This blog post was first published in The Hill on July 18, 2017.
This summer, the U.S. Department of Homeland Security (DHS) is expanding its program of subjecting U.S. and foreign citizens to facial recognition screening at international airports. This indiscriminate biometric surveillance program threatens the personal privacy of millions of travelers. DHS should end it.
The history of this program is a case study in mission creep. In 1996, Congress authorized automated tracking of foreign citizens as they enter and exit the U.S. In 2004, DHS began biometric screening of foreign citizens upon arrival. In 2016, DHS launched a pilot program of facial recognition screening of all travelers, U.S. and foreign citizens alike, on a daily international flight out of Atlanta’s Hartsfield-Jackson airport. In March 2017, President Trump’s revised travel ban ordered DHS to expedite the completion of biometric entry-exit screening of foreign citizens. Today, facial recognition screening is underway for all travelers on certain international flights out of two more pilot sites: Washington’s Dulles airport and Houston’s Bush airport. Later this summer, DHS will expand this program to five more international airports.
To be clear—what began as DHS’s biometric travel screening of foreign citizens morphed, without congressional authorization, into screening of U.S. citizens, too. In the words of DHS’s recent testimony to Congress: “U.S. citizens are not exempted from this process.” Privacy advocates have long opposed biometric screening of immigrants. Now we also oppose the expansion of biometric border screening to cover U.S. citizens.
For many reasons, DHS should end its ever-growing biometric border screening program.
First, facial recognition is a unique threat to our privacy. Most of us display our faces wherever we go. Cameras are increasingly accurate at great distances. Facial recognition algorithms are increasingly powerful. Computer systems are increasingly interoperable. Thus, for example, an easy-to-use Russian mobile app called FindFace allows strangers to identify each other by using facial recognition to link an ordinary phone camera to a popular social networking site. If identity thieves or stalkers target us, we can change our credit card numbers and even our names, but we cannot change our faces.
Second, facial recognition has significant accuracy problems. Thus, many international travelers will be unjustly delayed and scrutinized, and scarce law enforcement resources will be wasted, due to the inevitable errors of government biometric screening systems. Worse, facial recognition error rates are even higher for African-American travelers than for white travelers, perhaps because people of color are underrepresented in algorithmic training data. So the DHS program will have an inevitable racial disparate impact.
Third, data thieves might steal DHS’s biometric information. In the infamous 2015 data breach of the U.S. Office of Personnel Management, hackers absconded with the fingerprints of over five million people. As part of its border screening, DHS plans to retain the biometric information of U.S. citizens for as long as two weeks. DHS does not rule out keeping this sensitive information even longer. DHS retains the biometric information of foreign citizens for many years. DHS processes more than 300,000 international air travelers every day. Their biometric information will be an enticing target for data thieves.
Fourth, government employees might misuse DHS’s reservoir of biometric data. NSA and police officials alike (usually male) have abused sensitive government databases to acquire information about people (usually female) that they are romantically interested in.
Fifth, DHS might share with other government agencies the biometric information it seizes from travelers. Many government agencies share their biometric data with each other. For example, the FBI’s facial recognition system has access to more than 400 million photos held by other agencies (in addition to the FBI’s own repository of 30 million photos). Likewise, half of all adult U.S. drivers live in states whose motor vehicles agencies share their license photos with police facial recognition systems, according to a 2016 study by the Georgetown Law Center on Privacy and Technology. DHS’s biometric border screening system is part of this larger web of government biometric surveillance. If DHS shares its biometric data, the photographs of millions of innocent travelers could wind up in criminal justice databases.
Sixth, DHS might expand the ways it uses its biometric screening system. Today, DHS uses it to enforce immigration laws and ensure traveler identity. Tomorrow, DHS could try to use it to identify travelers who are wanted on outstanding warrants. Police warrant databases are riddled with error. And they include many people sought for traffic infractions and other minor offenses, which should not impede anyone from flying to a family event or a work opportunity.
DHS recently took the alarming position that “the only way for an individual to ensure he or she is not subject to collection of biometric information when traveling internationally is to refrain from traveling.” But our government should not try to force us to abandon one of our human rights (biometric privacy) in order to enjoy another (travel).
It gets worse. DHS is now exploring how to subject U.S. and foreign citizens to biometric airport screening not just for international departures, but also for international arrivals and even for domestic flights, according to a recent article in The Verge. A DHS executive explained: “Why not look to drive the innovation across the entire airport experience? . . . We want to make it available for every transaction in the airport where you have to show an ID today.”
Far from expanding its system of biometric border screening, DHS should end it. At a minimum, DHS must publish clear policies to ensure that any such screening is a knowing and voluntary opt-in choice, and that border agents do not coerce or trick any traveler into surrendering their biometric privacy.