EPIC v. CBP (Biometric Entry/Exit Program)
- Indian Supreme Court Imposes New Limits on National Identity System: In a ruling today, the Indian Supreme Court imposed new limits on Aadhar, India's national biometric identification system. The Court found the system did not violate the Indian constitution, but struck down a section of the law permitting private entities to demand Aadhar to verify identity. Aadhar can no longer be mandatory to register for education, open a bank account, or obtain a cell phone connection. However, the state-issued number may still be required for purposes related to government funds, including filing an income tax. The Court also struck down an exception authorizing disclosure of Aadhar data for national security purposes. The Court encouraged the state to establish a "a robust statutory regime" for data protection "in near future." The dissent would have held Aadhar unconstitutional. The biometric system "violates essential norms pertaining to informational privacy, self-determination and data protection," the dissent states, and "dignity of individuals cannot be made to depend on algorithms or probabilities." Last year, India's Supreme Court ruled that privacy is a fundamental right under the Indian Constitution. EPIC has also backed comprehensive privacy legislation in comments to the Indian government, and urged creation of a private right of action and breach notification requirement. (Sep. 26, 2018)
- EPIC Urges DHS To Abandon Privacy Act Exemptions for New Biometric Database: In comments to the Department of Homeland Security, EPIC urged the agency to withdraw proposed Privacy Act exemptions that would reduce privacy safeguards in the federal government. The Immigration Biometric and Background Check database will contain personal data on U.S. and non-U.S. citizens. DHS has proposed to exempt the database from several Privacy Act protections, including ensuring that records are accurate, timely, and complete. DHS also claims numerous “routine uses” that allow the agency to disseminate the data to law enforcement and intelligence agencies. EPIC has urged strict compliance with Privacy Act obligations and warned that inaccurate, insecure, and overbroad government databases threaten both privacy and national security. (Aug. 31, 2018) More top news »
The CBP's implementation of a Comprehensive Biometric Entry/Exit Plan currently includes the testing of facial recognition and iris imaging capabilities at exit/entry points within the US. The FY 2016 Consolidated Appropriations Act provides up to a $1 billion for the CBP biometric entry/exit program and President Trump's Executive Order "Protecting the Nation From Foreign Terrorist Entry into the United States"(Executive Order 13780 of March 6, 2017) explicitly calls on CBP to "expedite the completion and implementation of a biometric entry exit tracking system." These techniques pose significant threats to privacy and civil liberties, in particular the ability to conduct facial recognition covertly, remotely and on a mass scale. The lack of precautions that can be taken to prevent the collection of one's facial image, in addition to the absence of well-defined federal regulations controlling the collection, use, dissemination, and retention of biometric identifiers, raises serious privacy concerns for the individual. Identification through these processes eliminates an individual's ability to control their identities and poses a specific risk to the First Amendment rights of free association and free expression.
CBP's 1:1 Facial Recognition Air Entry Pilot Program
Facial recognition technology has been used by CBP officers at airport entry screening points. This roll out began with a sixty-day field test deploying equipment to take photos of individuals at ports of entry and using facial recognition technology to compare the photo stored on the embedded computer chip in U.S. passports. The program has been expanded to all U.S. airports and to cover first-time travelers form VWP countries. Individuals, including U.S. citizen, do not have the option to opt-out of the facial recognition comparison process.
CBP states it will "retain facial images and comparison match score data from those travelers who are subject to an adverse or law enforcement action resulting from secondary inspection." This retention was expanded to include those "images with scores that fall in the mandatory referral range" as well as "all facial images taken during secondary inspection."
CBP's Biometric Exit Program
A pilot facial recognition program (the Departure Information Systems Test ("DIST")) began in June 2016 at Hartsfield-Jackson Atlanta International Airport. The purpose of the pilot was to test the accuracy of CBP's facial recognition technology. The CBP stated that the agency's "initial findings support the piloted process as a viable solution to fulfill the mandated biometric exit requirements in certain settings." However, no report explaining these initial findings has been released to the public.
Under this program, CBP would create exit records for passengers and retain them in CBP's Advance Passenger Information System ("APIS"). CBP officers would take a photo of the passenger and match it to a photo in the flight-specific galleries in the Automated Targeting System ("ATS") consisting of compilations of photos from the Automated Biometric Identification System ("IDENT"), the Department of State's Consolidated Consular Database, and U.S. Citizen and Immigration Service's Computer Linked Adjudication Information Management System ("CLAIM 3"). Photos of U.S. citizens could be retained until their identities were confirmed, and the photos of non-U.S. citizens could be retained for up to fifteen years in the DVS system in ATS.
The Traveler Verification Service ("TVS") is an iteration of the agency's biometric exist system that uses a cloud environment for facial recognition. A production of a "report identifying how each algorithm performed" was expected following the release of a TVS PIA update in May 15, 2017. DHS Deputy Executive Assistant Commissioner, John Wagner, has stated that TVS will be expanded to eight airports during the summer of 2017.
A JetBlue self-boarding program will utilize CBP's facial recognition technology to verify the identity of JetBlue customers and CBP's database of passport, visa, and immigration photographs and is part of CBP's "ongoing trials to implement a biometric exit process in the future."
CBP's Iris Imaging Testing
The CBP is testing "iris imaging capabilities" at Otay Mesa Port of Entry. Testing, beginning in December 2015, consisted of capturing the iris images of non-U.S. citizens entering the U.S. and requiring certain non-U.S. citizens to "provide facial and iris biometrics to compare to their entry record.";
The CBP has three goals for the entry/exit strategy they have developed: (1) reducing biographic gaps by expanding biographic collection, (2) conducting targeted biometric operations, and (3) transforming entry/exit operational processes.
EPIC is concerned that the CBP's biometric entry/exit tracking system and techniques lack proper privacy safeguards and maintains that the public should be fully informed about these systems. Without access to relevant records, EPIC and the public cannot assess the level to which the biometric entry/exist systems used and developed by the CPB safeguard and respect individual privacy. EPIC therefore has a significant interest in obtaining CPB documents concerning the biometric entry/exit system and plan -- including reports, records, correspondence, training materials, technical specifications, memoranda, passenger complaints, contracts, policies and procedures.
EPIC previously sued the FBI over the Bureau's Next Generation Identification database, which contains face prints, fingerprints, and other biometrics of millions of Americans. EPIC's lawsuit against the FBI revealed that biometric identification is often inaccurate.
- EPIC's FOIA Request - Facial Recognition Air Entry Pilot Program (June 6, 2015)
- CBP's Final Production Letter (July 24, 2017)
- EPIC's FOIA Request - Iris Imaging Testing (Mar. 2, 2017)
- CBP's FOIA Acknowledgement (Mar. 9, 2016)
- EPIC's FOIA Request - Biometric Exit Program (Jun. 13, 2017)
- FOIA Production
- 1:1 Face ePassport Air Entry Experiment - Final Report
- Southern Border Pedestrian Field Test - Summary Report
- Supplemental FOIA Production
U.S. District Court for the District of Columbia (No. 17-1438)
- EPIC Complaint (July 19, 2017)
- Protecting the Nation From Foreign Terrorist Entry Into the United States, Executive Order 13780 (March 6, 2017)
- U.S. Department of Homeland Security, Comprehensive Biometric Entry/Exit Plan, 2016 Report
- Shayna Posses, EPIC Demands Info About Biometric Tracking At U.S. Borders, Law360 (July 20, 2017)
- Jeramie D. Scott, Facial recognition surveillance is here -- but privacy protections are not, The Hill (Jul. 13, 2017)
- Franks Bajak and David Koenig, Face scans for US citizens flying abroad stir privacy issues, AP News (Jul. 12, 2017)
- Donna Goodson, JetBlue to test facial recognition tech at Boston's Logan airport, (Jun. 1, 2017)
- Mark Rockwell, CBP reports advances in biometrics, FCW (May 24, 2017)
- Russell Brandom, Airport face recognition could extend to US citizens, says Customs, The Verge (May 9, 2017)
- Alex Perala, CBP Lays Out Biometric Entry-Exit Program Plan, Find Biometrics (Mar. 7, 2017)
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.