The Department of Homeland Security is rushing to implement a March 2017 executive order issued by President Trump mandating the use of facial recognition to identify “100 percent of all international passengers” – including American citizens, according to BuzzFeed.
Originally signed into law by President Obama in 2015, Trump’s EO accelerates the program, which will be implemented by US Customs and Border Protection (CBP) in 20 top US airports by 2021 (Of note, seventeen international airports already use facial recognition, including “Atlanta, New York City, Boston, San Jose, Chicago, and two airports in Houston”).
Many major airlines are on board with the idea — Delta, JetBlue, British Airways, Lufthansa, and American Airlines. Airport operations companies, including Los Angeles World Airports, Greater Orlando Aviation Authority, Mineta San Jose International Airport, Miami International Airport, and the Metropolitan Washington Airports Authority, are also involved. –BuzzFeed
According to a 346-pages of “as-yet-unpublished” documents obtained by the Electronic Privacy Information Center and reviewed by BuzzFeed News, US Customs and Border Protection is furiously rushing to meet the deadline for this “biometric entry-exit system” – which will use facial recognition technology on more than 100 million passengers in as little as two years, or roughly 16,300 flights per week.
As BuzzFeed notes, the biometric systems are being implemented “despite questionable biometric confirmation rates and few, if any, legal guardrails.”
What’s more, there are no limits to how airlines can use facial recognition data.
These same documents state — explicitly — that there were no limits on how partnering airlines can use this facial recognition data. CBP did not answer specific questions about whether there are any guidelines for how other technology companies involved in processing the data can potentially also use it. It was only during a data privacy meeting last December that CBP made a sharp turn and limited participating companies from using this data. But it is unclear to what extent it has enforced this new rule. CBP did not explain what its current policies around data sharing of biometric information with participating companies and third-party firms are, but it did say that the agency “retains photos … for up to 14 days” of non-US citizens departing the country, for “evaluation of the technology” and “assurance of the accuracy of the algorithms” — which implies such photos might be used for further training of its facial matching AI. –BuzzFeed
“CBP is solving a security challenge by adding a convenience for travelers,” said an agency spokesperson in an email to BuzzFeed. “By partnering with airports and airlines to provide a secure stand-alone system that works quickly and reliably, which they will integrate into their boarding process, CBP does not have to rebuild everything from the ground up as we drive innovation across the travel experience.”
Meanwhile, it appears that CBP has simply skipped part of the “rulemaking process” – foregoing public feedback prior to implementing the technology. Beyond “privacy, surveillance and free speech implications,” this is worrisome according to BuzzFeed, which notes that last summer the ACLU reported that Amazon’s facial recognition technology falsely matched 28 members of congress with arrest mugshots.
According to a Homeland Security OIG report, CBP was able to provide biometric confirmation for just 85% of passengers processed, while mexican and Canadian citizens were “particularly problematic” reports BuzzFeed.
“The low 85-percent biometric confirmation rate poses questions as to whether CBP will meet its milestone to confirm all foreign departures at the top 20 US airports by fiscal year 2021,” said the audit – while a spokesperson said that the rate has risen to 98.6% since the report.
“I think it’s important to note what the use of facial recognition [in airports] means for American citizens,” said Jeramie Scott – director of EPIC’s Domestic Surveillance Project. “It means the government, without consulting the public, a requirement by Congress, or consent from any individual, is using facial recognition to create a digital ID of millions of Americans.”
“CBP took images from the State Department that were submitted to obtain a passport and decided to use them to track travelers in and out of the country,” said Scott.
“Facial recognition is becoming normalized as an infrastructure for checkpoint control,” said ACLU senior policy analyst Jay Stanley. “It’s an extremely powerful surveillance technology that has the potential to do things never before done in human history. Yet the government is hurtling along a path towards its broad deployment — and in this case, a deployment that seems quite unjustified and unnecessary.”
CBP has suggested that privacy concerns are overblown, and that “CBP is committed to protecting the privacy of all travelers and has issued several Privacy Impact Assessments related to [its biometric entry-exit program], employed strong technical security safeguards, and has limited the amount of personally identifiable information used in the transaction,” according to an agency spokesperson.
“THE MOST OPERATIONALLY FEASIBLE AND TRAVELER-FRIENDLY OPTION”
According to CBP’s Concept of Operations document released in June 2017, “Airlines, airports, TSA, and CBP are facing fixed airport infrastructure with little opportunities for major investment, increased national security threats with pressures for solutions, and increased traveler volume.”
“Collectively, this is a status quo that is not sustainable for any of the main stakeholders, and failure to change will ultimately result in increases in dissatisfied customers, use of alternative modes of travel, and vulnerability to serious threats.”
In June 2016, CBP began its first pilot for facial recognition technology in airports at the Hartsfield–Jackson Atlanta International Airport. Once a day, for a flight from Atlanta to Tokyo, Japan, passengers’ passport photos were biometrically matched to real-time photographs. Before travelers proceeded to the passenger loading bridge to board their flight, CBP officers told passengers to scan their boarding passes, then a camera snapped a digital image of the traveler’s face; a CBP-developed back-end system called the Departure Information System used facial recognition to automatically compare photos during boarding against a photo gallery. Everyone between the ages of 14 and 79 was expected to participate. –BuzzFeed
CBP says that the stated goal is to “identify any non-U.S. citizens subject to the exit requirements who may fraudulently present” travel documents, and that the agency has “no plans to biometrically record the departure of U.S. citizens.”
That said, the CBP also says that it “does not believe there is enough time to separate U.S. citizens from non-U.S. citizen visitors prior to boarding” … “therefore, facial images will be collected for U.S. citizens as part of this test so that CBP can verify the identity of a U.S. citizen boarding the air carrier.”
Once a traveler is identified and confirmed as a US citizen, the CBP claims their image is deleted.
Three months after the 2016 pilot, CBP switched to monitoring a daily flight from Atlanta to Mexico City. By the end of November that year, the test was being run on approximately seven flights per week.
The result of these tests? “CBP concluded that facial recognition technology … was the most operationally feasible and traveler-friendly option for a comprehensive biometric solution,” according to a DHS Inspector General audit of the government’s facial recognition biometrics program.
As the system expanded, in June 2017 CBP replaced it’s Departure Information System with a more advanced automated matching system known as “Traveler Verification Service” (TVS) which could “[operate] in a virtual, cloud-based infrastructure that can store images temporarily and operate using a wireless network.” Once a passenger boarded a plane, TVS transmits confirmation of a biometric match across other DHS systems, according to BuzzFeed.
CBP says it allows U.S. citizens to decline facial verification and to instead have their identities confirmed through the usual manual boarding process. “CBP works with airline and airport partners to incorporate notifications and processes into their current business models, including signage and gate announcements, to ensure transparency of the biometric process,” an agency spokesperson said in an email to BuzzFeed News. But of 12 flights observed by OIG during its audit in 2017, only 16 passengers declined to participate.
According to Delta, less than 2% of its weekly 25,000 passengers going through the Atlanta airport’s Terminal F, which features “curb to gate” facial recognition systems, opt out of using the tech. –BuzzFeed
my Emirates flight from Dulles is using facial recognition scans on passengers as a part of the pilot with CBP. I asked the airlines about whether they had informed people and let them know about their options to opt out. They pointed to a board, not super visible from the queue pic.twitter.com/VNs5u6N1XZ
— Mishraji (@Tanvim) March 8, 2019
Meanwhile, CBP is allowing people wearing “religious headwear” to pass through security checkpoints at the discretion of airport personnel.
Read the rest of the report here.