Follow-up Review of the Status of IDENT/IAFIS Integration

E & I Report No. I-2005-001
December 2004

Appendix 8

OIG Analysis of DOS Comments

On November 19, 2004, the Office of the Inspector General (OIG) sent copies of the final draft report to the Department of State (DOS). The Deputy Assistant Secretary for Visa Services provided the DOS response in a letter dated December 3, 2004 (Appendix VII). None of the six recommendations in the report are directed to the DOS. However, because the report addresses DOS policies and operations we offered the DOS an opportunity to comment on the report. Our analysis of the DOSís comments follows.

Summary of DOS Comments Regarding Technology Standard: The DOS stated that our report presents "fundamental inaccuracies" on the technology standard because it states that the NIST has statutory authority to develop and certify a Technology Standard, which implies that the NIST solely has this authority. The DOS stated, "by section 403(c) of the USA PATRIOT Act, the Secretary of State and the Attorney General -- not the NIST -- are granted the statutory authority to set the technology standard." The DOS further stated "the NIST is assigned only a technical advisory role in the decision-making process."

OIG Analysis: As noted above, it is correct that the NIST was not assigned the sole responsibility for establishing the technology standard. On pages 8 and 31 of our report, we acknowledged the language of section 403(c) of the Patriot Act, which states that "the Attorney General and the Secretary of State jointly, through the [NIST]Ö" shall develop and certify a technology standard. After extensive testing to determine the most efficient and effective method for verifying the identify of visa applicants, the NIST recommended to Congress (in a January 2003 report issued jointly by the NIST, the Attorney General, and the Secretary of State) that ten flat fingerprints be used for enrollment into large databases and two flat fingerprints and a photograph only be used to verify individualsí identities against existing records. Thus, we refer to this as the NIST-recommended Technology Standard.

In order to make clear that the NIST did not have sole responsibility for developing the technology standard, we amended the language on pages vi, 8 and 31 to reflect that Congress directed the Attorney General and Secretary of State, jointly through the NIST, to develop the technology standard.

Summary of DOS Comments Regarding HSC Deputiesí Decision: The DOS stated that the July 18, 2003, HSC Deputies Committee decision to use a two-fingerprint and photograph system for initial US-VISIT deployment in sea and air ports of entry reflected the Secretary of Stateís and the Attorney Generalís statutory authority to set the technology standard. The DOS stated that "it is the [HSC] decision, not the NIST advice that controls DOS, DHS and DOJ implementation of a technology standard."

OIG Analysis: As we stated in response to the DHSís comments, the DOS response further demonstrates that the departments do not interpret the Deputiesí decision or the requirements of the Patriot Act in the same way. The DOJ does not concur with the DHS and DOS contention that the Deputiesí decision to authorize a two-fingerprint technology for initial US-VISIT deployment represents a decision on the final fingerprint collection standard for the US-VISIT program, or that the decision replaced the congressional mandate for the Secretaries of the DHS and State, working jointly with the NIST, to develop and certify a technology standard. The DOJís position that the Deputiesí decision was not meant to be the final fingerprint collection standard is based on the Deputiesí direction that plans be made to migrate to an eight-fingerprint system. As described to us by DOJ officials, the HSCís decision was intended to allow the DHS to deploy US-VISIT quickly by taking advantage of the existing two-fingerprint IDENT system. The varying interpretations contained in the departmentsí responses reinforce our finding that the departments have not agreed on a uniform fingerprint collection standard.

The decision on a uniform fingerprint collection standard is required before further progress can be made on the development of an MOU to guide the efforts to achieve full interoperability of IDENT and IAFIS, efforts that are currently stalled. Because the decision has not been made, we recommended that the DOJ report to the HSC and Congress that the departments have reached an impasse and cannot complete the congressionally directed MOU to guide the integration of IDENT and IAFIS. We specified that the DOJís report formally request that the HSC or Congress decide whether or not to adopt the NIST Technology Standard (ten flat fingerprints for enrollment and two flat fingerprints and a photograph for identity verification) because the adoption of a uniform fingerprint collection standard must occur before plans to make IAFIS and IDENT fully interoperable can be completed.

In previous comments provided to us on a working draft of this report, the DOS acknowledged that the NIST expressed concern that when the US-VISIT enrollment database grows to a certain size, a large number of "false positive" fingerprint matches would occur. In this response, the DOS stated that the problem of false positives has not materialized. The DOS is correct that NIST research determined that the number of false positive fingerprint matches would increase as the US-VISIT database grows. As we stated on pages 31 and 32 of the report, the NIST also found that search accuracy improved (there were fewer false positives) when the maximum number of fingers (ten) was used to search a database. The NIST found that this was true for all fingerprint matching systems that it tested. We noted in the report the DOJís position that the most effective approach to addressing the issue of false positives is to increase the number of fingerprints collected before the number of false positives becomes a problem.

Summary of DOS Comments Regarding Time Required to Take Ten Fingerprints: The DOS stated that by presenting the NIST finding that taking 10 flat fingerprints takes 10 to 15 seconds longer than taking two flat fingerprints, our report ignores the significant effect on operations at ports of entry that this additional time would have. The DOS also stated that at its consulate in Monterrey, Mexico, it is conducting a pilot project to collect ten flat fingerprints from certain visa applicants. The DOS stated that with a consulate employee assisting the person whose fingerprints are being enrolled, it takes 60 to 90 seconds to enroll 10 flat prints. That is, they say, 30 to 60 seconds longer than it takes to enroll two flat fingerprints without the assistance of a consular employee and has significant workload implications.

OIG Analysis: The independent NIST research found that taking 10 flat fingerprints only takes approximately 10 to 15 seconds longer than taking 2 flat fingerprints. We amended page 16 of the report to reflect that the DOS is currently conducting several pilot projects in Mexico to take ten flat fingerprints. However, we do not have enough information on the structure, process, or equipment used in the DOS pilot projects to evaluate whether they are similar to that used by the NIST in its studies. More importantly, the results of these pilot projects are not yet conclusive and the reasons for the enrollment time that the DOS has experienced thus far have not yet been identified or analyzed. We recognize that enrollment time is an important issue for the DOS. However, unlike the DHS inspectors at primary inspection, consular officers do not have to make an immediate adjudication.

Summary of DOS Comments Regarding Resources: The DOS stated that because enrollment of ten flat fingerprints would require shifting the enrollment process off-site at some consular posts, "facilities and personnel costs would skyrocket." These operational and cost factors, the DOS stated, are not the responsibility of the NIST; they are decisions to be made by agency heads.

OIG Analysis: Our report recognized that there would be additional costs to the DHS and the DOS in order to implement a system that takes more than two fingerprints. However, the DOS did not provide detailed information describing the facilities and personnel costs that it believes would be necessary if such a system is implemented. In fact, neither the potential for a ten-fingerprint system to identify more criminal aliens among visitors to the United States, nor the potential additional costs of implementing a ten-fingerprint system are known at this point.

As we noted in the report, the NIST studies we cite have indicated that taking ten fingerprints is the best technological solution to ascertaining the identify of individuals entering the United States. The critical issue to be determined is whether the operational costs would be justified by the benefits of implementing a ten-flat fingerprint system. Until the DHS grants the DOJ access to a random sample of data from US-VISIT and other relevant immigration biometric databases, the DOJ cannot conduct a proposed study (as we recommended to the DOJ) to determine the risk of not checking all visitors against IAFIS. Therefore, whether the cost of implementing a ten fingerprint system is justified by the potential for such a system to identify more criminal aliens by checking IAFIS directly cannot be fully known at this point. We believe that the HSC and the Congress need that analysis to decide whether the risks constitute significant national security threats that warrant providing the DOS with the necessary resources and personnel to implement a ten-flat fingerprint system.

Moreover, on page 48 of our report we present the DOJ position that the federal government may face significant costs to later re-engineer existing systems if changes are not implemented now to upgrade US-VISIT to collect more than two fingerprints. These costs may include re-enrolling individuals when it is decided to begin using more than two fingerprints. A number of potential savings that could result from such a decision were also identified to us during this review. These include eliminating or reducing the cost of maintaining duplicate data in redundant systems; reduced costs of processing ten fingerprints against ten fingerprints, rather than processing two against ten (as cited by the NIST and others); and operational savings (and reduced inconvenience to visitors) from reducing the number of false positive matches.

Summary of DOS Comments Regarding Additional Pilot Study: The DOS described another pilot project at the embassy in San Salvador, El Salvador, that it is conducting in conjunction with the FBI. This pilot, the DOS stated, involves taking two fingerprints from certain visa applicants whose fingerprints are on the IDENT watch list, and automatically receiving the rap sheets for these applicants. The DOS described a three-step process for transferring fingerprints from IAFIS to IDENT and stated that the two-fingerprint pilot being tested in El Salvador could be deployed globally in conjunction with the three-step process to give consular officers fully automated access to visa applicantsí rap sheets. This, the DOS stated, would be a main component of the interoperable electronic data system envisioned in the Border Security Act.

The three-step process that the DOS referred to consists of (1) a DHS initiative to prioritize the 7-8 million records of foreign-born individuals contained in IAFIS before transfer into IDENT, (2) an expansion of IAFISís 3,000 daily image request services function, and (3) an upgrade of the IAFIS and IDENT connectivity "to be able to handle a rapid daily transfer of many thousands of fingerprint files." The DOS recommended that a consultant be hired to conduct a study of the technical issues involved with the second and third items, and to propose solutions and cost estimates. The DOS stated it believes that this three-step process would cost "a fraction of the DOJ proposals" and would "keep intact the highly successful Biometric Visa and US-VISIT Programs, which the DOJ [ten-] fingerprint proposals would unnecessarily dismantle in their present forms." The DOS stated that requiring consular officers to collect ten fingerprints would detract time from visa interviews and would be detrimental to border security. Lastly, the DOS restated its position that its proposal for enhancing the current two-fingerprint system would achieve the DOS, DHS, and DOJ common goal of screening visa applicants against criminal history records that would render them ineligible for visas.

OIG Analysis: The three steps that the DOS described all rely on the existing interim measures and do not present a long-term solution for fingerprint biometric interoperability, which according to the DOJ relies on multi-directional, direct, real-time access between the FBI, the DHS, and other law enforcement agencies needing access to immigration records. Checking a visa applicantís fingerprints against IDENT means that the individualís fingerprints are not checked directly against the FBIís IAFIS, which is the largest, most current, and most complete file of criminal fingerprints.

The DOSís response is consistent with its position that the current interim measure involving the FBI extracting data from IAFIS and providing it to the DHS for inclusion in IDENT is adequate. As we report, the DOJ does not agree that providing extracts of IAFIS data achieves interoperability; rather, the extract process is an inadequate method of checking individualís criminal history because the extracts are untimely, erroneous, and incomplete. The extract process results in the creation and maintenance of redundant databases.

The fact that the DHS is developing a prioritization method for the 7 million-plus records of foreign-born individuals suggests that it cannot currently support the entire file. As we stated on page 45 of our report, the current daily transfer will take 6 years to complete. According to the DOJ, this problem could be avoided by directly accessing IAFIS rather than waiting for the FBI to transfer, one day at a time, portions of the entire file. Further, upgrading IAFIS will not ameliorate the faulty extract process. Even with an upgraded capacity, the FBI would still have to continue providing the DHS with regular extracts of its data, which the DOJís Metrics study report found is incomplete and error prone.

Regarding the two DOJ proposals that the DOS cited, our report describes a draft proposal that the DOJ submitted to the Policy Coordination Committee containing two options and cost estimates for a long-term strategy to achieve interoperability by enrolling individuals in US-VISIT using more than two fingerprints. In previous correspondence to us, the DOS indicated that its own cost estimates are much higher than the DOJís. However, as we stated above, the DOS did not include its own cost estimates or provide alternative suggestions. Our reading of the DOJís proposal indicated that it is not intended to dismantle the DOSís nor the DHSís Biometric Visa and US-VISIT programs. On page 48 of our report, we include a statement from the DOJís proposal which says that reducing the inconvenience to foreign travelers is one of the benefits of upgrading US-VISIT. If more than two fingerprints are collected from travelers now, they will not have to be re-enrolled in the future.

In response to the DOSís statement that requiring consular officers to collect ten fingerprints would detract from visa interviews and would be detrimental to border security, we believe that conclusion is premature because neither the potential for a ten-fingerprint system to identify more criminal aliens among visitors to the United States, nor the potential additional operational and financial costs of implementing a ten-fingerprint system are known at this point.