Follow-up Review of the FBI’s Progress Toward Biometric Interoperability Between IAFIS and IDENT

Evaluation and Inspections Report I-2006-007
July 2006
Office of the Inspector General


Executive Summary


This is the Office of the Inspector General’s (OIG) sixth review examining the ability of federal law enforcement and immigration authorities to share automated fingerprint identification information.1 In this report, we describe the progress since December 2004 toward achieving full interoperability between two automated fingerprint systems: the Federal Bureau of Investigation’s (FBI) Integrated Automated Fingerprint Identification System (IAFIS) and the Department of Homeland Security’s (DHS) Automated Biometric Identification (IDENT). We also describe the DHS’s efforts to make its United States Visitor and Immigrant Status Indicator Technology (US‑VISIT) system interoperable with IAFIS. Achieving full interoperability among these systems is intended to provide federal, state, and local law enforcement and immigration officials with direct, real-time access to information in the millions of criminal history and immigration records in IAFIS, IDENT, and US‑VISIT.

U.S. immigration authorities have long recognized the need for an automated fingerprint identification system to quickly determine the immigration and criminal histories of aliens they apprehend. The FBI and the former Immigration and Naturalization Service (INS), now part of the DHS, began discussing integrating IAFIS and IDENT in the early 1990s, when the two systems were under development. However, the agencies had a difference of opinion, stemming from the different purposes of their systems, as to the number of fingerprints to collect from apprehended individuals. The FBI created IAFIS to automate its Criminal Master File of 10 rolled fingerprints and serve the needs of the broader law enforcement community.2 The INS created IDENT using two flat fingerprints to quickly process large groups of apprehended aliens.3 Because of the different fingerprint collection methods, the FBI and INS systems could not initially share information. The inability of these immigration and law enforcement fingerprint identification systems to share information prevented law enforcement agencies from identifying fully the criminals and wanted aliens in their custody, and has led to tragic results. In March 2004, the OIG described one such case, in which border authorities twice released a man with an extensive criminal record attempting to enter the country illegally. He subsequently returned to the United States illegally and traveled to Oregon where he raped two nuns, killing one. Because the federal government’s immigration and law enforcement fingerprint databases were not linked, the immigration agents who stopped and released the man at the border never learned of his criminal record. (See IDENT/IAFIS: The Batres Case and the Status of the Integration Project, March 2004.)

In another report, published in December 2004, we found that the differing fingerprint collection requirements of the FBI and the DHS were one of two principal barriers that had created an impasse in achieving full interoperability between IAFIS and IDENT.4 In that report, we noted that the DHS and the Department of State (DOS), which is responsible for collecting fingerprints from visa applicants, had not agreed to implement the National Institute of Standards and Technology (NIST) recommendation of 10 flat fingerprints as the uniform method for collecting fingerprint information and for searching against large databases.5 We recommended that the Department report to the President’s Homeland Security Council or Congress that it had reached an impasse in interoperability planning and formally request that a decision be made on whether to adopt the NIST Technology Standard.6

In our December 2004 report, we also found that the DHS was checking most visitors’ fingerprints against an IDENT database supplemented by IAFIS extracts rather than against the full IAFIS database.7 Checking only a subset of the IAFIS database created a risk that criminal aliens or terrorists could enter the United States undetected, highlighting the need for immigration and law enforcement fingerprint identification systems to share information in order to fully identify the criminals and wanted aliens in their custody. We concluded that for the Department to effectively proceed with making IAFIS interoperable with the biometric fingerprint systems of the DHS, high-level policy decisions needed to be made regarding who should be subjected to fingerprint searches, the fingerprint collection standard to be used, which of the databases should be queried, who should have access to the information, how the information should be used, and who should maintain the databases. In that report, we made five other recommendations to the Department related to the provision of IAFIS extracts to the DHS, risk analysis, sufficiency of IAFIS’s capacity for conducting all of the fingerprint searches the DHS requested, upgrades to IAFIS’s performance, and IAFIS availability to users of the system.

In this follow-up to our December 2004 report, we examined interoperability planning documents; interagency correspondence; working group agendas; and IAFIS data on capacity, availability, and workload. We also interviewed officials from the Department, DHS, DOS, and NIST, and analyzed data from all four agencies. The scope of this report includes the interoperability progress made from December 2004 through June 2006. Because of the dynamic nature of the project, the details described in this report may change before the project is completed.

RESULTS IN BRIEF

The primary barrier to achieving full interoperability among federal biometric fingerprint systems was resolved in May 2005 when the DHS agreed to use 10 flat fingerprints as the standard for US‑VISIT.8 In response to that decision, the FBI and the DHS are implementing the first phase of a three-phase plan to make IAFIS and IDENT, including US‑VISIT, fully interoperable by December 2009. In the first phase, the agencies plan to deploy a joint automated system for near real-time sharing of certain key immigration and law enforcement data between the FBI and the DHS by September 3, 2006.9 The data to be shared are the FBI’s “Wants and Warrants” records that have fingerprints associated with them and the DHS’s “Visa Denial” and “Expedited Removal” records.10

In the remaining two phases, the FBI and the DHS plan to expand the data shared to include law enforcement and immigration data in IAFIS, IDENT, and US-VISIT and to allow access to that data by federal, state, and local law enforcement agencies, authorized non-criminal justice agencies, and immigration authorities.11 By December 2009, IAFIS and IDENT users are expected to be able to submit a single request that searches all fingerprint records maintained by the FBI and the DHS to receive associated criminal history and immigration information about the subject. As of June 2006, FBI officials stated that they are on schedule for achieving full interoperability among IAFIS, IDENT, and US‑VISIT by December 2009.

To support full interoperability, the FBI is upgrading IAFIS to process more flat (in lieu of rolled) fingerprint submissions, and the DHS is planning to modernize IDENT and convert US-VISIT from a 2‑ to a 10‑fingerprint system. The FBI and the DHS are also working to develop an estimate of interoperability costs; have identified technical, funding, and policy risks to achieving full interoperability; and have developed risk mitigation strategies.

To lessen the risk that criminal aliens or terrorists will enter the United States undetected before a fully interoperable system is available, the FBI has taken interim actions. These include providing daily transmissions of key terrorist records to the DHS, improving overall IAFIS availability and capacity for DHS fingerprint searches, and reducing the response time to DHS requests for checks of aliens’ fingerprints. However, Department officials feel that the DHS should initiate a risk analysis to determine how many individuals who are exempt from the US-VISIT requirements have records in IAFIS.

We now discuss in more detail the three-phase interoperability plan, IAFIS and IDENT upgrades and the US-VISIT transition to 10 fingerprints, interoperability cost estimates, interoperability risks, the FBI’s interim actions, and the risk analysis.

The FBI and the DHS are implementing the first phase of a three-phase plan for achieving full interoperability.

In May 2005, the DHS Secretary announced that the DHS would adopt a 10‑fingerprint collection standard for enrolling visitors into US‑VISIT, as recommended by the NIST. This decision resolved the primary barrier to achieving interoperability among the FBI’s IAFIS and the DHS’s IDENT and US-VISIT. The resolution of this issue allowed the FBI and the DHS to begin planning and implementing a three-phase approach to achieve full interoperability. In May 2005, the FBI, DHS, and DOS formed an Integrated Project Team (IPT) to develop a plan to achieve full interoperability in the following three phases: Interim Interoperability, Initial Operating Capability (IOC), and Full Operating Capability (FOC).

Interim Interoperability

The interim interoperability phase, currently being developed, is scheduled to be implemented by September 3, 2006. This phase uses an interim Data Sharing Model (iDSM), which is intended to enable the FBI and the DHS to directly access read-only copies of certain key law enforcement and immigration data from IAFIS and IDENT in near real time. By replicating the data (described below), the FBI and the DHS will each be able to conduct fingerprint searches against the other agency’s records at their respective locations. The replicated files will also provide a 24‑hour backup for those shared IAFIS and IDENT records. The FBI’s and the DHS’s replicated files are expected to initially accommodate up to 1 million records each. According to IPT planning documents, the iDSM will deliver the first interoperable biometric data capability between the FBI and the DHS and is intended to serve as a prototype for full interoperability.

For the iDSM to become operational, the FBI and the DHS must identify the records to be shared and then exchange those records. As of June 2006, the FBI and the DHS had each agreed to share read-only copies of the approximately 800,000 FBI Wants and Warrants records that have fingerprints associated with them, 16,000 DOS Visa Denial records, and 390,000 DHS Expedited Removal records. These three sets of records were identified as being the most useful to support FBI and DHS missions and IAFIS and IDENT users’ needs. FBI officials told us that, as of June 2006, the iDSM’s development was on schedule and that it is expected to become operational by September 3, 2006.

In addition to developing the iDSM to provide the initial interoperability capability, the FBI has taken steps to improve the records available to the DHS until the iDSM becomes operational. On November 30, 2005, the FBI began expanding the Wants and Warrants records extracted from IAFIS to provide the DHS with all newly issued or updated warrants created after November 2005, including those for U.S. citizens. Prior to November 30, 2005, the DHS had access only to a subset of the Wants and Warrants records that did not include U.S. citizens. The DHS’s immediate access to these additional records allows immigration officials to conduct fingerprint searches using more complete and current information.

After September 3, 2006, when the iDSM is expected to become operational, the FBI and the DHS plan to begin using and testing the iDSM by conducting fingerprint searches against the data and tracking the number of fingerprint matches. The FBI plans to enable three agencies to submit fingerprint searches through IAFIS to be run against the DHS’s records. The three agencies are the Boston Police Department, the Texas Department of Public Safety, and the U.S. Office of Personnel Management. Those agencies represent state and local law enforcement and a federal agency authorized to conduct fingerprint searches for non-criminal justice purposes. The FBI is planning to divide the initial iDSM search capacity of 1,000 daily fingerprint searches among those three agencies. The DHS is planning to use the iDSM to continue searching visitors’ fingerprints against the FBI’s Wants and Warrants records; once the iDSM is operational, the DHS will be able to conduct those searches against all Wants and Warrants records that contain fingerprints rather than a subset of the records.

Initial Operating Capability

The IOC development phase is scheduled to last approximately 22 months, beginning on September 4, 2006, and ending in July 2008.12 At the beginning of the IOC phase, the IPT must choose one of three technical solutions currently under consideration for achieving full interoperability. The three technical solutions are the shared data model, the shared services model, and the base case. Under the shared data model, the FBI and the DHS would independently maintain their own biometric (e.g., fingerprint) and biographic data (e.g., name, date of birth, social security number), but would provide a copy of the fingerprint data to the other agency. The receiving agency would be responsible for searching the data and requesting the associated biographic information when a match is encountered. The shared services model would not utilize copies of the FBI’s and the DHS’s fingerprint data. Instead, each agency would maintain control over its data by requesting that the other agency perform a fingerprint search and return the associated biographic information. Finally, the base case option refers to a slightly improved version of the operational iDSM, which the FBI stated would encompass the DHS’s efforts to modernize IDENT as they occur.

The FBI considers the iDSM to be a prototype of the shared data model because it allows the FBI and the DHS to access copies of each other’s fingerprint data located on their own servers. The iDSM also includes a shared services component in that the FBI and the DHS must each request immigration and criminal history data from the agency that owns the data when a fingerprint match is encountered. Although the FBI and the DHS have not made a final decision on the technical solution for full interoperability, they are implementing the iDSM to test the shared data approach.

During the IOC development phase, the FBI and the DHS expect to have access to one another’s basic immigration and criminal history information associated with any fingerprint searches that result in a match. Specifically, the FBI and the DHS plan to: (1) expand the data shared between them; (2) establish the initial fingerprint search capacity and storage needed for full interoperability; (3) allow federal, state, and local agencies limited access to immigration data, which includes basic biographic data; and (4) provide immigration authorities full access to criminal history information.

Expanded data sharing. During the IOC development phase, the FBI and the DHS plan to expand the data accessible to each agency beyond the records initially selected for sharing through the iDSM. With IOC, the FBI expects to have access to all biometric records in IDENT, and the DHS expects to have access to all biometric records from the IAFIS Criminal Master File.13 The method of providing this access will depend on which of the technical solutions (shared data or shared services) the IPT selects.

Fingerprint search capacity and storage. The FBI and the DHS also expect to establish the initial fingerprint search and storage capacity needed for full interoperability during the IOC phase.14 The FBI plans to conduct up to 1,000 initial fingerprint searches per day of selected criminal arrestees and federal employees in positions of public trust or national security against the DHS’s records in the iDSM. By the end of the IOC development phase, the FBI plans to increase those fingerprint searches to approximately 50,000 per day and increase the storage capacity to accommodate all the records that will be in IAFIS and IDENT by fiscal year (FY) 2009.

Federal, state, and local agencies’ limited access to immigration data. During the IOC development phase, the FBI plans to allow any agency – beyond the three pilot agencies – to request a fingerprint search against the DHS’s records. The agencies may be federal, state, or local law enforcement or civil agencies conducting non-criminal justice searches. The FBI’s current system receives approximately 60,000 search requests per day from all such agencies. Currently, FBI and other law enforcement personnel can obtain immigration data on a foreign national who is a “subject of interest” by submitting the subject’s name to the DHS’s Law Enforcement Support Center (LESC).15 During IOC, the LESC will continue to provide support to the FBI. When the FBI finds a match of a subject’s fingerprints against IDENT data, it plans to request the associated immigration data from the LESC. However, as of June 2006, FBI officials indicated that the amount and types of immigration data that the LESC would provide had not been determined. The FBI plans to request the data from the LESC by submitting an electronic request known as an Immigration Alien Query, to which the LESC will return an automated response. The FBI will then provide that response back to the requesting agency.

Immigration authorities’ full access to criminal history data. For criminal justice purposes, the DHS plans to obtain criminal history information through the existing procedure whereby it submits a query to the FBI’s National Crime Information Center. For non-criminal justice agencies (e.g., the DOS), the FBI will provide the criminal history information associated with a fingerprint match after it makes a positive identification in IAFIS.

Full Operating Capability

The FOC phase is scheduled to be developed over 17 months, beginning in July 2008 and ending in December 2009 with full interoperability. During the FOC development phase, the FBI and the DHS plan to: (1) provide complete, standardized data sharing between the FBI and the DHS; (2) increase fingerprint search capacity and storage to accommodate more transactions; and (3) allow federal, state, and local agencies full access to immigration data.

Standardized data sharing. By the end of the FOC development phase, IAFIS and IDENT users are expected to be able to submit a single request that searches all fingerprint records maintained by the FBI and the DHS to receive associated criminal history and immigration information about the subject. The searches are to be based on fingerprints, although interoperability planning documents indicate that expansion to palm prints, facial recognition, and other biometrically based methods may be developed and used by the agencies in the future in a final interoperability solution (beyond FOC). The method of providing this information will depend on which of the technical solutions (shared data, shared services, or a base case) the IPT selects.

Increased fingerprint search capacity and storage. FBI officials stated that by the end of the FOC development phase, the federal, state, and local agencies’ capacity to search against the DHS’s records will increase from the planned IOC capacity of approximately 50,000 transactions per day to approximately 200,000 per day, a level that according to FBI officials, will accommodate all requests. The FBI and the DHS are also planning to increase the storage capacity of the interoperability solution to accommodate all the records that will be in IAFIS and IDENT by FY 2010.

Federal, state, and local agencies’ full access to immigration data. By the end of the FOC development phase, the FBI and the DHS are planning to allow all federal, state, and local law enforcement agencies, as well as authorized non-criminal justice agencies, full access to the DHS’s immigration data, both benefits- and enforcement-related. However, the two agencies have not yet decided on the parameters of this access and must still make several policy decisions, including how law enforcement officials and authorized non-criminal justice agencies should use and safeguard the immigration data. With FOC, the LESC is expected to provide more comprehensive immigration information associated with fingerprint matches.

To support full interoperability, the FBI and the DHS are upgrading IAFIS and IDENT, and the DHS is preparing to convert US‑VISIT to 10 fingerprints.

Concurrent with the IPT’s efforts to implement full interoperability, the FBI and the DHS are independently upgrading IAFIS and IDENT to process 10 flat fingerprints. The FBI is implementing its Next Generation Identification (NGI) initiative, which includes the processing of flat fingerprints, and the DHS is planning to modernize IDENT and convert US‑VISIT from a 2‑ to a 10‑fingerprint system.

Upgrading IAFIS

The FBI began planning its NGI initiative (originally called Next Generation IAFIS), in early 2004 to provide IAFIS users with quicker and more accurate fingerprint searches and more complete criminal history information. The FBI now plans to implement NGI concurrently with the overall interoperability effort. The interoperability-related portions of NGI include processing an increased volume of flat fingerprints. The FBI currently accepts flat fingerprint submissions from only three entities: the DOS, the American Bankers Association, and the Ohio Bureau of Criminal Identification and Investigation.16 NGI is also slated to provide several new services, such as a specialized biometric database expected to provide quicker identification of certain criminals and terrorists and improved disposition data associated with criminal history records. According to the FBI, the interoperability‑related portions of NGI are tentatively scheduled to be completed by the end of the FOC phase in December 2009, pending the results of a study the FBI is conducting to determine IAFIS user needs.

Modernizing IDENT

The DHS is planning to modernize IDENT through an effort it refers to as “Unified IDENT” to accept, store, and process 10 fingerprints and improve fingerprint matching accuracy. The DHS also plans to provide more comprehensive individual alien history information, link its various immigration databases, and establish a “person-centric view” that the DHS expects will allow each individual with an immigration history to have only one identity (known as a unique identifier) in the system. Under the person-centric view, the DHS expects that users will be able to submit a single query and receive a consolidated response containing all benefits- and enforcement-related immigration information associated with the individual in question. The DHS is planning to begin modernizing IDENT during the interim interoperability phase and intends to complete the modernization effort during the FOC phase.

Converting US-VISIT to 10 Fingerprints

The DHS and the DOS have begun planning for the transition of US‑VISIT from a 2- to a 10-fingerprint enrollment standard during the interim interoperability phase. The DHS and the DOS currently enroll visitors to the United States into US-VISIT using two flat fingerprints and a digital photograph. DOS officials either enroll visitors at visa-issuing consulates before they travel to the United States or DHS officials enroll visitors at ports of entry upon arrival in the United States. When visitors subsequently re-enter the country, their two fingerprints are matched against their own enrolled fingerprints to verify their identity. Once the new US-VISIT enrollment standard is implemented, the DHS and the DOS plan to begin collecting 10 flat fingerprints from visitors using new scanners (described below), but to continue verifying visitors’ identities using 2 fingerprints.

To select new fingerprint scanners that will support the US-VISIT transition, the DHS formed a user group with representatives from the FBI, National Institute of Justice, DOS, NIST, and Department of Defense. The user group defined the criteria for fingerprint scanners that are faster, smaller, and more portable than the devices currently being used by the DOS and other agencies for capturing 10 flat fingerprints. The user group found two vendors capable of developing such scanners within 12 months. The user group plans to test and evaluate the scanners, once they become available, during the interim interoperability phase.

The DOS has begun a series of pilot projects to collect 10 flat fingerprints from visa applicants at selected consulates and embassies. The DOS began its first pilot project in San Salvador, El Salvador in April 2006 and is planning additional pilot projects in London, England in July 2006 and in Riyadh, Saudi Arabia in September 2006. To collect the fingerprints during the pilot projects, the DOS plans to use an existing type of 10-print scanner that the FBI certified as being in compliance with IAFIS. Once smaller, lighter scanners are available, the DOS plans to deploy the devices and require 10 flat fingerprint processing at its remaining consulates and embassies during the IOC phase. Because IDENT is not yet prepared to accept 10 fingerprints from the DOS, the DOS plans to continue transmitting 2 fingerprints to IDENT until September 2006, when IDENT is expected to begin accepting 10 fingerprints.

The IPT is estimating interoperability costs for the IOC phase.

The IPT is working on a cost-benefit analysis, which it expects to complete by August 2006, that will estimate the IOC interoperability-related expenses for the FBI, DHS, and DOS to make IAFIS, IDENT, and US-VISIT interoperable.17 Those expenses will include agency-specific initiatives needed for interoperability, such as a portion of the FBI’s NGI, the DHS’s IDENT modernization, and the DHS and DOS joint implementation of a 10‑fingerprint enrollment standard for US-VISIT. The final cost will depend largely on which of the technical solutions the IPT chooses for full interoperability. FBI officials noted that achieving full interoperability is dependent on the FBI, DHS, and DOS receiving adequate appropriations to cover all interoperability-related expenses.

The FBI has estimated costs for the first two interoperability phases.

Separate from the IPT’s cost-benefit analysis for IOC, FBI officials have developed FBI-specific cost estimates for the first two interoperability phases. For FY 2006, the FBI estimated a cost of $7.9 million for the iDSM and $24 million for the first portion of the IOC phase. In its FY 2006 appropriation, the FBI budgeted $18.9 million for interoperability-related expenses, most of which included reprogrammed funding. For FY 2007, the FBI estimated that $33 million will be needed for hardware and software for the IOC phase, and the FBI subsequently requested that amount in the President’s FY 2007 budget.

The FBI and the DHS have identified technical, funding, and policy risks and have developed mitigation strategies.

We examined whether the FBI and the DHS (through the IPT) have identified potential technical, funding, and policy risks that could delay full interoperability and whether they have developed corresponding mitigation strategies. We found that the IPT has developed risk management plans and mitigation strategies that appear reasonable for the overall interoperability effort. We also found that the FBI developed a risk management plan with mitigation strategies for its portion of the interim interoperability phase (iDSM).18

The IPT recognized several broad risks, including that it had limited time to develop, design, and deploy an interoperability solution; that there could be a lack of financial, personnel, or technical resources within participating agencies; that privacy issues may be of concern; and that IAFIS and IDENT users could misuse the data in the interoperable solution. In terms of the iDSM-specific risks, the FBI identified 57, and as of May 3, 2006, 18 were still considered open.19 The open risks involved areas such as schedule, technology, system reliability, cost, policy, privacy, and security. Among them were:

  • Purchase and receipt of iDSM equipment: The FBI recognized that the acquisition process for the hardware and software needed for the iDSM would be lengthy and could significantly delay the deployment schedule of the first interoperability phase. To address this risk, the FBI stated that the purchase of this equipment must be made by June 2006 and the equipment received by July 2006. As of June 27, 2006, FBI officials stated that they were in the process of purchasing the equipment.

  • Sufficient resources for the iDSM: The FBI recognized the possibility that insufficient resources could cause the first interoperability phase to fall behind schedule. To address this risk, the FBI stated it would apply Earned Value Management to optimize investment planning and control.20 Officials from both the FBI and the DHS have indicated that while implementation of the three interoperability phases is currently on schedule, delays in receiving necessary funding would push back the December 2009 target completion date for full interoperability. For example, FBI officials stated that if a purchase request is delayed by as little as 45 days, it could cause the FBI to miss a procurement cycle, which would push back each of the interoperability phases.

  • Protection of sensitive data to be shared through the iDSM: Because the data to be shared through the iDSM is considered sensitive, the FBI recognized the risk of not protecting this data and stated that owners of the data may need to restrict access. To address this risk, the FBI is working with privacy officials and conducting analyses to determine whether a privacy impact assessment is needed.21 The FBI also decided to limit the volume of data initially being shared through the iDSM.

Although these interoperability risks and corresponding mitigation strategies appear to be reasonable, the scope of our review did not include a thorough analysis of whether the IPT or the FBI identified all potential risks to the interoperability project and appropriately closed or mitigated those risks. Further, the FBI has not completed risk analysis plans for the remaining two interoperability phases, although FBI officials stated that they have begun identifying potential risks for the IOC and FOC development phases. We therefore encourage the FBI to continue regularly monitoring the overall risks to the project and to develop risk mitigation strategies for the IOC and FOC phases.

The FBI has taken action to lessen the risk of criminal aliens or terrorists entering the United States undetected.

Since our December 2004 report, the FBI has taken several steps to lessen the risk of criminal aliens or terrorists entering the United States undetected. As our previous report recommended, the FBI has increased the transmission of “Known or Suspected Terrorists” records to the DHS from monthly to daily (or as available), which allows the DHS to conduct searches of visitors’ fingerprints using the most current IAFIS extracts. Similarly, by improving the FBI’s IAFIS availability so that users can access the system 99 percent of the time, the FBI has lessened the risk that the DHS could unknowingly release aliens because it could not access IAFIS to determine whether the aliens had criminal records. Also, the FBI increased IAFIS capacity from 8,000 daily fingerprint transactions from the DHS in 2004 to 20,000 daily transactions in 2005, which is more than sufficient to handle the DHS’s current average daily workload for criminal checks. In addition, the FBI has significantly improved IAFIS response time and has implemented a “high priority” designation for DHS fingerprint transactions so that criminal aliens or terrorists can be identified more quickly.

No risk analysis has been conducted on the visitors exempt from the US-VISIT requirements.

During our 2004 review, Department officials proposed conducting a study to determine how many individuals whose fingerprints were in IDENT but who were not subjected to fingerprint searches against IAFIS had records in the IAFIS Criminal Master File. This population would have included both visitors subjected to US-VISIT and those exempt from the US‑VISIT requirements.22 The study would have provided the Homeland Security Council with more information to use in making a decision on a uniform fingerprint collection methodology for foreign nationals. Our December 2004 report encouraged the Department to undertake such a study.

However, after the DHS’s May 2005 decision to adopt the NIST Technology Standard, and the subsequent progress made toward achieving full interoperability, the Department announced that it was no longer planning to conduct the study. Given that the FBI and the DHS had already begun planning for full interoperability and were preparing to implement the iDSM, the Department stated, “it is less imperative from [the Department’s] perspective to conduct the study.” Nonetheless, Department officials stated that the study was still needed to assess the risk of unknowingly admitting criminal aliens into the United States, particularly those exempt from US‑VISIT, and suggested to the OIG that the DHS conduct the study.

Department officials stated that it would be valuable to know the “hit rate” (i.e., the number of hits against IAFIS records) of individuals exempt from US‑VISIT requirements, particularly the Border Crossing Card population. Department officials explained that because these visitors are not screened against IAFIS upon entry to the United States, the DHS does not know how many may have matches in the FBI’s database. The DHS could use that information to inform future immigration policy decisions, such as whether to expand the pool of individuals to which US‑VISIT applies. Because it is the DHS’s responsibility to prevent inadmissible aliens from entering the country, Department officials asserted that the DHS, not the Department, should undertake the study.

During this review, we asked DHS officials whether they intended to conduct a study similar to the one proposed by the Department using US‑VISIT or Border Crossing Card data. On March 29, 2006, officials from the US-VISIT office indicated that the need for conducting this study has been “overcome by events” because the DHS has already decided to implement a 10-fingerprint standard for US-VISIT.

We believe that until full interoperability is achieved in December 2009, the DHS’s policy of using IAFIS to check the fingerprints of less than 1 percent of the visitors subjected to US-VISIT will continue to create a risk that criminal aliens or terrorists could enter the United States undetected.23 Once full interoperability is achieved, this risk will be reduced because the visitors subjected to US‑VISIT will be checked against the full IAFIS Criminal Master File. However, this risk will not be eliminated because a substantial number of visitors exempt from US-VISIT, such as Border Crossing Card holders, will not have their fingerprints searched against IAFIS.

CONCLUSION

Since our December 2004 report, the FBI and the DHS have made progress toward achieving full interoperability among IAFIS, IDENT, and US-VISIT. The DHS’s decision to implement a 10-fingerprint enrollment standard for US-VISIT resolved 1 of the 2 barriers to interoperability that we identified in 2004. Since then, the FBI and the DHS have formed an interoperability working group and have began implementing the first phase of a three-phase plan to make IAFIS, IDENT, and US‑VISIT interoperable by December 2009. In the remaining two phases, the agencies plan to facilitate complete sharing of the immigration and law enforcement records in IAFIS and IDENT among federal, state, and local law enforcement agencies; authorized non-criminal justice agencies; and immigration officials. Although not completed, the decision to begin sharing immigration information with law enforcement officials through the iDSM partially resolves the second barrier that we identified in 2004. To support full interoperability, the FBI and the DHS are upgrading IAFIS and IDENT to process 10 flat fingerprints, and the DHS is preparing to convert US-VISIT to a 10-fingerprint enrollment standard.

The FBI and the DHS stated that they are on schedule for achieving full interoperability by December 2009. The IPT is estimating the interoperability-related costs for the IOC phase and has identified technical, funding, and policy risks to the overall interoperability effort, along with risk mitigation strategies. Until full interoperability is achieved, the FBI has implemented interim actions since December 2004 that lessen the risk of criminal aliens or terrorists entering the United States undetected.

Based on the results of our current review, we believe that the Department and the FBI have implemented actions to address our recommendations from 2004; therefore, we are closing them. However, there are still milestones and outstanding risks that need to be monitored as the interoperability project moves forward toward full interoperability among IAFIS, IDENT, and US-VISIT. For example, the IPT’s risk management plan for the iDSM states that the equipment purchase needed to be made by June 2006 and that the equipment must be received by July 2006. The FBI has noted that if a purchase request is delayed by even 45 days, it could cause them to miss a procurement cycle, which would push back each of the interoperability phases. The OIG plans to monitor the progress of the interoperability project, including the achievement of these and other milestones, until full interoperability is achieved.

Officials from the Department (including the FBI), DHS, and DOS provided informal comments on this report. Those comments reflected a general concurrence with the facts presented in this report.



Footnotes
  1. The previous five reports are: The Rafael Resendez-Ramirez Case: A Review of the INS’s Actions and the Operation of its IDENT Automated Fingerprint Identification System, March 2000; Status of IDENT/IAFIS Integration, December 2001; Status of IDENT/IAFIS Integration, June 2003; IDENT/IAFIS: The Batres Case and the Status of the Integration Project, March 2004; and Follow-up Review of the Status of IDENT/IAFIS Integration, December 2004. For a description of each report, see the Background and Appendix of the OIG’s December 2004 report, available at www.usdoj.gov/oig/reports/plus/e0501/index.htm.

  2. IAFIS contains the largest criminal biometric database in the world, the Criminal Master file, which stores over 50 million fingerprint sets and corresponding criminal history information submitted by federal, state, and local law enforcement agencies. The Criminal Master File records follow the law enforcement standard of taking prints from all 10 fingers by rolling and pressing each finger on either a scanner or a standard paper fingerprint record form (10 rolled prints). Fingerprints also may be taken by pressing fingers straight down (flat fingerprints) and from fewer than 10 fingers.

  3. The DHS subsequently designed US-VISIT to use IDENT to collect two flat fingerprints and a digital photograph from foreign nationals. IDENT contains the fingerprints of over 55 million individuals, including legitimate travelers and immigration violators. According to the DHS, IDENT processes 150,000 to 230,000 daily fingerprint identifications and verifications.

  4. The second principal barrier was that the DHS and the Department of Justice (Department) disagreed on the details of how to make “readily and easily accessible” to federal, state, and local law enforcement agencies the fully interoperable system specified in the USA PATRIOT Act (Patriot Act) and in subsequent congressional legislation.

  5. The NIST Technology Standard, issued in January 2003, calls for 10 flat fingerprints to be collected from foreign nationals and 2 flat fingerprints and a digital photograph to be used to verify a foreign national’s identity against an existing enrollment record.

  6. The Homeland Security Council, under the Executive Office of the President, is responsible for ensuring coordination of all homeland security-related activities among executive departments and agencies.

  7. At that time, the DHS was requesting IAFIS fingerprint searches on less than 1 percent of the visitors subjected to US-VISIT (about 800 per day) at ports of entry.

  8. The second barrier that we identified in our December 2004 report has been partially resolved. The DHS has agreed to provide the FBI and other law enforcement agencies with access to immigration data; however, the FBI and the DHS have not finalized a method of providing this access.

  9. According to the FBI, “near real time” means that information will be updated within 24 hours. However, the FBI plans to update this information more quickly after September 2006.

  10. Wants and Warrants are records of individuals with active warrants from the Wanted Persons file of the FBI’s National Crime Information Center. Visa Denials are the DOS’s “Biometric Visa Application Category 1 Critical Refusals,” which are fingerprint records from applicants whose visas were denied because the DOS determined that they posed a substantial risk to the United States. Expedited Removals are records of aliens removed from the United States because they lacked proper documentation or committed fraud when attempting to enter the United States.

  11. Authorized non-criminal justice agencies are those agencies permitted to request criminal background checks for employment, licensing, immigration, credentialing, and volunteer activities.

  12. The IPT’s plans call for the records in the iDSM to remain available for conducting fingerprint searches throughout the 22‑month IOC development phase.

  13. Information on individuals with protected identities (e.g., individuals seeking asylum or those enrolled in a witness protection program) will not be shared.

  14. If a shared data model or the base case is chosen, then the necessary capacity of the iDSM will have to be determined. If the shared services model is chosen, then the agencies will need to determine the necessary capacity of IAFIS and IDENT.

  15. The LESC – which operates 24 hours a day, 365 days a year – provides federal, state, and local law enforcement agencies with information about foreign nationals they encounter (e.g., immigration status, identity of individuals arrested or under investigation) by researching information available in various databases and criminal history repositories.

  16. To handle the volume of flat fingerprint submissions that will result from all visitors being enrolled into US-VISIT (approximately 43 million per year), the FBI has begun upgrading IAFIS search capacity.

  17. We attempted to obtain an estimate of the total interoperability-related expenses through the FOC phase but FBI officials stated that a total estimate was not available.

  18. FBI officials told us that the DHS has also devised risk management plans for its portion of the interoperability risks. However, we did not verify this with the DHS or examine those plans.

  19. The FBI closed a risk if: (1) it took action to mitigate the risk or render the risk moot, (2) it incorporated a specific risk with another one already being addressed, or (3) it determined that the probability of occurrence was low.

  20. Earned Value Management is a program management technique for estimating the performance of a project in terms of its budget and schedule while taking risk into consideration.

  21. A privacy impact assessment is an analysis of how an agency handles information on individuals to ensure it conforms to applicable privacy laws and policies. The E-Government Act of 2002 requires executive branch agencies to conduct privacy impact assessments when they develop or modify electronic collections of such information.

  22. Visitors exempt from US-VISIT (and therefore not subjected to fingerprint searches against IAFIS) include those with certain designated visa classifications, children under the age of 14, persons over the age of 79, Mexican nationals to whom the DOS has issued Border Crossing Cards for use along the southern border, and Canadians entering the United States across the northern border.

  23. To date, no known terrorists have been identified through the IAFIS extract process, only criminal aliens.



« Previous Table of Contents Next »