The FBI has collected 430,000 iris scans in a so-called 'pilot program'

To create that pool of scans, the FBI has struck information-sharing agreements with other agencies, including US Border Patrol, the Pentagon, and local law enforcement departments. California has been most aggressive about collecting scans, but agencies in Texas and Missouri can also add to and search the system. The result amounts to a new national biometric database that stretches the traditional boundaries of a pilot program, while staying just outside the reach of privacy mandates often required for such data-gathering projects.

"The fact these systems have gone forward without any public debate or oversight that we've been able to find is very troubling," says Nicole Ozer, Technology and Civil Liberties Policy director at the ACLU of California, who likened the project to other programs, such as facial recognition and cell site simulators, that have also been put in place in the state.

Iris scans work by taking a detailed image of the ridges in the colored part of the eye, typically using infrared photography. The ridges in the eye are as detailed and distinctive as a fingerprint but can be scanned much faster and without physical contact. The documents laying out the California program suggest most scans were submitted to the database in a fraction of a second.

The US government first deployed the technology in Iraq, where soldiers used iris scanners to track local civilians authorized to work on military bases. In the years since, iris scanning has spread to airports and assorted private security systems, but was considered too expensive or obscure for most local police departments.

That changed in 2013, when the FBI launched an iris pilot program. Part of an effort to overhaul an aging identification system, the program was pitched as one more tool to help law enforcement track down criminals, alongside the existing fingerprint system and newer technologies like facial recognition. In a recent speech at the ConnectID conference, FBI project manager Nick Megna described the technology as particularly useful in the case of a prison break or mistaken release. Police could use iris scanners to check each person passing through a roadblock, where taking fingerprints would require too much contact to be practical.

The program's beginnings are documented in the records obtained by The Verge. A 2013 memo signed by representatives from the FBI and California Department of Justice summarizes responsibilities. At that time, according to the memo, the FBI had more than 30,000 images but did not have a way to search through them. Working with a handful of local and national partners, the FBI planned to test the feasibility of a searchable database, one that would steadily grow as iris data was submitted by law enforcement around the country. The length of the California program was to be kept at one year, and reassessed after, but the documents show the partnership has been renewed every year since.

The FBI would not comment on numbers from any particular source. However, "operations reports" obtained by The Verge through the California Public Records Act requests the catalogue of the program's progress and suggest the state has been a major asset in the construction of the database. A document dated February of this year lists more than a quarter of a million "enrollments" in the database from the California Department of Justice. In both 2014 and 2015, according to the document, more than 100,000 records were added to the system.

Those scans are sent to the FBI by the California Justice Department, which in turn receives them from three counties: Los Angeles, San Bernardino, and Riverside. Those counties obtain the scans through a variety of sources, usually jails and detentions centers. The California Justice Department, like other agencies the FBI has partnered with, can log a scan as part of the booking process, even for low-level crimes, and well before a conviction. When the scans are sent to the national database, the FBI says, they are bundled with fingerprints and mug shots.

Reports for individual counties in California also show intense collection programs in unlikely places. Despite its relatively small population, the documents show San Bernardino County made more than 190,000 enrollments alone since 2014, far outpacing Los Angeles and Riverside counties. The San Bernardino County Sheriff's Office did not respond to request for comment on its collection practices, although the FBI noted the county "had an iris system in place for some time and had collected iris images prior to the beginning of FBI Iris Pilot."

Despite the option to search the database, the recent Justice Department document lists consistent zeros across a "searches" field. A spokesperson for the department said California stores the biometric information itself as well, as part of its statewide Automated Archive system, but confirmed that the local agencies do not access iris scans in either database.

Federal agencies are usually required to submit privacy reports for any project involving personal data, as a way of anticipating and mitigating possible overreach, but the iris pilot still has no privacy impact assessment. A preliminary privacy review in 2014 determined that the assessment was unnecessary "because the pilot was conducted with very limited participation for a limited period of time in order to evaluate iris technology," an FBI representative told The Verge. The majority of the current 434,000 enrollments were added after that determination was made. The bureau says it is currently in the process of creating a privacy impact assessment in response to the expanded scope of the project, although it's not clear when those documents will be complete.

The agreement between the FBI and California "is pretty vague" on privacy guidelines, Ozer says. The document says only that the FBI will handle information from the project "lawfully," while California must "comply with its state privacy laws." (The FBI has said the program is bound by internal information security standards.)

It's not the first time the FBI has dragged its heels on creating privacy reports for a biometric database. In June, a report from the Government Accountability Office found hundreds of millions of facial scans were made under an out-of-date privacy assessment, including tens of millions from driver's license photos that were not linked to any crime. Like the iris pilot, the result was a nominally experimental program that nonetheless ingested vast quantities of personally identifiable data from US citizens.

Both programs were developed as part of the FBI's Next Generation Identification database, an ongoing project that includes federal databases for finger and palm prints collected from crime scenes, as well as employment-based background checks. NGI also includes enhanced searches for identifying unknown corpses.

The FBI has been attempting to exempt the NGI database from certain provisions of the Privacy Act, which would require the government to maintain up-to-date public records on each program. Privacy advocates have accused the agency of attempting to obfuscate how the database will function. "The Privacy Act was enacted to ensure that individuals had an enforceable right to know the records that the government keeps about their activities," a group of advocates and companies recently wrote in a letter to the FBI. "While there may be legitimate reasons for exempting some law enforcement activities from some of the Act's provisions, exemptions must not render the Act meaningless."

As the iris program expands to agencies around the country, as it likely will, Ozer says it will be increasingly important to monitor its scope. "You imagine 58 counties in California, and all the other places this might be around the country," she says. "If hundreds of thousands of people are being added to this system on a yearly basis," she asks, "what are those implications?"