Nov 30 2020

CBP proposes to require mug shots of all non-US citizen travelers

Last December we called attention to plans  by US Customs and Border Protection (CBP) to require mug shots of all travelers entering or leaving the US by air or sea, including US citizens.

Within days, CBP issued a press release falsely accusing us of incorrectly reporting  the official CBP notice of its plans, and saying that it would withdraw its notice the next time the regulatory agenda was published.

So what happened?

Earlier this month, CBP withdrew the notice of proposed rulemaking (NPRM)… and issued a new notice of proposed rulemaking the same day that wouldn’t apply to US citizens, but would require all non-US citizens, including permanent US residents (green-card holders) to be photographed whenever they enter or leave the US by any means: air, land, or sea.

(This proposed rule is for collection of biometrics from international travelers at airports, cruise ports, and land borders. There’s a separate pending proposal which we and others have criticized  for collection of biometrics including fingerprints and DNA samples, in advance of travel, from visa applicants, other would-be US visitors, and their US sponsors.)

At airports, the scheme contemplated by CBP would follow the public/private partnership model that CBP and the Transportation Security Administration (TSA) have been collaborating on with airlines and airport operating authorities in the USA and abroad:

Generally, when travelers present themselves for entry or exit, they will encounter a camera connected to CBP’s cloud-based TVS facial matching service via a secure, encrypted connection…. The camera may be owned by CBP, the air or vessel carrier, another government agency such as TSA, or an international partner governmental agency….

At the departure gate, each traveler stands for a photo in front of a partner-provided camera. Aided by the authorized airline or airport personnel, the partner-owned camera attempts to capture a usable image and submits the image, sometimes through an authorized integration platform or vendor, to CBP’s cloud-based TVS facial matching service.

The key element in this partnership, CBP makes clear, is that airlines and airports will pay to operate cameras and send photos of passengers to CBP, in exchange for getting uncontrolled use of the CBP facial recognition system for their own business purposes:

The hardware cost in the regulatory period will be borne by the carriers and airports who partner with CBP.  CBP will give carriers and airports access to its facial recognition system and the carriers and airports will choose (and pay for) the hardware that best fits their needs. While this partnership is voluntary, CBP expects that all commercial carriers and major airports will elect to participate within five years.

Unless airlines and airports were given free use of the CBP facial recognition service for their own purposes, they would have no business reason to bear the cost of installing and operating cameras at all departure gates, or to send the photos to CBP. CBP has limited authority to force airlines to surveil their customers, so CBP’s scheme depends on successfully bribing them — all of them — to collaborate by giving them free access to the facial recognition service. This quid pro quo is the key to CBP’s confidence in its plans.

Some airlines and airports have already been sharing photos of airline passengers with CBP. CBP has previously downplayed these deployments as mere “demonstration” projects, but it now expects the same systems to be extended to all airports and airlines.

CBP says that it has contracts with airlines restricting their use of photos taken on behalf of CBP. But none of those contracts have been disclosed, even though we requested them more than two years ago pursuant to the Freedom Of Information Act (FOIA). CBP and other components of the Department of Homeland Security have begun producing some other related records in response to a more recent FOIA request and lawsuit by the ACLU. But there are no statutory or regulatory constraints on airline or airport use of these photos or the CBP facial recognition service, and it would be up to CBP whether to seek to enforce any contractual commitments or to wink at violations by airlines or airports.

A fundamental problem with this system architecture of outsourced cameras feeding photos to CBP is that the Privacy Act requires, with respect to both US citizens and permanent residents, that information be collected directly from the affected individuals.

The Privacy Act also prohibits the collection of information about the exercise by US citizens or permanent residents of rights protected by the First Amendment — which includes the right to assemble — “unless expressly authorized by statute or by the individual about whom the record is maintianed.”

CBP has no statutory authority, much less explicit authority, to collect photos or other biometrics of US citizens at airports, seaports, or land border crossings. And an “opt out” system would not seem to meet the requirment for “express authoritzation”.

We and others have raised these issues in Seattle, where the agency that operates the airport is reconsidering its decision to install and operate “shared-use” mug-shot stations at departure gates.

CBP’s plans for use of facial recognition at airports, including the latest NPRM, completely ignore the requirements of both the Privacy Act and the Paperwork Reduction Act (PRA).

CBP says that few US citizens have opted  out of mug shots during its facial recognition “pilot projects”. But that’s probably because CBP has never provided the notices required by the PRA, which would explicitly inform all travelers that they are not required to provide information including mug shots or other biometrics unless they have been given notice of the applicable OMB approval number (which has never been issued for this collection of information), and that they cannot be sanctioned or retaliated against for declining to provide this information. We assume that the “opt out” percentage would be much higher if travelers were given the notices required by the PRA.

As we told The Intercept, “once these things are trialed on foreigners, who have few legal rights anyway, and where the American public won’t complain, they will then become the new normal for U.S. citizens as well.”

You can submit comments on the CBP proposal here through December 20, 2020.

The 30-day comment period will end in time for CBP to rush out a rule finalizing its new proposal before the Presidential inauguration, if it doesn’t take time to consider the comments. But it’s not clear whether there is currently any validly appointed CBP or DHS official with the authority to promulgate new or revised regulations. One Federal court has already found that the appointment of the official performing the duties of the Acting Secretary of Homeland Security violated the Federal Vacancies Reform Act (FVRA), and the Government Accountability Office has made the same finding. Several similar Federal court challenges to the appointment and authority to issue regulations of the purported Acting Commissioner of CBP, Mark A. Morgan, are pending.