The State Department maintains a huge data warehouse called the Consular Consolidated Database (“CCD”) that stores current and archived data about U.S. persons (i.e., citizens and legal permanent residents) and non-U.S. persons (i.e., foreign nationals). All data is pulled from applications for visas, passports, and American Citizen Services, and includes names, addresses, birthdates, biometric data (fingerprints and facial images), race, identification numbers (e.g., social security numbers and alien registration numbers) and country of origin.
Initially created to increase the efficiency of consular activity and to provide up-to-date information on transactions at domestic and post databases, the CCD functions as the “central consolidated storage facility” for the Bureau of Consular Affairs. The CCD also interfaces with other internal DOS facial recognition systems, such as the Automated Biometric Identification System (“ABIS”) and Integrated Biometric System (“IBS”). Both ABIS and IBS are “enterprise-level, facial-recognition matching” programs, and receive data from visa and passport applications via the CCD and disseminate facial recognition matching results with external agencies via the CCD. One of the uses of the data stored within the CCD is “[r]egistration of applicant facial images for Facial Recognition.”
The CCD also serves as the “repository of data flows” between the State Department and external federal agencies that provide input to passport and visa approval systems. The CCD is integrated with and serves as a “gateway” to the Department of Homeland Security’s Automated Biometric Identification System (“IDENT”), which performs automated fingerprint checking, and “other Federal biometric systems.”
External data dissemination via the CCD is of interest to EPIC because of the risks created by external agencies’ use of biometric data to perform facial recognition. For example, Customs and Border Protection uses facial photos collected by the State Department perform facial recogintion at airports as part of the Biometric Entry/Exit program.
Facial recognition systems are computer-based security systems that are able to automatically detect and identify human faces. Facial recognition technology can be deployed “covertly, even remotely, and on a mass scale,” and there is little an individual can do to prevent collection of his or her image. Facial images and other types of biometric data are especially sensitive because, “unlike other means of identification . . . it cannot be changed.” That external agency facial recognition programs receive data from and disseminate results through the CCD raises serious privacy and civil liberties concerns.
The CCD Privacy Impact Assessment states that “[a]ll external agencies that share information with the CCD are required to sign an Memorandum of Understanding or Memorandum of Agreement, which generally define a set of responsibilities and requirements.” EPIC is pursuing this FOIA request to make public these agreements and make more transparent the extent of dissemination of the biometric data collected by the State Department.