CBP biometric, face-recognition tech draws scrutiny
A new report posits that the U.S. Customs and Border Protection’s program to use biometric screening to verify the identity of passengers leaving the country is often inaccurate and possibly illegal.
The report, issued Thursday by Georgetown Law School’s Center on Privacy & Technology, says that CBP’s Comprehensive Biometric Entry/Exit Plan, which is currently testing biometric and facial-recognition technology in several larger airports around the country for international flights, doesn’t provide the value or results that would justify its potential costs.
“The privacy concerns implicated by biometric exit are at least as troubling as the system’s legal and technical problems,” the report said. “As currently envisioned, the program represents a serious escalation of biometric scanning of Americans, and there are no codified rules that constrain it.”
CBP has operated the pilot program since 2013, aiming to collect biometric information about passengers exiting the U.S. primarily to ensure they don’t overstay their visa, but also to check that they aren’t fraudulently presenting themselves as someone else.
But the Georgetown report said that DHS facial recognition systems reject one out of every 25 passengers with valid credentials, which it said was the equivalent of 1,632 travelers moving through New York’s John F. Kennedy International Airport per day.
More troubling, authors Harrison Rudolph, Laura Moy and Alvaro Bedoya allege that the pilot program captures the biometric data of not only foreign passengers but also Americans leaving the country without the legal authority to do so.
“Congress has repeatedly ordered the collection of biometrics from foreign nationals at the border, but has never clearly authorized the border collection of biometrics from American citizens using face recognition technology,” the report said. “Without explicit authorization, [the Department of Homeland Security] should not be scanning the faces of Americans as they depart on international flights—but DHS is doing it anyway.”
Because there haven’t been any codified rules on the use of the biometric technology to screen travelers, the report raises the concerns that the program’s use could expand without legal authority or the assurance that the technology can effectively achieve those goals.
The report called on the Department of Homeland Security, which oversees CBP, to make six changes to the program:
- That the agency justifies face-scanning investments with evidence of the problem it will solve
- That the agency halt face scanning until it has put in place federally-required rules for the program
- That the agency stop scanning the faces of Americans leaving the country
- That the agency provide proof that the scans identify imposters
- That DHS policy prohibit the secondary use of data collected by the program
- That DHS provide fairness and privacy guarantees to partner airlines
CBP officials said in an email that the pilots are meant to conduct “technical demonstrations” of the biometric technology and not a governmentwide rollout that would yet require policy guidance.
“If it is determined that U.S. Citizens are to be the subject of mandatory biometric collection as part of the biometric entry-exit system required by statute, CBP will publish the required documentation establishing such mandatory collection under the appropriate authorities, as well as additional privacy documentation,” officials said in an emailed statement.
“CBP is working to meet the Congressional mandate for biometric exit in a way that’s most efficient and secure for the traveler and that is least disruptive for the travel industry, while also effectively enhancing border security.”
CBP officials also pointed to an August release where they met with privacy groups to ensure the program would safeguard the information collected from biometric scanners and issued two privacy impact statements on the program. One of those impact statements outlined that the pilot will not create exit records from the biometric testing but would continue to retain biographical information. Gathered biometric information would be deleted from its Automated Targeting System-Unified Passenger within 14 days unless it’s needed to further test technology performance.
Agency officials also noted that the demonstration matching rate for biometric exit data is reported as “in the high 90 percentile” and did not result in the inconvenience alleged in the Georgetown report.
“Travelers are not prevented from boarding as a result of facial recognition mismatch for purposes of these technical demonstrations,” the CBP statement said. “The traveler must only provide their travel document for manual review and verification prior to boarding.”