GAO’s Facial Recognition Testimony Doesn’t Explain Why Federal Agencies Aren’t Fixing Problems Reported A Year Ago
The Government Accountability Office (GAO) recently submitted testimony [PDF] to the House Subcommittee on [takes deep breath] Investigations and Oversight and Committee on Science, Space, and Technology. Candace Wright, the GAO's Director of Science, Technology Assessment, and Analytics explained the findings of previous GAO reports on facial recognition use by federal agencies.
Two of those reports were published last year. The first appeared in June and it showed federal agencies were doing nearly nothing to track employees' use of facial recognition tech.
Thirteen federal agencies do not have awareness of what non-federal systems with facial recognition technology are used by employees. These agencies have therefore not fully assessed the potential risks of using these systems, such as risks related to privacy and accuracy. Most federal agencies that reported using non-federal systems did not own systems. Thus, employees were relying on systems owned by other entities, including non-federal entities, to support their operations.
Thirteen of the fourteen agencies examined by the GAO (a list that includes ICE, ATF, CBP, DEA, FBI, and the IRS) did not have any processes in place to track use of non-federal facial recognition tech.
This lack of internal oversight led directly to the behavior observed in the GAO's second report, delivered in August. Either due to a lack of tech on-site or a desire to avoid what little internal oversight exists, federal agencies were often asking state and local agencies to do their dirty face rec work for them.
Unfortunately, this testimony - delivered nearly a year after the GAO's released its findings - doesn't provide any answers about this lack of internal oversight. Nor does it suggest things are moving forward on the internal oversight front as a result of its earlier investigations.
The status remains quo, it appears. About the only thing this testimony adds to the facial recognition discussion is the unfortunate fact that federal agencies feel zero compunction to better control use of this tech. It also adds a bit of trivia to the FRT mix by discussing a few little known uses of the tech by the government.
Four agencies-the Departments of Health and Human Services, Transportation, and Veterans Affairs, and NASA-reported using FRT as a tool to conduct other research. For example, Transportation reported that the Federal Railroad Administration used eye tracking to study alertness in train operators. Similarly, NASA also reported that it used eye tracking to conduct human factors research. In addition, the Department of Veterans Affairs reported it used eye tracking as part of a clinical research program that treats post-traumatic stress disorder in veterans.
Nor does the report explain why agencies surveyed under-reported their use of Clearview's highly controversial facial recognition software. The information in the GAO's June 2021 report is contradicted by public records obtained by Ryan Mac and Caroline Haskins of BuzzFeed, strongly suggesting five agencies flat out lied to the GAO.
In a 92-page report published by the Government Accountability Office on Tuesday, five agencies - the US Capitol Police, the US Probation Office, the Pentagon Force Protection Agency, Transportation Security Administration, and the Criminal Investigation Division at the Internal Revenue Service - said they didn't use Clearview AI between April 2018 and March 2020. This, however, contradicts internal Clearview data previously reviewed by BuzzFeed News.
This misleading - whether deliberate or not - goes unmentioned in the GAO's testimony. And apparently no follow-up investigation was performed to see if agencies were doing anything to prevent the sort of thing seen here:
Officials from another agency initially told us that employees did not use non-federal systems; however, after conducting a poll, the agency learned that its employees had used a non-federal system to conduct more than 1,000 facial recognition searches.
A year down the road, and all the GAO can report is that three of the 13 agencies that had no internal tracking processes are now in the process of implementing at least one" of the three recommendations the GAO handed out nearly 13 months ago following its first report.
Most of the testimony is handed over to discussing much quicker movements by federal agencies, i.e. the expanded deployment of questionable tech far ahead of mandated Privacy Impact Assessments or assessment efforts to track the reliability of the tech being deployed.
This testimony is incredibly underwhelming, to say the least. This is the Government Accountability Office doing the talking here. And it's apparently unable to encourage more than a rounding error's-worth of accountability gains. This leaves it to Congress, an entity that's largely unconcerned with increasing government accountability because it might make things uncomfortable for them as they seek to extend four-year terms to de facto lifetime appointments.
The government has a facial recognition tech problem. And it's going to get too big to handle quickly if findings like those reported by the GAO a year ago continue to be ignored by federal agencies and the oversight this testimony was delivered to. If the GAO can't be bothered to ask tough questions from agencies that misled it months ago, it seems unlikely Congressional reps with multiple interests to serve (sometimes even those of their constituents!) are going to hold any agency accountable for playing fast and loose with questionable tech and citizens' rights.