DOD advances biometric security while DHS faces privacy concerns

A new Government Accountability Office (GAO) audit report has raised red flags about privacy vulnerabilities in the Department of Homeland Security’s (DHS) Homeland Advanced Recognition Technology (HART) system. Meanwhile, the Department of Defense (DOD) has successfully migrated its Automated Biometric Identification System (ABIS) to the cloud, offering valuable lessons in biometric IT acquisitions.
The contrast between these two programs underscores the importance of proactive risk management, robust security frameworks, and clear governance policies. As federal agencies continue to adopt advanced biometric technologies, balancing innovation with privacy protection will be critical in ensuring both security and civil liberties are upheld.
DOD has taken a different approach to enhancing biometric capabilities through ABIS, which processes up to 45,000 biometric submissions daily and can surge to 100,000 during major operations. ABIS has undergone a significant transformation through cloud migration. Unlike DHS’s challenges with HART, DOD has successfully transitioned its ABIS to a highly secure Impact Level 5 AWS cloud architecture, improving speed, security, and scalability.
The DOD ABIS plays a crucial role in identifying persons of interest across battlefields, borders, and military bases worldwide. It processes multiple biometric modalities, including fingerprints, palm prints, iris scans, facial recognition, and voice recognition. With a repository of over 30 million biometric records shared among DOD, federal agencies, and international partners, the system required a modernization effort to enhance security and efficiency.
Transitioning from on-premises servers to a cloud infrastructure has aligned ABIS with DOD’s Zero Trust Architecture, reducing security vulnerabilities while enabling seamless scalability.
A key aspect of the migration was maintaining interoperability with critical systems like the Federal Bureau of Investigation’s (FBI) Next Generation Identification system and DHS’s identification databases. ABIS also manages critical watch lists, ensuring that up-to-date biometric data is accessible across multiple platforms, including field devices used by military and intelligence teams. The goal of the migration was to preserve existing capabilities while enhancing processing speeds and streamlining the development of new functionalities.
Unlike the risks GAO identified in HART, DOD’s incremental cloud migration approach minimized disruptions and ensured operational continuity. Rather than a risky all-at-once transfer, ABIS was migrated in logical phases, reducing the likelihood of system failures and technical issues. Leidos, the prime contractor overseeing the migration, worked closely with DOD to implement the cloud efficiently, demonstrating a methodical approach to IT modernization.
By shifting to AWS GovCloud, ABIS has significantly improved its processing speed, reducing turnaround times for biometric analyses by 10 percent to 15 percent. The system’s enhanced capacity enables warfighters and intelligence teams to make faster, data-driven decisions in the field. With increased security and operational flexibility, the modernized ABIS infrastructure stands as a testament to the successful implementation of cloud-based biometric identification systems in federal agencies.
“We reduced the risk of operational impact, from the front-end workstation all the way to the back-end compute environment, by migrating pieces of the system that were grouped logically through incremental deployments,” said Leidos DOD ABIS Program Manager David Jones.
“When we encounter a potential adversary in some far-away place, it’s important that warfighters and other agencies understand whether that person has a prior history of threat activities,” explained JB Burton, a retired Army brigadier general supporting the Leidos initiative. “Are they on a watch list? Have we ever encountered them before? Providing timely, accurate and complete responses to DOD ABIS end users facilitates faster decision making at the forward edge.”
Over at DHS, though, GAO found privacy issues with HART, the biometric identity system that is designed to replace the existing Automated Biometric Identification System (IDENT) and is expected to enhance the government’s ability to collect, store, and process sensitive biometric data. GAO’s audit underscores significant privacy risks tied to the technology, raising concerns about data security, unauthorized surveillance, and potential misuse of personally identifiable information.
HART is a mission-critical IT acquisition that will serve multiple agencies, including DHS, the Department of State, and the Department of Justice. It is intended to improve identity verification processes for immigration enforcement, law enforcement investigations, and national security operations. However, the report identifies HART as one of the acquisitions with the highest privacy risk. The scale of data collection and storage involved in HART increases the likelihood of security breaches, unauthorized access, and data misuse. Given that biometric data is immutable, the stakes for protecting this information are exceptionally high.
One of the central privacy concerns with HART is the potential for mass surveillance and tracking. GAO warned that the system’s vast database could enable the government to monitor individuals on an unprecedented scale, raising questions about civil liberties and data protection. Privacy advocates have cautioned that without robust safeguards, HART could be used beyond its intended scope, leading to surveillance of law-abiding individuals and communities. The system’s integration with other government databases and law enforcement networks amplifies these risks, making it imperative for DHS to implement strict access controls and oversight mechanisms, GAO said.
GAO also highlighted the challenge of securing biometric data against cyber threats. Unlike alphanumeric data, biometric information, once compromised, cannot be reset or replaced. A breach of HART’s database could expose millions of individuals to identity theft and fraud. The audit report stresses that DHS must adopt cutting-edge encryption and data anonymization techniques to mitigate these risks. However, GAO found inconsistencies in DHS’s approach to privacy risk management, noting that the department had not fully addressed prior recommendations related to biometric data security.
Another significant issue identified in the report is the lack of transparency regarding how biometric data will be shared with other federal, state, and international entities. HART is designed to facilitate data exchange between agencies, but GAO raises concerns that DHS has not clearly outlined policies on data retention, sharing agreements, and oversight mechanisms. Without clear regulations and accountability measures, there is a risk that biometric data could be accessed or used beyond its original purpose. The report calls for DHS to establish stringent data governance policies to prevent potential misuse and ensure compliance with privacy laws.
GAO also found that DHS has faced challenges in implementing privacy protections within HART due to the complexity of integrating security measures into such a large-scale IT system. The system’s development has experienced delays, in part due to difficulties in aligning privacy safeguards with operational needs. The audit report warns that unless DHS prioritizes privacy considerations from the outset, the system may launch with inadequate protections, increasing the risk of future breaches and misuse.
The potential consequences of failing to address these privacy risks are severe. GAO pointed to past incidents where weak biometric security measures led to significant data breaches. For instance, a 2019 Customs and Border Protection breach exposed facial recognition data collected from travelers. A similar breach in HART could have far-reaching implications, affecting not only U.S. citizens, but also foreign nationals whose biometric information is stored in the system. The report underscores that protecting this data is not only a privacy issue but also a national security concern.
GAO recommended that DHS take several urgent steps to mitigate the privacy risks associated with HART. First, DHS must implement a comprehensive privacy impact assessment to evaluate and address potential risks before full deployment. Second, DHS must strengthen its encryption and anonymization protocols to safeguard biometric data against cyber threats. Third, DHS needs to improve transparency by clearly defining how biometric information will be shared, retained, and used across different agencies. And lastly, DHS must ensure ongoing oversight and independent audits to monitor compliance with privacy protections and prevent unauthorized use of HART’s data.
HART represents a significant advancement in biometric technology, but it also poses unprecedented privacy challenges. The GAO audit report makes it clear that without robust safeguards, the system could lead to widespread surveillance, unauthorized data sharing, and increased vulnerability to cyber threats. GAO’s findings serve as a critical warning that while technological advancements in identity verification are necessary, they must not come at the cost of privacy and security.