Civil rights groups say CBP ignored them and skipped public feedback for Biometric Entry/Exit
U.S. Customs and Border Protection (CBP) intends to apply the Biometric Entry and Exit system to all international flights in the country in as little as two years, according to documents obtained by the non-profit research group Electronic Privacy Information Center (EPIC) and reported by BuzzFeed News.
The documents also explicitly state that airlines are not limited in how they can use facial recognition data. A Privacy Impact Assessment (PIA) published in November pointed out a risk of airline and other partners in the program using biometric data for commercial or marketing purposes, and BuzzFeed reports that CBP abruptly changed its position and limited companies from using the data at a data privacy meeting in December.
BuzzFeed also suggests that the documents indicate CBP skipped the public feedback period which it is required to go through before implementing technology meant for broad use on citizens.
“I think it’s important to note what the use of facial recognition [in airports] means for American citizens,” EPIC Domestic Surveillance Project Director Jeramie Scott told BuzzFeed News. “It means the government, without consulting the public, a requirement by Congress, or consent from any individual, is using facial recognition to create a digital ID of millions of Americans.”
“CBP is committed to protecting the privacy of all travelers and has issued several Privacy Impact Assessments related to [its biometric entry-exit program], employed strong technical security safeguards, and has limited the amount of personally identifiable information used in the transaction,” an agency spokesperson said.
The article provides a brief history of CBP’s Traveler Verification Service (TVS) and its predecessor, the Departure Information System, and suggests that the low opt-out rate indicates a lack of passenger awareness, rather than a high level of passenger acceptance. It also suggests that accuracy may be a problem, particularly in the absence of clear regulatory requirements for thresholds.
JetBlue Head of Customer Experience Caryl Spoden told BuzzFeed that CBP’s match rate goal for in-scope travellers is 97 percent, with a false positive rate of 0.1 percent or lower.
“It sounds like CBP has finally set a false positive rate, which is something that hasn’t been mentioned in the past,” notes Clare Garvie, of Georgetown Law School’s Center on Privacy and Technology.
CBP has also updated its policy for storing biometric data of U.S. citizens, deleting its own data 12 hours after capture and requiring airline and airport partners to do the same and allow CBP to audit their compliance. For technology partners such as biometric capture or cloud matching service providers, however, the requirements are less clear.
World Privacy Forum Executive Director Pam Dixon says that amounts to “a mandatory situation where we’re giving the airlines our biometric data — and other commercial partners — and we don’t even know who they are.”
“If the U.S. government wants to run this program, the U.S. government should take the pictures, and only they should have access to the photos.”
Civil rights advocates from EPIC, World Privacy Forum, and the ACLU said that despite government stipulations to consider their views when developing and trialing the system, CBP did not do so. It held a pair of meetings with privacy advocates, but the organizations found the interactions inadequate.
Identity Project consultant Edward Hasbrouck says CBP’s current focus is “how to structure the program to make it technically work, and what tweaks the agency might need to make to appease, or suppress, or frustrate protests and legal challenges,” and in particular whether it will end up defending the program in court.
CBP says facial biometrics have been used to identify 5 imposters travelling to the U.S. by air in recent years, and 64 at land border crossings in less than a year.