PROBLEMS IN IDENT DEPLOYMENT

INS' progress in deploying IDENT has been considerably slower than that outlined in the original IDENT System Project Plan, dated September 5, 1995, and signed by the Commissioner on March 29, 1996. The original IDENT System Project Plan called for funding of about $61 million for IDENT through FY 1997--almost twice what INS estimates it will have spent through FY 1997. As the discussion below indicates, this is the result of deployment that has been far slower than originally anticipated.

The IDENT System Project Plan included specific timeframes for IDENT deployment at locations around the country in a variety of INS operations. The plan specified that by the end of FY 1996, INS would install IDENT at 24 ports of entry in the Southwest. Deployment at these locations slipped into FY 1997. The plan also projected that by the end of FY 1997, IDENT would be installed in all 8 Asylum offices, 10 Service Processing Centers, 23 District Offices, 11 Border Patrol sectors outside of the Southwest border, and 52 ports of entry. Projected deployment dates for IDENT at ports of entry, district offices, and Border Patrol sectors have been extended by at least a year from the dates originally listed in the project plan.

The IDENT project plan specifically projected that 281 workstations would be installed by the end of FY 1996 and 1,044 workstations would be installed by the end of FY 1997. As of the end of FY 1997, INS reports having installed a total of 341 IDENT workstations. This includes 90 prototype ENFORCE terminals (with IDENT capability) that were installed in late FY 1997 at district offices, ports-of-entry, Border Patrol locations and service processing centers. Also included were two prototype asylum office terminals (with IDENT capability) installed in the Arlington, Virginia, asylum office.

In addition to the IDENT workstations, INS reported that as of the end of FY 1997, 10-print fingerprint machines were installed at 36 sites, primarily service processing centers and district offices.

One reason for the slower-than-anticipated progress in deploying IDENT throughout INS was a change in priorities. The Commissioner's decision to implement IDENT first along the entire Southwest border meant that IDENT terminals originally intended for deployment around the country were instead deployed along the border. In addition, INS has experienced significant delays in deploying IDENT at many remote Southwest border locations because of the time and expense needed to establish the necessary communication lines and infrastructure in these locations.

INS-wide implementation of IDENT fingerprint technology has also been slowed because the ENFORCE and automated benefit processing systems, with which IDENT was intended to be used, are still being developed.

Communications and Infrastructure Problems Have Slowed IDENT Deployment

INS has installed IDENT terminals in all but 11 of the 74 Border Patrol stations in Southwest border sectors, and these 11 stations accounted for only 3 percent of the Border Patrol's apprehensions along the Southwest border during FY 1997.[11] However, communications and infrastructure problems continue to be a factor in IDENT deployment.

Difficulties in obtaining communication lines have been an ongoing problem in deploying IDENT at many sites, in particular at Border Patrol stations and checkpoints in remote areas along the Southwest border. Many Border Patrol locations along the Southwest border are in desert areas where telephone lines are not available, or the installation of telephone lines was determined to be prohibitively expensive. In some locations, INS has opted to use a satellite dish for IDENT communications. INS is successfully using satellite communications for IDENT transmissions at seven locations along the Southwest border.

During the course of our inspection, we expressed three concerns to INS management about communications and infrastructure.[12] First, we found that infrastructure improvement plans did not include all locations at which the Border Patrol planned to use IDENT, and we were most concerned about IDENT availability at high volume highway checkpoints. INS officials indicated they would ensure that all planned IDENT locations are scheduled for infrastructure upgrades.

Second, we spoke with INS management about our concerns that INS' communication requirements could exceed the capacity of existing and planned communication circuits. We were particularly concerned that the communication requirements for the electronic submission of 10-print fingerprint card data to the IDENT lookout database, and in the future to the Federal Bureau of Investigation, would exceed the capacity of INS' communication lines. INS officials have indicated that communication line upgrades have been ordered to reflect increased transmission requirements, and that faster lines have been ordered for all Service Processing Centers to handle expected increases in fingerprint image processing requirements.[13]

Finally, many existing IDENT workstations may not meet future IDENT processing requirements. Specifically, for adequate performance, the latest versions of IDENT and ENFORCE require a faster processor, more computer memory, a larger hard drive, and faster video cards than the typical workstation configuration in place. If INS is to successfully implement the range of biometric-related operations planned for the future, most or all of the existing IDENT workstations may have to be replaced.

System Development Delays Have Inhibited Servicewide Use of IDENT

As mentioned previously in this report, IDENT was intended to be a subsystem of ENFORCE and CLAIMS. However, these systems have been delayed in development. IDENT was originally designed to provide only the biometric matching technology in these systems.

ENFORCE is intended to provide the full range of case tracking information, reporting and analysis, from arrest processing through deportation, and will include automation of many of the forms currently used in INS enforcement operations. When ENFORCE was not ready for deployment concurrently with IDENT, a data input screen was added to IDENT to capture information that in the future will be captured in ENFORCE. In this respect, ENFORCE development delays did not prevent the use of biometric technology in border enforcement, but have resulted in processing inefficiencies. For example, Border Patrol agents in three of the four sectors we visited were still required to complete the paper Form I-213, Record of Deportable Alien, in addition to entering much of the same information into IDENT.

INS continues to develop the latest ENFORCE version. A previous version was tested in the El Paso Border Patrol Sector, but the test was discontinued in order to test the newest version of the IDENT software. During the summer of 1997, the INS Office of Information Resources Management held a week-long ENFORCE training and user acceptance testing session for field personnel at INS headquarters. INS is now testing the latest version of ENFORCE at five locations: the Philadelphia and El Paso district offices, and the El Paso, McAllen and San Diego Border Patrol sectors.

While delays in ENFORCE development have not significantly slowed IDENT deployment along the Southwest border, delays in CLAIMS development have prevented the use of automated fingerprint technology in benefits processing. The existing CLAIMS is based on old computer technology and will be replaced by a new CLAIMS system. INS has begun development of this new CLAIMS and recently initiated a pilot test of the system in the Chicago district office and Lincoln Service Center. The pilot test initially will support only naturalization processing. IDENT fingerprint technology is not planned to be included in CLAIMS until a later CLAIMS version. INS must complete development of both ENFORCE and CLAIMS application systems if it is to realize the full potential of IDENT biometric technology.

INS Has Not Taken the Necessary Steps to Ensure IDENT Data Integrity

We found serious data management and integrity problems in IDENT that must be addressed promptly. We identified problems such as duplicate records and invalid data, and found that the system can generate multiple fingerprint identification numbers (FINs) for one individual.

We found that data input controls, designed to ensure that only valid data is entered into the system, are almost completely lacking in both the recidivist and lookout databases. Although data entry into the recidivist database will eventually be handled by the ENFORCE and CLAIMS systems, and INS officials have assured us that appropriate input controls will be in place in these systems when implemented, data entry into the lookout database will continue to be part of IDENT. Input controls that accept only valid entries in the IDENT lookout database are lacking for critical fields such as alien number, last name, date of apprehension, originating office and charge code.

For example, thousands of alien numbers in the lookout database are in nonstandard formats, i.e., they do not follow the conventions used by INS in assigning alien numbers. We also found over a thousand invalid data entries in the alien number field, including data that should have been entered elsewhere in the database such as dates, "N/A", 10-print card originating office code, country of origin, charge, and numerous unidentifiable alphanumeric entries. As a result, some of the data entered is invalid, and this will limit its usefulness in determining an alien's status and in performing analyses used for agent deployment and intelligence purposes.

In addition, without a valid alien number, INS personnel are unable to cross reference lookout hit information with other INS nationwide systems to obtain information on an alien's previous history with INS. It is important that INS put appropriate data input controls in place to ensure the quality of this data.

We also discovered that the system is generating multiple FINs for a single individual. This is contrary to the central premise that each individual should have a unique fingerprint record. We discovered this problem during tests we conducted of the recidivist database at each INS location we visited along the Southwest border. Our 5-member team entered their own fingerprints a total of 147 times at 27 locations. In 5 of those 147 transactions, the IDENT system generated a new FIN for the same individual.

The reasons why IDENT is creating multiple FINs appear to involve fingerprint quality. A new (second or subsequent) FIN can be created for the same set of fingerprints when the fingerprint quality is poor. One apparent cause of poor fingerprint quality is the condition of many platens used to capture fingerprint images.[14] We observed numerous fingerprint platens that were not properly used or maintained. For example, we observed platens that had scratches in the plastic coating or had the plastic coating removed. At many locations, the platens were visibly dirty and it appeared they were not routinely cleaned. In a few instances, we found that the cleaning solution being used was one that, according to the manufacturer, would damage the platen and compromise print quality.

The problem is compounded by a lack of training in the field. During field work, we observed IDENT processing and found that few agents (and even fewer supervisors) were trained to use IDENT. One consequence of the lack of training is that in many cases agents were not completing the final stage of the enrollment process. During this final stage, agents should be visually confirming that the photograph and fingerprints of the alien in their custody are the same as those for an alien matched by IDENT from a previous encounter. Agents should then be electronically confirming IDENT matches in the system. When agents fail to complete this step, the IDENT software initiates an automatic procedure that creates a new FIN if the match score falls below a certain numerical threshold.

The lack of training is also of concern in terms of its impact on data quality generally. Using training data provided by INS officials, we determined that only about 300 Border Patrol agents, or less than 6 percent of all agents assigned to the nine sectors along the Southwest border, had been trained to use the current version of IDENT. This is troubling because the latest version included significant software changes, including a new, visual confirmation process as previously discussed.

During field work, we found that very few agents or supervisors had received training on the latest version of IDENT. In addition, some of these individuals were not familiar with the photograph and fingerprint match confirmation process, or with other features of the latest version of the software.

We believe that INS needs to develop and implement a strategy to provide the necessary IDENT training for all INS personnel. This could be accomplished in several ways, including making IDENT a part of an INS data systems training module at the training academies.

 


[11] Through August 1997.

[12] INS has embarked on an infrastructure improvement program, referred to as the Technology Infrastructure Project (TIP). TIP is to provide standard office automation capabilities to all INS locations. The standard TIP office automation systems suite includes workstations, file servers, scanners and printers, network and electronic mail access, and word processing and spreadsheet software.

[13] INS expects that the Service Processing Centers will be a primary entry point for submitting fingerprints for entry into the IDENT lookout database.

[14] IDENT platens are coated glass surfaces against which each alien's index fingers are pressed to obtain fingerprint images.
