EPIC v. CBP (Biometric Entry/Exit Program)
- EPIC FOIA: Massive DHS Biometric Database Still Lacks a Privacy Impact Assessment: In response to EPIC's Freedom of Information Act request, the Department of Homeland Security confirmed that no privacy impact assessment has been completed for a vast DHS biometric database known as the "Homeland Advanced Recognition Technology." The HART database will include fingerprints, iris scans, and facial images on millions of individuals. The documents EPIC did obtain from DHS consist of privacy threshold reviews that indicate a privacy impact assessment is required and was expected by January 2019. A previous document obtained by EPIC show that the Homeland Advanced Recognition Technology database is part of the facial recognition Biometric Entry/Exit program at US airports. (May. 3, 2019)
- EPIC to TSA: Conduct Rulemaking on Facial Recognition: In comments to inform the Transportation Security Administration's 2020 National Strategy, EPIC recommended that TSA to suspend the facial recognition program at US airports. EPIC wrote, "The TSA's use of facial recognition lacks the safeguards necessary for implementation." EPIC has also warned lawmakers and the DHS about the biometric border program that incorporates deploy facial recognition. EPIC has urged the agency to undertake a notice and comment rule making that would provide the public with the opportunity to comment on the controversial program. EPIC successfully required TSA to conduct a rulemaking on its deployment of airport body scanners in EPIC v. DHS. EPIC also recommended that TSA incorporate the Universal Guidelines for Artificial Intelligence, endorsed by over 300 organizations and experts, for AI-based systems. (Apr. 26, 2019) More top news »
The CBP's implementation of a Comprehensive Biometric Entry/Exit Plan currently includes the testing of facial recognition and iris imaging capabilities at exit/entry points within the US. The FY 2016 Consolidated Appropriations Act provides up to a $1 billion for the CBP biometric entry/exit program and President Trump's Executive Order "Protecting the Nation From Foreign Terrorist Entry into the United States"(Executive Order 13780 of March 6, 2017) explicitly calls on CBP to "expedite the completion and implementation of a biometric entry exit tracking system." These techniques pose significant threats to privacy and civil liberties, in particular the ability to conduct facial recognition covertly, remotely and on a mass scale. The lack of precautions that can be taken to prevent the collection of one's facial image, in addition to the absence of well-defined federal regulations controlling the collection, use, dissemination, and retention of biometric identifiers, raises serious privacy concerns for the individual. Identification through these processes eliminates an individual's ability to control their identities and poses a specific risk to the First Amendment rights of free association and free expression.
CBP's 1:1 Facial Recognition Air Entry Pilot Program
Facial recognition technology has been used by CBP officers at airport entry screening points. This roll out began with a sixty-day field test deploying equipment to take photos of individuals at ports of entry and using facial recognition technology to compare the photo stored on the embedded computer chip in U.S. passports. The program has been expanded to all U.S. airports and to cover first-time travelers form VWP countries. Individuals, including U.S. citizen, do not have the option to opt-out of the facial recognition comparison process.
CBP states it will "retain facial images and comparison match score data from those travelers who are subject to an adverse or law enforcement action resulting from secondary inspection." This retention was expanded to include those "images with scores that fall in the mandatory referral range" as well as "all facial images taken during secondary inspection."
CBP's Biometric Exit Program
A pilot facial recognition program (the Departure Information Systems Test ("DIST")) began in June 2016 at Hartsfield-Jackson Atlanta International Airport. The purpose of the pilot was to test the accuracy of CBP's facial recognition technology. The CBP stated that the agency's "initial findings support the piloted process as a viable solution to fulfill the mandated biometric exit requirements in certain settings." However, no report explaining these initial findings has been released to the public.
Under this program, CBP would create exit records for passengers and retain them in CBP's Advance Passenger Information System ("APIS"). CBP officers would take a photo of the passenger and match it to a photo in the flight-specific galleries in the Automated Targeting System ("ATS") consisting of compilations of photos from the Automated Biometric Identification System ("IDENT"), the Department of State's Consolidated Consular Database, and U.S. Citizen and Immigration Service's Computer Linked Adjudication Information Management System ("CLAIM 3"). Photos of U.S. citizens could be retained until their identities were confirmed, and the photos of non-U.S. citizens could be retained for up to fifteen years in the DVS system in ATS.
The Traveler Verification Service ("TVS") is an iteration of the agency's biometric exist system that uses a cloud environment for facial recognition. A production of a "report identifying how each algorithm performed" was expected following the release of a TVS PIA update in May 15, 2017. DHS Deputy Executive Assistant Commissioner, John Wagner, has stated that TVS will be expanded to eight airports during the summer of 2017.
A JetBlue self-boarding program will utilize CBP's facial recognition technology to verify the identity of JetBlue customers and CBP's database of passport, visa, and immigration photographs and is part of CBP's "ongoing trials to implement a biometric exit process in the future."
CBP's Iris Imaging Testing
The CBP is testing "iris imaging capabilities" at Otay Mesa Port of Entry. Testing, beginning in December 2015, consisted of capturing the iris images of non-U.S. citizens entering the U.S. and requiring certain non-U.S. citizens to "provide facial and iris biometrics to compare to their entry record.";
The CBP has three goals for the entry/exit strategy they have developed: (1) reducing biographic gaps by expanding biographic collection, (2) conducting targeted biometric operations, and (3) transforming entry/exit operational processes.
CBP's Changing Rules
Without any formal procedure in place, CBP has frequently changed the FAQs provided on the agency's website with regard to opt-out procedures. As of December 11, 2018, the FAQs read:
Are U.S. Citizens required to provide biometrics for the entry-exit system?
U.S. Citizens who are entering or exiting the country are generally required to be in possession of a valid U.S. passport. At this time, however, CBP does not require U.S. Citizens to have their photos captured when entering or exiting the country. U.S. Citizens who do not wish to participate in this biometric collection should notify a CBP Officer or an airline or airport representative in order to seek an alternative means of verifying their identity and documents. CBP discards all photos of U.S. Citizens, once their identities have been verified.
But on March 6, 2018, the same FAQ stated:
Individuals seeking to travel internationally are subject to the laws and rules enforced by CBP and are subject to inspection. If a U.S. citizen, however, requests not to participate in the Traveler Verification System, specified agreements between CBP and the partner airline or airport authority will guide alternate procedures. For some participating airlines, a traveler may request not to participate in the TVS and, instead, present credentials to airline personnel before proceeding through the departure gate. In other cases of an opt-out, an available CBP Officer may use manual processing to verify the individual’s identity. (screenshot)
And on August 24, 2018 it read:
Individuals seeking to travel internationally are subject to the laws and rules enforced by CBP and are subject to inspection. However, if a U.S. Citizen does not wish to participate in the biometric entry or exit process, he or she must request to be processed using alternate procedures, such as presenting travel credentials to an available CBP Officer or authorized airline personnel. Without legal authority or the opportunity for public comment, CBP is making up the rules as it rolls out the program. (screenshot)
EPIC is concerned that the CBP's biometric entry/exit tracking system and techniques lack proper privacy safeguards and maintains that the public should be fully informed about these systems. Without access to relevant records, EPIC and the public cannot assess the level to which the biometric entry/exist systems used and developed by the CPB safeguard and respect individual privacy. EPIC therefore has a significant interest in obtaining CPB documents concerning the biometric entry/exit system and plan -- including reports, records, correspondence, training materials, technical specifications, memoranda, passenger complaints, contracts, policies and procedures.
EPIC previously sued the FBI over the Bureau's Next Generation Identification database, which contains face prints, fingerprints, and other biometrics of millions of Americans. EPIC's lawsuit against the FBI revealed that biometric identification is often inaccurate.
- EPIC's FOIA Request - Facial Recognition Air Entry Pilot Program (June 6, 2015)
- CBP's Final Production Letter (July 24, 2017)
- EPIC's FOIA Request - Iris Imaging Testing (Mar. 2, 2017)
- CBP's FOIA Acknowledgement (Mar. 9, 2016)
- EPIC's FOIA Request - Biometric Exit Program (Jun. 13, 2017)
- FOIA Production
- 1:1 Face ePassport Air Entry Experiment - Final Report
- Southern Border Pedestrian Field Test - Summary Report
- Supplemental FOIA Production
U.S. District Court for the District of Columbia (No. 17-1438)
- EPIC Complaint (July 19, 2017)
- Protecting the Nation From Foreign Terrorist Entry Into the United States, Executive Order 13780 (March 6, 2017)
- U.S. Department of Homeland Security, Comprehensive Biometric Entry/Exit Plan, 2016 Report
- Shayna Posses, EPIC Demands Info About Biometric Tracking At U.S. Borders, Law360 (July 20, 2017)
- Jeramie D. Scott, Facial recognition surveillance is here -- but privacy protections are not, The Hill (Jul. 13, 2017)
- Franks Bajak and David Koenig, Face scans for US citizens flying abroad stir privacy issues, AP News (Jul. 12, 2017)
- Donna Goodson, JetBlue to test facial recognition tech at Boston's Logan airport, (Jun. 1, 2017)
- Mark Rockwell, CBP reports advances in biometrics, FCW (May 24, 2017)
- Russell Brandom, Airport face recognition could extend to US citizens, says Customs, The Verge (May 9, 2017)
- Alex Perala, CBP Lays Out Biometric Entry-Exit Program Plan, Find Biometrics (Mar. 7, 2017)
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.