Follow-up Review of the Status of IDENT/IAFIS Integration
E & I Report No. I-2005-001
United States immigration authorities have long recognized the need for an automated fingerprint identification system to quickly determine the immigration and criminal histories of aliens they apprehend. However, the inability of immigration and law enforcement fingerprint identification systems to share information prevents law enforcement agencies from identifying criminals and wanted aliens in their custody, and has led to tragic results in some cases. In a report issued earlier this year, the Office of the Inspector General (OIG) described one such case, where border authorities twice released a man attempting to enter the country illegally. He subsequently returned to the United States illegally and traveled to Oregon where he raped two nuns, killing one. Because the federal government’s immigration and law enforcement fingerprint databases were not linked, the immigration agents who stopped and released him at the border never learned of his extensive criminal record. See OIG report entitled "IDENT/IAFIS: The Batres Case and the Status of the Integration Project," March 2004 (Batres report).
Congress has expressed increasing concern that the Federal Bureau of Investigation’s (FBI) Integrated Automated Fingerprint Identification System (IAFIS) and the Department of Homeland Security’s (DHS) Automated Biometric Identification System (IDENT) have not been integrated. After the terrorist attacks of September 11, 2001, Congress required that the fingerprint identification systems of law enforcement agencies be made interoperable so that criminals and known or suspected terrorists can be more readily identified.
In the Enhanced Border Security and Visa Entry Reform Act of 2002 (Border Security Act), which amended several key portions of the USA PATRIOT Act (Patriot Act), Congress required a "cross-agency, cross-platform electronic system that is a cost-effective, efficient, fully interoperable means to share law enforcement and intelligence information necessary to confirm the identity of…persons applying for a United States visa.…"1 The Patriot Act further required that this system be "readily and easily accessible" to all consular offices, federal inspection agents, and law enforcement and intelligence officers responsible for investigating aliens. The Border Security Act, in its description of an "interoperable data system," requires that immigration authorities have "current and immediate" access to information in federal law enforcement agencies’ databases in order to determine whether to allow aliens to enter the United States.2
During the past four years, the OIG has issued four reports that monitored the progress of efforts to integrate the automated biometric fingerprint systems of the DHS and the FBI.3 In our most recent report, the March 2004 Batres report, we found that integration has been moving slowly and would take years to fully accomplish. Shortly after we issued the Batres report, however, the DHS committed to Congress that it would expedite deployment of the initial version of a workstation that integrates IDENT and IAFIS (Version 1.2 IDENT/IAFIS workstations). On September 21, 2004, the DHS reported that it had completed deployment of Version 1.2 to all 136 Border Patrol stations. In addition, DHS officials told us that the DHS is on schedule to complete deployment of Version 1.2 to 179 of the approximately 331 ports of entry by December 31, 2004.
The OIG initiated this review to determine if the Department of Justice (Department) and the FBI are prepared to support the increase in IAFIS queries expected to result from the DHS’s expedited deployment of Version 1.2 workstations. However, because we discovered significant disagreements among the Departments of Justice, Homeland Security, and State regarding the definition and required elements of an interoperable biometric fingerprint system, we broadened our review to include an analysis of these issues. We also reviewed the status of the Department’s efforts to develop and deploy the next planned version of IAFIS.
US-VISIT entry/exit system. In addition to effectively identifying criminals among apprehended illegal aliens, border authorities also intend to check visitors to the United States entering through ports of entry to ensure that they are not criminals or suspected terrorists. To accomplish this, the DHS is implementing a new entry/exit and border security system – the United States Visitor and Immigrant Status Indicator Technology (US-VISIT) – at air, sea, and land ports of entry.
To establish the entry/exit system quickly, the DHS designed US-VISIT to use IDENT and its biometric databases to collect two fingerprints and a digital photograph to provide the biometric identification for visitors. On July 18, 2003, the Homeland Security Council Deputies approved the use of a photograph and two fingerprints for initial US-VISIT deployment in sea and air ports of entry. At the same time, the Deputies directed the DHS and the DOS to work with the Homeland Security Council and the Office of Management and Budget in developing future plans to migrate to an eight fingerprint system. Consequent to the Deputies’ decision, in September 2003, the DOS began to deploy small single finger scanners at its consulates and, in January 2004 the DHS launched US-VISIT. Both are based on the two-fingerprint system approved by the Deputies. The US-VISIT fingerprint checks against the IDENT database take approximately 15 to 20 seconds.
The DHS estimates that up to 43 million visitors a year – an average of about 118,000 per day – will be subject to the US-VISIT requirements.4 This includes most visitors traveling to the United States on a visa and the nationals of the 27 countries participating in the Visa Waiver Program who do not require a visa if their stay for business or pleasure is less than 90 days.5
To ensure that US-VISIT is interoperable with IDENT/IAFIS, the Department of Justice, the DHS, and the Department of State (DOS) are working to establish the common elements of a comprehensive biometric fingerprint policy, as required by the Border Security Act. The Data Management Improvement Act of 2000 amended previous legislation requiring an entry/exit data system and required implementation deadlines for US-VISIT. The Border Security Act directed the Attorney General and Secretary of State to implement an entry/exit system that includes biometric identifiers which utilize a technology standard, and in recent legislation, Congress specifically directed that the biometric fingerprint systems operated by the Department and the DHS work together.6 The DHS’s appropriation bills for fiscal years (FY) 2004 and 2005 and the DOJ’s FY 2005 appropriation bill specifically state that it is essential for US-VISIT to be interoperable with IAFIS (FY 2004), and for IDENT and IAFIS to ensure that both systems "can retrieve, in real time, biometric information contained in [IDENT and IAFIS] (FY 2005)."7
RESULTS IN BRIEF
This OIG review concluded that the FBI is prepared to handle the projected workload increase that will result from the DHS’s expedited deployment of Version 1.2 IDENT/IAFIS workstations at Border Patrol stations and air, land, and sea ports of entry. We found that the DHS currently plans to use IAFIS to check the fingerprints of less than one percent of the visitors subject to US-VISIT at the ports of entry. However, if IAFIS will be required to search fingerprints of an expanded number of visitors, current and planned IAFIS capacity could be inadequate.
We also found that efforts to achieve the fully interoperable biometric fingerprint identification system directed by Congress have stalled. Despite months of effort, the DHS, the DOS, and the Department disagree on a uniform method for collecting fingerprint information or on the extent to which federal, state, and local law enforcement agencies will have direct access to biometric fingerprint records. The Department has warned that the federal government may face significant future costs to re-engineer the fingerprint identification systems if these issues are not resolved soon.
Meanwhile, the majority of visitors to the United States are still not checked directly against the FBI’s IAFIS Criminal Master File, which is the most complete and current law enforcement database. Instead, the DHS continues to rely upon the interim measure of checking most visitors’ fingerprints against the small portion of IAFIS data extracted into IDENT. As a result, criminal aliens – including many who committed violent crimes that threaten public safety – are not identified and prevented from entering the United States. In addition, the lack of immediate access to the FBI’s full Criminal Master File creates a risk that a terrorist could enter the country undetected because the extract process results in a delay of up to one month before new records of known or suspected terrorists’ fingerprints are entered into the IDENT and US-VISIT databases.
For the Department of Justice to effectively proceed with its plans to make IAFIS interoperable with the biometric fingerprint systems of the DHS and the DOS, high-level policy decisions must be made regarding who should be subjected to fingerprint searches, the fingerprint collection standards to be used, the databases to be queried, who will have access to the information, how the information will be used, and who will maintain the databases.
Impact of projected DHS workload on IAFIS. The current and planned IAFIS capacity is sufficient to handle the projected workload that will result from the DHS’s deployment of Version 1.2 of IDENT/IAFIS workstations. According to DHS projections, as of December 31, 2004, the DHS will conduct up to 6,400 full IAFIS checks (that do not rely on the IAFIS extracts) each day from ports of entry and Border Patrol stations nationwide. Our review indicates that current capacity of the FBI’s IAFIS system will support up to 8,000 full IAFIS checks by the DHS each day. Planned IAFIS improvements through October 1, 2005, will increase IAFIS capacity to support 20,000 full IAFIS checks from the DHS each day.
Although the current and planned IAFIS capacity is sufficient to meet the DHS’s requirements, the DHS workload projections assume that only a limited number of visitors will be subjected to electronic checks directly against the full IAFIS Criminal Master File. According to data provided by US VISIT officials, between July 1, 2003, and June 30, 2004, an average of about 22,350 individuals were referred to secondary inspection each day, and 1,811 of these individuals were not admitted to the United States for law enforcement or administrative reasons. DHS inspection policy states that “all subjects who are suspected of being inadmissible to the United States shall be queried through IDENT/IAFIS.” However, according to the DHS, by the end of FY 2005, it expects to directly check only about 800 individuals each day (0.7 percent of the 118,000 visitors subject to US-VISIT daily) against the full IAFIS Criminal Master File.
The vast majority of visitors (99.3 percent) will be checked only against the US-VISIT watch list.8 These persons will not be checked directly against the full IAFIS Criminal Master File, which, as we explain below, could result in a failure to identify criminals or terrorists. However, a decision to check all of the 22,350 visitors referred to secondary inspection directly against IAFIS could exceed the current and planned IAFIS capacity of 20,000 daily searches.
IAFIS availability. Our review of system availability data from November 2003 through April 2004 found that IAFIS did not meet its requirement that the entire system be available 99 percent of the time. During that six-month period, the system was available 96.3 percent of the time. On 70 occasions, (including scheduled and unscheduled outages), downtime lasted 30 minutes or more and, in some cases, hours at a time. During these outages, FBI responses to DHS fingerprint search requests were not timely and resulted in aliens’ fingerprints not being checked against IAFIS. Further, IAFIS users were not always notified of system outages. The excessive downtime occurred because there is no backup system that can continue to process transactions to completion when IAFIS or its components are taken out of service for scheduled or unscheduled maintenance. The FBI is currently working to improve IAFIS availability and provide more timely notification to customers when the system is unavailable.
Progress toward full interoperability. Although new interim measures to improve border security have been implemented since issuance of our Batres report, our current review found that the longer-term effort to implement a fully interoperable biometric fingerprint identification system has stalled. We identified two principal barriers to further progress. First, the DHS and the DOS have not agreed to implement the January 2003 Technology Standard, developed by the National Institute of Standards and Technology (NIST), jointly with the Attorney General and the Secretary of State, at the direction of Congress, as the uniform method for collecting fingerprint information and for searching against large databases. The NIST research showed that ten "flat" fingerprints can be taken almost as quickly as two flat fingerprints and that ten flat fingerprints offered search accuracy rates approaching the traditional law enforcement standard of ten "rolled" fingerprints.9 The NIST showed that taking ten flat fingerprints offered a technologically and operationally acceptable approach for the Departments of Justice, Homeland Security, and State to screen incoming visitors. Accordingly, the NIST-recommended Technology Standard is for ten flat fingerprints to be taken to add or "enroll" individuals in databases and to conduct searches of the databases. The NIST further recommended that two flat fingerprints and a digital picture be used to verify the identity of a person against an existing record, but not for enrollment. Thus, the current US-VISIT fingerprint collection standard (two flat fingerprints for enrollment and database searches) is not consistent with the NIST-recommended Technology Standard.
The second barrier to achieving interoperability is that the DHS and the Department disagree on a method of implementing a fully interoperable system that provides federal, state, and local law enforcement agencies with the "readily and easily accessible" access to the IDENT database specified in the Patriot Act and in subsequent congressional legislation. Similarly, the DHS does not believe that the FBI or other law enforcement agencies should have access to US-VISIT records. The DHS maintains this position for several reasons, including concerns that the information in IDENT is incomplete and could be misinterpreted, and to protect the privacy of visitors enrolled in US-VISIT. Without direct access to the DHS’s IDENT database, it is more difficult for federal, state, and local law enforcement agencies to identify illegal aliens they encounter.
Because these issues have not been resolved, the DHS continues to rely on records extracted from IAFIS into IDENT for most fingerprint searches of visitors at ports of entry nationwide. The extracted data represents only a small portion of the more than 47 million records in the IAFIS Criminal Master File. A Department study of the extracted data has shown that the extracts are prone to have errors and omissions that result in missed criminals. Further, the fingerprint file of "Known or Suspected Terrorists" is only transmitted to the DHS once a month. Consequently, criminals or terrorists could be missed by checks against the extracted records.10
In an August 2004 preliminary draft Metrics Study report, the Department examined IDENT/IAFIS transactions that occurred at Border Patrol stations and at secondary inspection in ports of entry to determine if access to IAFIS would result in identifying more criminal aliens.11 The Department reported that almost three quarters (73.1 percent) of the criminal aliens encountered at Border Patrol stations and ports of entry were identified only by checking IAFIS, and would not have been identified by checking IDENT alone.12 The results clearly showed that not checking aliens against IAFIS increases the risk that the United States will unknowingly admit criminal aliens.
The Department has proposed conducting a similar study on visitors enrolled in US-VISIT, but, as of October 22, 2004, the DHS had not yet agreed to do so. Finally, the DHS’s decision to continue using two flat fingerprints rather than ten flat fingerprints makes direct searches against IAFIS impractical because two-fingerprint searches would significantly reduce the accuracy of IAFIS by increasing the number of false positives.13 In addition, the cost of searching IAFIS with two flat fingerprints is 25 times greater than ten fingerprints and requires significantly more computer processing resources. The Department has argued that the federal government may face significant costs to re-engineer its fingerprint identification systems in the future to implement a uniform fingerprint technology standard and make all the systems fully interoperable.
Actions taken in response to prior OIG recommendations. The Department and the FBI have taken steps that were responsive to all but one of the recommendations we made in our March 2004 Batres report. The Department was unable to implement our first recommendation, which was to develop a memorandum of understanding (MOU) with the DHS to guide the integration of IAFIS and IDENT. Although the agencies have continued to work together to solve operational and technical problems of mutual concern, the MOU has not been developed because of fundamental disagreements between the Department and the DHS over the attributes of an interoperable biometric fingerprint system and the degree to which the systems should be consolidated or made interoperable. For the other four recommendations:
Conclusion. Notwithstanding the significant positive steps taken to expedite the deployment of the initial integrated version of IDENT/IAFIS, progress toward the longer term goal of making all biometric fingerprint systems fully interoperable has stalled. The Department, the DHS and the DOS have not agreed on a uniform fingerprint Technology Standard nor agreed how to develop a fully interoperable system that provides law enforcement agencies with "readily and easily accessible" access to IDENT and US-VISIT immigration records as directed by Congress in the Patriot Act and in subsequent congressional legislation.
Because these capabilities have not been developed, over 99 percent of the visitors seeking admission to the United States under the US-VISIT provisions will only be checked against the US-VISIT watch list. Because that watch list relies on a limited number of records extracted from the IAFIS Criminal Master File, the checks will not be as complete as those made directly against the full 47-million-record IAFIS Criminal Master File. As the Department’s Metrics Study showed, when only extracts are checked many criminal aliens – including many who committed violent crimes that threaten public safety – are not identified and may be unknowingly admitted to the United States.
For the Department to effectively proceed with planning to make IAFIS interoperable with the biometric fingerprint systems of the DHS and the DOS, high-level policy decisions must be made regarding who should be subjected to fingerprint searches, the fingerprint collection standard to be used, the databases to be queried, who will have access to the information, how the information will be used, and who will maintain the databases. We recommend that the Department seek to have the federal government address those decisions in a timely way. Until those decisions are made, we recommend that the Department: