Glenn A. Fine
Inspector General
U.S. Department of Justice
950 Pennsylvania Avenue NW, Suite 4322
Washington, D.C. 20530-0001
Dear Mr. Fine:
Thank you for the opportunity to comment on the draft report entitled,
IDENT/IAFIS: Follow-up Review of the Status of IDENT/IAFIS Integration. Clearly
we all share the goal of protecting our nation. We believe the issue of
IDENT/IAFIS integration to be extremely important to the Department of Homeland
Security's (DHS) primary mission to protect American's homeland and its
citizens and visitors. We welcome efforts to improve the communications and
data exchange between DHS and the Department of Justice (DOJ). We also agree
that further communications and interoperability must continue between the
several departments involved in biometrics that are cited in your working
draft.
We would like to note that there are several inaccuracies and incorrect
assumptions in the draft report. In addition, we would propose alternative
recommendations for your consideration as to how to move forward. Our relevant
comments appear in the enclosure.
Please let me know if you have any questions. You or your staff may also contact
Tom Hamer of US-VISIT at (202) 298-5206 for additional information
Sincerely,
(signed)
Asa Hutchinson
Under Secretary
Border and Transportation Security
Enclosure
Comments from the Department of Homeland Security on the
Department of Justice Inspector General Draft Report IDENT/IAFIS: Follow-up Review of the Status of IDENT/AFIS
Integration
- Requirements of the USA PATRIOT Act were fulfilled. After having reviewed
all pertinent technical studies by NIST and having considered all other
relevant factors such as operational constraints and implementation costs, the
Homeland Security Council (HSC) Deputies Committee, including representatives
from the Department of State, the Department of Justice, the Department of
Homeland Security, and the National Institute of Standards and Technology
(NIST) decided on July 18, 2003, to establish as the technical standard for the
US-VISIT Program two index fingerprints and a photo. Through this decision by
the Deputies Committee, the requirements of the USA PATRIOT Act were fulfilled.
The USA PATRIOT Act did not assign to NIST the sole responsibility for setting
the technology standard, as your report indicates.
The Deputies Committee also decided that the Department of State (DOS), the
Department of Homeland Security (DHS), and the Office of Management and Budget
(OMB) should conduct planning for a migration to the use of eight fingerprints.
That was based on concern expressed by NIST that when the US-VISIT enrollment
database grows to a certain size, the result might be a large number of false
positive fingerprint matches that would require the hiring of an excessive
number of fingerprint examiners to review. In other words, the primary concern
was one of workload relating to clearing fingerprints through the US-VISIT
enrollment database. The planning to be undertaken, in the decision of the
Deputies Committee, did not relate to ten fingerprints and the use of the
ten-print IAFIS fingerprint system. The problem of false positives has not
materialized; however, the Department of Homeland Security is conducting
appropriate planning to support the move to an eight-print system when
appropriate.
- US-VISIT has been an unprecedented success
. DHS and DOS have engineered the single most significant change to the visa
issuance and U.S. border inspections process ever. To date, over 13 million
travelers have been processed through US-VISIT, biometrically matching their
identity with their visa/passport. At ports of entry over 1,500 persons have
been identified off the watch list, and hundreds have been denied entry. At
consular posts, over 3,500 have been identified off of the watch list assisting
DOS with the adjudication of visa issuance or denial. All of this has been done
without increasing wait times or impacting legitimate trade and travel, and
while protecting the privacy of travelers.
-
The draft report is misleading when it states that NIST research showed that ten
"flat" fingerprints can be taken almost as quickly as two flat fingerprints.
This would lead one to believe that the additional 1 0-15 seconds required to
take ten prints of 43 million visitors per year is operationally feasible. Even
discounting the processing time required, the additional 10-15 seconds required
for print capture would have an enormous impact. It would require a significant
number of additional inspectors and consular officers as well as significant
facility modifications to handle the increase in wait times. This statement
shows a lack of understanding of DHS and DOS operations.
-
US-VISIT does not use the same architecture as IAFIS. The draft report
is also misleading in that it incorrectly equates the Mitre study of the FBI's
IAFIS system with the DHS IDENT system. The Mitre study, referred to in the
draft report, analyzed the FBI architecture, which requires use of all 10
prints in order to filter the database down to a small enough size to do a
comparison on the two index prints. IDENT does not use this type of filtering
in its architecture. Adding 10-prints to IDENT would actually add additional
time to the process because IDENT would need to make more matches, not fewer.
-
US-VISIT is not IDENT/IAFIS. The report incorrectly assumes that the
US-VISIT Program has the same set of requirements as that which generated the
need for IDENT/IAFIS integration. The component of IDE NT that US-VISIT uses is
a traveler identification system with lookout capability. It is not designed
for booking criminals. The primary US-VISIT database contains the biometrics of
over 10 million enrolled legitimate travelers to the United States. This is a
separate from the IDENT lookout database that receives daily extracts from
IAPIS.
The original intent behind IDENT/IAFIS integration was to provide quick access
to criminal history information to INS officers during the apprehension
process. Future versions were to give state and local law enforcement
organizations access to IDENT immigration apprehension information. The
US-VISIT enrolled population is not comprised of immigration violators.
- IAFIS, as currently architected, cannot meet DHS operational requirements.
The report incorrectly assumes that the FBI's IAFIS system could be used for
US-VISIT purposes; that taking 10-prints for every traveler at ports of entry
and submitting these to the FBI's IAFIS would both solve most of the
interoperability issues and be beneficial. This assumption is inaccurate for
the following reasons:
-
Not all criminal history records are relevant to all DHS decisions. For
example, our analysis has shown that only a small percentage of the information
contained in the FBI database is for wanted persons or has a bearing on whether
the individual will be admissible to the U.S. A U.S. officer on port-of-entry
primary does not have the time, and more importantly, the need to review the
vast majority of these records.
-
IAFIS' response time on a Ten Print Rap Sheet Request (TPRS) electronic query
is approximately 10 minutes. This is the best response time currently
available. An inspector at primary currently enjoys a response time of less
than 10 seconds.
-
IAFIS does not have the capacity to handle the volumes associated with
US-VISIT. Factoring in the DOS, land border, and exit, the number of
transactions may reach as much as 180,000 per day, which would be nearly 10 to
20 times the current capacity of a TPRS IAFIS search.
-
IAFIS' availability is not adequate for real-time operations. Over the last six
month period, IAFIS averaged two days per month of down time (planned and
unplanned). Planned outages have recently been occurring almost monthly.
Unscheduled outages are a significant problem with IAFIS as well. For example,
at the time of the writing of this response, IAFIS has been down numerous times
for unscheduled outages -once for as long as two hours -in the last two weeks.
-
IAFIS does not have any backup capability as your working draft correctly
noted. IAFIS resides in a single location, with tapes stored off site. It would
be impossible to bring the system back on line in any reasonable period of
time, should something happen to its primary location. US-VISIT IDENT has
redundant search capability -residing in Rockville, Maryland, and Dallas,
Texas, with failover capability between the two.
-
The costs of moving to an FBI-based 10-print solution are significant and given
FBI's current inability to respond to operational time constraints with
information focused and relevant to the decision, with little benefit. Even
discounting the significant cost to the FBI required to restructure the IAFIS
architecture to provide the capacity to perform the transactions quickly and
improve the reliability/availability, the costs to DHS are prohibitive.
Capturing 10 prints would require hundreds of additional inspectors, and
significant facility modifications at the ports.
The report asserts that there would be cost savings for moving immediately to a
10-print capture system. DHS believes that this assertion is erroneous and
without justification. The US-VISIT IDENT system required an initial investment
of$70 million with an additional operating cost of approximate $15 million per
year. Although these costs are not insignificant, the cost of moving to a
10-print FBI solution would be far greater. DHS recognizes that biometric
technology is constantly evolving. And although it is not technically or
economically feasible to do this at this time, with advances in capture and
matching technology, it may be technically feasible to move to a multi-print
system in the future. However, even if it were possible, the potential huge
disruption to the travel and tourism industry, due to increased processing
times and cultural resistance associated with criminality, must be analyzed
prior to making these significant investments.
- The findings of the JMD criminality study cannot be extrapolated to the US-VISIT
population
. The report draws an incorrect comparison between results from the Justice
Management Division (JMD) metrics criminality report and US-VISIT. By
definition, the populations are fundamentally different. US-VISIT contains
information on travelers. The individuals described in the JMD report have
already been arrested by the Border Patrol. By trying to cross the border
illegally, these persons have already shown a disregard for the law, and in
many cases it will not be their first time. This is precisely why DHS
accelerated the deployment of the fully integrated IDENT/IAFIS terminal to all
Border Patrol locations.
-
The draft incorrectly cites organizational responsibility. The working
draft cites the Department of Justice and Department of State under the
Enhanced Border Security Act as being responsible for implementing appropriate
biometric identifier standards at ports of entry and overseas posts. This is
now the responsibility of DHS and DOS. DHS has developed an alternative
proposal for how to address the need for IDENT/IAFIS interoperability,
especially in relation to US-VISIT. This path is designed to achieve
appropriate data exchange between DOJ and DHS.
-
DHS will monitor performance. DHS and the Department of State are aware
of both the capabilities and limitations of the biometric systems employed by
US-VISIT. DHS / US- VISIT continues to closely monitor the IDENT system and
work with the NIST with the goal of improving system performance including
false positive rates, accuracy rates, and system throughput. We will move to a
multi-print system at the appropriate time to improve system performance.
-
DOJ and FBI are participating in DHS's US-VISIT Strategic Plan. DOJ and
FBI are part of the team working on US-VISIT's Strategic Plan. The Strategic
Plan will outline the business functionality needed for the immigration and
border management enterprise, the technology, data, and facilities needed to
support that functionality, and the business case that justifies the program.
Providing DHS and DOS access to IAFIS information will be included as part of
this US-VISIT Strategic Plan.
The following are recommendations that DHS would like to see added to the
report:
- IAFIS modernization should support DHS's operational needs. DHS would like an
expanded role for DHS/Border and Transportation Security, US-VISIT, and DOS in
the FBI's ongoing IAFIS modernization effort. As large customers of IAFIS, DHS
would welcome the opportunity to inform the FBI of future requirements and
operational needs. In particular, DHS would strongly emphasize the need to:
-
Improve availability/reliability (up time and failover);
-
Increase availability of terrorist prints;
-
Re-architect IAFIS and NCIC to allow searches by offense; and
-
Improve system capacity and system response time.
-
DHS would like the third recommendation in the draft report instead to ask the
FBI to work with DHS to determine which IAFIS records are relevant in the
determination of admissibility.
DHS believes the FBI should immediately provide the relevant criminal history
records to DHS. DHS is currently conducting a study to determine which records
in IAFIS provide the highest value to immigration and border management
decision makers so that access to these can be prioritized, while the more
difficult interoperability challenges are architected. We were disappointed
last year when the criminal history records of aliens of unknown origin were
requested so that they could be included in our IDENT lookout database, and the
answer was that it would take 720 days (the working draft says six years). It
should be a top priority to provide this information to DHS since this
information has the highest relevancy for DHS's mission.
-
DHS and the FBI should finalize the Memorandum of Understanding (MOU) to
clearly articulate how data should be shared and used, and to protect the
privacy of our visitors. DHS has provided the FBI with access to US-VISIT and
immigration violator data. DHS has provided user accounts to FBI analysts and
provided extracts of data to IAFIS in support of DOJ operational needs. DHS did
this in good faith that a memorandum of understanding will be agreed upon that
provides for information sharing with DOJ/FBI and ensures that the necessary
protections are clearly delineated so that DHS can ensure that the privacy of
legitimate travelers is properly protected through explicit procedures for
access to the data and normal audit provisions are included.
-
The FBI should actively work to improve the quality of IAFIS and NCIC data.
.Provide final dispositions (i.e., not just fact of arrest);
-
Provide full criminal history response (FBI queries certain individual state
repositories to get full recent criminal history information; FBI does not do
so on all requests); and
-
Improve the quality of prints from local law enforcement officers (LEOs).
Quality of the prints is the most important determinant of accuracy of
matching. DOJ should ensure that state/local law enforcement is equipped to
electronically capture and submit, in real time, high quality prints from those
they arrest and prosecute.
|