Follow-up Review of the Status of IDENT/IAFIS Integration
E & I Report No. I-2005-001
The Office of the Inspector General (OIG) conducted this review to examine the Department of Justiceís (Department) and the Federal Bureau of Investigationís (FBI) preparations to support the expedited deployment of the initial integrated version of the Department of Homeland Securityís (DHS) Automated Biometric Identification System (IDENT) and the FBIís Integrated Automated Fingerprint Identification System (IAFIS). However, because we discovered significant disagreements between the Departments of Justice, Homeland Security, and State regarding the definition and required elements of an interoperable biometric fingerprint system, we broadened our review scope to include an analysis of these issues. We also reviewed the Departmentís plans to develop and deploy the next version of IAFIS, which will be required to complete the integration project.
In four reviews since 2000, the OIG has reported on the efforts to integrate IDENT and IAFIS. In those reports, we found that integration was moving slowly and would take years to accomplish fully. These reports were:
Since our March 2004 report, the use of IDENT/IAFIS at air, sea, and land ports of entry has been expanded to meet new DHS entry/exit and border security requirements implemented in the United States Visitor and Immigrant Status Indicator Technology (US-VISIT) system. These requirements include an entry/exit tracking system to collect, maintain, and share information on foreign nationals, including biometric identifiers. Several of the principal federal agencies that manage and use biometric databases, including the Department, the DHS, and the Department of State (DOS), are in the process of establishing the common elements of a comprehensive biometric fingerprint policy and its attendant procedures to meet the new requirements of the Enhanced Border Security and Visa Reform Act of 2002 (Border Security Act).
The Background section of this report provides a brief description of the IAFIS, IDENT, and US-VISIT systems; the efforts to integrate the IDENT and IAFIS systems; congressional direction regarding the interoperability of these biometric fingerprint systems; and the DHSís efforts to expedite the deployment of Version 1.2 of IDENT/IAFIS. The Background section also identifies each of the federal agencies involved in the IDENT/IAFIS integration and the sharing of biometric fingerprint information among these agencies.
The Results of the Review section is organized into three parts. Part I describes the FBIís short-term preparations for the DHSís expedited deployment of Version 1.2 of IDENT/IAFIS. Part II describes the barriers to further integration of IDENT and IAFIS, including differing positions on interoperability and the minimum elements required for an interoperable biometric fingerprint system, as defined by the National Institute of Standards and Technology (NIST). Part III describes the Departmentís progress on the recommendations in our March 2004 report.
To supplement the descriptions provided in the Background section, Appendix I contains a complete history of the IDENT and IAFIS systems, including summaries of our four prior reports and the efforts made by the DHS and the FBI to integrate the systems. Appendix II contains a list of acronyms used in this report.
Fingerprint Biometric Identification Systems
The IAFIS, IDENT, and US-VISIT systems were designed by three different agencies to provide biometric identification support for three separate purposes. The uses and basic operation of each system are described below, along with a brief summary of the effort to integrate IDENT and IAFIS.
IAFIS. IAFIS is the FBIís automated fingerprint identification system and criminal history file, operated by the FBIís Criminal Justice Information Services (CJIS) Division in Clarksburg, West Virginia. IAFIS contains digitized records of latent fingerprints (e.g., fingerprints found at crime scenes) and a Criminal Master File of more than 47 million sets of ten rolled fingerprints.16 IAFIS also includes a Civil Subject Index Master File, which contains fingerprints of non-criminals (e.g., military, government, or authorized non-government personnel). IAFIS includes three major components: the Automated Fingerprint Identification System (AFIS), the Identification Tasking and Networking (ITN), and the Interstate Identification Index (III). The AFIS is the search engine that matches fingerprint images, the ITN maintains the fingerprint image repository and manages workflow processes, and the III contains textual criminal history information on arrests and dispositions of criminal subjects.17
IAFIS provides fingerprint identification and criminal history services to the law enforcement community and others needing access to such data through a network of integrated systems. According to the IAFIS System Requirements Definition (SRD) document, the FBI provides "user identification services" to: "(1) authorized customers located at the over 62,000 law enforcement and criminal justice service agencies; (2) others who have an authorized justification (such as members of Congress or United States citizens requesting their own FBI record); and (3) FBI staff members who are identified as service providers [e.g., fingerprint examiners]."18 The five basic user identification services provided by IAFIS are:
TPRS and CAR transactions. In 2001, the CJIS Division developed the special Ten-Print Rap Sheet (TPRS) transaction for the DHS. The CJIS Division designed the TPRS, which refers to the criminal history file associated with an alienís fingerprints, to return a response within 10 minutes.
IDENT. IDENT was developed by the former Immigration and Naturalization Service (INS) to track individuals apprehended for illegal border crossing and to identify recidivists for possible criminal prosecution.21 The system matches two flat fingerprints from the right and left index fingers of detained aliens against similar fingerprint records contained in the following IDENT databases:
US-VISIT. At the direction of Congress, the DHS developed the US-VISIT entry/exit tracking system to "collect, maintain, and share information on foreign nationals, including biometric identifiers, through a dynamic system that determines whether the individual should be prohibited from entering the U.S.; has overstayed or otherwise violated the terms of her/his admission; should be apprehended or detained for law enforcement action; [or] needs special protection/attention (e.g., refugees)."23 The US-VISIT program is designed to provide "end-to-end management of data on foreign nationals covering their interactions with U.S. officials before they enter, when they enter, while they are in the U.S., and when they exit."24 As of November 15, 2004, the US-VISIT database contained the records (two fingerprints and a photograph) of over 10 million enrolled legitimate travelers to the United States.
Approximately 260 million foreign visitors seek admission to the United States annually. In 2005, about 43 million of these visitors (about 118,000 per day) will be subject to enrollment into US-VISIT. The 43 million visitors subject to US-VISIT include most individuals traveling to the United States on a visa and the nationals of the 27 countries participating in the Visa Waiver Program who do not require a visa if their stay for business or pleasure is less than 90 days. Visitors not subject to US-VISIT requirements include those with certain designated visa classifications, children under the age of 14, persons over the age of 79, Mexican nationals to whom the DOS has issued Border Crossing Cards for use along the southern border, and Canadians entering the United States across the northern border.
The DHS designed the US-VISIT system to collect two flat fingerprints and a digital photograph, and to query databases (such as the US-VISIT watch list and, for some visitors who will be refused admission, IAFIS) to ensure that the individual applying for a visa or seeking entry to the United States does not have any criminal or immigration violations before they are permitted to enter this country.25 The fingerprints are taken either at visa-issuing consulates overseas or at the ports of entry when the visitors arrive. According to the DHS Expenditure Plan, this pre-entry processing will establish one "gold standard" identity for each foreign national and will be used in all of his or her future travel to and from the United States.
The first time a visitorís fingerprints are taken, they are checked against the US-VISIT watch list and the visitor is enrolled into the US-VISIT database.26 When visitors subsequently enter or exit the United States, their fingerprints are only matched against their own enrolled fingerprints (a "one-to-one" verification match) to confirm the visitorís identity. In fiscal year (FY) 2003 and FY 2004, the DHS spent approximately $700 million on US-VISIT. The DHS anticipates spending up to $15 billion on the program in the next ten years.
Congress Directed that Biometric Identification Systems Be Interoperable
Beginning in 1999, Congress expressed its concern that the biometric identification systems of the FBI and the INS could not communicate, resulting in the INS encountering criminal aliens wanted by the FBI and releasing them without knowing that they were wanted. As documented in prior OIG reports on the Rafael Resendez-Ramirez and Victor Manual Batres cases, the failure to identify these criminals while they were in INS custody sometimes led to tragic results.
In the USA PATRIOT Act (Patriot Act) enacted on October 26, 2001, Congress directed the Attorney General and the Secretary of State, jointly with the NIST, to develop a technology standard for verifying the identity of visa applicants.27 Congress called for a "cross-agency, cross-platform electronic system that is a cost-effective, efficient, fully integrated means to share law enforcement and intelligence information necessary to confirm the identity ofÖpersons applying for a United States visa.Ö"28 The Department, the DOS, and the NIST were directed to "develop and certify a technology standard that can be used to verify the identify of persons applying for a United States visa or such persons seeking to enter the United States pursuant to a visa for the purposes of conducting background checks, confirming identity, and ensuring that a person has not received a visa under a different name or such person seeking to enter the United StatesÖ." The Patriot Act also specified that the electronic system should be readily and easily accessible to all consular offices, Federal inspection agents, and all law enforcement and intelligence officers responsible for investigating aliens.
The Border Security Act, enacted on January 23, 2002, amended several key portions of the Patriot Act, including the sections regarding the identification of aliens. Section 202(a)(2) of the Border Security Act required an "interoperable electronic data system to provide current and immediate access to information in databases of Federal law enforcement agencies and the intelligence community that is relevant to determine whether to issue a visa or to determine the admissibility or deportability of an alien."29 The Border Security Act also amended the Patriot Act by accelerating the deadlines and expanding the technology standard to be developed by the Department (now the DHS), the DOS, and the NIST (described in the paragraph above) to include "appropriate biometric identifier standards."30 The Border Security Act also required that the Department (now the DHS) and the DOS implement the technology standard at United States ports of entry and overseas consular posts, and to "issue to aliens only machine-readable, tamper-resistant visas and other travel and entry documents that use biometric identifiers."
In more recent legislation, Congress has become increasingly specific in directing that the biometric fingerprint identification systems operated by various federal law enforcement agencies work together. On April 20, 2004, Senator Judd Gregg, Chairman of the Commerce, Justice, State and the Judiciary Appropriations Subcommittee, which initially approved funding for the FBIís IAFIS, spoke about fingerprint compatibility and the continuing need for the DHS to become fully integrated with the FBI. Regarding the deployment of DHSís IDENT/IAFIS Version 1.2 workstations, Senator Gregg stated:
Workstations are only a one-way solution. Workstations give DHS access to IAFIS, but they do not give law enforcement access to immigration records. FBI and State and local law enforcement believe there are situations that require access to immigration records.
Five years have passed and $41 million has been provided and the systems are still not integrated. Extracting a sampling of IAFIS information every two weeks is not enoughÖeven daily extracts cannot substitute real-time information or full interoperability. The extracts do not include criminal histories. The need for criminal histories was made apparent in the 2002 case of Victor Manual Batres.
In reports accompanying the DHSís FY 2004 and FY 2005 appropriations bills, Congress gave specific directions regarding the interoperability of the IAFIS, IDENT, and US-VISIT systems.31 The Congress also urged increased coordination between the Department and the DHS, as shown in the following excerpts:
DHS Appropriations Bill, FY 2004 (Conference Report 108-280): The conferees believe that the success of US VISIT depends on the effective integration of biometrics into its systems and operations. The biometric infrastructure being built must be a viable long-term solution fully interoperable with the FBI [IAFIS] that meets biometric standards of [NIST].
DOJ Appropriations Bill, FY 2005 (Conference Report on H.R. 4818, Consolidated Appropriations Act, 2005): The conferees are troubled by the security gap on the nation's borders caused by delays in linking [IDENT]Ö.and [US-VISIT] with criminal history data contained in the [FBIís IAFIS]...With implementation of a new visa tracking system and enrollment of millions of visitors into US-VISIT, it is essential that the Federal Bureau of Investigation collaborate with the Directorate of Border and Transportation Security to ensure that IDENT and US-VISIT can retrieve, in real time, biometric information contained in the IAFIS database, and that the IAFIS database can retrieve, in real time, biometric information contained in IDENT and US-VISIT.32
The DHS Deployed Version 1.2 of IDENT/IAFIS Workstations to All Border Patrol Stations, and Committed to Deploying the Integrated Workstations at 179 Ports of Entry by December 31, 2004.
The March 2004 Batres report generated significant attention on the status of the integration project. In March 2004, approximately two months after the launching of US-VISIT, DHS officials announced plans for an expedited deployment of Version 1.2 IDENT/IAFIS workstations. In congressional testimony, DHS officials announced that the DHS was planning to expedite the deployment of Version 1.2 IDENT/IAFIS workstations to all Border Patrol stations and the 50 highest volume ports of entry by December 31, 2004.
During a March 4, 2004, hearing of the Homeland Security Subcommittee of the House Appropriations Committee, DHS Secretary Tom Ridge responded to questions regarding findings contained in the OIGís Batres report. When the Committee Chairman asked Secretary Ridge why the Border Patrol did not yet have instant access to the FBIís fingerprint records, Secretary Ridge responded, "ÖI think we can make a significant number of connections between the points of entry in the Border Patrol and the database this year with the dollars available in the budget. I think that can get us up to 65 to 70 percent of those connections."
It was unclear from Secretary Ridgeís congressional testimony whether the "65 to 70 percent" referred only to the Border Patrol stations (there are currently 136 nationwide), or also included the 331 United States ports of entry.33 According to US-VISIT Program Managers we spoke with, they interpreted Secretary Ridgeís reference to "65 to 70 percent" as applying only to Border Patrol stations. While the DHSís overall goal was to deploy IDENT/IAFIS workstations at 70 percent of the Border Patrol locations by the end of the 2004 calendar year, they were likely to exceed this goal and deploy the workstations to all Border Patrol stations by December 31, 2004. These same Program Managers indicated that in addition to deploying IDENT/IAFIS workstations to all Border Patrol stations, the DHS would also deploy the integrated workstations to 179 ports of entry by December 31, 2004. The 179 ports of entry will include all air and sea locations and the 50 largest land ports of entry. The DHS plans to complete deployment by December 31, 2005, when it installs workstations at its ICE investigative offices, detention locations, and the remaining ports of entry.
On September 21, 2004, the DHS issued a press release announcing the early completion of the deployment of the integrated workstations to all Border Patrol stations. Thus, the 1.1 million aliens apprehended by Border Patrol agents annually will now be processed with Version 1.2 of IDENT/IAFIS.34 The following table (Table 1) provides a brief chronology of relevant deadlines and actions taken by the Department, the DHS, and other entities prior to, and immediately following, the issuance the OIG Batres report in March 2004.
Key Agencies in the IDENT/IAFIS Integration
In response to the March 2004 OIG report on the Batres case and the status of the efforts to integrate IDENT and IAFIS, several other agencies, notably the DOS and the Department of Defense (DoD), have become more involved with the Department and the DHS as they decide how fingerprint biometrics should be collected and shared across the government. These agencies have also increased their coordination and communication with each other through participation in various interagency meetings. The following section describes each organizationís role in the IDENT/IAFIS integration, and the interagency meetings held to support the project.
Department of Justice
Justice Management Division. The Justice Management Division (JMD) is the Department component with direct responsibility for the IDENT/IAFIS integration project. JMD has had oversight of the integration project since 1999, when the Attorney General assigned JMD to coordinate the development of a plan to integrate IDENT and IAFIS.35 The Assistant Attorney General for Administration heads JMD, along with four Deputy Assistant Attorneys General (DAAG).
Management and Planning Staff. Within JMD, the Management and Planning Staff, under the DAAG for Policy, Management, and Planning, is responsible for the day-to-day coordination of the IDENT/IAFIS integration project. The Management and Planning Staff is responsible for compiling budget requests, creating project plans, conducting integration studies, publishing reports, attending regular interagency meetings, and working directly with Department and non-Department representatives on IDENT/IAFIS integration issues.
Office of the Chief Information Officer. The DAAG for Information Resources Management is the Departmentís Chief Information Officer (CIO), and is responsible for leading and implementing the efficient acquisition and management of information technology across the Department. The CIO is the highest ranking individual in the Department directly responsible for managing the IDENT/IAFIS integration project. The CIO represents the Department in meetings with the DHS and at high-level policy meetings with other non-Department entities, such as the Office of Management and Budget, the White House Homeland Security Council Deputies, and the CJIS Division.
Joint Automated Booking System (JABS) Program Management Office. The purpose of the JABS is to enable federal law enforcement agencies nationwide to share information on offenders, including fingerprint data. The system receives booking information from law enforcement agencies, stores it, then queries IAFIS for matching fingerprint and biographical data. The JABS Program Management Office ensures that all Department law enforcement components, the DHS, and other federal agencies have access to JABS data, and also oversees the data sharing process.36 The JABS Board of Directors is an oversight group for the JABS program that makes process and policy-related recommendations to the JABS Program Management Office.
FBIís Criminal Justice Information Services Division. The FBIís CJIS Division, located in Clarksburg, West Virginia, maintains and operates IAFIS. The CJIS Division has approximately 2,400 employees organized into the following three branches: Policy, Administrative and Liaison; Communications and Technology; and Operations. The Deputy Assistant Director (DAD) for the Operations Branch is responsible for identifying the funding needs of the various Operations Branchís priority projects and tasks. For the IDENT/IAFIS integration project, the Operations Branch DAD also serves as the FBIís liaison for policy issues with JMD, the DHS, and technical groups outside the FBI. Two of the Operations Branchís sections have direct responsibility for IAFIS -- the Information Technology Management Section (ITMS), and the Identification and Investigative Services Section (IISS).
Within the ITMS, the Requirements Management Unit (RMU) is responsible for identifying IAFIS user needs, developing system specifications, and conducting system testing. The RMU Chief works with other ITMS Unit Chiefs regarding IAFIS-related operations, systems, and technology support issues. The RMU Chief also serves as the technical liaison representing the CJIS Division at regular working group meetings with JMD and DHS staff. The IISS Chief attends meetings with JMD, the DHS, and other entities outside the FBI. The IISS houses the Divisionís approximately 250 fingerprint examiners who, when needed, verify fingerprint matches run through IAFIS. The fingerprint verification service is provided 24 hours a day, 7 days a week.
Department of Homeland Security
On March 1, 2003, the DHS assumed responsibility for national border security and enforcement of immigration laws. The DHS has five major divisions or "directorates." The largest one, the Border and Transportation Security (BTS) Directorate, manages the IDENT and US-VISIT systems. The DHSís operational immigration responsibilities are divided among three bureaus: the Bureau of Customs and Border Protection (CBP), the Bureau of Immigration and Customs Enforcement (ICE) (both units of BTS), and the Bureau of Citizenship and Immigration Services (CIS).
Bureau of Customs and Border Protection. The Border Patrol falls under the DHSís CBP, along with employees from the former U.S. Customs Service, the INS, and the Department of Agriculture. The CBPís mission includes preventing terrorists and criminal aliens from entering the United States and apprehending individuals attempting to enter the United States illegally. Over 40,000 employees, including Border Patrol agents and inspectors stationed at ports of entry, work for the CBP.
US-VISIT Program Management Office. The DHS manages US-VISIT through its US-VISIT Program Management Office. The Office includes the ENFORCE/IDENT Program Management Office, which in turn manages IDENT/IAFIS integration and deployment of integrated workstations.37 The Program Management Office staffís responsibilities include communicating with CJIS Division and JMD representatives and participating in meetings with non-Department entities.
Biometrics Support Center. The Biometrics Support Center is a DHS contractor facility that updates and maintains the IDENT lookout and apprehensions with alert database enrollments. It also provides DHS agents with an immediate response to (non-electronic) queries of subjectsí fingerprints. The Biometrics Support Center is staffed with fingerprint examiners, many of whom are former FBI personnel. The Biometrics Support Center also accepts search requests from local law enforcement personnel through a local immigration officer.
National Institute of Standards and Technology
The Commerce Departmentís NIST has statutory authority, along with the Secretaries of State and Homeland Security, to develop and certify a Technology Standard that includes biometrics, in order to verify the identity of individuals applying for a visa or using a visa to enter the United States. In developing this Technology Standard, the NIST evaluated government and commercial biometric systems, and published the results of its research, including recommendations, in several reports since 2002. Scientists at the NIST have been working with the FBI for over 30 years to research, develop, and improve fingerprint-matching procedures, and have created several fingerprint databases used to test new fingerprint identification algorithms and "live" fingerprint scanners, such as the types used by US-VISIT and IDENT/IAFIS. The NIST works with representatives from the CJIS Division, JMD, the DOS, and the DHS, and participates in regular interagency meetings with them and relevant contractors.
Department of State
To comply with the US-VISIT biometric identifier requirement, the DOS is currently deploying small single-finger electronic fingerprint scanners and digital cameras at all United States visa processing embassies and overseas consulates. The DOS US-VISIT deployment schedule indicates that, as of October 26, 2004, all of the approximately 214 visa-issuing consulates are required to transmit two flat fingerprints to query the IDENT/US-VISIT biometric watch list.38
Bureau of Consular Affairs. The DOSís Bureau of Consular Affairs is responsible for implementing policies relating to the broad range of overseas consular services and immigration, including the management of individuals applying for a United States visa. Representatives from the Bureau of Consular Affairs work with the DHS and the Department regarding biometrics issues, and participate in the interagency meetings regarding fingerprint issues. The Bureau of Consular Affairs is also overseeing several pilot projects with the FBI, in which United States consulates in Mexico (including Guadalajara and Monterrey) are taking ten flat fingerprints from visa applicants.
Department of Defense
The Secretary of the Army is responsible for biometrics within the DoD. The Armyís Biometric Management Office and Biometrics Fusion Center report directly to the Army CIO.
Biometric Management Office. Representatives from the DoDís Biometric Management Office have been working with FBIís CJIS Division since November 2003 to develop standardized policies for collecting, searching and sharing fingerprints collected overseas from military detainees and latent fingerprints gathered from investigation sites. As a result of this collaboration, the DoD is currently upgrading its technology to conform to the electronic fingerprint standards that IAFIS utilizes. The DoD is in the process of configuring its own automated fingerprint identification system and is coordinating with the CJIS Division. The Biometric Management Office representatives also participate in various inter-agency meetings.
Key Working Groups
The above groups have created several interagency committees and working groups to coordinate the sharing of biometric fingerprint information. They address topics ranging from policy and long-term issues, to meetings with working-level participants to discuss technical and operational issues. The committees and working groups include:
Because the scope of this review involves issues beyond the Department, including issues within the DHS, we coordinated this review with the DHSís Office of Inspector General. Our fieldwork consisted of interviews, site visits, and extensive documentation review.
Interviews. We interviewed individuals from the Department, the DHS, the NIST, the DOS, and the DoD. We also spoke to contractors working for the companies responsible for supporting the integration project.
Interviews with Department personnel. From the Department, we interviewed the CIO, his Special Assistant, and a Senior Program Analyst in the CIOís office. From JMD, we interviewed the IDENT/IAFIS and JABS Program Managers, and members of their staff. From the FBI, we interviewed the Assistant Director in Charge of the CJIS Division and members of his staff, including two Deputy Assistant Directors, two Section Chiefs, a Senior Information Technology Specialist, a fingerprint examiner, and several other senior personnel at the CJIS Division.
Interviews with DHS personnel. From the DHSís US-VISIT Program Management Office, we interviewed the Deputy Director of US-VISIT, and several IDENT/IAFIS Program Managers. From the Bureau of Customs and Border Protection, we interviewed the senior Border Patrol Officer responsible for IDENT/IAFIS, an inspector at the Dulles International Airport, and a Program Officer from the executive office of US-VISIT.
Interviews with the NIST, the DOS, and the DoD. From the NIST, we interviewed the chief scientist with principle responsibility for biometrics research. From the State Department, we interviewed the Deputy Assistant Secretary of State for Consular Affairs, and two members of her staff involved in biometrics. From the Defense Department, we interviewed the Director of the DoD Biometrics Management Office, a representative of the DoDís Office of the Assistant Secretary of Defense, and several contractors.
Site visits. We visited the FBIís CJIS Division in Clarksburg, West Virginia in order to interview FBI personnel and observe IAFIS system capabilities. We also visited the DHSís port of entry at Dulles International Airport to observe IDENT/IAFIS operations and US-VISIT entry/exit procedures, and to interview DHS staff. In addition, we attended the Departmentís Fingerprint Vendor Technology Evaluation meeting, and a presentation given by JMD and relevant contractors regarding their assessment of IDENT/IAFIS search accuracy.
Documentation review. We reviewed numerous documents, including the Departmentís and the DHSís updated deployment and budget plans; the most recent JMD Metrics Study; fingerprint biometrics studies conducted by the NIST and the FBI; IDENT/IAFIS integration status reports; recent congressional testimony and reports; FBI and US-VISIT system descriptions and performance data; interagency meeting minutes; and correspondence between representatives from the Departments of Justice, Homeland Security, and State.