CBP One app found to have issues vetting users, security vulnerabilities
U.S. Customs and Border Protection’s (CBP) already controversial CBP One mobile app is in hot water once again. The app allows undocumented noncitizens seeking admission into the United States to submit their biographic and biometric information as part of their Advance Travel Authorization request so that CBP can determine whether they have “derogatory records.”
Civil and human rights groups have decried the CBP One app for its collection of the biometrics of non-U.S. citizens.
The CBP One app’s appointment feature allows all noncitizens seeking safe and orderly arrival into the United States through one of the eight Southwest border ports of entry (POEs) to submit personally identifiable information (PII) and to schedule appointments in advance of their arrival to expedite the entry process.
The U.S. Department of Homeland Security (DHS) Inspector General (IG) said in a new audit report, however, that it found CBP “did not formally assess and mitigate the technological risks involved with expanding the application to allow undocumented noncitizens to schedule appointments to present themselves for processing at Southwest border crossings, nor is CBP leverage[ing] the information to identify suspicious trends as part of its pre-arrival vetting procedures.”
Generally, undocumented noncitizens are individuals who do not possess valid travel documents like a visa or passport that allow them entry into the U.S. Consequently, CBP Field Operations officers spend considerable time collecting information and processing noncitizens at POEs because they do not possess valid travel documents. Historically, CBP has not received advance information prior to the noncitizen’s arrival at a land border POE that would assist with this process. The CBP One app’s appointment feature, rolled out on January 12, 2023, streamlines this process by providing CBP officers with advance biographic and biometric information that’s supposed to reduce the administrative burden of manually entering information into records systems to conduct pre-arrival noncitizen vetting.
“Based on our review of CBP One data, we found suspicious trends in the noncitizens’ pre-reported U.S. residential address, which is a required field during the CBP One registration process,” DHS IG Joseph V. Cuffari stated in his August 19 audit report.
The IG reported finding that 208,996 of 264,554 noncitizens (79 percent) who registered in CBP One between January 12, 2023, and August 18, 2023, reported the same intended residence as another noncitizen despite appearing to be unrelated. “We identified seven U.S. addresses that 1,696 noncitizens claimed as their intended residence, which we considered suspicious and potentially relevant to their admissibility determinations. Furthermore, the 1,696 noncitizens did not enter into the United States through the same POEs.”
The IG emphasized that while “CBP uses biographic and biometric information submitted to CBP One to determine whether arriving noncitizens have derogatory records, it does not leverage the information to identify suspicious trends as part of its pre-arrival vetting procedures.”
Based on the IG’s analysis of CBP One data, it identified what it said were “potentially unrelated noncitizens who repeatedly claimed identical U.S. residences as their intended address.” The IG said that “in one particularly striking example, we identified 358 noncitizens who reported the same 4-bedroom, single-family home as their intended U.S. residence within an 8-month period,” yet “no single POE realized the number of noncitizens reporting this suspicious address.”
The DHS IG also found that “CBP currently does not have a mechanism to routinely analyze CBP One data” from the eight Southwest border POEs for “trends which may be useful intelligence to help guide front-line CBP officers when interviewing noncitizens during appointment processing.”
And because it doesn’t, the IG reported, CBP “missed an opportunity to assess the advance information for trends of suspicious activity across the Southwest border” and to communicate the results to POEs for consideration during their admissibility determinations.
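The gap the IG describes, an address that looks unremarkable at each POE but stands out once registrations from all POEs are pooled, can be shown with a short aggregation. This is an added illustration, not code from the audit report or from CBP; the records are constructed, and the field layout, the `party_id` notion of "related" registrants, and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample registrations (not real CBP One data).
# Fields are assumptions: registrant id, travel-party id (people registering
# together share one), port of entry, and free-text intended U.S. address.
REGISTRATIONS = [
    ("r01", "p1", "POE-A", "12 Oak St., Apt 4, Springfield"),
    ("r02", "p1", "POE-A", "12 Oak St Apt 4 Springfield"),   # same party as r01
    ("r03", "p2", "POE-A", "99 Elm Avenue, Riverton"),
    ("r04", "p3", "POE-B", "99 ELM AVE, RIVERTON"),
    ("r05", "p4", "POE-C", "99 Elm Ave. Riverton"),
    ("r06", "p5", "POE-D", "99 elm ave, riverton"),
    ("r07", "p6", "POE-B", "7 Pine Road, Lakeside"),
]

ABBREVIATIONS = {"street": "st", "avenue": "ave", "road": "rd", "apartment": "apt"}

def normalize_address(raw):
    """Lower-case, strip punctuation and unify common suffixes so that
    spelling variants of one address compare equal."""
    words = re.sub(r"[^a-z0-9 ]", " ", raw.lower()).split()
    return " ".join(ABBREVIATIONS.get(w, w) for w in words)

def parties_by_address(registrations):
    """Map normalized address -> {poe: set of distinct travel parties}."""
    index = defaultdict(lambda: defaultdict(set))
    for _rid, party, poe, address in registrations:
        index[normalize_address(address)][poe].add(party)
    return index

def flag_addresses(registrations, threshold):
    """Return addresses where the number of distinct travel parties across
    all POEs reaches the threshold, with the largest count any single POE sees."""
    flagged = {}
    for address, per_poe in parties_by_address(registrations).items():
        total = len(set().union(*per_poe.values()))
        if total >= threshold:
            flagged[address] = {
                "parties_all_poes": total,
                "max_parties_single_poe": max(len(p) for p in per_poe.values()),
                "poes": sorted(per_poe),
            }
    return flagged

if __name__ == "__main__":
    for address, stats in flag_addresses(REGISTRATIONS, threshold=3).items():
        print(address, stats)
```

In the constructed data, four unrelated parties name one address, yet each POE sees only one of them, so a per-POE count never reaches the threshold while the pooled count does.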
DHS’s Inspector General also “identified security vulnerabilities within the CBP One application and its supporting infrastructure operating systems.” And “without a process to ensure all corrective security patches are timely implemented and assets are properly configured, CBP One data could be susceptible to exploitation or cyber-attacks,” a problem that “is especially important as CBP continues to update the application.”
The DHS auditor said that “based on the results of our assessments, we identified vulnerabilities within the CBP One mobile application, web application, and supporting infrastructure operating systems that could compromise the integrity of sensitive systems and information.”
“Specifically,” the IG said, “bad actors could use the weakness identified [in the CBP One web application] to bypass front-end security rules, access internal systems, and potentially launch attacks on users who are actively browsing the website.”
CBP developed its CBP One mobile and web application system in October 2020 to serve as a single portal for a variety of CBP services, such as applying for a Form I-94, scheduling agricultural inspections at airports, and requesting Advance Travel Authorizations. The CBP One appointment process is composed of three “distinct phases”: appointment scheduling, pre-arrival vetting, and POE processing.
Noncitizens seeking entry to the U.S. input their biographical information and intended U.S. residence into the CBP One app. They also must submit a photograph that’s subject to CBP’s Genuine Presence technology to verify the user is a “live” person. CBP’s Traveler Verification Service image gallery contains all photographs submitted into CBP One to assist CBP POE officers with verifying noncitizens during POE processing. CBP One also captures the device’s latitude and longitude.
After a noncitizen schedules an appointment, their information is stored in CBP’s Automated Targeting System (ATS), which uses a built-in feature called Unified Passenger (UPAX) to automatically perform pre-arrival vetting by comparing noncitizen-provided information against raw intelligence in DHS, law enforcement and intelligence databases like the Terrorist Screening Database and databases containing outstanding warrants, Be on the Lookout notices, and Red and Blue Notices issued by INTERPOL. It also applies risk-based rules centered around CBP Officer experience and analysis of trends of suspicious activity. Using this information, UPAX automatically generates what’s called a CBP One Hotlist for each POE which documents all upcoming appointments and pre-arrival vetting results.
According to the January 2017 Privacy Impact Assessment Update for the ATS, “the enhanced presentation provided in the UPAX functionality provides direct access to cross-referenced files and information from partner agency databases through the use of hypertext links and single sign-on protocols.”
Once an undocumented noncitizen who has gone through the Advance Travel Authorization process through the CBP One app arrives at a POE, CBP officers use the CBP One Hotlist to verify the person had a confirmed appointment prior to entering the POE. Once verified, CBP officers direct noncitizens into the POE to begin primary inspection.
At primary inspection, CBP officers collect biometric information, including a photograph for comparison to the TVS gallery, to retrieve the noncitizens’ advance information in CBP One and pre-populate CBP’s Unified Secondary system. Noncitizens are then referred to secondary processing, where CBP officers confirm the advance information submitted into CBP One, collect the noncitizen’s fingerprints for comparison to DHS’s Automated Biometric Identification System for a criminal background check, collect a DNA sample that’s sent to the U.S. Federal Bureau of Investigation for Combined DNA Index System processing, review the vetting results, and coordinate with the NTC to confirm derogatory information.
DHS’s Inspector General made three recommendations to correct the problems it found. CBP concurred with all three recommendations and began taking actions to fix them. While the IG considers all three problems “resolved,” they remain “open” until CBP provides the IG with “documentation to substantiate it has implemented” all three of the IG’s recommendations.