The facial recognition program for international arrivals in airports is rolled out in all international airports in the United States.
Customs and Border Protection continues to expand its facial recognition program at airports, sea ports and land entry points, but concerns about oversight and the potential for so-called “mission creep” remain, witnesses and lawmakers said at a July 27 House Homeland Security hearing.
As of July, 32 airports use facial recognition to confirm identities as travelers leave the country, according to testimony from the Government Accountability Office. All U.S. international airports use the technology for arriving visitors.
In March 2020, the entry program covered 18 airports and the exit program had 27, according to an earlier GAO report.
Although the agency has been prioritizing airports, CBO also deployed the system at 26 sea ports and 159 land ports.
The program dates back to laws from the late 1990s that mandated the development of an entry-exit data system for foreign nationals entering the United States.
Going through the facial recognition process is required for certain international visitors, but U.S. citizens can opt out. The images of Americans who do go through the process are deleted in 12 hours, according to the agency.
Many witnesses emphasized the need for more audits, one of several recommendations GAO made in 2020 that remains open. In 2019, the program suffered a breach of 184,000 images.
CBP has conducted five audits of airline partners, and had three more underway as of last month, according to the testimony of Rebecca Gambler, director of Homeland Security and Justice at GAO. But it needs to also audit sea and land partners and vendors and contractors that can access information, she said.
“Facial recognition technology raises questions about data privacy and how passengers’ information is used and stored. It also raises questions about the adequacy of the oversight mechanisms in place,” said Chair of the Subcommittee on Border Security, Facilitation and Operations, Nanette Barragán (D-Calif.), who also pointed to the lack of a “robust system for conducting audits.”
She also addressed the concern that the system or its data could be used beyond this program alone.
“Current authorized uses are set by policy and guidance, which are more open to change than laws, rules, and regulations,” said Barragán. “Understanding CBP’s use of facial recognition technology and the issues and concerns surrounding its use is crucial to our responsibility to conduct oversight.”
Her counterpart, ranking member Clay Higgens (R-La.), said although “the deployment of this technology is something that we should carefully consider and control,” Congress should also “embrace” it and “recognize that it has advanced tremendously since its introduction.”
Jeramie Scott, senior counsel at the Electronic Privacy Information Center, also spoke about the potential for “mission creep.”
He recommended that Congress add new requirements like barring the program’s use of one-to-many facial recognition technology (a more controversial method that compares a photo against a database of images, as opposed to matching two photos) and requiring that the system only be used for this particular program, as well as mandating annual third-party audits.
“Unless regulations are put in place to end or at least limit the biometric entry-exit use of facial recognition technology, the program will continue to expand well beyond its intended purpose,” Scott said, calling the expansion of the system a “tool of surveillance.”
Daniel Tanciar, former CBP deputy executive director of the unit that does this entry and exit program and current chief innovation officer at Pangiam, pointed to existing guardrails like opt-out provisions, limited data retention for Americans and privacy notices.
“Civil liberty and privacy protections were built into the program at the forefront,” he said. “This is not surveillance.”
CBP itself touted in a June announcement about the system that the process saves time, catches fraudulent documents and fulfills a Congressional mandate. A recent watchdog report also found that the agency has strengthened its internal procedures for facial recognition over the past two years.