Tuesday, October 11, 2011

How state agencies outside law enforcement use and store fingerprint data

A Texas state auditor's survey released in August analyzed practices at 20 state agencies that collect fingerprints for criminal background checks. Not much controversial here, but I did learn a few new tidbits from the report.

For instance, "Seventeen (85 percent) of the 20 state agencies surveyed reported that they used a third-party vendor to collect fingerprints. Of those 17 state agencies, 16 reported that they used the services of the Department of Public Safety’s FAST contractor —L-1 Identity Solutions—to collect fingerprints. L-1 Identity Solutions contracts and works with the Department of Public Safety to provide fingerprinting services throughout the state." (FAST stands for "Fingerprint Applicant Services of Texas.") Though the survey didn't mention it, in July L-1 Identity Solutions was acquired by a French military contractor, Safran [NYSE Euronext Paris: SAF], and will be operated by one of their subsidiaries called Morpho.

A quarter of agencies surveyed (5 of 20) store fingerprint information with a third-party vendor, presumably L-1/Safran, instead of exclusively in their own systems or with state or local law enforcement. I don't much like that: When you apply for a job with a state agency and give them your fingerprints, it's a bit unnerving to think that some private military contractor from France will end up storing the data.

Indeed, when asked "who stores the fingerprints for your organization" - the agency itself, state or local law-enforcement, or a third-party vendor - four agencies listed "Other." (There was overlap in the answers, with some saying more than one entity stored the data.) There's no way to know from the report who are these "other"entities storing fingerprint data.

Seventy percent of agencies surveyed (14) did not know whether the image quality of fingerprint scans meet the minimum scan quality of 500 pixels per inch as required by the FBI ("per the National Institute of Standards and Technology Special Publication 500-275"). So therein lies at least the potential for errors if the agencies simply aren't aware of whether or not they meet minimal technical requirements for accuracy.

Agencies included in the survey were:
  • Board of Chiropractic Examiners.
  • Board of Examiners of Psychologists.
  • Board of Law Examiners.
  • Board of Podiatric Medical Examiners.
  • Credit Union Department.
  • Department of Aging and Disability Services.
  • Department of Banking.
  • Department of Family and Protective Services.
  • Department of Insurance.
  • Department of Licensing and Regulation.
  • Department of Savings and Mortgage Lending.
  • Department of State Health Services.
  • Funeral Service Commission.
  • Health and Human Services Commission.
  • Office of Consumer Credit Commissioner.
  • Optometry Board.
  • Racing Commission.
  • Texas Board of Nursing.
  • Texas Education Agency.
  • Texas Medical Board.


gravyrug said...

Great. Now there's a chance of international mistaken identity without ever leaving the state. Movie of the week waiting to happen.

KBCraig said...

These fingerprints are ostensibly taken to conduct background checks, so it would seem to make sense to make sure they meet the FBI's standards.

But, the FBI doesn't use fingerprints when conducting background checks. That came to light during the time that Texas DPS was blaming delayed background investigations for concealed handgun licenses on the FBI, over rejected fingerprint cards.

This was shortly before DPS mandated the switch to FAST. It makes no sense at all.

DFWPhotoguy said...

This is an incredibly timely post. I am doing research right now on L1 and trying to find out what politicians were paid off to off-shore this contract.

It is completely unacceptable for this data and the information you have to provide along with your fingerprints, to be handled by a non-governmental organization, and on top of that, not even an American company.

That being said, if ANY data is transmitted overseas, the E.U. Data Protection Directive will cover this. Basically, the angle I am going to use to figure out what is going on is researching with the ECHR to find out exactly what is going on with this data.

Anonymous said...

Outsourcing background data. Next, someone in India will answer 911.

Anonymous said...

L1 needs to lose the contract IMMEDIATELY. I am sure that somewhere in the contract there is an 'out' for if the data leaves the country or comes under control of an entity outside of the US.

Who the hell do we need to talk to?