Customs Deploying Biometric Tech at Ports Without Fully Addressing Privacy Requirements, GAO Finds

A new audit shows Customs and Border Protection isn’t providing enough transparency to travelers regarding facial recognition technology at ports.

Customs and Border Protection failed to provide complete and accurate privacy notices and to conduct appropriate audits to ensure that the facial recognition technology the agency uses for identity checks complies with privacy standards.

A Government Accountability Office audit published Wednesday describes shoddy communication practices relating to how CBP informs the public of its facial recognition program, such as the use of signs with inaccurate information or signs that are hard to see at ports of entry such as land border crossings, international airports and seaports. CBP has also audited just one of its 27 airline partners involved in deploying facial recognition technology to determine whether they are complying with privacy policies. 

GAO completed the audit at the request of Rep. Bennie Thompson, D-Miss., who is chairman of the House Homeland Security Committee, and Sens. Ron Johnson, R-Wis., and Gary Peters, D-Mich., chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committees, respectively. 

Rebecca Gambler, the director of GAO’s homeland security and justice team, told Nextgov CBP has taken some steps to address privacy requirements, but the bottom line is there are additional areas that require more attention. She added this audit fits a pattern in terms of challenges CBP consistently faces in its efforts to implement facial recognition technology. 

“We have done a number of reviews looking at CBP’s efforts to develop and implement a biometric entry and exit system and we have, over the years, identified long-standing challenges in CBP’s efforts to develop and implement that system,” Gambler said.

The facial recognition program on which GAO focused in this latest report is used for entry and exit identity verification at ports of entry. The technology is deployed at land, sea and air ports, but it is currently used most at airports for air exit. As of May 2020, 27 airports including Hartsfield-Jackson in Atlanta, John F. Kennedy in New York and Dulles in Virginia deployed the technology.

The privacy findings fall into two categories: The first relates to upholding privacy commitments by informing the public about facial recognition technology, including information about how to opt out of participation in the program. The second has to do with CBP’s plans to conduct oversight of the program’s partners. Airlines are the agency’s major partner in the program.

GAO’s audit is based on visits to sites where facial recognition technology is deployed, interviews with local CBP agents, reviews of program documents like schedules and reports from pilot tests, Privacy Impact Assessments and a joint CBP and Transportation Security Administration report on facial recognition technology to Congress. 

GAO found multiple problems with signage at airports. In one case, Gambler said a sign with facial recognition information was obscured from view by another CBP sign. In another instance, signs displayed conflicting information regarding how long CBP would hang on to pictures used to verify identities because one of the signs was not up to date.

“The notices are really intended to provide travelers with information about CBP’s use of facial recognition technology, including locations where the technology is deployed and how the data collected is going to be used, and the notices are also to provide information on procedures for opting out if that's applicable,” Gambler said. 

In another instance, GAO auditors called a CBP call center inquiring about where facial recognition technology is deployed. The CBP operator didn’t have that information, and GAO also found the call center only operated on an intermittent basis. GAO also found information on CBP’s website was incomplete. GAO made the agency aware of discrepancies in May 2020, but when they again reviewed the website in June 2020, nothing had changed. 

This is a key point because the agency’s Privacy Impact Assessment of the program points to the availability of information on its website as a measure in place to provide transparency to the public under DHS’s own privacy standards. But that information was incomplete. Gambler did add that local CBP officials in interviews recognized it was their responsibility to inform the public about the technology. 

CBP also can’t yet know whether airline partners are complying with privacy requirements because it hasn’t checked, according to the audit. The agency hasn’t been conducting the necessary audits, and according to the GAO report, it doesn’t have plans to conduct future audits at this time.

Ultimately, GAO made five recommendations. The first three address the privacy concerns. They ask CBP to ensure privacy notices are complete and accurate, ensure those notices are available at locations using the technology and develop and implement a plan to audit partners.

The other two recommendations ask CBP to make sure it is capturing required traveler photos at air exit correctly and create a mechanism that automatically alerts CBP when the facial recognition technology’s performance falls below established, accepted thresholds.  

DHS agreed with all five recommendations, and also responded to the fifth by asking GAO to consider the issue resolved and closed. The agency said it has steps in place to address the performance-monitoring issue.

In a statement to Nextgov, Thompson said he is still concerned facial recognition technologies are unable to accurately and consistently process people of color. A major National Institute of Standards and Technology study in 2019 showed facial recognition algorithms were significantly less accurate when asked to identify people of color. GAO included several references to the 2019 study for context, but this latest audit was focused on privacy concerns. 

“It is clear that facial recognition technology has not been fully developed yet and still faces privacy and civil liberties questions,” Thompson’s statement reads. “It is apparent that facial recognition camera systems malfunction too often to be effective in the field—and these malfunctions are often due to skin color and age.” 

The offices of Sens. Johnson and Peters did not respond to requests for comment as of publication. 

The Biometric Entry-Exit Program is currently used for creating entry-exit records for foreign nationals, but other DHS agencies, including TSA, are beginning to use facial recognition technology on U.S. citizens as well.

TSA is conducting a pilot program at D.C.’s Ronald Reagan Washington National Airport testing biometric verification technology to confirm travelers’ identities at checkpoints. According to the GAO audit, TSA’s use of facial recognition technology at various ports is not mature enough to audit yet.