Follow-up Review of the Status of IDENT/IAFIS Integration

E & I Report No. I-2005-001
December 2004


Appendix 5

DHS Comments on the Draft Report


  U. S. Department of Justice
Washington, D.C. 20528
Homeland Security

December 3, 2004



Glenn A. Fine
Inspector General
U.S. Department of Justice
950 Pennsylvania Avenue NW, Suite 4322
Washington, D.C. 20530-0001

Dear Mr. Fine:

Thank you for the opportunity to comment on the draft report entitled, IDENT/IAFIS: Follow-up Review of the Status of IDENT/IAFIS Integration. Clearly we all share the goal of protecting our nation. We believe the issue of IDENT/IAFIS integration to be extremely important to the Department of Homeland Security's (DHS) primary mission to protect America's homeland and its citizens and visitors. We welcome efforts to improve the communications and data exchange between DHS and the Department of Justice (DOJ). We also agree that further communications and interoperability must continue between the several departments involved in biometrics that are cited in your working draft.

We would like to note that there are several inaccuracies and incorrect assumptions in the draft report. In addition, we would propose alternative recommendations for your consideration as to how to move forward. Our relevant comments appear in the enclosure.

Please let me know if you have any questions. You or your staff may also contact Tom Hamer of US-VISIT at (202) 298-5206 for additional information.

Sincerely,

(signed)

Asa Hutchinson
Under Secretary
Border and Transportation Security





Enclosure


Comments from the Department of Homeland Security on the Department of Justice Inspector General Draft Report IDENT/IAFIS: Follow-up Review of the Status of IDENT/IAFIS Integration

  1. Requirements of the USA PATRIOT Act were fulfilled. After having reviewed all pertinent technical studies by NIST and having considered all other relevant factors such as operational constraints and implementation costs, the Homeland Security Council (HSC) Deputies Committee, including representatives from the Department of State, the Department of Justice, the Department of Homeland Security, and the National Institute of Standards and Technology (NIST) decided on July 18, 2003, to establish as the technical standard for the US-VISIT Program two index fingerprints and a photo. Through this decision by the Deputies Committee, the requirements of the USA PATRIOT Act were fulfilled. The USA PATRIOT Act did not assign to NIST the sole responsibility for setting the technology standard, as your report indicates.

The Deputies Committee also decided that the Department of State (DOS), the Department of Homeland Security (DHS), and the Office of Management and Budget (OMB) should conduct planning for a migration to the use of eight fingerprints. That was based on concern expressed by NIST that when the US-VISIT enrollment database grows to a certain size, the result might be a large number of false positive fingerprint matches that would require the hiring of an excessive number of fingerprint examiners to review. In other words, the primary concern was one of workload relating to clearing fingerprints through the US-VISIT enrollment database. The planning to be undertaken, in the decision of the Deputies Committee, did not relate to ten fingerprints and the use of the ten-print IAFIS fingerprint system. The problem of false positives has not materialized; however, the Department of Homeland Security is conducting appropriate planning to support the move to an eight-print system when appropriate.

  2. US-VISIT has been an unprecedented success. DHS and DOS have engineered the single most significant change to the visa issuance and U.S. border inspections process ever. To date, over 13 million travelers have been processed through US-VISIT, biometrically matching their identity with their visa/passport. At ports of entry over 1,500 persons have been identified off the watch list, and hundreds have been denied entry. At consular posts, over 3,500 have been identified off of the watch list assisting DOS with the adjudication of visa issuance or denial. All of this has been done without increasing wait times or impacting legitimate trade and travel, and while protecting the privacy of travelers.

  3. The draft report is misleading when it states that NIST research showed that ten "flat" fingerprints can be taken almost as quickly as two flat fingerprints. This would lead one to believe that the additional 10-15 seconds required to take ten prints of 43 million visitors per year is operationally feasible. Even discounting the processing time required, the additional 10-15 seconds required for print capture would have an enormous impact. It would require a significant number of additional inspectors and consular officers as well as significant facility modifications to handle the increase in wait times. This statement shows a lack of understanding of DHS and DOS operations.

  4. US-VISIT does not use the same architecture as IAFIS. The draft report is also misleading in that it incorrectly equates the Mitre study of the FBI's IAFIS system with the DHS IDENT system. The Mitre study, referred to in the draft report, analyzed the FBI architecture, which requires use of all 10 prints in order to filter the database down to a small enough size to do a comparison on the two index prints. IDENT does not use this type of filtering in its architecture. Adding 10-prints to IDENT would actually add additional time to the process because IDENT would need to make more matches, not fewer.

  5. US-VISIT is not IDENT/IAFIS. The report incorrectly assumes that the US-VISIT Program has the same set of requirements as that which generated the need for IDENT/IAFIS integration. The component of IDENT that US-VISIT uses is a traveler identification system with lookout capability. It is not designed for booking criminals. The primary US-VISIT database contains the biometrics of over 10 million enrolled legitimate travelers to the United States. This is separate from the IDENT lookout database that receives daily extracts from IAFIS.

The original intent behind IDENT/IAFIS integration was to provide quick access to criminal history information to INS officers during the apprehension process. Future versions were to give state and local law enforcement organizations access to IDENT immigration apprehension information. The US-VISIT enrolled population is not comprised of immigration violators.

  6. IAFIS, as currently architected, cannot meet DHS operational requirements. The report incorrectly assumes that the FBI's IAFIS system could be used for US-VISIT purposes; that taking 10-prints for every traveler at ports of entry and submitting these to the FBI's IAFIS would both solve most of the interoperability issues and be beneficial. This assumption is inaccurate for the following reasons:

    • Not all criminal history records are relevant to all DHS decisions. For example, our analysis has shown that only a small percentage of the information contained in the FBI database is for wanted persons or has a bearing on whether the individual will be admissible to the U.S. A U.S. officer on port-of-entry primary does not have the time, and more importantly, the need to review the vast majority of these records.

    • IAFIS' response time on a Ten Print Rap Sheet Request (TPRS) electronic query is approximately 10 minutes. This is the best response time currently available. An inspector at primary currently enjoys a response time of less than 10 seconds.

    • IAFIS does not have the capacity to handle the volumes associated with US-VISIT. Factoring in the DOS, land border, and exit, the number of transactions may reach as much as 180,000 per day, which would be nearly 10 to 20 times the current capacity of a TPRS IAFIS search.

    • IAFIS' availability is not adequate for real-time operations. Over the last six month period, IAFIS averaged two days per month of down time (planned and unplanned). Planned outages have recently been occurring almost monthly. Unscheduled outages are a significant problem with IAFIS as well. For example, at the time of the writing of this response, IAFIS has been down numerous times for unscheduled outages - once for as long as two hours - in the last two weeks.

    • IAFIS does not have any backup capability as your working draft correctly noted. IAFIS resides in a single location, with tapes stored off site. It would be impossible to bring the system back on line in any reasonable period of time, should something happen to its primary location. US-VISIT IDENT has redundant search capability - residing in Rockville, Maryland, and Dallas, Texas, with failover capability between the two.

    • The costs of moving to an FBI-based 10-print solution are significant and given FBI's current inability to respond to operational time constraints with information focused and relevant to the decision, with little benefit. Even discounting the significant cost to the FBI required to restructure the IAFIS architecture to provide the capacity to perform the transactions quickly and improve the reliability/availability, the costs to DHS are prohibitive. Capturing 10 prints would require hundreds of additional inspectors, and significant facility modifications at the ports.

The report asserts that there would be cost savings for moving immediately to a 10-print capture system. DHS believes that this assertion is erroneous and without justification. The US-VISIT IDENT system required an initial investment of $70 million with an additional operating cost of approximately $15 million per year. Although these costs are not insignificant, the cost of moving to a 10-print FBI solution would be far greater. DHS recognizes that biometric technology is constantly evolving. And although it is not technically or economically feasible to do this at this time, with advances in capture and matching technology, it may be technically feasible to move to a multi-print system in the future. However, even if it were possible, the potential huge disruption to the travel and tourism industry, due to increased processing times and cultural resistance associated with criminality, must be analyzed prior to making these significant investments.

  7. The findings of the JMD criminality study cannot be extrapolated to the US-VISIT population. The report draws an incorrect comparison between results from the Justice Management Division (JMD) metrics criminality report and US-VISIT. By definition, the populations are fundamentally different. US-VISIT contains information on travelers. The individuals described in the JMD report have already been arrested by the Border Patrol. By trying to cross the border illegally, these persons have already shown a disregard for the law, and in many cases it will not be their first time. This is precisely why DHS accelerated the deployment of the fully integrated IDENT/IAFIS terminal to all Border Patrol locations.

  8. The draft incorrectly cites organizational responsibility. The working draft cites the Department of Justice and Department of State under the Enhanced Border Security Act as being responsible for implementing appropriate biometric identifier standards at ports of entry and overseas posts. This is now the responsibility of DHS and DOS. DHS has developed an alternative proposal for how to address the need for IDENT/IAFIS interoperability, especially in relation to US-VISIT. This path is designed to achieve appropriate data exchange between DOJ and DHS.

  9. DHS will monitor performance. DHS and the Department of State are aware of both the capabilities and limitations of the biometric systems employed by US-VISIT. DHS/US-VISIT continues to closely monitor the IDENT system and work with the NIST with the goal of improving system performance including false positive rates, accuracy rates, and system throughput. We will move to a multi-print system at the appropriate time to improve system performance.

  10. DOJ and FBI are participating in DHS's US-VISIT Strategic Plan. DOJ and FBI are part of the team working on US-VISIT's Strategic Plan. The Strategic Plan will outline the business functionality needed for the immigration and border management enterprise, the technology, data, and facilities needed to support that functionality, and the business case that justifies the program. Providing DHS and DOS access to IAFIS information will be included as part of this US-VISIT Strategic Plan.

The following are recommendations that DHS would like to see added to the report:

  1. IAFIS modernization should support DHS's operational needs. DHS would like an expanded role for DHS/Border and Transportation Security, US-VISIT, and DOS in the FBI's ongoing IAFIS modernization effort. As large customers of IAFIS, DHS would welcome the opportunity to inform the FBI of future requirements and operational needs. In particular, DHS would strongly emphasize the need to:
    • Improve availability/reliability (up time and failover);
    • Increase availability of terrorist prints;
    • Re-architect IAFIS and NCIC to allow searches by offense; and
    • Improve system capacity and system response time.

  2. DHS would like the third recommendation in the draft report instead to ask the FBI to work with DHS to determine which IAFIS records are relevant in the determination of admissibility.

    DHS believes the FBI should immediately provide the relevant criminal history records to DHS. DHS is currently conducting a study to determine which records in IAFIS provide the highest value to immigration and border management decision makers so that access to these can be prioritized, while the more difficult interoperability challenges are architected. We were disappointed last year when the criminal history records of aliens of unknown origin were requested so that they could be included in our IDENT lookout database, and the answer was that it would take 720 days (the working draft says six years). It should be a top priority to provide this information to DHS since this information has the highest relevancy for DHS's mission.

  3. DHS and the FBI should finalize the Memorandum of Understanding (MOU) to clearly articulate how data should be shared and used, and to protect the privacy of our visitors. DHS has provided the FBI with access to US-VISIT and immigration violator data. DHS has provided user accounts to FBI analysts and provided extracts of data to IAFIS in support of DOJ operational needs. DHS did this in good faith that a memorandum of understanding will be agreed upon that provides for information sharing with DOJ/FBI and ensures that the necessary protections are clearly delineated so that DHS can ensure that the privacy of legitimate travelers is properly protected through explicit procedures for access to the data and normal audit provisions are included.

  4. The FBI should actively work to improve the quality of IAFIS and NCIC data.

    • Provide final dispositions (i.e., not just fact of arrest);

    • Provide full criminal history response (FBI queries certain individual state repositories to get full recent criminal history information; FBI does not do so on all requests); and

    • Improve the quality of prints from local law enforcement officers (LEOs). Quality of the prints is the most important determinant of accuracy of matching. DOJ should ensure that state/local law enforcement is equipped to electronically capture and submit, in real time, high quality prints from those they arrest and prosecute.