CBP Attempts to Mitigate Privacy Risks Created by New Customs App

CBP One will become the primary public-facing portal for a number of customs programs and services. But any new data collection effort brings privacy risks.

The Customs and Border Protection agency launched a new app, CBP One, late last year, to streamline public access to various customs services. But the new app creates a number of privacy concerns—as does any government data collection effort.

Per congressional mandate for any new federal data collection, CBP issued a privacy impact assessment detailing these issues and the agency’s response and mitigation efforts.

“CBP One will eventually replace and upgrade existing CBP public-facing mobile applications to improve user interaction and services,” and create a single portal for a variety of travelers, the PIA states.

The app targets several demographics, including travelers; brokers, carriers and forwarders; and international organizations working on behalf of people enrolled in the Migrant Protection Protocols program. All of these users upload sensitive information through the app, whether they are scheduling cargo inspections, submitting passenger manifests, or recording biometric and biographic information for the MPP.

CBP plans to add functionality for aircraft operators, bus operators, seaplane pilots, commercial truck drivers and vessel operators in the near future and will publish addendums to the privacy impact assessment for each.

The assessment also notes the CBP ROAM app—which “permits small pleasure boat operators along the Northern Border to report their arrival into United States”—will be removed from app stores this spring as its functionality gets wrapped into the CBP One app.

“Individuals using CBP One to report their travel into and out of the United States have to provide more information than users scheduling agriculture inspection appointments,” the PIA states.

Users will have to submit personal information through the app, though the app itself won’t store any of that information.

“Regardless of the function, CBP One does not store any information locally on the device,” according to the impact assessment. “CBP pushes all information collected through CBP One to back-end systems associated with the functions the user is using.”

The assessment gives the example of inspections for agricultural imports. The CBP One app collects the information, but only acts as a pass-through to the Amazon Web Services cloud environment that traditionally hosts and stores this information.

“Additionally, CBP has analyzed the application to ensure that information is sent only to CBP and the application can only access the information necessary to complete the functions,” the assessment states.

But by its nature as a data collection tool, the CBP One app creates some privacy issues, which the agency attempts to address in the privacy impact assessment.

For instance, the assessment notes some of the app’s functions collect geolocation data that could then be used by CBP to surveil or otherwise track users.

CBP officials claim the risk is “fully mitigated,” as geolocation data is collected only at the point and time of submission and the user’s device can’t be tracked afterward.

“At the time the user submits his or her exit or entry, the device’s GPS is pinged by CBP One and the latitude and longitude coordinates are sent to CBP,” the PIA states. “The GPS ping is only collected at the exact time the user pushes the submit button and is used to confirm the traveler’s device is in some cases inside a certain CBP-defined radius or outside the United States.”

The assessment states the location data is only used to confirm travelers are within certain geographic requirements—“e.g., to determine that the individual is in the 1-mile radius pertinent reporting requirement for the report of arrival of pleasure boats through CBP ROAM or outside of the United States for exit”—and “is not visible to CBP officers or agents.”

Similarly, new users must provide some personal information—namely their email address and phone number—to create an account through Login.gov, a General Services Administration-run tool that offers single sign-on for federal programs. While users must have a Login.gov account to access CBP One, the GSA program maintains those credentials and does not share that information with CBP.

Other potential risks to personally identifiable information include the upload of inaccurate information, either by the traveler or by someone submitting information about that person, whether on their behalf or maliciously.

CBP considers this risk “fully mitigated,” despite it being technically possible.

“It is unlikely that a user will submit inaccurate information … about another person. Primarily, because there is no benefit in submitting inaccurate information through CBP One,” the PIA states.

That said, the agency is taking additional steps, including verifying biographic information and, when needed, the identity of the user.