We were invited to a briefing session today at U.S. Customs and Border Protection (CBP) headquarters: “an information sharing session and open dialog … with external privacy stakeholders” to discuss “recent enhancements to CBP’s biometric exit initiatives” and “CBP’s implementation plans for a biometric exit system”.
Although we weren’t able to make it to Washington for today’s meeting, we have many questions about CBP’s ongoing (and illegal, as discussed below) photographing of the faces of US citizens entering the US, and the agency’s plans to expand the current (also illegal) trials of exit photography to include most or all US citizens leaving the country.
We look forward to another chance to quiz CBP officials about these programs and their (lack of) legal basis. More importantly, we hope that members of Congress and the public will ask hard questions about these programs if regulations or legislation are proposed that would purport to authorize them.
We share the general concerns raised by others about the use of biometric information such as facial photos (mug shots) for suspicionless dragnet surveillance of any travelers. The right to leave any country is explicitly guaranteed by international treaty (Article 12 of the ICCPR) as a human right independent of citizenship.
But we find it especially objectionable — and likely to be illegal — that CBP is extending these surveillance schemes to US citizens. Here are some of the issues:
(1) CBP SHOULD NOT PHOTOGRAPH US CITIZENS WHEN WE LEAVE OR RETURN TO THE US.
We suspect that DHS takes it as a fait accompli that biometric data collection on exit from the US, including mug shots of US citizens, will be implemented, and only wants input from “privacy stakeholders” on how to minimize or mitigate its inherently intrusive and privacy-invasive character.
But if CBP wants a genuinely “open dialog” with its critics, it should start with whether any entry-exit tracking system should include US citizens at all.
We think compulsory suspicionless taking of mug shots of US citizens, solely on the basis of our exercise of our right to cross US borders, is unauthorized by law and would be unconstitutional even if a law were passed purporting to authorize it.
International air travel is the exercise of a right protected by Federal statute (“the public right of freedom of transit” by air, 49 USC 40101 and 40103), the First Amendment (“the right of the people… peaceably to assemble”), and international treaty (Article 12 of the ICCPR, as effectuated with respect to air travel by 49 USC 40101 and 40103). International air travel by common carrier is not a suspicious act that justifies intrusions on rights. Rather, it is a protected act, and restrictions on such a right are subject to strict scrutiny.
Abundant case law recognizes the intrusiveness of the taking of mug shots, requires that booking photos be taken only when an arrest is lawful, and requires that, in the absence of such a lawful basis for arrest and booking formalities, booking photos be expunged. Suspicionless photography of the faces of every US citizen leaving or returning to the US does not satisfy these established Constitutional standards.
(2) THE CURRENT FACIAL PHOTOGRAPHY OF US CITIZENS IS BLATANTLY ILLEGAL.
As we’ve discussed previously, CBP is already violating both the Paperwork Reduction Act (PRA) and the Privacy Act in its collection of photos (biometric data) of arriving US citizens, as well as in its pilot of biometric exit photography, to the extent that any US citizen is being required to allow the taking of a mug shot.
(A) Paperwork Reduction Act: The Paperwork Reduction Act requires that approval be obtained from the Office of Management and Budget (OMB) prior to any collection of information from ten or more individuals, and that the “control number” assigned by OMB be provided to each individual when information is collected. Each respondent must also be provided with an explicit statement of whether responses are voluntary or mandatory and, if they are mandatory, what Federal statute provides the basis for that mandate. But no OMB approval has been obtained and no OMB control number has been assigned for collection of photos of US citizens on entry or exit.
We’ve never seen an OMB control number or Privacy Act statement on the Automated Passport Control (APC) kiosks at airports that are already being used for collecting entry photos of US citizens.
CBP says most photos of US citizens will be deleted within 14 days. But the PRA governs the collection of information, regardless of whether or how long it is retained.
CBP obtained OMB approval and an OMB control number for information collection at APC kiosks, but (1) we haven’t seen that OMB control number or the required PRA statement displayed or available through the kiosk user interface or in the kiosk areas, (2) the OMB approval was based on the clearly false claims in the required public notices and in the supporting documents submitted to OMB (a) that the kiosks would collect only the same information as is included on the written customs declaration form, when in fact the kiosks also collect facial photos, and (b) that only non-US citizens would be photographed, when in fact photos of US citizens’ faces are already being collected, and (3) there’s certainly no OMB control number for any exit collection of information, biometric or otherwise, from US citizens as they are departing from the US or US airports. Exit declarations or questionnaires have not previously been required of US citizens.
(B) Privacy Act: The Privacy Act, 5 U.S. Code § 552a (e)(7), forbids the collection of data regarding the exercise of First Amendment rights (which include the right to assemble, which encompasses much travel and movement data) without explicit statutory authorization.
There is no statutory authorization, much less explicit authorization, for photographing US citizens or for any other collection of entry or exit tracking information, biometric or otherwise, about US citizens.
CBP’s latest Privacy Impact Assessment cites four statutes that it claims provide the legal basis for its biometric entry-exit tracking programs.
But each of these laws refers explicitly to requirements for “aliens” or “foreign nationals”, or refers to categories of persons to which a previous one of these acts applies, thereby incorporating by reference a definition limited in its applicability to non-US citizens.
In addition, the Privacy Act requires that data be collected, to the maximum extent feasible, directly from data subjects. But CBP is collecting photos through airline and airport intermediaries, and intends to continue and expand this prohibited outsourcing. (More on the implications and problems of this below.)
Without statutory authority, CBP can’t implement or authorize an entry/exit tracking scheme that includes US citizens merely by promulgating regulations. Congress would need to authorize it first, and the courts would need to uphold its Constitutionality if it were challenged, as we expect it would be.
CBP needs to bring its current biometric data collection from US citizens into compliance with these laws before Congress considers authorizing their expansion. And CBP’s failure to comply with even these minimal procedural rules gives good cause for grave doubt — on the part of both Congress and the public — as to whether the agency can or should be trusted to respect other restrictions on use of personal information or surveillance data.
Why is CBP illegally including US citizens in these tracking (i.e. surveillance) programs, and proposing to expand this practice?
Just as it is easier for the NSA and its telecom company collaborators (phone companies and Internet service providers) to collect all message traffic, and then discard or ignore that which pertains to US persons, rather than limiting collection to non-US persons, so it is logistically easier for DHS and its airline industry collaborators to track and collect data about the movements of all travelers, and then discard or ignore the data about US citizens, rather than limit the initial tracking and data collection to aliens.
Similarly, DHS mandates to airlines to collect (and make available to DHS) additional identifying data about travelers (as has already been done, as discussed further below) or biometric data (as is now being done and as may be expanded) are analogous to CALEA mandates to telecom companies to collaborate in government surveillance of their customers and users.
Congress wants something for nothing: it wants exit controls and passport checks on travelers leaving the US, without paying for them. This leads to pressure to outsource that function to airlines, which leads to pressure to bribe the airlines to collaborate and perform the data collection by giving airlines a free ride to use the data for their own purposes.
This is why we see further integration of DHS into airline IT systems and business processes as per se a Bad Thing which should be fought at every step.
At least there are some statutory and regulatory privacy rules applicable to telecom companies, although getting them enforced against collaboration in government surveillance has been an uphill battle. The situation with respect to travel surveillance is much worse than for communications surveillance: There are no comparable rules applicable to airlines, except to the extent that such restrictions can be considered implicit in their obligations as common carriers. That’s why the question of what information a common carrier can demand of passengers without violating its common carrier obligations is so important.
(3) MUG SHOTS WILL BE AVAILABLE FOR UNRESTRICTED AND UNDISCLOSED COMMERCIAL USE BY AIRLINES AND AIRPORTS.
A biometric facial photo entry/exit system outsourced to airlines would allow airlines to compile a comprehensive database of mug shots of international travelers, identified by name, date of birth, and passport number, which travelers will be required by the government to provide, not merely to the government, but also to the airlines.
What restrictions, if any, exist or will be imposed on the ability of airlines to retain, disseminate, monetize, or otherwise use this valuable data, for their own purposes or on behalf of any third party willing to pay their price?
It appears that CBP is replicating with facial photos of travelers the problems that already occur — and that we’ve been complaining about for years — when air travelers are required by DHS to provide Secure Flight Passenger Data for domestic flights or Advanced Passenger Information for international flights (date of birth, ID credential number, etc.) to airlines — but neither DHS nor the Department of Transportation (DOT) imposes any restrictions on retention, use, or onward disclosure of that data by airlines or airports.
Privacy of travel data held by common carriers has long fallen through jurisdictional cracks between DHS, DOT, and the Department of Commerce, as a coalition of privacy advocates has pointed out.
Given that CBP is talking about “collaboration” with airlines and airports in collecting biometric data, it’s critical for CBP to include DOT officials responsible for transportation common carrier data privacy in the discussion.
The State Department already has a database of passport photos, of course. But sharing of those photos with airlines, either to track the entries and exits of US citizens or for airlines’ commercial purposes, is not among the authorized routine uses or disclosures of those photos.
We are not aware of any airline that has yet tried to include provisions in its conditions of carriage requiring passengers to submit to photography or collection of other biometric data. But DOT has not yet promulgated any guidance as to whether it would approve or disapprove such terms.
What limits, if any, does DOT recognize on what biometric or other personal data an airline could require passengers to submit?
We would argue that such a requirement would violate an airline’s duty to operate as a common carrier, and DOT’s duty to require that airlines operate as common carriers that respect the right to air travel.
But again, DHS should bring DOT into these discussions, so we know what, if anything, DOT might do. Otherwise airlines would continue to get a free ride to use data collected under government mandate for their own profit, including as the basis for personalized pricing (the goal of the “New Distribution Capability” envisaged by IATA’s Resolution 787).
(4) AIRLINES CANNOT BE TRUSTED TO PROTECT PERSONAL INFORMATION ABOUT TRAVELERS.
Airlines have a dismal long-term track record of grossly insecure storage and uncontrolled dissemination of personal information about travelers.
Major vulnerabilities in the computerized reservations systems (CRSs) used to store airline passenger data were discussed in published reports, and reported to the CRS companies, more than 15 years ago. After a shocking public demonstration of these same continued vulnerabilities at a hacker conference last December in Germany, and following the intervention of several key Members of the European Parliament, these vulnerabilities are finally being investigated by the European Commission as violations of the data protection rules in the European Union “Code of Conduct for CRSs”.
But nothing has been done in the US, where CRSs are completely deregulated. These known and well-publicized vulnerabilities (and others) remain, while airlines in the US, EU, and worldwide continue to rely on these knowingly insecure CRSs as outsourced hosts for data about reservations and passengers.
There is compelling evidence in airlines’ longstanding and continued lack of concern for the security of passenger data that these same airlines should not be trusted with an additional massive database of travelers’ facial images — as is currently contemplated by CBP.
There are good reasons why the Privacy Act requires data to be collected directly by the government from data subjects whenever that is feasible. That provision of the law should be strictly applied to the collection of data about travelers and our movements.