Privacy advocates say they still want better privacy protections for the agency's Entry-Exit program.
U.S. Customs and Border Protection rolled out a new website last month dedicated to its Biometric Entry-Exit program used to verify identities at ports. In a recent interview, a CBP official told Nextgov the new site aims to alleviate privacy concerns by providing a clear explanation of how CBP uses biometric facial comparison technology.
The new website launched September 1, one day before the Government Accountability Office publicly released an audit outlining failures by CBP to provide adequate notice informing travelers about the biometric program via signage at ports, website information and CBP call center assistance.
Deputy Executive Assistant Commissioner for CBP Field Operations Diane Sabatino told Nextgov CBP recognizes biometric facial comparison technology raises legitimate privacy concerns. But Sabatino said CBP’s Traveler Verification Service, or TVS, simply automates an existing process. This messaging features prominently on the new website, found at biometrics.cbp.gov.
“The application of the facial recognition technology as we apply it, it’s in an environment where an individual would normally expect to have to present themselves for identity verification purposes,” Sabatino said.
The website includes an explanation of what the program is, a 3D model demonstrating what the technology looks like at ports, and a list of the ports where the technology is deployed. There’s also a dedicated privacy section on the website.
Though work on the website project began in September 2019—prior to publication of the GAO audit—CBP said the website addresses some of the problems GAO noted in its audit. GAO conducted its audit from May 2019 to September 2020.
One factor CBP consistently highlights as a mitigator of privacy concerns is notice. Providing information via required privacy impact assessments, website information and signage at ports how the agency addresses at least some privacy concerns.
GAO’s September report found this notice isn’t always provided appropriately. For example, signs at some ports weren’t visible or contained outdated information. GAO alerted CBP to the fact the agency’s website lacked a full list of where the facial comparison technology is in use in May 2020. But by June 2020, the information still wasn’t updated, according to the audit.
The new website does contain a list of ports where biometric facial comparison is in use. While the GAO audit noted the technology is in use or being tested at 27 airports for exit, the new website lists 24. Both the audit and the new website counted the same number of airports where the technology was in use for entry, totaling 18.
Sabatino attributed the difference in numbers to the fact that some locations are in various stages of deployment. She said if a port is in the testing stage of implementation, it may not be listed on the website as a location where facial comparison is used even though the process of implementation has begun.
The brief privacy section on the website also contains critical information regarding storage of photos. For U.S. citizens, CBP may store photos for up to 12 hours. Photos of non-U.S. citizens can be held in the Homeland Security Department’s Biometric Identity Management System, known as IDENT, for up to 75 years. That length of time is consistent with practices across DHS.
“But to that end with respect to privacy, knowing that we're also in an environment where we're vulnerable to cyberattacks, we do use cloud-based technology that only that image for the purposes of identity verification is in that cloud environment,” Sabatino said. “There's no biographic data that's tied to those photos.”
Sabatino added private partners such as airlines are required to purge images; they aren’t allowed to use photos taken of travelers for any other purpose beyond the facial comparison program.
CBP has met with privacy advocacy groups to talk about Biometric Entry-Exit, Sabatino said. These groups include organizations like the Center for Democracy and Technology, among others.
Mana Azarmi, policy counsel at CDT, told Nextgov CBP’s effort to update the website to better provide notice to travelers is a positive step, but it’s not sufficient. Greater accountability is needed, according to Azarmi.
“We have been raising concerns about the program,” Azarmi said. “We haven’t seen responsive changes.”
Some of these concerns relate directly to information CBP touts on its website. Azarmi indicated the idea that biometric facial comparison merely automates existing processes, a point Sabatino made in the interview, is misleading. It’s possible to create a system of identification powered by scanning technology without collecting and storing information—including passport photos—from travelers, Azarmi said.
But with TVS, DHS takes photos travelers submit to the State Department to get passports and houses those photos in a DHS system, Azarmi said, limiting travelers’ ability to truly opt-out of the biometrics program.
The privacy section of the new website indicates concerned travelers have the ability to opt-out of participation in the program, but it offers few details clarifying what this means. Azarmi indicated the option to decline participation in the biometrics program is unrealistic without dedicated resources for people who wish to opt-out. Providing signage explaining the right to opt-out isn’t enough.
“If you don't have CBP or airport staff around for a traveler to communicate ‘Hey, I don't want to go through this process, I also don't want to have to go stand in another line that's going take me another half hour to get through,’ [then] it's not giving individuals a real choice,’” Azarmi said.
Still, clear and accurate notice is important. Updates to improve the quality and depth of notice CBP provides on its website are on the way, Sabatino indicated.
One change CBP may consider, Sabatino said, is to provide more information about where facial comparison is being tested so that travelers would be aware of any location they may interact with the technology versus only those locations where the technology is fully deployed.
Sabatino also said CBP is still working on the “Our Partners” section of the website. The website does not currently list which specific companies CBP works to deploy biometric facial comparison, but Sabatino said CBP does intend to include more information about partnerships.
One persistent concern with algorithms used for facial recognition is demographic differences. The National Institute of Standards and Technology published a landmark study in 2019 showing algorithms are markedly worse at identifying non-white faces.
CBP’s website doesn’t contain information about its algorithm’s performance despite these well-known challenges. When asked why it lacked details in this area, Sabatino said the website may be updated to include demographic performance information should CBP determine that was of concern to travelers.
“It certainly could be valuable to travelers and appreciate the feedback, if it is something we should include on the website,” Sabatino said. “We certainly have partnered with NIST with respect to the review of our algorithm and found it to be the gold standard for the application and the utilization that we've applied.”
Sabatino added that if, for whatever reason, CBP doesn’t have a passport photo available to conduct facial comparison or the technology is unable to make a match, that doesn’t necessarily lead officers to believe something wrong with the traveler. The officers simply revert back to the manual identity verification process, Sabatino said.
In the letter sent to GAO upon reviewing the draft of its audit, the DHS noted the website would be reviewed and updated on a monthly basis. At this point, CBP has audited only one of its industry partners participating in the Biometric Entry-Exit program to ensure privacy compliance. CBP said it has paused audit activity in 2020 due to the coronavirus pandemic. Once COVID-19 travel restrictions are lifted, CBP plans to conduct four to six reviews per year.
CBP also said its Privacy and Diversity Office is finalizing a privacy evaluation of TVS that will provide an evaluation of TVS program protections identified in previous compliance documents including Privacy Impact Assessments.
The revamp of the website and the GAO audit comes as DHS is expanding its use of biometric technology. CBP is currently working with the Transportation Security Agency to begin implementing TVS for domestic travel.
Sabatino emphasized the need for efficiency gains created by touchless identity verification has become clearer during the COVID-19 crisis. By the end of November, CBP officials hope to identify 67% of inbound traffic using biometric facial comparison, Sabatino said.
DHS also proposed a new rule in September that would increase the scope of the agency’s use of biometrics. The rule has concerned privacy advocates including CDT, which published comments this week urging DHS to withdrawal its proposal.