Follow-up Review of the Status of IDENT/IAFIS Integration

E & I Report No. I-2005-001
December 2004

Appendix 6

OIG Analysis of DHS Comments

On November 19, 2004, the Office of the Inspector General (OIG) sent copies of the draft report to the Department of Homeland Security (DHS). The Undersecretary of Border and Transportation Security provided the DHS response in a letter and attached comments dated December 3, 2004 (Appendix V). None of the six recommendations in the report are directed to the DHS. However, because the report addresses DHS policies and operations, we offered the DHS an opportunity to comment on the report. Our analysis of the DHS comments follows.

Summary of DHS Comments Regarding Patriot Act Requirements: The DHS stated that the HSC Deputies Committee’s July 18, 2003, decision to "establish as the technical standard for the US-VISIT Program" two fingerprints and a photograph constituted fulfillment of the Patriot Act requirements. The DHS also stated that the Patriot Act did not assign the NIST the sole responsibility for setting the technology standard. Regarding the Deputies’ decision that the DOS, the DHS, and the OMB conduct planning for migration to an eight fingerprint system, the DHS stated that this was based on concern expressed by the NIST that when the US-VISIT database grows to a certain size, the result might be a large number of false positive fingerprint matches.3 The DHS stated that the Deputies’ decision did not relate to ten fingerprints and the use of IAFIS, and "the problem of false positives has not materialized." Lastly, the DHS stated that it is conducting appropriate planning to support the move to an eight-fingerprint system "when appropriate."

OIG Analysis: The July 18, 2003, HSC Deputies’ decision, which appears in a document entitled "Summary of Conclusions," consists of the following statement: "With respect to the biometric identifier standards for the US-VISIT program, the Deputies approved the use of a photograph and two fingerprints for initial deployment in sea and airports. Deputies directed the Departments of Homeland Security and State to work with HSC and OMB in developing future plans to migrate to an eight fingerprint system." In light of DHS’s comment, we added language describing the Deputies’ decision to the Executive Summary of the report (we already had referred to the HSC Deputies’ decision in the body of the report).

The DHS response demonstrates that the departments do not interpret the Deputies’ decision or the requirements of the Patriot Act in the same way. The DOJ does not concur with the DHS contention that the Deputies’ decision to authorize a two-fingerprint technology for initial US-VISIT deployment represents a decision on the final fingerprint collection standard for the US-VISIT program, or that the decision replaced the congressional mandate for the Secretaries of the DHS and DOS, working jointly with the NIST, to develop and certify a technology standard. The DOJ’s position that the Deputies’ decision was not meant to be the final fingerprint collection standard is based on the Deputies’ direction that plans be made to migrate to an eight-fingerprint system. As described to us by DOJ officials, the HSC’s decision was intended to allow the DHS to deploy US-VISIT quickly by taking advantage of the existing two-fingerprint IDENT system. While it is correct that the Deputies do not specifically mention a ten-fingerprint system, the congressional report that the NIST, Attorney General, and Secretary of State submitted to Congress in January 2003 stated that a standard based on ten flat fingerprints offered the most technologically and operationally acceptable approach for the Departments of Justice, Homeland Security, and State to screen incoming visitors. The varying interpretations reinforce our finding that the departments have failed to agree on a uniform fingerprint collection standard.

It is also important to note that the decision on a uniform fingerprint collection standard is required before further progress can be made on the efforts to achieve full interoperability of IDENT and IAFIS, efforts that are currently stalled. Because the decision has not been made, we recommended that the DOJ report to the HSC and Congress that the departments have reached an impasse and cannot complete the congressionally directed MOU to guide the integration of IDENT and IAFIS. We believe that the DOJ’s report should formally request that the HSC or Congress decide whether or not to adopt the NIST Technology Standard (ten flat fingerprints for enrollment and two flat fingerprints and a photograph for identity verification). It is clear that a final decision on the adoption of a uniform fingerprint collection standard must occur before plans to make IAFIS and IDENT fully interoperable can be completed.

We agree, as the DHS commented, that the NIST was not assigned the sole responsibility for establishing the fingerprint technology standard, and we did not state otherwise in the report. In order to make clear that the NIST does not have sole responsibility for developing the technology standard, we amended the language on pages vi, 8, and 31 to reflect that Congress directed the Attorney General and Secretary of State, jointly through the NIST, to develop the technology standard.

Regarding the increasing number of false positives, the DHS correctly stated that NIST research determined that the number of false positive fingerprint matches would increase as the US-VISIT database grows. As we stated on pages 31 and 32 of the report, the NIST also found that search accuracy increased (i.e., there were fewer false positives) when the maximum number of fingers (ten) was used to search a database. The NIST found that this was true for all fingerprint matching systems that it tested. We also noted in the report the DOJ’s position that the most effective approach to addressing the issue of false positives is to increase the number of fingerprints collected for each person in the database before the number of false positives becomes a problem.

Summary of DHS Comments Regarding Success of US-VISIT: The DHS stated that both it and the DOS have engineered "the single most significant change to the visa issuance and U.S. border inspections process ever." Citing the over 13 million travelers that have been processed through US-VISIT, the DHS stated that at ports of entry, it has identified over 1,500 individuals who were on the US-VISIT watch list and denied entry to hundreds of them, and at consular posts, over 3,500 individuals have been identified through the US-VISIT watch list. The DHS stated that all of this has been accomplished while protecting traveler privacy and without increasing wait times or impacting trade and travel.

OIG Analysis: We acknowledge the DHS’s statement that the first phase of US-VISIT is a significant achievement. The DHS reported that it identified 5,000 of 13,000,000 visitors as being on the US-VISIT watch list. However, as described in our report, the Metrics study conducted by the DOJ found that most aliens with criminal records could be identified only by checking the IAFIS Criminal Master File, not through IDENT alone, which is what US-VISIT checks. Of the 24,020 aliens identified by the Metrics study as having criminal records, 17,553 (73.1 percent) were identified only through IAFIS. Therefore, we recommended that the DOJ request a random sample of records from US-VISIT and other relevant immigration biometric databases to determine the additional number of criminals that IAFIS could identify if enrollments in US VISIT were checked against IAFIS.

Summary of DHS Comments Regarding NIST Research on Time Requirements for Taking Ten Flat Fingerprints: The DHS stated that the draft report was misleading because it stated that the NIST research showed that ten "flat" fingerprints can be taken almost as quickly as two flat fingerprints. The DHS stated that readers would believe that the additional 10-15 seconds required to take ten fingerprints of 43 million visitors per year is operationally feasible. The DHS stated that even discounting the required processing time, the additional 10-15 seconds required to capture ten fingerprints would have "an enormous impact" and would require a significant number of additional inspectors, consular officers, and significant facility modifications to handle the increased wait times. The DHS contended that the report therefore showed a lack of understanding of DHS and DOS operations.

OIG Analysis: Our report stated that the NIST’s research found that 10 flat fingerprints can be taken in approximately 30 seconds (10 to 15 seconds longer than taking 2 flat fingerprints). As the OIG responsible for oversight of the Immigration and Naturalization Service (INS) before its transfer into DHS, and in light of the many reviews we conducted of the immigration process, we have a long and deep understanding of immigration operations. We understand that additional time to take ten flat fingerprints will have an effect on DHS and DOS operations. In our review, we also recognized that the significant time constraints that exist at primary inspection do not exist in secondary inspection or at the consulates where visa applications are taken, which the DHS response does not address. Importantly, although the DHS asserted that it is not operationally feasible to implement a ten-flat fingerprint system, it did not provide detailed information describing how many additional resources and facility modifications that it believes would be necessary if such a system was implemented, either in primary or secondary inspection.

However, as we noted in the report, the NIST studies we cite have indicated that taking ten fingerprints is the best technological solution to ascertaining the identify of individuals entering the United States. The critical issue to be determined is whether the operational costs would be justified by the benefits of implementing a ten-flat fingerprint system. Until the DHS grants the DOJ access to a random sample of data from US-VISIT and other relevant immigration biometric databases, the DOJ cannot conduct a proposed study (as we recommended to the DOJ) to determine the risk of not checking all visitors against IAFIS. Therefore, whether the cost of implementing a ten fingerprint system are justified because of the benefits that such a system will likely identify more criminal aliens by checking IAFIS directly cannot be compared at this point. We believe that the HSC and the Congress need that analysis to decide whether the risks constitute significant national security threats that warrant providing the DHS with the necessary resources and personnel to implement a ten-flat fingerprint system.

Lastly, the DHS stated that it is already conducting planning to support moving to an eight-fingerprint system, at the direction of the HSC. Therefore, the DHS objections regarding the additional processing costs are inconsistent because the DHS appears to believe that it will have to eventually address the issues of additional processing time and personnel costs, as well as potential facility modifications as a result of its own plans.

Summary of DHS Comments Regarding US-VISIT Architecture: The DHS stated that our report is misleading because it incorrectly equates the MitreTek study of the FBI’s IAFIS system with the DHS’s IDENT system, but US VISIT does not use the same architecture as IAFIS. The MitreTek study, the DHS stated, analyzed IAFIS’s architecture, which requires using all ten fingerprints in order to filter the database down to a small enough size to compare the two index fingerprints. The DHS stated that IDENT does not use this type of filtering in its architecture, and that adding ten fingerprints to IDENT would add additional time to the process because IDENT would need to make more matches, not fewer.

OIG Analysis: We recognize that IDENT uses a different type of filtering in its architecture than IAFIS. Although in the report we presented a brief description of how fingerprint filtering in IAFIS works, we made no assumptions about the IDENT architecture. Our report cites a MitreTek study that found that searching a biometric database using two flat fingerprints results in longer processing times and reduced accuracy (a greater likelihood of identifying false positives) compared to using more fingerprints to conduct the searches, and NIST findings that providing more fingerprints substantially speeds search processing and increases search accuracy. The need to ensure that compatible architectures can be integrated is a primary reason for timely resolving the issues we raise in this report.

In addition, because the DHS did not earlier communicate to us its contention that adding ten flat fingerprints to IDENT would increase rather than reduce processing time, we contacted the manager of the NIST Image Group to discuss this issue. In response to our inquiry, he contacted a contractor involved in developing IDENT, and then responded to us that implementing a ten-flat fingerprint system would cause about a 20 percent increase in the time taken by the IDENT fingerprint matching process. However, he stated, the operational impact of such an increase in the matching process would likely be negligible because the computer processing time is only a part of the fingerprint check. In sum, the biometrics experts at the NIST and the DHS will need to address this issue fully in order to determine the extent to which an increase in the fingerprint matching process could affect the DHS’s operations.

Summary of DHS Comments Regarding IDENT/IAFIS: The DHS stated that our report incorrectly assumes that the US-VISIT program has the same set of requirements that generated the need for IDENT/IAFIS. The DHS stated that the component of IDENT that US-VISIT uses is a "traveler identification system with lookout capability," which is not designed for booking criminals. The primary US-VISIT database, the DHS stated, contains the biometrics of over 10 million enrolled legitimate foreign travelers, which is separate from the IDENT lookout database that receives daily extracts from IAFIS. The DHS stated that IDENT/IAFIS was originally intended to provide quick access to criminal history information to INS officers during apprehension, but that future versions were to give state and local law enforcement organizations access to IDENT immigration information. Lastly, the DHS stated that the US-VISIT database does not contain immigration violators.

OIG Analysis: We did not assume that the US-VISIT program has the same set of requirements that generated the need for IDENT/IAFIS. Our report makes clear that the US-VISIT and IDENT databases are separate and that it is the US-VISIT watch list that is being queried when visitors apply for a visa or arrive to be inspected. The report explains that the US-VISIT watch list includes the IDENT lookout database, which, as the DHS stated, contains data extracted from IAFIS. However, the information extracted into IDENT is only a small portion of all the records in IAFIS. The majority of the estimated 43 million annual visitors to the United States are not checked directly against IAFIS – which contains the most current and complete criminal history information – but are only checked against the US-VISIT watch list. The risk of this practice is that some known criminals will be missed, as the DOJ’s Metrics study showed, because the extracts included in IDENT are not complete and are prone to have errors and omissions.

Therefore, while it is correct that the US-VISIT is not intended to be a booking system for criminals, it should still be as effective as it can be at identifying whether visitors have criminal records or are suspected terrorists. However, neither the potential for a ten-fingerprint system to identify more criminal aliens among visitors to the United States, nor the potential additional costs of implementing a ten-fingerprint system are known at this point. As we stated above, we believe that the HSC and the Congress need that information in order to decide whether the operational and financial costs of implementing a ten-flat fingerprint system outweigh the benefits of implementing such a system.

Summary of DHS Comments Regarding IAFIS’s Ability to Meet DHS Operational Requirements: The DHS stated that our report incorrectly assumes that the FBI’s IAFIS system could be used for US-VISIT purposes and that taking ten fingerprints for every traveler at ports of entry and submitting these to the FBI’s IAFIS "would solve most of the interoperability issues and would be beneficial." The DHS stated that this assumption is inaccurate because it believes IAFIS, as currently established, cannot meet DHS operational requirements for several reasons, which the DHS listed:

  • Not all criminal history records are relevant to all DHS decisions. The DHS included an example stating that its analysis has shown that only a small percentage of the wanted person’s information in IAFIS has a bearing on whether the individual will be admissible to the U.S., and immigration officers in primary inspection do not have the time or need to review the vast majority of these records.

  • IAFIS’ response time on a Ten Print Rap Sheet Request (TPRS) query is approximately 10 minutes versus 10 seconds for US-VISIT at primary inspection.

  • IAFIS does not have the capacity to handle the volumes associated with US-VISIT. The DHS stated that there could be up to 180,000 transactions per day, which would be nearly 10 to 20 times the current capacity of a TPRS search through IAFIS.

  • IAFIS’ availability is not adequate for real-time operations. The DHS cited two days per month of IAFIS downtime (planned and unplanned) over the last six months and stated that planned outages have recently been occurring almost monthly. The DHS also stated that unscheduled outages are a significant problem for IAFIS; it provided an example of IAFIS being down numerous times, including one time for two hours, in the two weeks prior to their response.

  • IAFIS does not have any backup capability as our report noted. The DHS stated that IAFIS resides in a single location, with tapes stored off-site. It would be impossible, the DHS stated, to bring the system back on line in a reasonable amount of time, should something happen to its primary location. The DHS stated that US-VISIT IDENT has "redundant search capability" in Rockville, Maryland and Dallas, Texas, with "failover capability" between the two locations.

  • The costs of moving to an FBI-based ten-fingerprint solution are significant and with little benefit to the DHS, given the FBI’s current inability to respond to the DHS’s operational time constraints with focused and relevant information. The DHS stated that even discounting the significant cost to the FBI that would be required to expand IAFIS capacity, the costs to the DHS are prohibitive; the DHS stated that capturing ten fingerprints would require hundreds of additional inspectors and significant facility modifications at the ports.

Finally, the DHS stated that it does not believe that there would be cost savings for moving immediately to a ten-fingerprint system because the costs would be far greater than DHS’s initial investment of $70 million for US-VISIT IDENT, and $15 million annual operating costs. The DHS stated that it recognizes that biometric technology is constantly evolving, and although it is not technically or economically feasible to implement a change now, with advances in fingerprint capture and matching technology it may be technically feasible to move to a multi-print system in the future. However, the DHS stated that even if it were possible, the "potential huge disruption to the travel and tourism industry, due to increased processing times and cultural resistance associated with criminality," must be analyzed before the DHS would make the significant investments to move to a ten-print system.

OIG Analysis: Regarding the DHS’s first point that not all criminal history records are relevant to all DHS decisions, having access to all criminal records would enable immigration officers to make the most informed decision possible. Currently, consular and immigration officers do not have full access to the most current and complete records contained in IAFIS. Should such access be granted, the immigration officer first would be alerted to a possible fingerprint match and then the visitor would be referred to secondary inspection where the information would be evaluated.

The DHS’s reference to response time is a legitimate concern for primary inspections, and our report makes this point. The FBI stated that IAFIS would provide a TPRS response time of less than 10 minutes and currently the system is averaging 2-3 minutes, although 2 minutes is currently the fastest response time it can produce. However, adjudications that occur in secondary inspections or in consular offices do not have the same time constraints as primary inspection points. Secondary inspections involve checking other databases and questioning the visitor. Therefore, as is the case with processing time, the TPRS transaction response time is much less of an issue for officers working at secondary inspection and the consular offices.

Regarding IAFIS capacity, we agree with the DHS that IAFIS does not presently have the capacity to handle the volume of transactions associated with US-VISIT. Part I of the report makes this point clearly. Nonetheless, we believe that is it important to fully utilize existing IAFIS capacity. Moreover, decisions on future requirements are needed to enable the FBI to ensure that IAFIS will be prepared to handle a large increase in transactions associated with US-VISIT. We recommended that the DOJ and the FBI coordinate with the DHS to identify the capacity needed to conduct IAFIS searches on all visitors referred to secondary inspection. The DOJ and the FBI concurred with this recommendation.

Regarding IAFIS availability, we agree with the DHS that IAFIS must improve its availability. Part I of the report makes this point clearly. We also made a recommendation that the FBI take steps to ensure that IAFIS meets its system availability requirements of 99 percent; both the DOJ and the FBI concurred with this recommendation.

Regarding the lack of IAFIS backup, we discuss this at some length in Part I of the report. In addition, on page 28 of the report, we added a footnote containing the information that the DHS provided about the redundant US VISIT and IDENT search capability.

Regarding the DHS conclusion that the costs of implementing a ten-fingerprint system are significant and provide little benefit, we believe that conclusion is both premature and not clear. Our report recognized that there would be additional costs to the DHS and the DOS in order to implement a system that takes more than two fingerprints. However, neither the potential for a ten-fingerprint system to identify more criminal aliens among visitors to the United States, nor the potential additional costs of implementing a ten-fingerprint system are known at this point.

Regarding the DHS statement that it is erroneous that there would be any cost savings associated with expediting the implementation of a ten-fingerprint system, a number of potential savings that could result from such a decision were identified to us during this review. These include eliminating or reducing the cost of maintaining duplicate data in redundant systems; reduced costs of processing ten fingerprints against ten fingerprints, rather than processing two against ten (as cited by the NIST and others); and operational savings (and reduced inconvenience to visitors) from reducing the number of false positive matches. There are also potential costs associated with delaying implementation of a ten-fingerprint system. Those include operational and financial costs to re-engineer the fielded systems and re-enroll individuals using more than two fingerprints.

The DHS stated that delays would likely occur at primary inspection due to slow IAFIS response times, which it believed would be disruptive to the travel and tourism industry. However, some disruption will likely result in conjunction with any procedural change that the DHS implements, whether now or in the future. Moreover, should an incident occur involving a criminal alien or terrorist inadvertently admitted to the United States, which is a viable risk, the DHS and the DOS would likely experience greater pressure to move more quickly to a re-engineered system, and would be at risk of implementing rushed or inadequate measures. We believe that by effectively planning for implementation of a system that uses more than two fingerprints – including completing the MOU with the DOJ – the DHS and the DOS can better ensure that costs and disruptions are minimized. Moreover, as stated above, the HSC and the Congress need an analysis of both the potential costs and the risks of not checking all visitors against IAFIS to decide whether they warrant expending additional resources for the DHS to implement a ten-flat fingerprint system and to accommodate the additional processing time. Only after the results of this study are analyzed will the federal government be able to fully assess the costs and benefits of a ten-fingerprint system.

Summary of DHS Comments Regarding JMD Criminality Study: The DHS stated that the findings of the JMD criminality study cannot be extrapolated to the US-VISIT population. The DHS stated that our report incorrectly compares the results from JMD’s Metrics study and US-VISIT because the two populations are fundamentally different; US-VISIT contains information on travelers while the individuals in the JMD study had already been arrested by the Border Patrol. The DHS stated that these individuals have already shown a disregard for the law by crossing the Border illegally. The DHS added that it already had accelerated the deployment of the fully integrated IDENT/IAFIS terminal to all Border Patrol locations.

OIG Analysis: We agree that the visitors in US-VISIT and the sample of aliens examined by the Metrics study are different. The Metrics study found that about one in eight of the aliens detained by the Border Patrol and checked in the Metrics study had a criminal record. According to data cited by the DHS in its response, the US-VISIT has identified about 5,000 of the 13,000,000 visitors checked so far (about 1 in every 2,600 visitors) as being on the US-VISIT watch list. Although the US-VISIT watch list is not a comprehensive list of criminals and other individuals ineligible to enter the United States, these results indicate that the percentage of the general population of US-VISIT visitors who have criminal records (the criminality rate) is less than that of the aliens examined in the Metrics study. We are aware of these differences and, for that reason, we did not extrapolate the criminality rate found in the JMD Metrics study to the US-VISIT population.

Nonetheless, the findings of the Metrics study regarding the capability of IDENT and IAFIS to identify criminal aliens are relevant. The Metrics study clearly showed that only checking IDENT (which the US-VISIT watch list relies on) will fail to identify most criminal aliens. Over 70 percent of the criminals identified in the Metrics study were only identified by IAFIS. While we agree that the criminality rate of US-VISIT visitors may be lower than the Metrics study, neither the actual US-VISIT criminality rate nor the percentage of criminals that are missed by US-VISIT is known. It is for that reason that we recommended that the DOJ conduct a study using random samples from US-VISIT and from other relevant immigration biometric databases used for enforcement or benefit purposes to determine the additional number of individuals that IAFIS will identify as criminals and the risk posed by not checking all visitors against IAFIS.

Summary of DHS Comments Regarding Organizational Responsibility: The DHS stated that the draft report cited the DOJ and the DOS as being responsible for implementing appropriate biometric standards under the Border Security Act, but that this responsibility has now been transferred from the DOJ to the DHS. The DHS also stated that it has developed an "alternative proposal" for addressing the need for IDENT/IAFIS interoperability, especially in relation to US-VISIT, which is designed to achieve appropriate data exchange between the DOJ and the DHS.

OIG Analysis: The DHS is correct about the shifting of organizational responsibility from the DOJ to the DHS. On pages iv and 8 of the report, we added a footnote to the description of the Border Security Act that clarifies this shift in responsibility. Regarding the "alternative proposal," the DHS has provided us with no information on this.

Summary of DHS Comments Regarding Monitoring IDENT Performance: The DHS stated that it and the DOS are aware of both the capabilities and limitations of the biometric systems employed by US-VISIT. The DHS stated that it continues to closely monitor the IDENT system and work with the NIST with the goal of improving system performance, including false positive rates, accuracy rates, and system throughput. The DHS stated, "We will move to a multi-print system at the appropriate time to improve system performance."

OIG Analysis: We accept the DHS statement that it closely monitors US-VISIT and works with the NIST. However, because we found that the DHS, the DOS, and the DOJ did not interpret the HSC Deputies’ decision or the Patriot Act requirements in the same way, and because the departments continue to disagree on a uniform fingerprint collection standard, no further progress toward achieving full interoperability between IDENT and IAFIS can be made.

It has been almost two years since the NIST, the Attorney General, and the Secretary of State issued the report to Congress stating that ten flat fingerprints is the most effective and efficient method of enrolling individuals in large biometric databases. Similarly, it has been almost one and a half years since the HSC Deputies’ approved the use of two flat fingerprints and a photograph for initial US-VISIT deployment, with the direction to conduct planning for the eventual migration to an eight-fingerprint system. The DHS stated it is already conducting this planning. However, the departments have as yet been unable to complete an MOU to establish how the project to achieve interoperability will proceed. The recommendations we make are partly intended to improve the information available to the HSC and Congress regarding the risks and costs associated with the various options so that they may better examine the issues related to the fingerprint technology standard and capabilities required for an interoperable biometric fingerprint system.

Summary of DHS Comments Regarding US-VISIT Strategic Plan: The DHS stated that the DOJ and the FBI are part of the team working on US-VISIT’s Strategic Plan, which will "outline the business functionality needed for the immigration and border management enterprise, the technology, data, and facilities needed to support that functionality, and the business case that justifies the program." The DHS stated that providing the DHS and the DOS with access to IAFIS information is part of the US-VISIT Strategic Plan.

OIG Analysis: The US-VISIT Strategic Plan team is a recently formed group that we did not review during our fieldwork. However, based on discussions with DOJ staff, we added this group to the report’s list of working groups on page 18.

Summary of DHS Comments Regarding Recommendations to be Added to the Report: The DHS stated that it would like the following recommendations added to the report.

  1. "IAFIS modernization should support DHS’s operational needs." The DHS stated that it would like an expanded role for DHS/Border and Transportation Security, US-VISIT, and the DOS in FBI’s ongoing IAFIS modernization efforts. As large customers of IAFIS, the DHS stated that it would welcome the opportunity to inform the FBI of future requirements and operational needs, including the need to:

    • Improve availability/reliability (up time and failover).
    • Increase availability of terrorist prints.
    • Re-architect IAFIS and NCIC to allow searches by offense.
    • Improve system capacity and system response time.

OIG Analysis: Improving IAFIS availability and increasing the availability of terrorist fingerprints are already recommendations in our report. Although re-engineering IAFIS and NCIC to allow searches by offense may be beneficial, this is the first time that the DHS has raised this issue to us, and it is outside the scope of this report. Improving IAFIS capacity is also addressed in the report and is already addressed in our recommendations. Reducing IAFIS response time is a goal of Next Generation IAFIS, but DOJ, FBI, and DHS technical experts will have to determine how IAFIS can meet the response time required at primary inspection.

  1. "DHS would like the third recommendation in the report instead to ask the FBI to work with DHS to determine which IAFIS records are relevant in the determination of admissibility." The DHS stated that it believes that the FBI should immediately provide the relevant criminal history records to the DHS. The DHS stated that it is currently conducting a study to determine which IAFIS records provide the highest value to immigration officials so that they may prioritize their access while the more difficult interoperability challenges are architected. The DHS stated that it was disappointed when it requested the criminal history records of aliens of unknown origin from the FBI and was told that it would take 720 days. The DHS believes that it should be a top priority for the FBI to provide this information to the DHS.

OIG Analysis: This DHS comment is unrelated to the random sampling of US-VISIT that our report recommends. We do describe the fingerprint image requests and the DHS’s desire to prioritize them. We also understood that the US-VISIT watch list may not have the capacity to handle the estimated 7 million additional records of individuals who are foreign born, have no place of birth listed, or who have had previous encounters with immigration officials documented in IAFIS. Moreover, the DHS’s expectation that the FBI should provide all of these records to the DHS is indicative of its position that the current interim measure involving the FBI extracting data from IAFIS and providing it to the DHS for inclusion in IDENT is adequate. As our report states, the DOJ does not believe that providing extracts of IAFIS data achieves interoperability; rather, the extract process is an inadequate method of checking individual’s criminal history because the extracts are untimely, erroneous, and incomplete. The extract process also creates data duplication.

The FBI sent a letter to the US-VISIT Program Manager in February 2004 stating that a mass extract of the types of records (described above) that the DHS requested would require 750 days to process with current IAFIS capacity. However, the FBI told us that it would take many years to extract the entire population in which the DHS has an interest. We state in the report that since the DHS is permitted to extract 3,000 records a day from IAFIS, by dividing 3,000 into 7 million we estimate that it will take over 6 years to accomplish.

  1. "DHS and the FBI should finalize the Memorandum of Understanding (MOU) to clearly articulate how data should be shared and used, and to protect the privacy of our visitors." The DHS stated that it has provided: (1) the FBI with access to US-VISIT and immigration violator data, (2) user accounts to FBI analysts, and (3) extracts of data to IAFIS in support of DOJ operational needs. The DHS stated that it did this in good faith that an MOU would be agreed upon that provides for information sharing with the DOJ/FBI and ensures that the necessary privacy protections and data access procedures are clearly delineated.

OIG Analysis: We agree that the DHS and the FBI should finalize such an MOU. On page 37 of the report, we added language discussing the DHS’s November 1, 2004, memorandum to the HSC Deputy Director, which stated that it had met its obligations to provide the FBI with full access to its US-VISIT records. In the memorandum, the DHS stated that it had provided training on the data limitations of US-VISIT records to 30 individuals named by the FBI. In the memorandum, the DHS also stated that it would provide US-VISIT access and training to an additional 200 users whom the FBI indicated also need access to US-VISIT.

However, DOJ officials told us that they are disappointed at the slow pace and limited scope of the access that the DHS has provided thus far and do not consider that the FBI has "full and immediate" access to the US-VISIT database. Further, DOJ officials stated that they considered the DHS’s granting access to 30 FBI individuals a short-term, stop-gap measure intended to provide limited access to certain FBI users quickly. Our report also states that little progress has been made toward providing the DHS’s apprehension and criminal history information to other federal, state, and local law enforcement agencies. Based on our discussions with officials in all the departments, as described in this report, we concluded that the efforts to ensure that the information in the DHS’s IDENT and US-VISIT databases will be "readily and easily accessible," (as required by the Patriot Act), to the DOJ or other federal, state, and local law enforcement agencies have stalled.

  1. "The FBI should actively work to improve the quality of IAFIS and NCIC data" so that it would:

    • Provide final dispositions,
    • Provide full criminal history response, and
    • Improve the quality of fingerprints from local law enforcement officers because fingerprint quality is the most important determinant of matching accuracy. The DHS stated that the DOJ should ensure that state and local law enforcement is equipped to electronically capture and submit, in real time, high quality fingerprints from individuals they arrest and prosecute.

OIG Analysis: The first time that the DHS has raised these issues to us was in their response to our draft report. We contacted responsible FBI officials, and they told us that the FBI is working on these issues to the extent that they are within its area of responsibility and authority. However, these issues are not within the scope of this report.


  1. The false positive rate, or false accept rate, is the probability that the system will incorrectly determine that a search fingerprint and a file fingerprint are matches.