Sep 03 2020

GAO report on DHS use of facial recognition on travelers

The Government Accountability Office (GAO) has released a new report requested by Congressional oversight committee chairs describing and assessing the ways that US Customs and Border Protection (CBP) and the Transportation Security Administration (TSA) use facial recognition to identity and track international (CBP) and domestic (TSA) travelers.

Here’s how the GAO says it works  (click flowchart for larger version): The GAO report doesn’t address several of the most significant issues with DHS use of facial recognition to identify travelers, including:

  • The Constitutionality of automated surveillance of travelers’ exercise of their right to travel, including their First Amendment right to assemble;
  • How and on what legal basis the DHS acquires drivers license photos to compare with the webcam photos of travelers taken at domestic airline departure gates;
  • Whether CBP and TSA have complied with the Privacy Act;
  • Whether the exceptions in the Privacy Act comport with the “Fair Information Practices Principles” that the DHS purports to comply with;
  • Whether CBP and TSA have complied with the Paperwork Reduction Act; and
  • Whether US citizens and permanent residents are, in fact, allowed to opt out of having mug shots taken at departure gates or international ports of entry.

The GAO report doesn’t mention either Automated Passport Control (APC) kiosks or the Mobile Passport Control (MPC) apps, both of which capture mug shots or “selfies” of arriving international travelers. It’s unclear whether or not these were included in the scope of the GAO study, or why they would have been considered out of scope.

It’s unclear whether the GAO actually audited the flow of data, or whether the GAO took CBP and TSA at their word as to what data is transferred between what entities.

Within its limited scope, the GAO report found some problems that should be red flags suggestive of potentially more serious lurking problems:

  • Although CBP and TSA claim to have placed restrictions on how airlines and airports can use images collected and shared with CBP and/or TSA, the DHS has audited only one of at least twenty airlines sharing facial images with DHS. DHS uses of facial recognition covered by the GAO audit had begun by 2017, but the first DHS data protection audit of a single airline didn’t take place until March 2020. The GAO doesn’t mention having conducted, or tried to conduct, any such audit itself, and doesn’t specify how these purported “restrictions” are imposed on partners or are supposed to be enforced. The GAO also doesn’t mention audits, either by the GAO or by DHS, of airport operators, service providers, contractors, or other DHS partners.
  • Signs giving notice of use of facial recognition were often missing or hidden.
  • Standard CBP and TSA signs, even when present and visible, fail to give clear notice of how to opt out of facial recognition or the consequences of opting out.
  • The lists on CBP and TSA websites of airports, seaports, and land border crossings where facial recognition is being used are inaccurate.

Here’s the GAO’s list of airports, seaports, and land border crossings where CBP and/or TSA are using facial recognition ot identity and track travelers, as of March 2020:

The GAO report makes clear that neither airlines nor airports are required to use facial recognition: “Because airline and airport partners participate voluntarily, they can choose to manually verify travelers’ identities (not use facial recognition technology) for any
reason.” Travelers should continue to demand — as customers of airlines, and as constituents of government bodies that operate airports — that airlines and airports stand up for travelers against government surveillance,  and opt out of facial recognition.