WPF calls on Secretary of Homeland Security to provide formal notice and comment and address substantive concerns regarding the CBP biometric entry and exit program
The World Privacy Forum sent a detailed letter (PDF, 18 pages) September 18, 2018 to the Secretary of Homeland security outlining our substantive concerns regarding the US Department of Homeland Security (DHS) Customs and Border Protection (CBP) and Transportation Security Administration (TSA) biometric[1]entry and exit program. The World Privacy Forum[2]letter calls on the Secretary to provide formal notice and solicit public comments pursuant to the Administrative Procedure Act, and to address and resolve the additional regulatory, legal and policy issues discussed in the letter.
Although DHS issued three Privacy Impact Assessments regarding this program, DHS failed to provide formal notice and solicit public comments pursuant to requirements of the Administrative Procedure Act (APA) for its Phase I and Phase II pilot tests of the biometric entry and exit system. DHS failed to do so despite an extensive implementation of the stage II pilot of biometric technology at many airports with international flights, affecting millions of travelers annually.
The WPF letter focuses on the specific problems of legal liabilities of the biometric entry and exit program, the lack of availability of redress under APA before programs are implemented, and the applicability of the Violence Against Women Act (VAWA) to these programs. This letter also identifies further implementation concerns regarding ownership of airport cameras, complex and unmapped data flows, and the role of biometric data sharing with commercial entities without adequate contractual or privacy controls. The letter also discusses the technical security problem of biometric morphing, something that DHS has not yet addressed in its Privacy Impact Assessments.
In the letter, WPF requests that DHS immediately:
- Undertake a full notice and comment period for this program under the APA; and
- Address how biometric entry and exit will specifically comply with VAWA.
Further, we requested that DHS share the following information publicly:
- The name(s) of the biometric vendors in use (including pilot program use) for all airlines, CBP, and TSA;
- The NIST facial recognition vendor tests for all biometric vendors involved in the pilot project;
- If vendors did not submit their facial recognition algorithm to the NIST FRVT, do the vendors plan on submitting their algorithms for the NIST biometric vendor tests, and when;
- If a NIST biometric vendor test does not exist for the relevant vendor(s) we request the vendors’ self-test to be made public;
- What morph detection mitigations, if any, has the CBP system has employed, including for affected individuals who may be ID theft victims;
- A complete list of all airports and other border crossings (sea and land) participating in the biometric program as of September 18, 2018; and
- Copies of the Memoranda of Understanding between CBP, the airlines, other transportation companies and other entities participating in the pilot program, including biometric systems vendors.
The full WPF letter to DHS is available here: (PDF, 18 pages)
[1]In this letter, biometric refers to automated recognition of individuals based on their biological and/or behavioral characteristics. There are many types of biometrics. For example facial recognition systems are a type of biometric, as are systems that include fingerprint analysis, iris recognition, and gait analysis. In this letter, we primarily discuss facial recognition biometric systems. See: International Organization for Standardization: Information technology, Vocabulary, Part 37: Biometrics. ISO/IEC 2382-37:2017, JTC 1/SC 37, Geneva, Switzerland, 2017. Available at: https://www.iso.org/standard/66693.html.
[2]The World Privacy Forum is a non-profit public interest research and consumer education group focusing on issues related to consumer privacy and data protection. Our work includes substantive, original, peer-reviewed research in the field of biometrics as it relates to privacy. Our work may be found at www.worldprivacyforum.org.
Related documents:
-
The full WPF letter to DHS is available here: (PDF, 18 pages).