Follow-up Review of the FBI’s Progress Toward Biometric Interoperability Between IAFIS and IDENT
Evaluation and Inspections Report I-2006-007
Office of the Inspector General
This Background section describes the IAFIS, IDENT, and US‑VISIT systems; past efforts to achieve interoperability among the systems; the key agencies and working groups involved in the efforts to integrate the systems; and the findings from our December 2004 report that examined the status of the IDENT/IAFIS integration project and the disagreements between the Departments of Justice, Homeland Security, and State regarding development of an interoperable system.
Fingerprint Identification Systems
The IAFIS, IDENT, and US‑VISIT systems were designed by different agencies to provide fingerprint identification support for different requirements. A description of each system follows.24
IAFIS. The FBI developed IAFIS to store digitized fingerprints and criminal history records to assist federal, state, and local law enforcement agencies in identifying criminals. The FBI also built IAFIS to conduct non-criminal justice (civil) fingerprint background checks for employment and license applications and immigration benefits. Deployed in 1999, the IAFIS automated fingerprint identification system is operated by the FBI’s Criminal Justice Information Services (CJIS) Division. IAFIS contains the largest criminal biometric database in the world, the Criminal Master File, which stores over 50 million sets of 10 rolled fingerprints and corresponding criminal history information submitted by law enforcement agencies.25 IAFIS also contains a Civil Subject Index Master File, which stores non-criminal fingerprints (e.g., fingerprints of military, government, or authorized non-government personnel), and an Unsolved Latent File, which contains latent fingerprint images found at crime scenes.
IDENT. The former Immigration and Naturalization Service (INS) developed IDENT to identify and track individuals apprehended for illegally crossing the U.S. border and to identify recidivists (i.e., those apprehended more than once).26 Deployed in 1994, IDENT is an automated fingerprint identification system that matches two flat fingerprints from the right and left index fingers of apprehended aliens against similar fingerprint records contained in a database of over 55 million subjects that includes legitimate travelers and immigration violators.27 Those fingerprint records are organized into distinct enforcement- and immigration-related data bases:28
US‑VISIT. The DHS developed US‑VISIT as an entry/exit tracking system to collect, maintain, and share information on foreign nationals (visitors) in the United States so that immigration officials can determine whether these individuals should be prohibited from entering the country, have overstayed or violated the terms of their admission, or should be detained for law enforcement action. Deployed in January 2004, US-VISIT uses IDENT to collect two flat fingerprints and a digital photograph to provide the biometric identification for visitors. The fingerprints are taken either at ports of entry when the visitors arrive or by Department of State (DOS) employees at visa‑issuing consulates before the visitors arrive. The first time a visitor’s fingerprints are taken, they are checked against the US‑VISIT Watch List database (a “one-to-many” comparison) and enrolled into the US‑VISIT Enrollment database by the DHS (at ports of entry) or the DOS (at consulates).30 The US-VISIT Watch List and Enrollment databases contain the following records from IDENT:
Interoperability of Fingerprint Identification Systems
IAFIS and IDENT were not designed to be interoperable.
The FBI and the INS began discussing integrating IAFIS and IDENT in the early 1990s when the two systems were in their development stages. However, the agencies had a difference of opinion, stemming from the different purposes of the systems, as to whether the INS should collect 2 or 10 fingerprints from apprehended aliens. The FBI created IAFIS to automate its Criminal Master File and serve the needs of the law enforcement community. Because fingerprints at crime scenes may be from any finger, the law enforcement standard requires that officers take prints from all 10 fingers of a subject. Conversely, the INS created IDENT as an internal system to track aliens apprehended illegally crossing the border between ports of entry and to subsequently identify those who illegally crossed the border more than once. Because the INS frequently apprehended large groups of aliens that had to be processed quickly, taking 10 rolled fingerprints was deemed too time-consuming, and IDENT therefore was designed to use only 2 fingerprints.
Congress directed that fingerprint identification systems be interoperable.
Since the late 1990s, Congress has expressed concern that IAFIS and IDENT could not share data readily. After the terrorist attacks of September 11, 2001, Congress required that federal fingerprint identification systems be made interoperable so that aliens and visitors to the United States who are criminals or known or suspected terrorists can be more readily identified.
In the 2001 USA PATRIOT Act (Patriot Act), Congress required a “cross-agency, cross-platform electronic system that is a cost-effective, efficient, fully integrated means to share law enforcement and intelligence information necessary to confirm the identity of... persons applying for a United States visa....”32 The Patriot Act specified that this system be “readily and easily accessible” to all consulates, federal inspection agents, and law enforcement and intelligence officers responsible for investigating aliens.
In the Enhanced Border Security and Visa Entry Reform Act of 2002 (Border Security Act), which amended several provisions of the Patriot Act, Congress changed the description of the electronic system from integrated to interoperable. The Border Security Act, in its description of an “interoperable data system,” required that immigration authorities have “current and immediate” access to information in federal law enforcement agencies’ databases to determine whether to allow aliens to enter the United States.33
Congress directed that the NIST develop a technology standard for interoperability.
One of the requirements in the 2001 Patriot Act was for the Attorney General and the Secretary of State, working jointly with the National Institute of Standards and Technology (NIST), to develop a technology standard for verifying the identity of foreign nationals when they apply for visas at U.S. consulates and when they arrive at ports of entry.34 In response to this requirement, the NIST issued a Technology Standard in January 2003 for collecting fingerprints from foreign nationals. The NIST Technology Standard called for 10 flat fingerprints to be collected for initial enrollment into automated systems and for 2 flat fingerprints and a digital photograph to be used to verify an individual’s identity against an existing enrollment record.
US-VISIT did not incorporate the NIST Technology Standard.
Notwithstanding the NIST’s January 2003 recommendation of 10 flat fingerprints as the Technology Standard for enrolling individuals in automated systems, on July 18, 2003, the Homeland Security Council Deputies Committee approved US-VISIT’s use of 2 flat fingerprints and a photograph to enroll individuals during the system’s initial deployment at sea and air ports of entry.35 In September 2003, the DOS began deploying single-finger scanners at its consulates to prepare for the enrollment of visa applicants into US‑VISIT. On January 5, 2004, the DHS launched US‑VISIT at air and sea ports of entry.36
Integrated IDENT/IAFIS Workstations
In 2004, the DHS began deploying integrated IDENT/IAFIS workstations that allow DHS personnel to directly search IAFIS using 10 rolled fingerprints, and simultaneously enroll individuals into IDENT using 2 fingerprints.37 The purpose of the integrated workstations was to provide immigration authorities with access to criminal history information in IAFIS. Border Patrol agents use those workstations to check all aliens apprehended crossing the border illegally. In addition, inspectors at ports of entry use the workstations to check a small number of aliens who are referred to secondary inspection and denied admittance into the United States. However, the integrated workstations do not meet the goal of full interoperability because they are not multi‑directional; the FBI and other law enforcement agencies do not have direct access to the DHS’s IDENT.
When the DHS transmits an alien’s fingerprints to IAFIS using the integrated workstations, it uses a transaction referred to as a Ten-Print Rap Sheet (TPRS). TPRS transactions provide a quick response to searches of aliens’ fingerprints. When the DHS transmits an alien’s fingerprints to IAFIS, the system searches its Criminal Master File for a potential “hit” or match. If the alien’s fingerprints generate a potential match, IAFIS returns the criminal history file.
Key Agencies and Working Groups
Department of Justice. The Department’s Justice Management Division (JMD) has maintained oversight of the integration of IAFIS and IDENT since 1999. The Department’s Chief Information Officer (CIO) manages the integration project for the Department and represents the Department in meetings with the DHS and other agencies. The FBI’s CJIS Division maintains and operates IAFIS.
Department of Homeland Security. The DHS’s Bureau of Customs and Border Protection (CBP) employs Border Patrol agents and inspectors, whose mission includes preventing terrorists and criminal aliens from entering the United States and apprehending individuals attempting to enter the United States illegally. The US‑VISIT Program Management Office (US-VISIT office) manages US‑VISIT and is responsible for communicating with Department of Justice representatives and participating in interagency meetings. CBP and the US-VISIT office report directly to the DHS Deputy Secretary.
Department of Commerce. Scientists at the Department of Commerce’s NIST have been working with the FBI for over 30 years to research, develop, and improve fingerprint-matching procedures. They are currently working with representatives from the Department of Justice, the FBI’s CJIS Division, DOS, and DHS in regular interagency meetings and joint studies regarding fingerprint biometrics.
Department of State. The DOS’s Bureau of Consular Affairs is responsible for administering laws, formulating regulations, and implementing policies relating to consular services and immigration, including issuing visas (both immigrant and non-immigrant), and passports to U.S. citizens. Representatives from the Bureau of Consular Affairs work with the Department of Justice and the DHS on biometrics issues and participate in the interagency meetings regarding fingerprint identification issues.
Homeland Security Council Deputies Committee. The Homeland Security Council Deputies Committee is responsible for ensuring coordination of all homeland security-related activities among executive departments and agencies. It is the senior sub-Cabinet interagency forum for consideration of policy issues affecting homeland security, including fingerprint biometrics, and comprises officials at the deputy level (or their designees) from the Department of Justice, DHS, DOS, and other agencies. The Deputies have met regularly since January 2004 to discuss security issues, including the interoperability of IAFIS, IDENT, and US‑VISIT.
Policy Coordination Committee. Formed in January 2004, the Policy Coordination Committee reports to the Homeland Security Council Deputies on various executive branch issues, including current and future use of the fingerprint data contained in IAFIS, IDENT, and US‑VISIT. The Policy Coordination Committee is managed by the Office of Management and Budget, and its participants include representatives from the Department of Justice, DHS, and DOS.
Integrated Project Team. Formed in May 2005, the Integrated Project Team’s (IPT) mission is to achieve interoperability of biometric (e.g., fingerprint) information in the databases of the FBI and the DHS, and to share related biographic (e.g., name, date of birth, social security number), criminal history, and immigration information in real time or near real time with each other and federal, state, and local law enforcement agencies.38 The IPT includes representatives from the CJIS Division, the US-VISIT office, and the DOS, with occasional participation from the NIST and other officials. Within the Department of Justice, the Office of the CIO is responsible for monitoring the IPT and its progress and the CJIS Division is the lead component responsible for system development activities.39
The IPT consists of an Executive Committee and three sub‑teams: Business Requirements, which ascertains requirements from interoperability stakeholders and establishes operational consensus; Information Technology, which reviews the stakeholders’ requirements and advises the IPT on the most feasible technical solutions and logical approaches to design, development, and implementation; and Strategy and Policy, which ensures that the interoperability plan is consistent with FBI and DHS strategies and policies.
In September 2005, the IPT created two working groups to address different aspects of the interoperability effort. The Unique Identity IPT, led by the DHS, is addressing the modifications needed to enable US-VISIT (via IDENT) to make the transition to a 10-fingerprint enrollment standard.40 The Interoperability IPT, led by the FBI, is addressing all other issues related to making IAFIS interoperable with the DHS’s systems. Officials from the FBI and the DHS participate on both working groups and are responsible for jointly implementing interoperability between IAFIS and IDENT.
December 2004 OIG Report on the Integration of IAFIS and IDENT
In our 2004 review, we reported that efforts to achieve full interoperability had stalled because of two major barriers. The Department, DHS, and DOS still had not agreed on either a uniform method for collecting fingerprint information or on the extent to which federal, state, and local law enforcement agencies are to have access to the DHS’s immigration records. We also found that the DHS was using data extracted from IAFIS to supplement IDENT and was checking most visitors’ fingerprints against only IAFIS extracts, which created a risk that criminal aliens or terrorists could enter the United States undetected. Regarding the FBI, we found that IAFIS capacity was sufficient to handle the DHS’s projected daily workload, but the FBI was not prepared to process a large volume of flat fingerprints from the DHS and was not meeting its IAFIS availability requirement of 99 percent.
The Department, DHS, and DOS did not agree on a fingerprint collection standard.
The first major barrier to achieving interoperability between IAFIS and IDENT that we identified in 2004 was that the Department, DHS, and DOS had not agreed on a standard for collecting fingerprint information from foreign nationals applying at consulates for visas to visit the United States or seeking admission to the United States at ports of entry. The Department endorsed the NIST Technology Standard of 10 flat fingerprints for enrolling visa applicants and visitors in US‑VISIT because 10 fingerprints would reduce the number of false positives and offer more options for system design and interoperability.41 We also reported that the agencies were using various fingerprint collection methodologies:
See Appendix I for a table comparing the fingerprint collection methods used by the three agencies.
The Department, DHS, and DOS did not agree on how to provide law enforcement agencies with access to the DHS’s immigration records.
The second major barrier to achieving interoperability that we identified in 2004 was that the DHS and the Department disagreed on a method of providing federal, state, and local law enforcement agencies with the “readily and easily accessible” access to the IDENT database specified in the Patriot Act and in subsequent congressional legislation. Also, the DHS did not believe that the FBI or other law enforcement agencies should have access to US-VISIT records. The DHS maintained that position for several reasons, including that the information in IDENT is incomplete and could be misinterpreted, and the privacy of visitors enrolled in US-VISIT must be protected. However, the OIG report noted that without direct access to the DHS’s IDENT database, it is more difficult for federal, state, and local law enforcement agencies to identify illegal aliens they encounter.
The DHS used data extracted from IAFIS to supplement IDENT.
In our 2004 review, we described how, because the systems are not interoperable, the FBI is periodically providing the DHS with records extracted from IAFIS to supplement information in the IDENT Lookout database. However, there was some delay between when records are extracted from IAFIS and when they are entered into IDENT. For example, the FBI was providing the Known or Suspected Terrorists records to the DHS approximately once a month.
Further, a Department Metrics Study found some of the extracts to be incomplete and prone to errors, which could allow criminals or terrorists whose data has not been extracted from IAFIS to use falsified identity papers to gain entry into the United States.42 For example, one of the DHS’s selection criteria for referring visitors to secondary inspection relies upon self-reported data (e.g., place of birth), but aliens being arrested may lie about their nationality to avoid deportation. Also, many U.S. citizens have an unknown or foreign place of birth. That selection criteria was particularly problematic for the Wants and Warrants extracts because the records of U.S. citizens may be loaded into the IDENT database, while the records of some non-U.S. citizens and potential criminal aliens are not included. The Metrics Study found that the Wants and Warrants extracts failed to include 22 percent (121 of 541) of criminal aliens with active wants and warrants.
The DHS checked most visitors’ fingerprints only against IAFIS extracts.
Our 2004 report also noted that the DHS was planning to limit direct IAFIS fingerprint searches (TPRS transactions) to a small percentage of visitors who are referred to secondary inspection and not admitted to the United States.43 According to the DHS’s workload projections through 2005, only about 800 visitors per day – or 0.7 percent of the total projected visitors required to be enrolled in US‑VISIT in 2005 – would be subjected to direct IAFIS TPRS searches at ports of entry.44 The other 99.3 percent of visitors enrolled in US‑VISIT would be checked against the US‑VISIT Watch List, which contains extracts from IAFIS, but not against the full IAFIS Criminal Master File. We found that the DHS’s practice of checking 99.3 percent of the visitors’ fingerprints only against the limited data extracted from IAFIS and contained in the US‑VISIT Watch List increased the risk of admitting criminal aliens. As the Metrics Study showed, searching individuals directly against IAFIS resulted in a significant increase in the number of criminal aliens identified.
At the time of our 2004 review, the Department was interested in determining the risk posed by not checking all visitors against IAFIS. The Department proposed conducting a study to compare data from US-VISIT and other relevant immigration biometric databases against IAFIS. Also, we noted that while the IAFIS capacity of 20,000 daily TPRS transactions was sufficient to handle the then-projected DHS daily workload, if the DHS made a policy decision to request TPRS transactions on all visitors sent to secondary inspection, the resulting workload could exceed the IAFIS capacity.
The FBI was not prepared to process flat fingerprints from the DHS.
In 2004, we found that the FBI had recognized that it needed to upgrade IAFIS to begin accepting flat fingerprints (in lieu of rolled) for non-criminal justice (civil) purposes, such as in the case of employment and license applications or immigration benefits. At that time, the FBI had received approval from its National Crime Prevention and Privacy Compact Council to accept flat fingerprints, but had not yet begun receiving them.45 Further, although the FBI planned to begin conducting flat fingerprint searches, it was not prepared to process the large number of searches that would be required if the DHS were to start submitting 10 flat fingerprints from all visitors enrolled into US-VISIT.
IAFIS was not meeting its availability requirement.
In our 2004 review, we found that IAFIS was not meeting its availability requirement of being accessible to users 99 percent of the time. We determined that from November 2003 through April 2004, IAFIS was unavailable for a total of 161 hours, resulting in an average monthly availability of 96 percent. As a result, it was possible that some aliens whose criminal records were in IAFIS but not in IDENT would be released and allowed to enter the United States due to the system’s unavailability. For example, if IAFIS results are not received within about 10 minutes, which may happen if IAFIS is unavailable, immigration officials must make their decisions on whether to further detain aliens based only on the results of IDENT queries. Consequently, some criminal aliens who would have been identified through IAFIS queries may not be detained.
The OIG made six recommendations in our previous report.
In our December 2004 report, we concluded that for the Department to effectively proceed with making IAFIS interoperable with the fingerprint systems of the DHS and the DOS, high-level policy decisions needed to be made regarding who should be subjected to fingerprint searches, the fingerprint collection standard to be used, the databases to be queried, who should have access to the information, how the information should be used, and who should maintain the databases. We recommended that the Department seek to have the federal government address those decisions in a timely way. We made the following six recommendations to the Department:
As described in the Results of the Review section, our current review has found that the Department and the FBI have taken steps that were generally responsive to all of the recommendations we made in our December 2004 report.
|« Previous||Table of Contents||Next »|