BREAKING: OPM and DOD (Claim They) Don’t Think Fingerprint Databases Are All That Useful

In the most negative news dump released behind the cover of Pope Francis’ skirts, Office of Public Management just announced that rather than previous reports that 1.1 million people had had their fingerprints stolen from OPM’s databases, instead 5.6 million have.

Aside from the big numbers involved, there are several interesting aspects of this announcement.

First, it seems OPM had an archive of records on 4.5 million people, including fingerprint data, they hadn’t realized was there at first.

As part of the government’s ongoing work to notify individuals affected by the theft of background investigation records, the Office of Personnel Management and the Department of Defense have been analyzing impacted data to verify its quality and completeness. During that process, OPM and DoD identified archived records containing additional fingerprint data not previously analyzed.

If, as it appears, this means OPM had databases of key counterintelligence lying around it wasn’t aware of (and therefore wasn’t using), it suggests Ron Wyden’s concern that the government is retaining data unnecessarily is absolutely correct.

Rather bizarrely, upon learning that someone found and went through archived databases to obtain more fingerprint data, “federal experts” claim that “as of now, the ability to misuse fingerprint data is limited.”

As EFF just revealed, since February the FBI has been busy adding fingerprint data it gets when it does when it does background checks on job applicants into its Next Generation Identification database.

Being a job seeker isn’t a crime. But the FBI has made a big change in how it deals with fingerprints that might make it seem that way. For the first time, fingerprints and biographical information sent to the FBI for a background check will be stored and searched right along with fingerprints taken for criminal purposes.

The change, which the FBI revealed quietly in a February 2015 Privacy Impact Assessment (PIA), means that if you ever have your fingerprints taken for licensing or for a background check, they will most likely end up living indefinitely in the FBI’s NGI database. They’ll be searched thousands of times a day by law enforcement agencies across the country—even if your prints didn’t match any criminal records when they were first submitted to the system.

This is the first time the FBI has allowed routine criminal searches of its civil fingerprint data. Although employers and certifying agencies have submitted prints to the FBI for decades, the FBI says it rarely retained these non-criminal prints. And even when it did retain prints in the past, they “were not readily accessible or searchable.” Now, not only will these prints—and the biographical data included with them—be available to any law enforcement agent who wants to look for them, they will be searched as a matter of course along with all prints collected for a clearly criminal purpose (like upon arrest or at time of booking).

In its PIA explaining the move, FBI boasts that this will serve as “an ‘ongoing’ background check that permits employers, licensors, and other authorized entities to learn of criminal conduct by a trusted individual.” To suggest that a massive database of fingerprints can provide the FBI real-time updates on certain behaviors, but pretend it wouldn’t serve a similar purpose to the Chinese, defies logic. Heck, why is OPM keeping fingerprint information if it can’t be used? And of course, all that assumes none of the 5.6 million people affected has a fingerprint-authenticating iPhone.

Of course this can be used, otherwise the Chinese wouldn’t have gone out of their way to get it!

But OPM’s claim that the Chinese just went out of their way to get that fingerprint data for no good reason provides the agency with a way to delay notification while FBI, DHS, DOD and “other members of the Intelligence Community” come up with ways to limit the damage of this.

If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.

After which OPM spends two paragraphs talking about the identity protection those whose identities have been stolen will get, as if that mitigates a huge counterintelligence problem.

It sure sounds like OPM is stalling on informing the people who’ve been exposed about how badly they’ve been exposed, under the incredible claim that databases of fingerprints aren’t all that useful.

17 replies
  1. bloopie2 says:

    If we would fire all of them (OPM), and hire new people to do the work instead, would that impact the quality of the work being done? (Hmm. I wrote that sentence thinking that people would read it to mean “negatively impact”, but, now that I think it through, perhaps “positively impact” might be a more likely result?)

  2. orionATL says:

    fyi: about the identity protection plan offered to those whose data was stolen ** –

    to acquire protection requires submitting much detailed personal info, including detailed financial info.

    i wonder who will be guarding this information, opm or the insuring contractors (or dod, with troops, anti-tank and anti-aircraft weaponry :) ) ?

    ** here “data stolen” is not equal to “identity stolen”

  3. orionATL says:

    “… the Office of Personnel Management and the Department of Defense have been analyzing impacted data … ”

    why is dod involved ?

    what part of dod is involved ?

    are civilian dod employees involved, or only military ?

      • orionATL says:

        nsa at dod would be cyber command.

        i wonder what cyber command has to offer ?

        could be as simple as no civilian bureaucratic roadblocks and very high-speed data manipulation, or something more sophisticated.

  4. rosalind says:

    The FBI and DOJ are dictating to State governments they acquire digital fingerprints for more and more jobs, building their biometric database one b.s. justification at a time.
    Each job requires a different private for profit fingerprint company, with people in a field like education forced to submit their prints over & over.
    Our prints remain the same, yet we are expected to submit them whenever to whomever the Gov’t anoints with no control how they will be used and abused.
    and we are forced to pay for the indignity over and over out of our own pockets.

  5. orionATL says:

    you chinese got my fingerprints, eh ?

    well that’s the last straw, xi jinping! i was going to go to macao and spend a million or so of my ill-gotten american gains. but if you got my fingerprints, screw china. i’m going to singapore now.

  6. Matt says:

    “It sure sounds like OPM is stalling on informing the people who’ve been exposed about how badly they’ve been exposed, under the incredible claim that databases of fingerprints aren’t all that useful.”

    Is there even any evidence that people are being notified that their info’s been stolen? I got a security clearance in 2010 so I’m certain my data was stolen but I haven’t heard shit about it from the government.

    • emptywheel says:

      For the breach involving security clearances OPM has said it hasn’t started yet (click through for the latest on this). Basically, they’ve hired a contractor who will get all those clearance holders’ identities (itself a security compromise) so they can send letters that other adversaries can watch the mail for.

      My suspicion–which is part of what I’m getting at with this post–is OPM and DOD and the IC are stalling, either because they don’t know how bad the counterintelligence problem is, or because they know it’s catastrophic and there’s no good way of dealing with it.

    • jerryy says:

      There is one good part … when they issue you new fingerprints, you will not have to go down to their local office to let them know what your new prints are, they will already have them. Oh wait…

  7. pdaly says:

    On the upside of biometric data theft–perhaps people in the IC will get to keep their fingers from being snipped off and stolen during any future planned security breach –if this current fiasco forces a change to the view that biometric cyberlocks and real-world locks are no longer considered secure.

  8. Trevanion says:

    8000 “journalists” accredited to “cover” visit by Pope. Fifty “journalists” Per Candidate “cover” recent GOP “debate.” And this oil spill at home gets the steno treatment, except by someone working out of her living room in Grand Rapids Michigan.

    I had [xx/xxx] clearance for several decades, across several agencies, and have not heard squat.

Comments are closed.