DHS’s biometric advanced recognition technology system begins road to the cloud
The Department of Homeland Security’s (DHS) Homeland Advanced Recognition Technology System (HART), which is replacing DHS’s legacy Automated Biometric Identification System (IDENT) as the department’s primary system for storing and processing biometric and associated biographic information, is a step closer to being realized.
DHS’s Office of Biometric Identity Management (OBIM) released the required Privacy Impact Assessment for the initial HART Increment 1 rollout expected in 2021 as the program is being developed to be moved entirely to Amazon’s GovCloud. However, the new PIA stated, “Pending any development or program changes, OBIM anticipates that this will occur in Fiscal Year 2020.”
Northrop Grumman was awarded the coveted $95 million contract to develop the first phase of the HART roll out last year, which OBIM director of Identity Operations Division Patrick Nemeth has described as being a much trimmer rendering of IDENT scaled to receive new biometric capabilities.
Indeed, the PIA noted that “The data and system architecture have been designed for scalability to address projected growth in identity and image data volumes and to accommodate any needs associated with larger files. HART Increment 1 includes OBIM’s design and acquisition of the physical infrastructure for HART,” as well as “existing internal reporting functionality needed to provide reports to our users, monitor redress requests, and support administrative tasks.”
HART serves as the central federal biometric database for national security; law enforcement; immigration and border management; intelligence; background investigations for national security positions and specific positions of public trust; and associated testing, training, management reporting, planning and analysis; development of new technologies; and other administrative uses. OBIM will implement HART in 4 incremental phases. The PIA only focuses on HART Increment 1. OBIM will publish an update to the PIA prior to each Increment of the program
The legacy IDENT system was developed in 1994 by the then Immigration and Naturalization Service (INS) as a law enforcement system for collecting and processing biometrics from individuals apprehended by U.S. Border Patrol or immigration officials. Ten years later, DHS deployed the U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) Program as the first large-scale biometric identification program to support immigration and border management.
In 2013, US-VISIT transitioned to become OBIM, which in 2015 “began planning for the replacement of IDENT with the HART, a more robust system that will provide OBIM with flexible and more efficient biometric data that supports DHS core missions,” DHS said, explaining “OBIM’s mission is to provide identity services to DHS and its mission partners that enable informed decision making by producing accurate, timely, and high assurance biometric identity information.”
OBIM’s “mission partners capture biometric data and submit it to HART to carry out [its] missions and functions, which include law enforcement; national security; immigration screening; border enforcement; intelligence; national defense background investigations relating to national security positions; and credentialing consistent with applicable DHS authorities.”
DHS also maintains this information to support its information-sharing agreements and arrangements with authorized foreign partners, the sharing of which DHS says “augments the law enforcement and border control efforts of both the United States and its partners. Additionally, DHS is using this information in concert with external partners to facilitate the screening of refugees to combat terrorist travel consistent with DHS’s and Components’ authorities.”
DHS said in its new PIA that, “Once OBIM completes HART development and technical configurations, HART will replace IDENT as the biometric system of record. HART will store and process biometric data (digital fingerprints, iris scans, facial images (including a photo) and link these biometrics with biographic information pursuant to the data owner’s authorities and policies for use, retention, and sharing of information.”
DNA retention is not included in Increment 1, the PIA pointed out, and is not addressed elsewhere in the document.
“HART Increment 1 development is focused on delivering the core foundational infrastructure and baseline existing functionality in IDENT that ensures continuity of services without disruption to existing IDENT users,” DHS said, pointing out that “HART Increment 1 implements a new data architecture, which includes conceptual, logical, and physical data models, a data management plan, and physical storage of records where each associated record may have multiple associated biometric modality images.”
HART Increment 1’s migration to the Amazon Web Services (AWS) GovCloud will “provide mission partners a biometric matching capability based on multiple biometric modalities (fingerprint (including latent prints), face (including a photo), and iris), and additional means by which to identify an individual such as a unique identifier (e.g., Social Security number (SSN), Alien Number (A-Number)).”
Increment 2 will provide additional biometric capabilities for its customers’ needs, “and provide increased interoperability with agency partners and improved reporting features. Increments 3 and 4 will include a web portal and user interface capability, support for additional modalities, and improved reporting tools.”
Amazon’s GovCloud service “is required to adhere to the security and privacy controls required by the National Institute of Technology’s Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing, as well as DHS’s Chief Information Officer.
The new PIA did note, however, a system security plan has not been completed for the information system(s) supporting the project, saying “OBIM is in the process of obtaining the Authority to Operate for HART,” which is supposed to occur by the end of the year. OBIM is expected to publish updates to the PIA before operationalizing additional increments and functionalities.
While the PIA states, “there is a risk that HART facial image matching results may be inaccurate or result in a disproportionate impact to certain populations,” it said, “OBIM mitigates this risk by conducting face matcher tuning to optimize accuracy and system performance. The face matcher tuning evaluates face algorithms for biographic, biometric, and contextual factors.”
There is also a recognized “privacy risk that non-matching facial images are disclosed to HART authorized users,” but that this should be mitigated. The PIA explaining that “In the case of the 1 to 1 facial recognition service, if the match does not return a match/no-match result, the facial images are reviewed by OBIM’s facial examiners in [OBIM’s] Biometric Support Center [BSC], and non-matching faces are not disclosed to HART users. HART may generate a candidate list as an investigative lead as part of a 1 to Many service,” and that “OBIM’s BSC may review candidate lists and provide them to authorized HART users for use as an investigative lead only, and not the sole basis for any law enforcement action.”
Another potential risk noted in the PIA is “that the quality and integrity of information collected and maintained in HART may not have sufficient quality required to serve its purpose of biometric and biographic verification and matching, thus potentially causing misidentification.”
But, presumably, according to OBIM, “HART mitigates this risk by requiring fingerprints, which are unique identifiers, and basic biographic information, to establish an identity in HART.”
Finally, concerns have been expressed within DHS, contractors, developers, employees, engineers, users, etc., over whether the COVID-19 pandemic will substantively delay even the deployment of HART Increment 1, given the discovery of a more virulent mutated strain and projections of 3,000 deaths a day in the U.S. through August. OBIM acknowledges there have been pandemic-related setbacks and that the deadline may well be pushed back until the end of the year if not well into 2021.
DHS has been silent regarding the pandemic’s impact on not only this program but many others in which large numbers of essential employees and contractors have been required to abide by federal social distancing requirements.
Amazon | biometric database | biometrics | cloud computing | Department of Homeland Security | DHS | facial recognition | fingerprint recognition | Homeland Advanced Recognition Technology (HART) | iris recognition | law enforcement | Northrop Grumman | United States