EPIC v. CBP (Biometric Entry/Exit Program)
- DHS Proposes Database to Link Biometric Data, EPIC will Oppose: The Department of Homeland Security has published a Systems of Record Notice for the "Enterprise Biometric Administrative Records." The DHS seeks to link personal data in the IDENT biometric database to unique machine-generated identifiers. IDENT contains personal data on both U.S. citizens and non-U.S. persons.The IDENT database is tied to biometric databases maintained by the FBI, the Department of Defense, and the State Department. DHS also announced a Notice of Proposed Rulemaking that proposes to exempt the Enterprise Biometric Administrative Records database from many of the protections of the Privacy Act. EPIC is currently pursuing a Freedom of Information lawsuit against the State Department for information about the disclosure of personal biometric data to other federal agencies. Public comments on the Enterprise Biometric Administrative Records System of Record Notice or Notice of Proposed Rulemaking are due April 10 and April 15 respectively. EPIC will urge the DHS to suspend the project. And if the agency goes forward, EPIC will urge the agency to comply with all of the requirements of the federal Privacy Act. (Apr. 1, 2020)
- In FOIA Case, EPIC Obtains Details on State Department's Facial Recognition Program: In response to EPIC's Freedom on Information Act lawsuit, EPIC v. State, the State Department has provided EPIC with several agency agreements concerning State Department facial recognition program. The Consular Consolidated Database contains millions of images from visa and passport applicants, which other federal agencies are now accessing for purposes unrelated to the processing of visa and passport application. The State Department agreements include the Labor, Interior, and Defense Departments. Several of the documents EPIC obtained concealed the name of the federal agency accessing the State Department database. In a related EPIC FOIA lawsuit, EPIC obtained documents concerning Customs and Border Protection use of images from the State Department. (Feb. 19, 2020) More top news »
The CBP's implementation of a Comprehensive Biometric Entry/Exit Plan currently includes the testing of facial recognition and iris imaging capabilities at exit/entry points within the US. The FY 2016 Consolidated Appropriations Act provides up to a $1 billion for the CBP biometric entry/exit program and President Trump's Executive Order "Protecting the Nation From Foreign Terrorist Entry into the United States"(Executive Order 13780 of March 6, 2017) explicitly calls on CBP to "expedite the completion and implementation of a biometric entry exit tracking system." These techniques pose significant threats to privacy and civil liberties, in particular the ability to conduct facial recognition covertly, remotely and on a mass scale. The lack of precautions that can be taken to prevent the collection of one's facial image, in addition to the absence of well-defined federal regulations controlling the collection, use, dissemination, and retention of biometric identifiers, raises serious privacy concerns for the individual. Identification through these processes eliminates an individual's ability to control their identities and poses a specific risk to the First Amendment rights of free association and free expression.
CBP's 1:1 Facial Recognition Air Entry Pilot Program
Facial recognition technology has been used by CBP officers at airport entry screening points. This roll out began with a sixty-day field test deploying equipment to take photos of individuals at ports of entry and using facial recognition technology to compare the photo stored on the embedded computer chip in U.S. passports. The program has been expanded to all U.S. airports and to cover first-time travelers form VWP countries. Individuals, including U.S. citizen, do not have the option to opt-out of the facial recognition comparison process.
CBP states it will "retain facial images and comparison match score data from those travelers who are subject to an adverse or law enforcement action resulting from secondary inspection." This retention was expanded to include those "images with scores that fall in the mandatory referral range" as well as "all facial images taken during secondary inspection."
CBP's Biometric Exit Program
A pilot facial recognition program (the Departure Information Systems Test ("DIST")) began in June 2016 at Hartsfield-Jackson Atlanta International Airport. The purpose of the pilot was to test the accuracy of CBP's facial recognition technology. The CBP stated that the agency's "initial findings support the piloted process as a viable solution to fulfill the mandated biometric exit requirements in certain settings." However, no report explaining these initial findings has been released to the public.
Under this program, CBP would create exit records for passengers and retain them in CBP's Advance Passenger Information System ("APIS"). CBP officers would take a photo of the passenger and match it to a photo in the flight-specific galleries in the Automated Targeting System ("ATS") consisting of compilations of photos from the Automated Biometric Identification System ("IDENT"), the Department of State's Consolidated Consular Database, and U.S. Citizen and Immigration Service's Computer Linked Adjudication Information Management System ("CLAIM 3"). Photos of U.S. citizens could be retained until their identities were confirmed, and the photos of non-U.S. citizens could be retained for up to fifteen years in the DVS system in ATS.
The Traveler Verification Service ("TVS") is an iteration of the agency's biometric exist system that uses a cloud environment for facial recognition. A production of a "report identifying how each algorithm performed" was expected following the release of a TVS PIA update in May 15, 2017. DHS Deputy Executive Assistant Commissioner, John Wagner, has stated that TVS will be expanded to eight airports during the summer of 2017.
A JetBlue self-boarding program will utilize CBP's facial recognition technology to verify the identity of JetBlue customers and CBP's database of passport, visa, and immigration photographs and is part of CBP's "ongoing trials to implement a biometric exit process in the future."
CBP's Iris Imaging Testing
The CBP is testing "iris imaging capabilities" at Otay Mesa Port of Entry. Testing, beginning in December 2015, consisted of capturing the iris images of non-U.S. citizens entering the U.S. and requiring certain non-U.S. citizens to "provide facial and iris biometrics to compare to their entry record.";
The CBP has three goals for the entry/exit strategy they have developed: (1) reducing biographic gaps by expanding biographic collection, (2) conducting targeted biometric operations, and (3) transforming entry/exit operational processes.
CBP's Changing Rules
Without any formal procedure in place, CBP has frequently changed the FAQs provided on the agency's website with regard to opt-out procedures. As of December 11, 2018, the FAQs read:
Are U.S. Citizens required to provide biometrics for the entry-exit system?
U.S. Citizens who are entering or exiting the country are generally required to be in possession of a valid U.S. passport. At this time, however, CBP does not require U.S. Citizens to have their photos captured when entering or exiting the country. U.S. Citizens who do not wish to participate in this biometric collection should notify a CBP Officer or an airline or airport representative in order to seek an alternative means of verifying their identity and documents. CBP discards all photos of U.S. Citizens, once their identities have been verified.
But on March 6, 2018, the same FAQ stated:
Individuals seeking to travel internationally are subject to the laws and rules enforced by CBP and are subject to inspection. If a U.S. citizen, however, requests not to participate in the Traveler Verification System, specified agreements between CBP and the partner airline or airport authority will guide alternate procedures. For some participating airlines, a traveler may request not to participate in the TVS and, instead, present credentials to airline personnel before proceeding through the departure gate. In other cases of an opt-out, an available CBP Officer may use manual processing to verify the individual’s identity. (screenshot)
And on August 24, 2018 it read:
Individuals seeking to travel internationally are subject to the laws and rules enforced by CBP and are subject to inspection. However, if a U.S. Citizen does not wish to participate in the biometric entry or exit process, he or she must request to be processed using alternate procedures, such as presenting travel credentials to an available CBP Officer or authorized airline personnel. Without legal authority or the opportunity for public comment, CBP is making up the rules as it rolls out the program. (screenshot)
EPIC is concerned that the CBP's biometric entry/exit tracking system and techniques lack proper privacy safeguards and maintains that the public should be fully informed about these systems. Without access to relevant records, EPIC and the public cannot assess the level to which the biometric entry/exist systems used and developed by the CPB safeguard and respect individual privacy. EPIC therefore has a significant interest in obtaining CPB documents concerning the biometric entry/exit system and plan -- including reports, records, correspondence, training materials, technical specifications, memoranda, passenger complaints, contracts, policies and procedures.
EPIC previously sued the FBI over the Bureau's Next Generation Identification database, which contains face prints, fingerprints, and other biometrics of millions of Americans. EPIC's lawsuit against the FBI revealed that biometric identification is often inaccurate.
- EPIC's FOIA Request - Facial Recognition Air Entry Pilot Program (June 6, 2015)
- CBP's Final Production Letter (July 24, 2017)
- EPIC's FOIA Request - Iris Imaging Testing (Mar. 2, 2017)
- CBP's FOIA Acknowledgement (Mar. 9, 2016)
- EPIC's FOIA Request - Biometric Exit Program (Jun. 13, 2017)
- FOIA Production
- 1:1 Face ePassport Air Entry Experiment - Final Report
- Southern Border Pedestrian Field Test - Summary Report
- Supplemental FOIA Production
U.S. District Court for the District of Columbia (No. 17-1438)
- EPIC Complaint (July 19, 2017)
- Protecting the Nation From Foreign Terrorist Entry Into the United States, Executive Order 13780 (March 6, 2017)
- U.S. Department of Homeland Security, Comprehensive Biometric Entry/Exit Plan, 2016 Report
- Shayna Posses, EPIC Demands Info About Biometric Tracking At U.S. Borders, Law360 (July 20, 2017)
- Jeramie D. Scott, Facial recognition surveillance is here -- but privacy protections are not, The Hill (Jul. 13, 2017)
- Franks Bajak and David Koenig, Face scans for US citizens flying abroad stir privacy issues, AP News (Jul. 12, 2017)
- Donna Goodson, JetBlue to test facial recognition tech at Boston's Logan airport, (Jun. 1, 2017)
- Mark Rockwell, CBP reports advances in biometrics, FCW (May 24, 2017)
- Russell Brandom, Airport face recognition could extend to US citizens, says Customs, The Verge (May 9, 2017)
- Alex Perala, CBP Lays Out Biometric Entry-Exit Program Plan, Find Biometrics (Mar. 7, 2017)
Share this page:
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.