US Customs and Border Protection (CBP) has published a new Privacy Impact Assessment (PIA) for its Automated Passport Control (APC) kiosks and Mobile Passport Control (MPC) apps.  Unlike most PIA’s, this one does not say why it was prepared, or what, if anything, about the programs it assesses has changed. But it appears to be a response — although an inadequate and possibly still a factually inaccurate one — to some of our complaints.

At many international airports and some cruise ports  in the US, travelers — including US citizens — have to submit their mug shots to CBP through either an APC kiosk or the MPC smartphone app before they are allowed to proceed to CBP officers for customs, immigration, and agricultural inspections.  This requirement is enforced by “line minders” manning the velvet ropes and directing pedestrian traffic inside “sterile” arrival areas. These line minders are employed by the airline, airport, and/or their contractors or sub-contractors, making it easy for CBP to deny any responsibility for their actions.

In January of this year, we were part of a meeting between civil liberties and human rights organizations and CBP officials on the subject of these  “biometric entry/exit” schemes.

The CBP officials we met with in January denied that anyone is required to use the APC kiosks, contrary to our experience and that of other participants in the meeting.

When we complained that CBP hasn’t complied with even the minimal notice requirements of the Privacy Act and the Paperwork Reduction Act (PRA) for this sort of data collection, CBP’s Privacy Officer responded, “I do not consider this program to be operating in violation of the Privacy Act, therefore, I have nothing to investigate.”

But although CBP didn’t conduct an “investigation”, it does appear to have conducted a new “assessment” and published a new set of claims about what it is doing.

What does CBP now say about its mug shots of arriving travelers? And is it true?

We call B.S.

The new CBP Privacy impact Assessment (PIA) claims that (1) use of the APC kiosks is voluntary, and (2) the APC kiosks and MPC apps include initial popup notices including a Paperwork Reduction Act (PRA) notice and a notice of the right to opt out:

Eligible travelers who voluntarily elect to use the APC kiosks or an MPC-enabled mobile application must acknowledge a CBP Privacy Policy, a Disclaimer Notice, and the business sponsor and/or application developer’s Privacy Policy prior to download. Eligible travelers obtain immediate notice on the kiosk or mobile application screens prior to entering their information. Upon first use of the mobile application, or before the individual provides information, he or she is confronted with a pop-up message that requires his or her direct and affirmative consent in order to continue using the application. The notices inform travelers that the use of these approaches is purely voluntary and that they retain the option of proceeding directly to the CBPO for the more traditional examination….

When travelers approach the APC kiosk, they must acknowledge the CBP Privacy Policy and other required notices (7) by following the instructions provided on the kiosk screen. Then the traveler scans or swipes his or her passport’s machine-readable zone (MRZ), poses for a facial photograph captured by the kiosk and its server, and verifies biographic and flight information by answering a series of  CBP inspection-related questions on the touch screen.

7. Notices include Intellectual Property Rights, Paperwork Reduction Act, and Section 311 of the Trade Facilitation and Trade Enforcement Act of 2015 Notice.

For starters, the claim about providing notices “prior to download” of the MPC app is patent nonsense. It’s either a deliberate and knowing lie or indicative of gross incompetence or gross negligence on the part of those who signed off on the CBP “assessment”.  Nobody who has actually tested downloading or using these apps could possibly believe this claim to be true.

Downloading the Android version of the MPC app from the Google Play Store requires only a single click on “Install”. There’s no link to any privacy policy and no way to see any privacy policy or notices until after the app is installed. If you install and run the app, you have to enter your personal information including a “selfie” photo before you get to any privacy notices, link to privacy policy, or notice of your right to opt out.

The page for the iOS version of the app on the Apple App Store includes a link to a “privacy policy”. But that link goes to the terms of use for the Website of the contractor who produced the app. It doesn’t even appear to pertain to the app itself, and certainly doesn’t say anything about CBP, the Privacy Act, or the PRA.

Hundreds of thousands of people have downloaded and installed these apps. Any of them can see that what CBP says about these app isn’t true. Who does CBP expect to fool?

A popup message citing OMB Control Number 1651-0009 (discussed further below) is displayed in the Android app after personal information including passport details and a selfie photo have been entered. But that’s not what the PIA claims. And since the Android app can only be installed through the Google Play Store, which requires root privileges on the device, there’s no way for the user to tell if any or all of this information has already been transmitted to the government and/or private parties before the notice is displayed. The same is presumably true for the iOS app available through the Apple App Store.

As for the APC kiosks, we’ve never seen a popup Privacy Act or PRA notice on any of them in the past, including when we have arrived in the US as recently as early in March 2018.

Has anyone who has entered the US more recently seen such a notice on an APC kiosk?

Has CBP added new notices to the APC kiosks in the last few weeks,  or are they still lying about the APC kiosks as well as about the MPC apps?

It’s significant that CBP now says explicitly that, “use of these approaches [APC kiosks and MPC apps] is purely voluntary and [travelers] retain the option of proceeding directly to the CBP for the more traditional examination.” If you don’t want to add a “selfie” to the CBP’s files every time you enter the US, you might want to save and/or print a copy of this portion of the PIA to show the next line-mender who won’t let you out of the roped-off corral around the APC kiosks unless and until you show an APC receipt including your photo.

Have you been told that you had to use the APC kiosks, or prevented from “proceeding directly to the CBP” past the APC kiosks without using them?

And if there is a PRA notice on any of the APC kiosks, what OMB control number does it cite? Our guess is that it would be OMB Control Number 1651-0009. But so far as we can tell, neither this nor any other OMB approval or OMB control number would actually apply to mug shots of arriving US citizens.

OMB Control Number 1651-0009, which previously covered the paper customs declaration forms, was most recently amended in 2015 to add the collection of the same information as is on the paper forms through the APC kiosks and MPC apps (which have already been in use, illegally, without OMB approval). But this OMB approval was for an “extension without change of an existing information collection”, adding the kiosks and apps only as new modes of collection of the same data. The supporting documents submitted to OMB specifically stated that all of the information to be collected through the kiosks and apps was already included on the paper form. The paper form, of course, didn’t include photos or any other biometric data, and the collection of this data remains unapproved.

The CBP Privacy Impact Assessment doesn’t even pretend to address the requirement of the Privacy Act for explicit statutory authorization for collection of information about the exercise of rights protected by the First Amendment, including speech and assembly.

In our meeting with CBP officials in January, they claimed that airlines and airports (including those that own and/or operate the APC kiosks) have no interest in retaining photos or other biometric identification data  about travelers or using them for other purposes. But airlines, airport operators, and their technology providers continue to say exactly the opposite, in the plainest possible terms.

For example, a white paper on biometrics for passenger processing published in March by SITA, an IT service provider cooperative founded and jointly owned by its member airlines, stress the priority placed by the industry on “interoperability and common use” of biometric data, including commercial use of government-mandated personal data:

Julie Shainock, Global Director Travel and Transportation, Microsoft … believes that it would be great for airlines and airports to have access to this information, so the airline/airport does not have to ask a passenger or guest for the same information available to other security agencies. This will eliminate redundancy….

IATA’s One ID concept seeks to introduce a collaborative identity management solution that spans across all process steps and stakeholders in the end-to-end journey from booking to destination… Rather than asking passengers to identify themselves at each touchpoint in a repetitive manner, to various stakeholders and for different purposes, the idea is to authenticate the passenger’s identity just once, to a sufficiently high standard and as early as possibly in the process, ideally prior to arriving at the airport, and then sharing this information with authorized stakeholders so that the passenger will not just be recognized but actually expected at subsequent touchpoints…

The end goal is to provide passengers with a frictionless experience as they go through the airport…. Creating this walk-through experience will require smart integration of biometrics with next-generation access control systems, as well as with the existing airline and airport systems.