FBI ensure its staff understand how to use these services. Also, clarifying the status of FBI's training requirement would allow stakeholders to fully evaluate use of the service against FBI ethical and privacy standards.
GAO also found that three of the seven agencies had policies or guidance specific to facial recognition technology that address civil rights and civil liberties. The other four agencies—three in DOJ and one in DHS—did not have such policies or guidance. DHS has plans to finalize a department-wide policy by December 2023. DOJ has taken steps to issue a department-wide policy, but has faced delays. Developing a plan with time frames and milestones would help DOJ ensure it issues a policy to support staff in safeguarding civil rights and civil liberties.
Why GAO Did This Study
Law enforcement may use facial recognition services provided by commercial and nonprofit entities to help solve crimes. For example, these services allow users to quickly search through billions of photos to help identify an unknown suspect in a crime scene photo.
GAO was asked to review federal law enforcement's use of facial recognition technology. This report examines, among other issues, the extent to which selected DHS and DOJ law enforcement agencies used facial recognition services to support criminal investigations; required staff to take training on facial recognition technology to use such services; and developed policies and guidance specific to facial recognition technology to help protect civil rights and civil liberties.
GAO selected seven law enforcement agencies within DHS and DOJ based on various factors, including the number of facial recognition technology systems used. GAO reviewed documents, such as training requirements and policies for using facial recognition services. GAO also analyzed training records and interviewed agency officials.
Recommendations
GAO is making 10 recommendations, including that FBI implement a training requirement and clarify the status of its training requirement to stakeholders. GAO also recommends that DOJ develop a plan to issue a facial recognition technology policy addressing safeguards for civil rights and civil liberties. Agencies concurred with all 10 recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| United States Immigration and Customs Enforcement | The Director of ICE should establish and implement a process to periodically monitor whether HSI staff using facial recognition services to support criminal investigations have completed training requirements. (Recommendation 1) |
In September 2023, we reported that U.S. Immigration and Customs Enforcement's Homeland Security Investigations (HSI) did not have a process to periodically monitor whether staff were taking required training to use facial recognition services to support criminal investigations. We found that many HSI staff had taken the required training to use Clearview AI-a facial recognition service used by the agency. However, HSI did not have an established process to periodically review whether all staff with access to the service received required training. Consequently, we recommended that ICE establish and implement a process to periodically monitor whether HSI staff using facial recognition services to support criminal investigations have completed training requirements. In June 2024, the agency implemented its Clearview Account Validation and Verification Process. This established a process for HSI to ensure that only trained staff can receive access to create a Clearview AI account, including an annual review of this information. As a result, the agency will be better positioned to mitigate the risks that untrained staff using facial recognition technology present.
|
| Federal Bureau of Investigation | The Director of the FBI should clarify the status of its training requirement for staff using Clearview AI to FBI's AI Ethics Council and the Privacy and Civil Liberties Unit. (Recommendation 2) |
In September 2023, we reported that key FBI stakeholders--the AI Ethics Council and the Privacy and Civil Liberties Unit--were not given clear documentation on FBI training requirements for staff using a facial recognition service. Consequently, we recommended that the FBI should clarify the status of its training requirement for these key stakeholders. In December 2023, the FBI finalized its Facial Recognition Technology Use Policy Directive. The policy establishes a training requirement for FBI staff who use facial recognition services. In April 2024, FBI officials told us that FBI components identified as a stakeholder in a specific policy are required to review and provide comments during the collaboration phase of policy development. Because the AI Ethics Council and Privacy and Civil Liberties Unit are explicitly mentioned in the Facial Recognition Technology Use Policy Directive, officials stated that they reviewed and collaborated on the proposed policy. As a result, the AI Ethics Council and Privacy and Civil Liberties Unit can better evaluate whether the use of the facial recognition service complies with FBI ethical and privacy standards.
|
| Federal Bureau of Investigation | The Director of the FBI should implement a training requirement for staff using facial recognition services to support criminal investigations. (Recommendation 3) |
In September 2023, we reported that the FBI did not have a training requirement for staff using facial recognition services to support criminal investigations. FBI officials told GAO that a training requirement would be beneficial, and that the agency intended to implement a requirement, but that the agency had not yet done so. Consequently, we recommended that the FBI implement a training requirement for staff using facial recognition services to support criminal investigations. In December 2023, the FBI finalized its Facial Recognition Technology Use Policy Directive. This policy establishes a training requirement for FBI staff who use facial recognition technology services. According to the policy, the training must follow Facial Identification Scientific Working Group (FISWG) guidance. As a result, the agency will be better positioned to help ensure that staff using facial recognition services understand how to use these services and their limitations.
|
| United States Customs and Border Protection | The Commissioner of CBP should determine the extent that staff use facial recognition services to develop and share information in support of other agencies' criminal investigations (such as number of CBP staff that use the services and how often they do so). (Recommendation 4) |
In September 2023, we reported that U.S. Customs and Border Protection (CBP) did not know the extent that staff used facial recognition services. We also found that CBP did not require staff to complete training on facial recognition technology to access the two services it used and had not assessed whether training on the technology would benefit staff. Consequently, we recommended that CBP determine the extent that staff use facial recognition services and assess whether training would benefit staff using the services to develop and share information in support of other agencies' criminal investigations. In June 2024, CBP's Office of Field Operations (OFO) allowed the two facial recognition services to expire at the end of fiscal year 2023 and sent a memorandum directing all staff to discontinue use of such services. Additionally, OFO developed and deployed a web-based training course for CBP staff who plan to use any type of facial recognition services. The required training covers, for example, facial examination and feature analysis techniques, challenges when conducting facial analysis, and Department of Homeland Security (DHS) and CBP directives on the authorized use of these services. As a result of these actions, OFO will have greater assurance that staff have skills and competencies to use, and mitigate the risks of using, facial recognition services.
|
| United States Customs and Border Protection | The Commissioner of CBP should assess whether training would benefit staff using facial recognition services to develop and share information in support of other agencies' criminal investigations, incorporating information on the extent to which staff use such services. (Recommendation 5) |
In September 2023, we reported that U.S. Customs and Border Protection (CBP) did not know the extent that staff used facial recognition services. We also found that CBP did not require staff to complete training on facial recognition technology to access the two services it used and had not assessed whether training on the technology would benefit staff. Consequently, we recommended that CBP determine the extent that staff use facial recognition services and assess whether training would benefit staff using the services to develop and share information in support of other agencies' criminal investigations. In June 2024, CBP's Office of Field Operations (OFO) allowed the two facial recognition services to expire at the end of fiscal year 2023 and sent a memorandum directing all staff to discontinue use of such services. Additionally, OFO developed and deployed a web-based training course for CBP staff who plan to use any type of facial recognition services. The required training covers, for example, facial examination and feature analysis techniques, challenges when conducting facial analysis, and Department of Homeland Security (DHS) and CBP directives on the authorized use of these services. As a result of these actions, OFO will have greater assurance that staff have skills and competencies to use, and mitigate the risks of using, facial recognition services.
|
| Department of Justice | The Attorney General should ensure the Chief Privacy and Civil Liberties Officer works with DOJ components continuing to use facial recognition services to address outstanding privacy requirements, and update privacy documentation as appropriate. (Recommendation 6) |
As of March 2024, this recommendation remains open. DOJ officials said that its Chief Privacy and Civil Liberties Officer and the Office of Privacy and Civil Liberties regularly meets with DOJ components to discuss the privacy requirements, including applicable documentation, that apply to facial recognition technology. Additionally, DOJ officials said that in December 2023, the Department issued an interim policy that requires that components complete an Initial Privacy Assessment for every facial recognition technology system. However, to close this recommendation, DOJ will need to address the outstanding privacy requirements identified in our report and provide related evidence.
|
| Department of Justice | The Attorney General should ensure the Chief Privacy and Civil Liberties Officer collaborates with component program, acquisition, and privacy officials to evaluate components' adherence to the department's privacy compliance process for facial recognition services—taking into account the results of this report—and to remediate any deficiencies identified during their evaluation. (Recommendation 7) |
As of March 2024, this recommendation remains open. DOJ officials said that its Chief Privacy and Civil Liberties Officer and the Office of Privacy and Civil Liberties regularly meets with DOJ components to discuss the privacy requirements, including applicable documentation, that apply to facial recognition technology. Additionally, DOJ officials said that in December 2023, the Department issued an interim policy that requires that components complete an Initial Privacy Assessment for every facial recognition technology system. However, to close this recommendation, DOJ will need to ensure the Chief Privacy and Civil Liberties Officer collaborates with component program, acquisition, and privacy officials to evaluate components' adherence to the department's privacy compliance process for facial recognition services--taking into account the results of our report--and to remediate any deficiencies identified during their evaluation.
|
| Department of Homeland Security | The Secretary of Homeland Security should ensure the Chief Privacy Officer works with DHS components continuing to use facial recognition services to address outstanding privacy requirements, and update privacy documentation as appropriate. (Recommendation 8) |
In August 2024, DHS officials told us that the Chief Privacy Officer is working with DHS components to address the outstanding privacy requirements identified in our report and update privacy documentation, as appropriate. As a result, this recommendation remains open.
|
| Department of Homeland Security | The Secretary of Homeland Security should ensure the Chief Privacy Officer collaborates with component program, acquisition, and privacy officials to evaluate components' adherence to the department's privacy compliance process for facial recognition services—taking into account the results of this report—and to remediate any deficiencies identified during their evaluation. (Recommendation 9) |
In September 2023, we reported that Department of Homeland Security (DHS) components--U.S. Customs and Border Protection, U.S. Immigration and Customs Enforcement's Homeland Security Investigations, and the U.S. Secret Service--either did not fully address privacy requirements or determine whether certain privacy requirements apply to the use of their facial recognition services. Consequently, we recommended that the DHS Chief Privacy Officer collaborate with component program, acquisition, and privacy officials to evaluate components' adherence to the department's privacy compliance process for facial recognition services while taking into account the results of our report. In April 2024, several DHS stakeholders, including the Chief Privacy Officer, Officer for Civil Rights and Civil Liberties, and Chief Information Security Officer, completed a review of component adherence to privacy requirements for facial recognition services. The review identified deficiencies for the components in our review, including actions that each component could take and have taken to remediate the deficiencies. As a result of this action, DHS is better positioned to address privacy requirements, thereby increasing transparency in the department's use of facial recognition services.
|
| Department of Justice | The Attorney General should develop a plan with time frames and milestones for issuing its facial recognition technology policy that addresses safeguards for civil rights and civil liberties. (Recommendation 10) |
In September 2023, we reported that the Department of Justice (DOJ) intended to issue a department-wide policy on the use of facial recognition technology and had taken steps to do so. However, DOJ had faced delays in its efforts and did not have a plan with time frames and milestones to issue such a policy. Consequently, we recommended that DOJ develop a plan with time frames and milestones for issuing its facial recognition technology policy. In December 2023, DOJ issued its Interim Policy on the Use of Facial Recognition Technology, which covers information such as the scope of use, developing and implementing training requirements, protecting privacy and civil liberties, and identifying potential risks to civil rights protections. As a result of this action, DOJ is better positioned to safeguard civil rights and civil liberties when using facial recognition technology.
|