OIG Evaluation and Inspections Report I-2005-001

Follow-up Review of the Status of IDENT/IAFIS Integration

E & I Report No. I-2005-001
December 2004

Results of the Review - Part II

Although interim measures to improve border security have been implemented, the longer-term effort to achieve the fully interoperable biometric fingerprint identification system directed by Congress has stalled due to two principal issues. First, the Department, the DHS and the DOS have not agreed on a uniform Technology Standard for collecting fingerprint information. Second, the DHS disagrees with the Department that a fully interoperable system must provide federal, state, and local law enforcement agencies with ready access to IDENT and US-VISIT immigration records. Until these issues are resolved, some criminal aliens will not be identified as they try to enter the United States, illegal aliens already in the United States may not be identified, and the speed and accuracy of identification checks will be significantly reduced. In addition, the federal government may face significant costs to later re-engineer the fingerprint systems to correct deficiencies.

Interim Measures to Improve Border Security Have Been Implemented, But Efforts to Achieve the Fully Interoperable Fingerprint Biometric Identification System Directed By Congress Have Stalled.

As described in the background section of this report, since we last reported on the status of the integration project in March 2004, the Department and the DHS have implemented several interim measures to improve border security. With the implementation of US-VISIT on January 1, 2004, the DHS will now check about 43 million of the 260 million annual visitors’ fingerprints against data extracted from the FBI’s IAFIS. On May 17, 2004, the FBI began providing daily rather than bi-weekly Wants and Warrants electronic extracts to the DHS, as recommended in the OIG’s Batres report. Also, on September 21, 2004, the DHS finished deploying Version 1.2 IDENT/IAFIS workstations to all Border Patrol stations, and is in the process of deploying integrated workstations to all United States ports of entry, to be completed by December 31, 2005.
However, even with these significant interim measures, the fully interoperable biometric fingerprint system directed by Congress has not been achieved. The current system is not a fully interoperable biometric fingerprint system because: (1) the Department, the DHS, and the DOS have not implemented a uniform fingerprint collection methodology; and (2) law enforcement agencies still do not have direct access to all of the DHS’s immigration fingerprint biometrics information. Efforts to implement a system that corrects these deficiencies have stalled because of a failure to agree on standard collection methodologies, and disagreement over the extent to which agencies will have access to each other’s fingerprint data.
At the direction of Congress, the NIST developed a Technology Standard to establish a uniform method for collecting fingerprint information. In the Patriot Act, as amended by the Border Security Act, Congress directed the NIST, jointly with the Attorney General and Secretary of State, to develop and certify a technology standard for verifying the identity of those seeking a visa to visit the United States. In January 2003, the NIST, the Attorney General, and the Secretary of State submitted a joint report to Congress containing recommendations on the most effective Technology Standard for an interoperable biometric database.⁴⁹ The Technology Standard recommended by the NIST called for ten flat fingerprints to be taken for enrollment and checking of large biometric databases. The NIST further recommended that two flat fingerprints and a digital picture be used to confirm the identity of a person against his or her own existing record, but not for enrollment.
The NIST continued to conduct research on fingerprint biometrics throughout 2003 and 2004, and issued several subsequent reports. In these reports, the NIST analyzed the fingerprint matching performance and accuracy of: (1) IAFIS, using flat and rolled prints and two or more fingers;⁵⁰ (2) US-VISIT, using flat prints and one-to-one identify verification; and (3) fingerprint vendor technology, using operational fingerprint data from a variety of United States government sources. Regarding enrollment speed, the NIST found that taking ten flat fingerprints took 10 to 15 seconds longer than taking two flat fingerprints, using current fingerprint scanning technology.⁵¹ Regarding the effects on response time, the NIST confirmed other research that found that providing more fingerprints substantially speeds search processing by increasing the filtering of the database (which reduces the number of fingerprints actually searched). The NIST also found that search accuracy increased (i.e., there were fewer false positives) when the maximum number of fingers (ten) was used to search a database.⁵² This was true for all the fingerprint matching systems that the NIST tested. In September 2004, the NIST provided Congress with a summary of its recommendations for a fingerprint Technology Standard. The summary reported that the extensive testing of biometric systems conducted by the NIST in 2003 and 2004 confirmed the NIST’s January 2003 recommended Technology Standard of ten flat fingerprints for enrollment and two flat fingerprints and a digital picture for identity verification.
The Department, the DHS and the DOS Have Not Agreed on a Uniform Technology Standard for Collecting Fingerprint Information.

The Department, the DHS, and the DOS have not agreed to begin collecting fingerprint biometric information in a uniform manner. At present, the Department standard is to collect ten rolled fingerprints for enrollment in IAFIS, although the Department also accepts that two flat fingerprints may be used to subsequently verify aliens’ identities by checking their fingerprints against their own records (one-to-one matches). The DHS collects two flat fingerprints at ports of entry to enroll visitors into US-VISIT. The DHS also collects ten rolled fingerprints from apprehended aliens at Border Patrol stations and from visitors referred to secondary inspection at ports of entry that are not going to be admitted to the United States to check IAFIS, but enrolls them in IDENT using only two fingerprints. If an officer decides to book an apprehended alien, an officer transmits ten rolled fingerprints to IAFIS and to the Biometrics Support Center to enroll the alien in the lookout database. At United States consulates, the DOS collects two flat fingerprints to enroll individuals applying for visas into US-VISIT. Each of the departments’ positions regarding implementation of a fingerprint collection standard is discussed below.
The Department position on collecting fingerprint information. The Department endorsed the recommendations in the NIST’s Technology Standard. All Department officials we spoke with stated that direct queries of the criminal and immigration databases using ten flat fingerprints (instead of two) would enable more complete and rapid adjudication of individuals seeking admission to the United States. They also stated that taking ten flat fingerprints would reduce the number of false positives, and offer more options for system design and interoperability across the DHS, the DOS, the Department, and other agencies. A ten flat fingerprint system would also significantly increase the probability of making a match on latent fingerprints from crime scenes.
Department officials stated that acting promptly to implement a system to collect ten flat fingerprints could reduce system upgrade costs, minimize the volume of re-enrollments, and reduce the inconvenience to foreign travelers. Finally, although the Department officials stated that all systems should collect ten flat fingerprints, they also stated that the systems must be flexible so that upgrades in biometric capture technology, such as the ability to collect ten rolled fingerprints quickly and accurately, could be incorporated in the future.
Consistent with the above, the Department has stated that it believes that the US-VISIT fingerprint workstations at consulates and ports of entry should be modified to collect ten flat prints for enrollment in the database. Because the NIST found that ten flat fingerprints could be taken in almost the same time as the two flat prints, the Department believes this option could be implemented within one year. In its draft proposal to the Policy Coordination Committee, the Department’s estimate was that it would cost the Department $103 million in the first year to implement a ten-flat fingerprint system.⁵³
The DHS position on fingerprint collection. Although not a party to the original NIST study, the DHS officials we spoke with were aware of the NIST Technology Standard and DHS staff participated in the discussions that led to the publication of the NIST Technology Standard. In April 2004, we asked the US-VISIT Deputy Director whether, and when, the DHS would begin taking more than two fingerprints to enroll individuals in US-VISIT. He responded that the DHS plans to continue with the current two-print process, and will make a decision regarding eight or ten prints "based on recommendations by the NIST and as the technology evolves," as it is still "an open question" whether the DHS is required to collect more than two fingerprints for US-VISIT. The DHS officials continue to maintain this position. However, in the DHS’s May 28, 2004, Statement of Work, which described the scope of the Prime Contractor’s obligations under the contract to develop US-VISIT, the DHS stated that a move to taking eight fingerprints at consular offices worldwide is "in planning." Also, on July 18, 2003, the Homeland Security Council Deputies approved the use of a photograph and two fingerprints for initial US-VISIT deployment in sea and air ports of entry. At the same time, the Deputies directed the DHS and the DOS to work with the Homeland Security Council and the Office of Management and Budget to develop future plans to migrate to an eight fingerprint system.
The DHS officials also stated that operationally IAFIS cannot meet the rapid response time of 15 to 20 seconds that is needed when visitors are checked against the US-VISIT watch list at primary inspection.⁵⁴ DHS officials also said they would have to purchase more expensive scanners and reconfigure the primary inspection work space to accommodate the scanners.
The DOS position on fingerprint collection. DOS officials told us that DOS consulates are taking two flat fingerprints of visa applicants because this meets the congressional mandate to implement standardized fingerprint collection at all consulate posts no later than October 26, 2004.⁵⁵ Regarding the possibility of implementing an eight or ten print system, the Deputy Assistant Secretary of State for Visa Services told us that the DOS will be guided "by what the scientists [i.e., the NIST] say." She acknowledged the NIST’s finding that too many false positives could occur with a two-print system, and stated that, at the point that the system began returning an unacceptable number of false positives, the DOS would go to a system using more than two fingerprints. The Deputy Assistant Secretary and other DOS officials cited the following concerns associated with implementing a fingerprint system that uses more than two fingerprints:

Cost and resource issues. DOS officials told us that they have resisted going to more than two prints largely because the scanners used to take ten fingerprints are more expensive and staff would have to be retrained to use the new equipment.
Need for visa applicants to remain in clear view. Because DOS employees at consulates must operate behind a "hard line" (a glass window separating visa applicants from employees), they must have a clear view of visa applicants to verify that individuals are physically placing their own fingers on the scanner. Fingerprint scanners that are too large to mount on the window ledge may have to be placed where there can be no clear view of visa applicants and could make it difficult for non-English-speaking applicants to understand how to scan their fingerprints. As a result, the ten-print scanners may have to be installed off-site, which would be inefficient for visa processing.
Ten-prints viewed as criminal. DOS officials told us that the two-print system has been well received by visa applicants thus far. However, the officials expressed concern that visa applicants may view the requirement to provide ten fingerprints as a criminal booking procedure, which the DOS is concerned could discourage travel to the United States.

Table 4 (below) provides a comparison of the fingerprint collection methods used by the Department, the DHS, and the DOS and the pros and cons of each method.

TABLE 4 - COMPARISON OF FINGERPRINT COLLECTION METHODS

Methods Used By Pros Cons

Rolled prints of 10
fingers

(10-rolled prints) DOJ: Used as the IAFIS Criminal Master File enrollment standard

DHS: Used to check apprehended aliens against IAFIS Criminal Master File; used to enroll aliens in the IDENT Lookout database; used to enroll aliens to be booked in IAFIS Criminal Master File (CAR booking); used for background checks prior to issuing lawful permanent resident card or granting citizenship.

DOS: Not used. Provides the most complete information for identifying individuals

Search accuracy; results in among the fewest false positive hits

Provide the most information to match against latent fingerprints

Greatest categorization of fingerprints reduces search to about 2 percent of database, enabling the most efficient use of processing power Taking 10 rolled prints is time consuming and labor intensive

Most difficult to take prints of acceptable quality (highest enroll reject rate)

Requires different/more expensive equipment

Most intrusive (operator must physically roll subjects' fingers)

Most objectionable to foreign visitors

Flat-pressed prints
of 10 fingers

(10-flat prints) DOJ: FBI is currently implementing this as the standard for civil enrollments and conducting background checks

DHS: Not used

DOS: Not used

NIST recommended standard to enroll and search interoperable systems Search accuracy for identifying criminals in IAFIS is statistically indistinguishable from using 10-rolled prints

Takes only 10 to 15 seconds longer than taking 2-flat prints

Less intrusive than 10-rolled prints - operator need not touch subject

Fewer false positives than 2-prints

Improved categorization of fingerprints reduces search to about 6 percent of database, enabling more efficient use of processing power More expensive than two flats

Perceived as more intrusive than two flats

Slower IAFIS searches than 10 rolled

Provides less information than 10-prints for identifying latent fingerprints

Flat-pressed prints
of 2 fingers

(2-flat prints) DOJ: Not used, but accepted for one-to-one verification matches

DHS: used to enroll aliens in IDENT apprehension database as well as for later searches of this database; used to enroll visitors at ports of entry in the US-VISIT database (if not done by DOS)

DOS: used at consulates to search US-VISIT watch list database and enroll visa applicants in US-VISIT

NIST recommended standard for one-to-one verifications only Least expensive for equipment and labor

Least intrusive for subjects

Least objectionable for foreign visitors

Acceptable search time when used to check 2-print databases

Fastest and easiest to take prints of acceptable quality (lowest enroll reject rate) Least accurate, results in most false positive hits and more false frequent negatives (i.e., missed identification of criminal on file)

Least categorization makes it inefficient for searching 10-print databases, such as IAFIS (requires searching 70 percent of database)

Provides least information for identifying latent fingerprints, which may be from any of 10 fingers

Possibility of finger sequence errors

The DHS Disagrees with the Department that a Fully Interoperable System Must Provide Federal, State, and Local Law Enforcement Agencies with Ready Access to IDENT and US-VISIT Immigration Records.

The second barrier to further progress on implementing an IDENT/IAFIS system that is fully interoperable, including with US-VISIT, is that the DHS has not agreed to provide the Department and other law enforcement agencies with direct access to US-VISIT records. In the Border Security Act, Congress directed creation of "an interoperable electronic data system to provide current and immediate access to information databases of Federal law enforcement agencies and the intelligence community that is relevant to determine whether to issue a visa or determine the admissibility or deportability of an alien."⁵⁶ Both the Border Security and Patriot Acts further specified that information in the system be "readily and easily accessible" to immigration officials and law enforcement or intelligence officers responsible for investigating or identifying aliens.⁵⁷
On June 22, 2004, the Homeland Security Council Deputies stated that the Department and the FBI should provide a proposal with suggested language to provide the FBI with access to US-VISIT. On August 3, the Deputies stated that by August 6, 2004, the DHS will provide the FBI with 100 accounts for accessing US-VISIT data or, if this is not possible, define the way forward to overcome the technical or other obstacles impeding this access.
In October 2004, the DHS drafted an MOU to grant user accounts to 30 individuals named by the FBI for accessing US-VISIT.⁵⁸ On November 1, 2004, the DHS sent a memorandum to the Deputy Director of the Homeland Security Council stating that it had met its obligations to provide the FBI with full access to its US-VISIT records. In the memorandum, the DHS stated that it had provided training on the data limitations of US-VISIT records to these 30 individuals. In the memorandum, the DHS also stated that it would provide US-VISIT access and training to an additional 200 users whom the FBI indicated also need access to US-VISIT. However, Department officials told us that they are disappointed at the slow pace and limited scope of the access that the DHS has provided thus far and do not consider that the FBI has "full and immediate" access to the US-VISIT database.
Further, little progress has been made toward providing the DHS’s apprehension and criminal history information to other federal, state, and local law enforcement agencies. We found that the DHS’s current plans do not ensure that the information in the DHS’s IDENT and US-VISIT databases will be "readily and easily accessible" to the Department or other federal, state, and local law enforcement agencies. Progress to interoperability has been stymied by disagreements over how it is to be achieved. Each of the Departments’ positions on this issue is discussed below.
The Department’s position on law enforcement access to immigration data. According to Department of Justice officials we spoke with, a fully interoperable system should provide direct, real-time access to data from the IDENT, IAFIS, and US-VISIT databases to other federal and local law enforcement agencies. In the Department’s submission to the OMB working group supporting the Homeland Security Council Deputies, JMD defined interoperability as:

The seamless ability to share data that is complete, accurate current, and timely (available as needed) among and between participating stakeholders. The flow of information being shared must be multi-directional, not just one-way.

The need for multi-directional sharing was echoed by Department officials we spoke with. For example, on June 15, 2004, we interviewed a Section Chief at the CJIS Division who stated that the FBI’s primary issue with the current process of the FBI sending the DHS extracts from IAFIS is the lack of direct access to DHS information. The Section Chief explained that the FBI supports collecting and sharing biometric information; however, the information sharing should be a "two-way street" – that is, the DHS must also share its information with the FBI. For investigations and special queries, the Section Chief stated that the FBI must be able to search any United States government database directly, including IDENT, in a timely manner.
Information in the IDENT database, specifically the alerts in the apprehensions file, is not in the IAFIS database. Alerts flag the records of aliens who did not meet the criteria for inclusion in the lookout database but nevertheless who should be closely scrutinized or detained if apprehended. Alerts include warnings about aliens who may present threats to officer safety. This information would be useful to federal, state, and local law enforcement officers who might encounter the aliens. If the FBI is unable to directly access the information in IDENT and US-VISIT, it will be less able to identify aliens arrested in the United States who have violated their immigration status, tell employers the status of an applicant for a sensitive position, and coordinate with the DOS to ensure that law enforcement can identify persons of interest when they apply for a visa.
We asked whether the FBI’s position had been communicated to the DHS, and the FBI Section Chief told us that at every opportunity during frequent meetings with representatives from the DHS he reiterates the FBI’s need for direct access to the DHS databases. The Section Chief said he even has asked DHS representatives directly when the FBI will have access to DHS data, but has received no response. Further, CJIS Division executives we interviewed confirmed the FBI’s need for multi-directional interoperability.
In another interview, a Senior Information Technology Specialist in the CJIS Division’s Operations Branch confirmed the Department’s position on interoperability and law enforcement access to DHS data. He told us that interoperability for the FBI means that law enforcement personnel must have access to information about previously apprehended individuals who have again illegally entered the United States. He explained that the most valuable aspect of interoperability is that all the DHS and FBI data would be available to law enforcement personnel the way that CAR transactions are currently available to anyone who queries IAFIS.
Further, Department officials stated that an interoperable environment should reduce or eliminate the replication of records in multiple databases. The "principles of interoperability" that the Department submitted to the Homeland Security Council Deputies stated: "Providing large data extracts from one system to another is the antithesis of interoperability." FBI officials also stated that sending the DHS extracts of IAFIS data (e.g., Wants and Warrants) is an inefficient and untimely practice. The CJIS Division Section Chief mentioned above told us that the FBI would prefer that the DHS search IAFIS directly, as do other users. However, the Section Chief explained that the DHS does not want to directly search IAFIS and wants the FBI to continue sending DHS extracts so that the DHS can build its own database of duplicate information. He also stated that providing extracts to the DHS is not efficient or cost-effective for the FBI as it requires human intervention to move the records to compact disks and send them to the DHS.
Finally, Department officials stated that non-citizens have minimal rights under the Privacy Act. Although the DHS made the policy decision to afford US-VISIT enrollees privacy protections, these protections do not preclude the sharing of information for law enforcement purposes.
The DHS position on law enforcement access to immigration data. The DHS officials we spoke with did not agree with the Department’s vision of interoperability. In our interviews with DHS officials, they stated that law enforcement officials outside of the DHS should not have access to US-VISIT records because of privacy concerns. They also cautioned that the law enforcement records on individuals in the IDENT database are not the individual’s comprehensive immigration records. In addition, they stated IDENT may have outdated or incomplete information. While outdated or incomplete data does not compromise the utility of the database, DHS officials said that it may result in errors if relied on by other law enforcement agencies.
Privacy concerns with access to US-VISIT data. Regarding US-VISIT, Program Managers from the DHS’s US-VISIT Program Management Office told us that they view US-VISIT as wholly separate from IDENT/IAFIS. They explained that the fingerprint records stored in US-VISIT are from people who are presumed innocent and that US-VISIT is considered a "benefit" or "good guys" database. Conversely, IDENT and ENFORCE are on the enforcement side and are considered "bad guys" databases, as they are comprised primarily of immigration violators. The US-VISIT Deputy Director told us that the DHS is particularly concerned about guarding the data in US-VISIT to protect the privacy of visiting foreign nationals who are presumed to be non-criminals. The DHS has extended the principles and protections of the 1974 Privacy Act to all individuals processed through US-VISIT and include a process for redress if an individual has a complaint. The US-VISIT Program Office worked closely with the DHS Privacy Officer to develop the US-VISIT privacy policy. The policy explains who the program affects, what information is collected, how the information is used, and how people can find out what information is retained.
DHS Program Managers stated that another issue is ownership of US-VISIT records. The US-VISIT Deputy Director believed strongly that the DHS has the ability to store, and can "maintain the integrity of, foreign nationals’ fingerprints." Regarding access by other law enforcement agencies, he stated that records in the database can be searched for law enforcement purposes on a case-by-case basis. He reiterated, though, that the FBI should not be given the authority to search the database directly. Instead, the DHS can check the US-VISIT fingerprints against a criminal watch list or for other agencies if the FBI or any other law enforcement agency has a "legitimate reason" to query the records.
The US-VISIT Deputy Director and the US-VISIT Program Managers told us that law enforcement personnel can get access to immigration data by submitting a search request for a "subject of interest" to the DHS, the Law Enforcement Support Center, or the Biometrics Support Center. For example, the Virginia State Police have expressed interest in having access to law enforcement immigration information on aliens they encounter. The Program Managers explained that if during a traffic stop an officer finds a subject of interest, the officer could contact the Law Enforcement Support Center, which maintains updated records on immigration violators and is capable of placing a "detainer" on a deported felon. We asked when such information would be available more immediately via direct access. The US-VISIT Deputy Director stated that the DHS’s prime contractor, Accenture, is responsible for defining the interoperability scheme for working with local law enforcement.⁵⁹ That is, in conjunction with DHS officials, Accenture must help decide how best to provide federal, state and local law enforcement with access to IDENT data.
IDENT does not reflect updated immigration status. The US-VISIT Program Managers also told us that the IDENT and US-VISIT databases cannot be relied upon to accurately determine immigration status because immigration status is dynamic. The databases were created to serve different purposes and populations and may not contain current and complete immigration data. For example, if an individual is apprehended along the border and naturalized two years later, IDENT would contain information on the apprehension but may not contain information on the subsequent naturalization. The latter information is kept in other databases that are available to immigration officers, but not to law enforcement agencies querying IDENT. This is important, the Program Managers stated, because it creates the potential for police officers using incomplete information to apprehend someone that they think is an immigration violator. According to the US-VISIT Program Managers, there have not yet been any detailed discussions about how to resolve this issue.
In addition to disagreeing with the Department that other law enforcement agencies should be able to directly access US-VISIT, DHS officials also disagree that the current practice of extracting records from IAFIS to IDENT fails to meet the requirement for integrating the systems. The DHS officials told us that they believe they have already achieved an acceptably integrated IDENT/IAFIS system by having access to the Department’s data in IAFIS through the FBI’s now-daily transmission of its Wants and Warrants file, and the monthly transmission of suspected terrorists’ and military detainees’ fingerprints on a compact disk.
Similarly, the DHS has stated this same position to Congress. During an April 1, 2004, hearing before the Immigration and Border Security Subcommittee of the Senate Judiciary Subcommittee, Senator Chambliss asked the DHS Assistant Secretary for Border and Transportation Security Policy and Planning whether the DHS agreed with a recommendation in the OIG’s March 2004 report that the Department should develop and implement an MOU with the DHS to guide integration of IDENT and IAFIS. The Assistant Secretary indicated that he disagreed with the recommendation because "…we have an integrated system…that can be used by the Border Patrol to essentially query both the IDENT system, which has a record of people that have been illegally deported or denied entry and so forth, as well as the IAFIS system, which is the FBI's huge fingerprint database of people with criminal records. So,…we have an integrated system."
The DOS position on law enforcement access to immigration data. DOS officials told us that, in their opinion, the FBI should have access to certain DHS data, such as entry and exit information in US-VISIT. They told us that during interagency meetings they have encouraged the DHS to share this information with the FBI, but they recognize the DHS’s privacy concerns. The DOS offered to share its textual visa applicant information with the FBI and plans to sign an MOU with the FBI regarding procedures for sharing such information. Information from visa applicants is stored in the Consular Consolidated Database, which does not contain fingerprint data, only photographs and textual information on applicants. DOS officials explained that, under the MOU, certain CJIS Division representatives would have access to the Consular Consolidated Database. The DOS officials believed that direct FBI access to the DOS Consular Consolidated Database will be a significant improvement over past procedures when the FBI relied on the DOS Security Advisory Opinions.
Although the DOS supports FBI access to US-VISIT data, it does not support taking ten flat fingerprints from visa applicants to query IAFIS directly. Instead, the DOS supports the current process of the FBI providing extracts of its IAFIS data to the DHS. The DOS suggested that the FBI transfer all foreign-born criminal history data in IAFIS to IDENT. During a June 23, 2004, interview with DOS officials, we explained that the Department considers that as an interim measure until long-term interoperability and direct access was achieved. However, the Deputy Assistant Secretary of State for Visa Services told us that the current process of FBI transferring information from IAFIS to IDENT is "the way to go," and believes that "it’s working." She responded that the DOS does not consider this to be only an interim measure. She also stated that the DOS should maintain the fingerprints its officers enroll at the consular posts because this would best ensure the integrity of the fingerprints collected overseas and allow them to verify that an individual provided his or her own fingerprints.
The Department disagrees with the DHS’s and the DOS’s positions on interoperability and access to immigration biometrics records in IDENT and US-VISIT. The Department’s position is that a fully interoperable system should provide direct, real-time, multi-directional sharing of data with other federal, state, and local law enforcement agencies. Currently, no direct connection between IAFIS and IDENT or US-VISIT makes this possible. The Department maintains that the interim measure of providing large extracts of IAFIS data to DHS, while valuable in the short-term, is time-consuming and inefficient. Most important, it does not ensure the most complete and timely identification of criminal aliens and known or suspected terrorists.
We also found that the Attorney General and the CIO have communicated the Department’s position on interoperability to the DHS on several occasions. On November 6, 2003, the Attorney General wrote a letter to DHS Secretary Ridge, citing the need for increased coordination between the Department and the DHS.⁶⁰ The Attorney General’s letter also included a letter, dated September 8, 2003, from the Department’s CIO to the DHS’s CIO that proposed a broad MOU between the Department and the DHS that would cover policy and business processes related to US-VISIT, interoperability of IAFIS with US-VISIT, identity enrollment and the NIST standard, information sharing between US-VISIT and federal, state and local law enforcement, and the role of IDENT/IAFIS in the US-VISIT strategy and schedule, including upgrading integrated workstations.
On May 25, 2004, the Attorney General sent a memorandum to the Homeland Security Council representatives, including the Deputy Secretary of DHS and the Secretary of State, to reiterate the Department’s position on interoperability as it relates to US-VISIT. The Attorney General stated that the two principles of safety and security for Americans and a quick and accurate processing of people should guide the US-VISIT program. Regarding safety and security, the Attorney General stated:

. . . the best way to protect our safety and security is to make our various fingerprint systems fully interoperable. This will maximize our ability to apprehend or exclude potential terrorists and other violent criminals. . . While this will require additional resources, I believe that . . . it is better to spend those funds developing the proper system now. The alternative of continuing to rely on separate systems and extracts and deciding later that we need interoperability would entail substantial delays and even more expense. I believe that DHS, DOJ/FBI, and State should move towards this goal as quickly as possible.

Regarding the quick and accurate processing of people, the Attorney General stated:

We need to implement technology and establish a fingerprint standard that minimizes the "false positive" problem…Large numbers of "false positives" could severely slow down and/or compromise our inspection processes and have adverse security, foreign policy and commercial consequences. . . it is my view that we need to rely on our best scientists to determine the specific standard we should adopt for fingerprint enrollment to accomplish this…I believe that this will result in an enrollment standard of more than two fingerprints.

Until These Issues are Resolved, Risks Remain that Criminal Aliens Will Not Be Identified as They Try to Enter the United States, Illegal Aliens May Not Be Identified, and the Speed and Accuracy of Identification Checks Will Be Significantly Reduced.

The majority of visitors to the United States are still not checked against the most complete and current law enforcement records to identify criminal aliens. The IAFIS Criminal Master File contains over 47 million fingerprint records. As of September 2004, the FBI has copied many of the IAFIS records most likely to be associated with aliens and provided them to the DHS for inclusion in IDENT (see text box, below). However, the records provided through September 2004 amount to only one percent or less of all IAFIS records.
Under the current US-VISIT system, the vast majority of the 118,000 daily visitors will be checked against the records copied into IDENT [using two fingerprints]. Because the US-VISIT, IAFIS, and IDENT systems are not interoperable, only a select number of visitors who are subjected to additional screening are checked against the full Criminal Master File in IAFIS. Current DHS estimates indicate that the DHS plans to conduct a full check on only about 800 visitors a day (about 0.7 percent of all visitors entering the United States). However, a draft August 2004 report by JMD demonstrates that not checking aliens against the full IAFIS database increases the risk of admitting criminal aliens.⁶¹

IAFIS Records Copied Into IDENT

Latent Fingerprints. Approximately 7,000 latent fingerprints collected at crime scenes, and approximately 250 latent fingerprints related to known or suspected terrorist activity.

Known or Suspected Terrorist Fingerprints. Approximately 15,000 fingerprints of known or suspected terrorists, including military detainees being held oversees, updated monthly.

Wants and Warrants. A daily list of about 141,000 records of active warrants for individuals with an unknown or foreign birthplace or prior arrest on immigration charges. The DHS electronically scans the list to identify new and deleted records, and requests fingerprint images that it does not have.

Criminals from High Risk Countries. About 179,500 fingerprint records of males from 25 counties, such as Iraq, Iran, Syria, and the Sudan, designated as high risk (a one-time effort).

All Potential Foreign Criminals. At the DHS's request, the FBI identified about 7 million records that list foreign or no place of birth or a prior arrest on immigration charges. These records are being extracted and added to the IDENT database, but because the FBI limits the DHS to 3,000 IRQs per day, at the current rate it will take over 6 years to fully extract these fingerprint records. *

*NOTE: Because IDENT may not have the capacity to hold all 7 million records, the DHS is currently trying to prioritize the most serious criminal offenders.

Sex Offenders. About 11,000 fingerprint records of convicted sex offenders who have an unknown or foreign birthplace, or prior arrest on immigration charges.

JMD’s Metrics study report.⁶² In an August 2004 draft Metrics report, JMD reported that querying individuals directly against IAFIS resulted in a significant increase in the number of criminals identified, and that failing to conduct IAFIS queries leaves the United States vulnerable to criminal aliens and terrorists entering the country undetected. In this study, JMD analyzed 179,094 encounters with aliens that occurred during 2003 at 40 sites (21 Border Patrol stations and 19 ports of entry) using Version 1.2 IDENT/IAFIS workstations. Of the encounters examined, 164,232 occurred at Border Patrol sites and 14,862 occurred at ports of entry. As described in the Background Section, the Version 1.2 workstations enable the DHS to query IAFIS directly (in addition to IDENT). The Metrics study examined whether searching IAFIS, as opposed to searching only IDENT, resulted in the identification of more criminals seeking entry into the United States. The study also identified the most serious offenses the criminals had committed.
The Metrics study found that, of the 179,094 aliens checked, 80,150 (44.8 percent) had no record, and 74,924 (41.8 percent) had prior administrative immigration violations. The remaining 24,020 (13.4 percent) of the aliens had criminal records (20,346 from Border Patrol stations and 3,674 from ports of entry). Importantly, the study found that at least 17,553 of these criminal aliens – 73.1 percent – were identified only as a result of the IAFIS query. Almost three quarters of the criminal aliens attempting to enter the country would not have been identified as criminals by IDENT alone because immigration officials would not have had access to their criminal records in IAFIS.

Table 5: Criminal Hits Attributed to IAFIS by Most Serious Offense

Most Serious Offense Hits Percent of Total

Immigration 3,526 28.6%

Dangerous Drugs 1,851 15.0%

Assault 1,574 12.8%

Weapons Offenses 180 1.5%

Robbery 128 1.0%

Sexual Assault 116 0.9%

Sex Offenses 84 0.7%

Kidnapping 41 0.3%

Homicide 38 0.3%

All Others 4,794 38.9%

Total 12,332 100.0%

Source: JMD Metrics Report

Many of the criminal aliens had committed serious violations. JMD analyzed the criminal rap sheets of 12,332 of the 17,553 individuals identified by IAFIS to determine the nature and severity of their criminal histories. The most serious offense on 7,538 (61 percent) of the rap sheets fell into one of nine categories identified as "special interest" because they would likely result in action by a United States Attorney or the Executive Office of Immigration Review (Table 5, above). Many had committed crimes that raised public safety or border security concerns. Nearly one-third (4,012) committed violent crimes or were involved with dangerous drugs. Also, many were repeat offenders. Over half the rap sheets contained multiple charges and 15.6 percent had five or more charges while 4.4 percent had 10 or more charges.
The JMD Assistant Director for Management and Planning told us that JMD would like to conduct a study of US-VISIT fingerprint data similar to the Metrics Study described above. In conjunction with a statistician, the CJIS Division, the DHS, and JMD could take statistically valid random samples of US-VISIT data from various ports of entry and from other relevant immigration biometric databases used for enforcement or benefit purposes in IDENT and search the DHS’s two-flat fingerprint data against IAFIS. The objective of the study would be to assess the risk of not checking the fingerprints of all visitors subject to US-VISIT or those exempt from US-VISIT against the complete IAFIS database. The research would be conducted so as not to disrupt normal IAFIS operations. Officials from JMD have discussed this possible study with the DHS, but the DHS and JMD have not yet agreed on the parameters of the study or on the data that is to be sampled.
Until a standard ten fingerprint methodology is adopted and an interoperable system is implemented, the speed and accuracy of identification checks will be significantly reduced. Research conducted by MitreTek showed that taking more fingerprint impressions greatly speeds fingerprint searches.⁶³ When IAFIS processes a fingerprint search, it first classifies the fingerprints according to pattern (e.g., left loop, right loop, whorl, and arch). It then conducts a fingerprint matching check against only records of fingerprints having the same basic patterns. For searches using ten rolled fingerprints, about 98 percent of the database can be filtered out so that the fingerprint matching is conducted on only about 2 percent of the records. Using ten flat prints allows about 94 percent of the database to be filtered out. In contrast, with two flat fingerprints about 70 percent of the database must be matched, increasing the amount of processing required by about 35 fold over ten rolled prints. These research findings strongly suggest that, because the US-VISIT system is not collecting fingerprints in accordance with the NIST’s recommended Technology Standard, response times will be delayed as the US-VISIT database grows. In addition to longer processing times, using fewer than ten fingerprints results in reduced accuracy and a greater likelihood of identifying false positives.
Further, the Metrics study report found that the data extracts from IAFIS to IDENT are prone to error because, for example, one of the selection criteria relies upon self-reported data (e.g., place of birth). However, aliens being arrested have an incentive to lie about their nationality to avoid deportation. Also, many United States citizens have an unknown or foreign place of birth. The result is that the records of United States citizens may be loaded into the IDENT database, while the records of some non-United States citizens and potential criminal aliens are not included. The Metrics study found that the Wants and Warrants extract failed to include 22 percent (121 of 541) of criminal aliens with active Wants and Warrants.⁶⁴
The Federal Government May Face Significant Costs to Later Re engineer the Different Fingerprint Systems
According to Department officials, if timely action is not taken to adopt a uniform fingerprint methodology, such as the NIST Technology Standard, and establish the parameters for an interoperable system, the costs to re-engineer the systems later will be significantly greater. Further, enrollment records currently being created in US-VISIT may be incompatible with the Technology Standard that ultimately is adopted. In that case, individuals may have to be re-enrolled in order for their records to be complete. Among the decisions that must be made are: Who should be subjected to fingerprint searches? What fingerprint collection standard should be used? Which databases are to be queried? Who will have access to the information in each database? How will the information be used? Who will maintain the databases?
The need for resolution of these questions is increasing because the Department is proceeding with the development of new systems. For example, JMD had begun planning for Version 2 of IDENT/IAFIS and the FBI is planning for the Next Generation IAFIS. Further, in June 2004 the Department submitted a draft proposal to members of the Policy Coordination Committee containing options, costing up to $280 million, for a long-term strategy to achieve interoperability.⁶⁵ The Department recognized the potential for future costs, stating:

Significant cost savings will also be achieved by avoiding mistakes now that will be costly in the future. By collecting [more than two fingerprints] for US-VISIT enrollment now instead of later, system upgrade costs will be lower and the volume of re-enrollments will be minimized to reduce the inconvenience to foreign travelers.

Because of the disagreements about collection of uniform biometric fingerprint information and the extent to which systems should be made interoperable, the Department, the DHS, and the DOS still have not developed an MOU on how law enforcement agencies will be given direct access to all of the DHS’s immigration data.
Footnotes

Use of Technology Standards and Interoperable Databases with Machine-Readable Tamper-Resistant Travel Document, January 2003.
Taking more than two but less than ten flat fingerprints was an option considered, including taking eight flat fingerprints (not using the thumbprints).

The NIST found that two flat fingerprints can be taken in approximately 10-15 seconds, and that ten flat fingerprints can be taken in approximately 30 seconds.

The false positive rate, or false accept rate, is the probability that the system will incorrectly determine that a search fingerprint and a file fingerprint are matches. This would occur if a traveler is mistakenly matched as a criminal hit. The false negative rate, or false reject rate, is the probability that the system will not identify a search fingerprint match when the match is in the system. This would occur if a criminal with a record in IAFIS is not identified when his or her fingerprints are searched.

The Department also estimated first year costs for the DOS's visa processing to be $13.3 million, and $59 million for the DHS. DOS officials said that its cost estimates for moving to a 10-fingerprint system are higher than suggested by the DOJ, but the DOS officials did not provide a cost estimate.

Although the rapid response time is essential at the primary inspection booths, it is much less an issue for secondary inspection and for the consular posts where more time can be taken before deciding whether to admit a visitor into the United States or grant a visa.

The Border Security Act, Section 303 (b)(1) states, "not later than October 26, 2004, the Attorney General and the Secretary of State shall issue to aliens only machine-readable, tamper-resistant visas and other travel and entry documents that use biometric identifiers. The Attorney General and the Secretary of State shall jointly establish document authentication standards and biometric identifiers standards to be employed on such visas and other travel and entry documents from among those biometric identifiers recognized by domestic and international standards organizations." Although the deadline has been extended one year, the DOS officials stated that all visa-issuing consulates would be transmitting two fingerprints to the DHS to be checked against the US-VISIT watch list by October 26, 2004.

Enhanced Border Security and Visa Reform Act of 2002 (P.L. 107-173), Section 202(a)(2).

The Border Security Act specifies federal law enforcement, whereas the Patriot Act includes all law enforcement officers. See Enhanced Border Security and Visa Reform Act of 2002 (P.L. 107-173), Section 202(a)(5) and USA PATRIOT Act (P.L. 107-56), Section 403(c)(3).

In its November 1, 2004, memorandum to the Homeland Security Council, the DHS stated that the MOU is currently being circulated for review and clearance with the Department and the FBI.

At the time of this interview, the DHS had not yet awarded the contract. The contract was awarded to Accenture on June 2, 2004.

On January 27, 2004, the Attorney General re-sent the November 6, 2003, letter to Secretary Ridge, because the Secretary did not receive the original letter.

"Cost and Operational Effectiveness Analysis, Second Report to Congress," August 27, 2004, Justice Management Division, Management and Planning Staff, United States Department of Justice.

This is the second of several expected Metrics reports and it updates the first report of July 18, 2003.

Implications of the IDENT IAFIS Image Quality Study for Visa Fingerprint Processing, MitreTek Systems, October 31, 2002.

Of the 22 percent (121) of the criminal aliens with outstanding Wants and Warrants who were not included in the extracts, 14 percent (77) were not included because they did not meet the extract criteria (foreign or no place of birth, prior immigration violation) and 8 percent (44) may have been missed due to the two-week lag time between extracts.

Policy Coordination Committee Concept Paper Proposal: Law Enforcement Interoperability with US-VISIT and Overseas Visa Issuance, June 2004 draft.