Many federal law enforcement agencies are at risk of violating privacy laws and of improperly disclosing details of investigations by failing to track their employees’ use of facial recognition technology owned by third parties, GAO has said.
A witness told a House hearing that in polling 42 federal law enforcement entities, GAO found that eight owned such systems and another 12 used another entity’s system; those other entities included some non-government entities as well as other federal, state or local law enforcement agencies. The technology was used for criminal investigations as well as to support other activities, such as surveillance, traveler verification and area access.
However, only one agency, ICE, “had a mechanism to track what non-federal systems were used by employees,” GAO found. At one of the others, officials had to “work from their memory about their past use of non-federal systems.” At another, officials initially said employees did not use non-federal systems; “however, after conducting a poll, the agency learned that its employees had used a non-federal system to conduct more than 1,000 facial recognition searches.”
“When agencies use facial recognition technology without first assessing the privacy implications, there is a risk that the agencies will not adhere to privacy-related laws, regulations, and policies. There is also a risk that non-federal system owners will share sensitive information (e.g. photo of a suspect) about an ongoing investigation with the public or others,” the witness said.
Further, “although the accuracy of facial recognition technology has increased dramatically in recent years, risks still exist that searches will provide inaccurate results . . . Some members of Congress, privacy groups, and others have expressed concerns that facial recognition technology’s higher error rates for certain demographics could result in disparate treatment, profiling, or other adverse consequences for members of these populations.”
The witness said that agencies generally agreed with GAO’s recommendations that they track what non-federal systems with facial recognition technology are used by their employees and then assess the risks of using such systems.