This month some cruise lines are joining airlines and airports in taking mug shots of travelers and passing them on to US Customs and Border Protection (CB P). CBP uses these facial images (“biometrics”) for border and travel control and general law enforcement (policing and surveillance) purposes, and shares them with other Department of Homeland Security components and other domestic and foreign entities.

The addition of cruise lines to CBP’s travel industry “partnerships” for collecting biometric data about  travelers was disclosed in a July 6, 2018, update to the Privacy Impact Assessment (PIA) for the CBP/DHS “Traveler Verification Service (TVS) Partner Process”.

Most aspects of the new CBP partnerships for outsourced photo surveillance of travelers by cruise lines are similar to those already in operation with airlines and airports.

But there’s one significant difference: The PIA update says that US citizens traveling by sea will be allowed to opt out of being photographed or having their photos sent to CBP:

U.S. Citizens may choose to inform the cruise line that they do not wish to participate in the photo collection process. Instead, they will submit to an alternative inspection performed by a CBP Officer. Signage and optional tear sheets will be provided for travelers who are U.S. Citizens to inform them that they have the voluntary option to inform the cruise line that they do not wish to participate in the photo collection process and would rather be inspected by a CBP Officer.

It’s  not clear whether allowing US citizens to opt out of cruise line mug shots is a result of questions about the legal basis for demands for US citizens to submit to mug shots as a condition of travel from members of Congress or from the Identity Project and other civil liberties and human rights organizations, or of pushback from cruise lines.

But the updated PIA still fails to recognize any similar right for US citizens to opt out of the ongoing facial photography by CBP partner airlines and airports. According to the PIA:

If a traveler, however, requests not to participate in the TVS, specified agreements between CBP and the partner airline or airport authority will guide opt-in or opt-out procedures. For some participating airlines, a traveler may request not to participate in the TVS and instead present credentials to airline personnel before proceeding through the departure gate. In other cases of an opt-out, an available CBP Officer may employ manual processing to verify the individual’s identity.

These references to “some” CBP agreements with airlines and airport operators stop short of any assurance that all of these agreements require airlines, airports, and their agents and contractors to allow US citizens to opt out. And none of these agreements between CBP and its travel industry collaborators have been made public.

In the PIA, CBP continues to disclaim any responsibility for how airlines and airports use the photos they are collecting in partnership with CBP and DHS:

For CBP partners and their approved vendors or integrators who retain the images in line with their business purposes and processes, signed Memoranda of Understanding (MOU) with CBP will govern their retention practices…. However, once the images are shared with CBP, the airline or airport authority, along with their approved integrator or vendor, may choose to retain the newly-captured photos consistent with their contractual relationship with the traveler.

To find out what’s really been agreed to or promised, and what — if any — opt out rights are recognized in the agreements with which airlines and airports, we’ve made a request under the Freedom of Information Act for all CBP agreements with airlines and airports for collection or sharing of  biometric information about travelers, as well as any CBP records related to the legal basis for requiring travelers to allow collection of biometric data.

CBP officials are active participants in discussions with airline and airport industry partners on joint collection and use  of shared biometric data for government purposes and airline and airport business process automation. But airlines are common carriers, and almost all US airports with scheduled airline service are publicly owned.

So far as we know, neither the US Department of Transportation nor any US court has yet addressed the question of what or how much biometric or biographic  personal information can lawfully be required by an airline as a condition of carriage, consistent with:

1. Its obligations as a  Federally regulated common carrier.
2. The “public right of transit” recognized in the Airline Deregulation Act of 1978.
3. The rights to freedom of movement and personal privacy recognized in the International Covenant on Civil and Political Rights (as effectuated in this respect by the “public right of transit” clause of the Airline Deregulation Act).
4. The rights of members of the traveling public and the status of airlines as common carriers recognized in bilateral and multilateral aviation treaties to which the US is a party.

For airport operators, particularly public entities, there are additional potential issues  related to privacy rules applicable to public entities in their respective jurisdictions.

As governments work with public and private informers such as airlines and airports to outsource more of their photographic and other surveillance of travelers, these issues of the legal basis for demands to submit to such surveillance will grow.

We urge civil liberties and human rights lawyers, scholars, and activists to begin researching these issues, which are likely to be critical to future travel surveillance law.