Homeland Security eyes expanding biometric collections at US borders
The initiative aims to collect a combination of fingerprints, facial images, and iris scans of foreign visitors, leading privacy advocates to worry that travelers would be put at greater risk of digital fraud and unwarranted surveillance.
Homeland Security officials are working on a plan to vastly expand the collection of biometric information at US borders in an effort to more closely track foreign visitors.
The program aims to put in place more biometric scanners, which may include iris, face, and fingerprints, at border crossings beginning in 2018 in an effort to ensure visitors do not leave the US under another person's passport.
Department of Homeland Security (DHS) officials told Passcode that by verifying the travelers' biometric information at border checkpoints, foreign visitors trying to overstay their visas in the US will not be able to send imposters out of the country in their place. DHS has collected biometrics in an entry and exit program since 2004.
The plan comes as the US government has implemented various measures to tighten border security, track visitors, and attempt to keep visitors with potential terrorist ties from entering the US or staying here illegally.
Earlier this year, the government imposed new restrictions on the Visa Waiver Program for people who have recently traveled to Syria and Iraq. The Customs and Border Protections agency also proposed collecting information about visitors' social media accounts to check for "possible nefarious activity."
The proposal for additional biometric screening at borders grew out of a post-9/11 effort to collect more information on foreign travelers. Several of the hijackers who perpetrated the 9/11 terrorist attacks overstayed their visas.
It's unclear how many visitors overstay their visas. At a congressional hearing in January, DHS was unable to provide a more recent number than a 1994 statistic – which said 40 percent overstay their visas. As for passport imposters, the agency recorded 776 cases in fiscal year 2015, and 571 cases in 2016 as of July 11, according to CBP data provided to Passcode.
"We truly believe that having biometrics on both exit and entry is going to be that next step in our transformative efforts to make the arrivals and departure processes the most efficient and secure it can be at the US border for both US citizens and our visitors," said Kevin McAleenan, deputy commissioner of US Customs and Border Protection (CBP), the DHS agency leading the charge for more biometric information.
DHS issued a public request for information (RFI) June 20 asking for ideas on how the government should expand its current capabilities. According to the RFI, collecting iris and fingerprint information, along with the biographic information on an individual's passport will "ensure that a traveler could not depart as an imposter (i.e., use someone else's travel documents/identity when departing) or have someone depart on his or her behalf (i.e., someone else uses the supposed traveler’s documents)."
Currently, US citizens' biometric information is discarded after the verification is confirmed at the checkpoint. All data for non-US citizens is stored for 75 years after collection, Mr. McAleenan said. That includes biometric information. Currently, McAleenan said, there is no system in place for expunging data collected on a foreigner if that person later becomes a US citizen.
The plan to potentially increase biometrics collection at borders has privacy advocates concerned about increased surveillance, data retention time, and the government's ability to safeguard that information.
According to the Customs and Border Protection documents on the proposal, biometric data collected from travelers is cross-referenced with criminal, immigration, and terror-watch databases. Privacy experts say that raises questions about whether the data will also be used outside the scope of border security, such as for surveillance while in the US.
"There’s always the potential that certain groups of people could be targeted disproportionately by a government surveillance program," said Jeramie Scott, director of the Electronic Privacy Information Center’s domestic surveillance project.
Other privacy advocates cited numerous high-profile data breaches such as the one at the US Office of Personnel Management, where suspected Chinese hackers made off with more than 5.6 million Americans’ fingerprint information, as evidence the US government can't reliably safeguard sensitive personal data.
"I really worry with this mass collection of biometric data that the government is not going to protect it appropriately and then all of a sudden we’ll see this information released and people’s identities will be stolen," said Jennifer Lynch, staff attorney at the Electronic Frontier Foundation.
Mr. McAleenan of DHS said the agency has "learned a lot" from the OPM breach and increased their security measures, but did not offer specifics. He emphasized that privacy is a priority for CBP and "culturally central to how we do business."
The agency has managed biometric data for some time, he said, in addition to other information such as cargo data. For this particular program expanding biometric collection, DHS costs will depend on which system the agency eventually chooses to go with. It wouldn't provide a ballpark figure.
Beyond the DHS plan to expand biometric checks, technology designed to track and analyze people's physical features and expressions has also expanded in recent years.
Biometric checks began at Washington Dulles International Airport in 2015, followed by inspections at John F. Kennedy International Airport in New York this year. Likewise, Customs and Border Protection implemented facial recognition and iris-scanning technology earlier this year at the Otay Mesa, Calif., outbound pedestrian border crossing. Fingerprint scanning is set to be in place at 20 of the nation's busiest airports by 2018.
Dr. Arun Ross, director of the Integrated Pattern Recognition and Biometrics lab at Michigan State University, said the collected data should, at a minimum, be encrypted while it is stored. It should also have "cancelable properties," which could nullify the value of stolen data.