DHS proposes new enterprise biometric administrative records system
national security, law enforcement, and intelligence activities
The Department of Homeland Security (DHS) has issued notice of a new system of records called DHS/ALL–043 Enterprise Biometric Administrative Records (EBAR) System of Records, pursuant to the Privacy Act of 1974 which will exempt portions of the system of records from one or more provisions of the Privacy Act because of criminal, civil, and administrative enforcement requirements.
The new regulations take effect on April 10, according to the DHS notice.
Issued by DHS Acting Chief Privacy Officer Jonathan R. Cantor, the new system of records will allow “DHS to collect and maintain administrative and technical records associated with the enterprise biometric system known as the Automated Biometric Identification System (IDENT) and its successor information technology system, currently in development, called the Homeland Advanced Recognition Technology (HART),” according to the recent notice.
DHS said this information is being collected by and on behalf of, and in support of or in cooperation with DHS and its components that may contain personally identifiable information (PII) that’s collected by federal, state, local, tribal, foreign, or international agencies that are consistent with applicable laws, rules, regulations, and information sharing and access agreements or arrangements.
The proposed new EBAR System of Records (SOR) Component system SORNs and the Enterprise Biometric Records (EBR) SORN “cover the biometric data itself, but the [Office of Biometric Identity Management’s (OBIM)] biometric repository generates technical and administrative information necessary to carry out functions that are not explicitly outlined in component source-system SORNs,” DHS’s proposed new regulation states.
Created in March 2013, replacing the United States Visitor and Immigration Status Indicator Technology (US-VISIT) Program, OBIM supports DHS’s responsibility to protect the nation by providing biometric identification services that assist federal, state, and local government decision-makers “accurately identify the people they encounter and determine whether those people pose a risk to the United States. OBIM supplies the technology for collecting and storing biometric data, provides analysis, updates its watchlist, and ensures the integrity of the data.
As Biometric Update earlier reported, OBIM is being transferred to DHS’s Management Directorate under the Cybersecurity and Infrastructure Security Agency Act (CISA) of 2018, which President Trump signed into law. DHS explained the transfer in an earlier CISA fact sheet, saying OBIM’s “placement within the DHS headquarters supports expanded collaboration and ensures OBIM’s capabilities are available across the DHS enterprise and the interagency.” The legislation directed OBIM to be “immediately realigned to the MGMT Directorate,” DHS stated in is FY 2020 budget justification documents.
The legislation requires OBIM be administered by a “director with significant management experience and experience in biometrics and identity management,” who “shall have specified duties, including leading DHS’s biometric identity services to support anti-terrorism, counterterrorism, border security, credentialing, national security, and public safety.”
Some have heralded CISA as a “landmark” piece of legislation. It “elevates the mission of the former National Protection and Programs Directorate (NPPD) within DHS and establishes the Cybersecurity and Infrastructure Security Agency,” DHS earlier stated.
OBIM was also the big winner under DHS’s proposed Fiscal Year (FY) 2020 budget, with a request for $269.6 million, a 6 percent increase. This includes a requested increase of $23.2 million to support the operations for both the Automated Biometric Identification System (IDENT) and the Homeland Advanced Recognition Technology System (HART). The base for this activity is $160.7 million.
Overall, $198 million would go toward IDENT/HART operations and maintenance (O&M); $70 million to identity and screening program operations; $184 million for OBIM O&M; and $15.5 million for procurement.
More than $170 million is allotted for the transfer of IDENT/HART O&M from the Cybersecurity and Infrastructure Security Agency (CISA) to DHS’s Management Directorate (MGMT), and $69.5 million for the transfer of OBIM to MGMT/OBIM from CISA.
OBIM’s Identity and Screening Program Operations, or PPA (PPA) as it’s called for purposes of budgeting, is comprised of Program Operations, Identity, and Screening Services, and IDENT/ HART program operations and maintenance.
DHS explained that in order “to more accurately identify individuals and ensure that all encounters are appropriately linked, IDENT and its successor information technology system, HART, will generate, store, and retrieve data by unique numbers or sequence of numbers and characters.”
These unique numbers or sequences of numbers and characters, also known as “enumerators,” link individuals with their encounters, biometrics, records, and other data elements. DHS said, “the EBAR SOR will be used for OBIM analysis and reporting functions in support of international data sharing efforts, redress functions, and the reporting and analysis functions of OBIM.”
DHS says the proposed new regulation is consistent with its mission, and “information covered by DHS/ALL–043 EBAR may be shared with DHS components that have a need to know the information to carry out their national security, law enforcement, immigration, intelligence, or other homeland security functions.” Additionally, DHS will be able to share this information with all appropriate federal, state, local, tribal, territorial, foreign, or international government agencies when consistent with the EBAR SORN.
DHS noted that the Privacy Act defines an individual as U.S. citizens and lawful permanent residents and that the Judicial Redress Act (JRA) “provides a statutory right to covered persons to make requests for access and amendment to covered records, as defined by the JRA, along with judicial review for denials of such requests. In addition, the JRA prohibits disclosures of covered records, except as otherwise permitted by the Privacy Act,” which allows government agencies to exempt individual records from specific provisions of the Privacy Act.
If, however, an agency claims an exemption, it must issue a Notice of Proposed Rulemaking “to make clear to the public the reasons why a particular exemption is claimed.”
DHS said it “is claiming exemptions from certain requirements of the Privacy Act for its proposed DHS/ALL–043 Enterprise Biometric Administrative Records System of Records” because some of the information that is contained “in this system of records relates to official DHS national security, law enforcement, and intelligence activities,” and therefore “these exemptions are needed to protect information relating to DHS activities from disclosure to subjects or others related to these activities.”
Specifically, DHS emphasized in its proposed rule, the exemptions are required to:
• Preclude subjects of these activities from frustrating these processes;
• Avoid disclosure of insider threat techniques;
• Protect the identities and physical safety of confidential informants and law enforcement personnel;
• Ensure DHS’s ability to obtain information from third parties and other sources;
• Protect the privacy of third parties; and
• Safeguard classified information.
DHS said that disclosure of any information to a subject of an inquiry “could also permit the subject to avoid detection or apprehension,” and that “in appropriate circumstances when compliance would not appear to interfere with or adversely affect the law enforcement purposes of this system and the overall law enforcement process, the applicable exemptions may be waived on a case by case basis.”
Expanding on these stated concerns, DHS explained that the “release of the accounting of disclosures could alert the subject of an investigation of an actual or potential criminal, civil, or regulatory violation to the existence of that investigation and reveal investigative interest on the part of DHS and the recipient agency,” and that “disclosure … would [also] therefore present a serious impediment to law enforcement efforts and efforts to preserve national security.”
Disclosure of the accounting would also be problematic, so even when an investigation has been completed, and an individual, individuals, or suspected criminal enterprise or terrorist organization, for example, is closed, DHS said: “information on disclosures made may continue to be exempted if the fact that an investigation occurred remains sensitive after completion.”
Providing access and allowing amendments to the records could inform subject under investigation, and allow them to tamper with evidence, which would “impose an unreasonable administrative burden by requiring investigations to be continually reinvestigated.”
“In addition,” DHS pointed out, “permitting access and amendment to such information could disclose security-sensitive information that could be detrimental to homeland security.
Currently, as explained by DHS, the EBAR System of Records is comprised of both electronic and paper records that will be used by DHS and its components, “including, but not limited to the enforcement of civil and criminal laws; investigations, inquiries, and proceedings thereunder; and national security and intelligence activities.”
This system of records further involve information collected by, on behalf of, in support of, or in cooperation with DHS and its components, and “may” contain PII that’s been collected, compiled, and assembled – and, presumably, also indexed, cross-referenced, and correlated -by other federal, state, local, tribal, foreign, or international government agencies as part of routine pattern recognition-based investigative and intelligence related dot-connecting.