WPF calls on Secretary of Homeland Security to provide formal notice and comment and address substantive concerns regarding the CBP biometric entry and exit program World Privacy Forum Skip to Content Javascript must be enabled for the correct page display Home Connect With Us: twitter Vimeo email Main Navigation Hot Topics

WPF calls on Secretary of Homeland Security to provide formal notice and comment and address substantive concerns regarding the CBP biometric entry and exit program

The World Privacy Forum sent a detailed letter (PDF, 18 pages) September 18, 2018 to the Secretary of Homeland security outlining our substantive concerns regarding the US Department of Homeland Security (DHS) Customs and Border Protection (CBP) and Transportation Security Administration (TSA) biometric[1]entry and exit program. The World Privacy Forum[2]letter calls on the Secretary to provide formal notice and solicit public comments pursuant to the Administrative Procedure Act, and to address and resolve the additional regulatory, legal and policy issues discussed in the letter. Although DHS issued three Privacy Impact Assessments regarding this program, DHS failed to provide formal notice and solicit public comments pursuant to requirements of the Administrative Procedure Act (APA) for its Phase I and Phase II pilot tests of the biometric entry and exit system. DHS failed to do so despite an extensive implementation of the stage II pilot of biometric technology at many airports with international flights, affecting millions of travelers annually. The WPF letter focuses on the specific problems of legal liabilities of the biometric entry and exit program, the lack of availability of redress under APA before programs are implemented, and the applicability of the Violence Against Women Act (VAWA) to these programs. This letter also identifies further implementation concerns regarding ownership of airport cameras, complex and unmapped data flows, and the role of biometric data sharing with commercial entities without adequate contractual or privacy controls. The letter also discusses the technical security problem of biometric morphing, something that DHS has not yet addressed in its Privacy Impact Assessments. In the letter, WPF requests that DHS immediately: Undertake a full notice and comment period for this program under the APA; and Address how biometric entry and exit will specifically comply with VAWA. Further, we requested that DHS share the following information publicly: The name(s) of the biometric vendors in use (including pilot program use) for all airlines, CBP, and TSA; The NIST facial recognition vendor tests for all biometric vendors involved in the pilot project; If vendors did not submit their facial recognition algorithm to the NIST FRVT, do the vendors plan on submitting their algorithms for the NIST biometric vendor tests, and when; If a NIST biometric vendor test does not exist for the relevant vendor(s) we request the vendors’ self-test to be made public; What morph detection mitigations, if any, has the CBP system has employed, including for affected individuals who may be ID theft victims; A complete list of all airports and other border crossings (sea and land) participating in the biometric program as of September 18, 2018; and Copies of the Memoranda of Understanding between CBP, the airlines, other transportation companies and other entities participating in the pilot program, including biometric systems vendors. The full WPF letter to DHS is available here: (PDF, 18 pages) [1]In this letter, biometric refers to automated recognition of individuals based on their biological and/or behavioral characteristics. There are many types of biometrics. For example facial recognition systems are a type of biometric, as are systems that include fingerprint analysis, iris recognition, and gait analysis. In this letter, we primarily discuss facial recognition biometric systems. See: International Organization for Standardization: Information technology, Vocabulary, Part 37: Biometrics. ISO/IEC 2382-37:2017, JTC 1/SC 37, Geneva, Switzerland, 2017. Available at: https://www.iso.org/standard/66693.html. [2]The World Privacy Forum is a non-profit public interest research and consumer education group focusing on issues related to consumer privacy and data protection. Our work includes substantive, original, peer-reviewed research in the field of biometrics as it relates to privacy. Our work may be found at www.worldprivacyforum.org.

Related documents

The full WPF letter to DHS is available here PDF 18 pages

Posted September 21, 2018 in Biometrics, Government privacy, ID Ecosystem, Identity, Privacy Act of 1974, Public Policy, Risk assessment, US Customs and Border Protection, US Department of Homeland Security Next »Voting system data breach notifications – National Academies of Science recommendations for securing voting systems « PreviousIndia’s Supreme Court delivers long-awaited Aadhaar decision WPF updates and news CALENDAR EVENTS

WHO Constituency Meeting WPF co-chair

6 October 2022, Virtual

OECD Roundtable WPF expert member and participant Cross-Border Cooperation in the Enforcement of Laws Protecting Privacy

4 October 2022, Paris, France and virtual

OECD Committee on Digital and Economic Policy fall meeting WPF participant

27-28 September 2022, Paris, France and virtual more Recent TweetsWorld Privacy Forum@privacyforum·7 OctExecutive Order On Enhancing Safeguards For United States Signals Intelligence Activities The White House https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/Reply on Twitter 1578431679592427526Retweet on Twitter 1578431679592427526Like on Twitter 1578431679592427526TOP REPORTS National IDs Around the World — Interactive map About this Data Visualization: This interactive map displays the presence... Report: From the Filing Cabinet to the Cloud: Updating the Privacy Act of 1974 This comprehensive report and proposed bill text is focused on the Privacy Act of 1974, an important and early Federal privacy law that applies to the government sector and some contractors. The Privacy Act was written for the 1970s information era -- an era that was characterized by the use of mainframe computers and filing cabinets. Today's digital information era looks much different than the '70s: smart phones are smarter than the old mainframes, and documents are now routinely digitized and stored and perhaps even analyzed in the cloud, among many other changes. The report focuses on why the Privacy Act needs an update that will bring it into this century, and how that could look and work. This work was written by Robert Gellman, and informed by a two-year multi-stakeholder process. COVID-19 and HIPAA: HHS’s Troubled Approach to Waiving Privacy and Security Rules for the Pandemic The COVID-19 pandemic strained the U.S. health ecosystem in numerous ways, including putting pressure on the HIPAA privacy and security rules. The Department of Health and Human Services adjusted the privacy and security rules for the pandemic through the use of statutory and administrative HIPAA waivers. While some of the adjustments are appropriate for the emergency circumstances, there are also some meaningful and potentially unwelcome privacy and security consequences. At an appropriate time, the use of HIPAA waivers as a response to health care emergencies needs a thorough review. This report sets out the facts, identifies the issues, and proposes a roadmap for change.