CIBS: Keeping Secrets From NGI

An interesting item popped up in SAM.gov. According to a Request for Information (RFI) due February 20, the FBI may have interest in a system for secret biometric searches.

“The FBI intends to identify available software solutions to store and search subjects at the classified level. This solution is not intended to replace the Next Generation Identification System Functionality, which was developed and implemented in collaboration with the FBI’s federal, state, local, tribal, and territorial partners. The solution shall reside at the Secret and/or Top-Secret/SCI level with the ability to support data feeds from external systems. The solution must allow the ability to enroll and search face, fingerprint, palmprint, iris, and latent fingerprints, and associated biographic information with a given set of biometrics.”

Now remember that the Next Generation Identification (NGI) system is protected from public access by requiring all users to adhere to the CJIS Security Requirements. But the CJIS Security Requirements aren’t Secret or Top Secret. These biometric searches, whatever they are, must REALLY be kept from prying eyes.

The RFI itself is 8 pages long, and is mysteriously numbered as RFI 01302025. I would have expected an RFI number 01152026. I believe this was an editing error, since FBI RFI 01302025 was issued in 2025 for a completely different purpose.

Whatever the real number is, the RFI is labeled “Classified Identity-Based Biometric System.” No acronym was specified, so I’m self-acronyming it as CIBS. Perhaps the system has a real acronym…but it’s secret.

If your company can support such a system from a business, technical, and security perspective, the due date is February 20 and questions are due by February 2. See SAM.gov for details.

Today’s Acronym is PIA (Privacy Impact Assessment)

(Part of the biometric product marketing expert series)

Do U.S. government agencies simply run roughshod over your privacy rights?

Not exactly.

Government agencies are required to issue Privacy Impact Assessments (PIAs) for their projects.

The Federal Bureau of Investigation alone has issued over 60 PIAs.

For example, here is the PIA for CODIS, the Combined National Deoxyribonucleic Acid (DNA) Index System.

And if anything needs a PIA, it’s CODIS, since it potentially contains your personally identifiable information…and the personally identifiable information of your relatives.

The PIAs themselves are detailed. The CODIS PIA includes 8 sections with 19 pages of questions and responses. For example, here is the response in section 8 regarding privacy:

The type, quantity, and sources of information collected by FBI CODIS are necessary to identify crime scene offenders, missing persons, or unidentified human remains, or to link multiple crime scenes. Such information is only further disseminated for these purposes. Moreover, NDIS does not store State Identification Number/Universal Control Number or otherwise collect, handle, disseminate, or store contributors’ names. Therefore, CODIS DNA profiles and pedigrees can only be matched to a named individual by the submitting Criminal Justice Agency forensic laboratory, independent of NDIS.

  • The privacy risks associated with the collection and maintenance of FBI CODIS information are inaccurate information, unauthorized access, and unauthorized disclosures.
  • The privacy risks associated with the access and use of FBI CODIS information are unauthorized access, unauthorized (or overly broad) disclosures, and loss of data.
  • The privacy risks associated with the dissemination of FBI CODIS information are the risks of unauthorized disclosures and loss of data.

The risks of unauthorized access, unauthorized disclosures, loss of data and inaccurate information are mitigated by the quality assurance standards promulgated by the FBI pursuant to the Federal DNA Identification Act. These risks are further mitigated by the system, physical access, network-infrastructure, auditing and quality assurance controls, as described more specifically in Sections 6.1 and 6.2, which are in compliance with FIPS Publication 199, as applicable.

The risk of inaccurate information is also specifically mitigated through the identity verification process performed by participating Criminal Justice Agency forensic laboratories to confirm a potential match. The identity must be confirmed prior to the disclosure of any personally identifiable information to the law enforcement entity who submitted the DNA sample.

Lastly, notice is provided as described in Section 5.1.

Revisiting Amazon Rekognition, May 2025

(Part of the biometric product marketing expert series)

A recent story about Meta face licensing changes caused me to get reflective.

“This openness to facial recognition could signal a turning point that could affect the biometric industry.

“The so-called ‘big’ biometric players such as IDEMIA, NEC, and Thales are teeny tiny compared to companies like Meta, Alphabet, and Amazon. If the big tech players ever consented to enter the law enforcement and surveillance market in a big way, they could put IDEMIA, NEC, and Thales out of business.

“However, wholesale entry into law enforcement/surveillance could damage their consumer business, so the big tech companies have intentionally refused to get involved – or if they have gotten involved, they have kept their involvement a deep dark secret.”

Then I thought about the “Really Big Bunch” product that offered the greatest threat to the “Big 3” (IDEMIA, NEC, and Thales)—Amazon Rekognition, which directly competed in Washington County, Oregon until Amazon imposed a one-year moratorium on police use of facial recognition in June 2020. The moratorium was subsequently extended until further notice.

I last looked at Rekognition in June 2024, when Amazon teamed up with HID Global and may have teamed up with the FBI.

So what’s going on now?

Hard to say. I have been unable to find any newly announced Amazon Rekognition law enforcement customers.

That doesn’t mean that nothing is happening. Perhaps the government buyers are keeping their mouths shut.

Plus, there is this page, “Use cases that involve public safety.”

Nothing controversial on the page itself:

  • “Have appropriately trained humans review all decisions to take action that might impact a person’s civil liberties or equivalent human rights.”
  • “Train personnel on responsible use of facial recognition systems.”
  • “Provide public disclosures of your use of facial recognition systems.”
  • “In all cases, facial comparison matches should be viewed in the context of other compelling evidence, and shouldn’t be used as the sole determinant for taking action.” (In other words, INVESTIGATIVE LEAD only.)

Nothing controversial at all, and I am…um…99% certain (geddit?) that IDEMIA, NEC, and Thales would endorse all these points.

But why does Amazon even need such a page, if Rekognition is only used to find missing children?

Maybe this is a pre-June 2020 page that Amazon forgot to take down.

Or maybe not.

Couple this with the news about Meta, and there’s the possibility that the Really Big Bunch may enter the markets currently dominated by the Big Three.

Imagine if the DHS HART system, delayed for years, were resurrected…with Alphabet or Amazon or Meta technology.

We are still in the time of uncertainty…and may never go back.
