CBP’s biometric traveler verification service is working, but privacy, implementation issues remain
“Perhaps the most challenging aspect to deploying a nationwide biometric entry/exit system is the myriad differences in logistics and locations where travelers depart the United States,” according to the new Privacy Impact Assessment (PIA) for Customs and Border Protection’s (CBP) Traveler Verification Service (TVS) just issued by CBP’s Office of Field Operations Planning, Program Analysis and Evaluation (PPAE) department and the Department of Homeland Security’s (DHS) Chief Privacy Officer. “Even limited to the air environment only, each airport authority is different and manages its departure gates in different ways,” the PIA explained, noting, “CBP’s collection of biometrics for entry and exit processing poses a number of logistical challenges.”
“As with all biometric modalities, facial recognition poses a unique set of privacy issues,” the PIA acknowledged, saying, “Facial images can be captured at a distance, covertly, and without consent. Further, facial images are ubiquitous, and whereas individuals may take measures to avoid fingerprint and iris collection, there are fewer ways to hide one’s face. The newness of the technology, and differences in reliability for certain demographics in previous applications, raise the bar for testing to ensure that matching algorithms are effective.”
But, the PIA assured, “CBP is taking steps to promote data minimization and privacy protections by using an airline-generated alphanumeric unique ID (UID) and other methods to disassociate the biographic information associated with the new facial images, and populating the record with test biographic ‘dummy’ information. The algorithms have continued to improve their performance over time.” In addition, “CBP has also taken a number of steps to ensure that its deployment of the TVS is consistent with … privacy best practices.”
The comprehensive new PIA pointed out that, “CBP Officers (CBPO) must process a large volume of travelers in a relatively short period. Second, although infrastructure exists to conduct thorough traveler inspections upon entry to the United States, there has not been such an infrastructure for outbound travelers. Third, the collection of biometrics is a privacy-sensitive practice, with heightened concern on behalf of US citizens, and outbound travelers who are not accustomed to CBP inspection at exit. CBP must tackle these practical challenges with the congressional mandate to implement a comprehensive biometric entry/exit program.”
To address these challenges, CBP has spent several years testing various technologies in a mixture of locations in order “to determine which technology could be deployed large-scale without disrupting legitimate travel and trade,” but “while still meeting the biometric exit mandate.”
DHS and CBP were congressionally mandated to deploy a biometric entry/exit system that can record arrivals and departures to and from the United States.
“Following several years of testing and pilots, CBP has successfully operationalized and deployed facial recognition technology,” known as TVS, “to support comprehensive biometric entry and exit procedures in the air, land, and sea environments.”
While CBP has formerly issued PIAs “documenting each new phase of TVS testing and deployment,” its new comprehensive PIA consolidates all previously issued PIAs and provides notice to the public about how TVS collects and uses personally identifiable information (PII).
Consequently, the new PIA says, “CBP is conducting this overarching, comprehensive PIA for the TVS that will replace all previous PIAs and provide a consolidated privacy risk assessment for TVS.”
As the new comprehensive, single PIA noted, “The 1996 Illegal Immigration Reform and Immigrant Responsibility Act authorized the US government to use an automated system to record arrivals and departures of non-U.S. citizens at all air, sea, and land ports of entry (POEs). CBP is also authorized to collect biometric entry and exit information pursuant to numerous laws, including the 2002 Enhanced Border Security and Visa Entry Reform Act, the Intelligence Reform and Terrorism Prevention Act of 2004, and the Implementing Recommendations of the 9/11 Commission Act of 2007.”
While CBP has been collecting biometric information on entry since 2004, it wasn’t until 2013 that CBP “began developing and testing new processes and capabilities for using biometric information, specifically facial recognition technology, to verify the departure of persons leaving the United States.”
The Consolidated Appropriations Act of 2016, however, authorized CBP to expend up to $1 billion in certain visa fee surcharges collected over the next ten years for biometric entry and exit implementation. Then, Executive Order 13780, Protecting the Nation from Foreign Terrorist Entry into the United States, required DHS to “expedite the completion and implementation of a biometric entry/exit tracking system for in-scope travelers to the United States.”
Under the TVS system – which is an accredited CBP information technology system that consists of a group of similar systems and subsystems that support the core functioning and transmission of data between CBP applications and partner interfaces … CBP will use the TVS as its backend matching service for all biometric entry and exit operations that use facial recognition, regardless of air, land, or sea. Previously, CBP had considered using different technologies based on the different environments in which an individual could present themselves for inspection or exit the United States, but CBP has determined that the TVS facial matching service works across all CBP operating environments (air, land, and sea).
“Regardless of the method of entry or exit, e.g., pedestrian, vehicle, cruise ship, vessel, or airplane, the TVS system conducts the backend biometric matching and provides a result to different CBP systems depending on the environment,” the PIA said, adding, “For all biometric matching deployments, the TVS relies on biometric templates generated from pre-existing photographs that CBP already maintains, known as a ‘gallery,’” which are images that “may include photographs captured by CBP during previous entry inspection, photographs from US passports and US visas, and photographs from other DHS encounters.”
The PIA explained that, “CBP creates localized photographic galleries using either [the] Advance Passenger Information System (APIS) data, or CBP-generated lists of frequent travelers at a specific port of entry. To populate the localized galleries with photographs, CBP compiles photographs from existing CBP sources,” including the Automated Targeting System (ATS) and Unified Passenger Module (UPAX) system. “TVS will then generate biometric templates for each gallery photograph and store the template, but not the actual photograph, in the TVS virtual private cloud (VPC) for matching when the traveler arrives or departs.”
CBP’s TVS deployment for processing arriving air travelers mirrors the process for air exit, with manifest-based galleries and a similar facial recognition algorithm, and integrates it into CBP’s entry inspection applications. Inbound and outbound processing for travelers on commercial sea vessels (e.g., cruise ships) will resemble the air entry and exit processes, as this travel method is also based on a passenger manifest.
But, “While CBP may create APIS manifests on land border crossers via bus or rail, unlike travelers in the air and sea environments, there are no manifests created for pedestrian travelers to assemble a gallery of known travelers,” so, “CBP is developing processes that would enable the use of TVS at the land border; for example, CBP may briefly retain local galleries of travelers who have recently crossed at a given Port of Entry and are expected to cross again within a given period of time.”
As part of its routine testing, and “as technology continues to shift and progress, CBP needs baseline data to test across technology providers over time. CBP regularly tests its facial matching algorithms to ensure high performance and maximize match rates while reducing the risk of false positives. CBP has continued to explore the best modalities and collection methods for implementation of the biometric entry/exit program. In particular, CBP continues to conduct testing and analysis to determine the factors that lead to high quality biometric capture that will result in higher confidence scores. A number of technical demonstrations over the last several years have provided CBP with a baseline of images collected in a live environment that may be compared with images collected in other similar CBP demonstrations. Throughout this process, CBP has designed the tests in order to assess whether the process generates the same results across all demographics, including differences in skin tones. CBP’s efforts to ensure the reliability and quality of its biometric matching algorithm is outlined in more detail in Section 2 of” the new PIA.
As for privacy risks, the PIA said, “There is a risk that the facial images collected through the TVS process will not be of high enough quality or be an accurate representation of the traveler, therefore negatively impacting the reliability of the matching service.” However, the PIA said, “This risk is mitigated [because] CBP is fully committed to testing new processes and capabilities for using facial recognition technology to verify the entry and departure of travelers to the United States,” and in order “to do so, CBP must balance the practical challenges of processing a large volume of travelers in a short period of time and minimal infrastructure for outbound travelers, with the mandate to implement a comprehensive biometric entry/exit program. After extensive research, CBP has found facial recognition to be the most efficient, effective, accurate, and less invasive biometric approach.”
There is also “a risk that CBP will use exit records created under the TVS for a purpose other than those specified for the original collection.” The “risk is partially mitigated,” the PIA explained, because, “CBP collects information under this process in order to verify the identities of travelers departing the United States; however, CBP uses border crossing information more broadly,” and, “creates entry and exit records primarily in support of its mission to facilitate legitimate travel and enforce immigration laws, which include activities related to counterterrorism and immigration enforcement.” CBP may also share this information with federal, state, and local authorities, which may be authorized to use the information for purposes beyond the scope of CBP’s mission.
Another privacy risk that is partially mitigated is TVS’s use of facial images from a variety of sources, both public and private, which poses the risk that the airline, airport, and cruise line partners will use the biometric data for commercial or marketing purposes, or for a purpose other than identity verification.
The PIA identified other privacy risks, but said they’ve partially been mitigated by CBP procedures and processes. It also concluded that CBP still has obstacles to overcome before it’s fully in compliance with the laws mandating its nationwide biometric entry/exit system.