A group of House Democratic lawmakers is demanding answers about why Customs and Border Protection’s Biometric Exit Program includes data collected from U.S. citizens.
“This is an unprecedented and unauthorized expansion of the agency’s authority,” the letter states about CBP’s use of biometric technology to capture the faces of traveling Americans. The main goal of the program is help track when noncitizens come and go, relative to the lengths of their visas. But since the the technology was expanded to 17 airports in 2018, travelers boarding participating international flights, including U.S. citizens, have had to explicitly opt out if they don’t want their faces photographed.
For the lawmakers, the ability to opt out isn’t enough. They want CBP’s parent agency, the Department of Homeland Security, to explain the legal basis for capturing information from U.S. citizens in the first place.
“The random nature of this pilot does not allow travelers the requisite advanced notice to make an informed decision on their willingness to participate,” the letter reads. Indeed, while observing the system in use during boarding at Dulles International Airport, FedScoop didn’t see many travelers opt out.
Here’s how it works: CBP uses airline manifest data and government databases (including passport and visa databases) to assemble a gallery of existing photos of passengers who are expected to arrive in or depart from the U.S. The system then matches photos of passengers taken during the boarding process against this gallery, looking for a positive match.
Travelers can ask to have their travel documents checked the old fashioned way, and signs placed near the checkpoints alert them to this option. But the lawmakers are worried that this is too little, too late.
The program kicked off in 2016 with an initial pilot in Atlanta, and entered phase two in August 2018. Per the CBP website, biometric tech is currently in use for entry, exit or both at 17 airports across the country. And there could be more on the way — President Trump’s Executive Order 13780 from March 2017 called for the “expedited completion” of the system.
And then there’s the issue of data privacy. In a privacy impact assessment document published in August 2018, DHS said it gets rid of all personally identifiable information (PII) expeditiously. Pictures of passengers are deleted from the TSA tablet used for this matching process within two minutes, it states. But the images stick around for a bit longer in other places — 12 hours in the TVS cloud matching service and, for noncitizens, up to 14 days in the Automated Targeting System Unified Passenger Module, the system that creates the “biometric templates” of the passenger pictures.
However, in light of last week’s news that a DHS subcontractor was hacked, leading to the exposure of photos of motorists coming in and out of the U.S. and their license plate numbers, lawmakers also want to know how DHS is making sure its partners stick to these rules.
This isn’t the first time the Biometic Exit Program has received criticism. A December 2017 a report from Georgetown Law School’s Center on Privacy & Technology didn’t have many nice things to say about it.
“The privacy concerns implicated by biometric exit are at least as troubling as the system’s legal and technical problems,” the report’s authors wrote at the time. “As currently envisioned, the program represents a serious escalation of biometric scanning of Americans, and there are no codified rules that constrain it.”
Recent House Oversight and Reform Committee hearings on facial recognition have revealed strong bipartisan support for regulating the use of the technology.