Today the Identity Project (IDP), Restore the Fourth, Privacy Times, and the National Workrights Institute filed joint comments with U.S. Customs and Border Protection (CBP) in opposition ot the CBP proposal to require mug shots (and possibly collection of other biometrics) from all non-U.S. citizens at all border crossings and international airports and seaports:
The purported NPRM [Notice of Proposed Rulermaking] was promulgated under purported authority delegated by an official purporting to exercise the duties of the Secretary of Homeland Security. That official was not appointed in accordance with the Vacancies Reform Act and therefore lacks authority to promulgate notices of proposed rules or final rules, or to delegate authority to do so which they do not themselves hold….
The proposed rules and procedures would violate the Privacy Act, and must therefore be revised or withdrawn.
The proposed rules and procedures would violate the Paperwork Reduction Act (PRA), and must therefore be revised or withdrawn.
The impact assessment in the NPRM is incomplete, inaccurate, and grossly underestimates the costs which would be imposed on individual travelers by the proposed rule. The NPRM fails to consider how many (more) individuals would opt out of collection of biometrics, if they were provided with the notices required by the PRA, or the cost to those travelers who are so delayed that they miss their flights. The impact assessment must be revised.
As our comments discuss in more detail, the Privacy Act allows the collection of information “describing how any individual exercises rights guaranteed by the First Amendment”, which includes records of travel and assembly, only in specified circumstances — none of which apply to suspicionless mug shots at airports and borders.
The Privacy Act also requires that information used to make decisions such as whether to “allow” an individual to enter or leave the US or board a ship or plane be collected by Federal agencies “to the greatest extent practicable directly from the subject individual.” But plans to outsource photography of travelers, illegally, to its airline and airport “partners”:
It would be feasible for CBP to collect facial images directly from travelers, and the NPRM describes how CBP did so in its pilot programs for “biometric exit” at airports. However, despite having proven that this approach of direct collection was practicable and despite the unambiguous and explicit mandate of the Privacy Act, CBP proposes in the NPRM that facial images be collected by airlines or airport operators, and then passed on to CBP….
According to the NPRM: “The hardware cost in the regulatory period will be borne by the carriers and airports who partner with CBP. CBP will give carriers and airports access to its facial recognition system and the carriers and airports will choose (and pay for) the hardware that best fits their needs. While this partnership is voluntary, CBP expects that all commercial carriers and major airports will elect to participate within five years.”
Why would all airlines – for-profit commercial entities – bear the cost of assisting CBP in biometric tracking of their customers, as the NPRM assumes? What’s the quid pro quo?
CBP can be confident that airlines will all make the same commercial choice because the value to airlines of getting “free” use of the CBP facial-recognition “identification-as-a-service” Traveler Verification Service (TVS) for their own business purposes, including at other passenger “touchpoints,” will exceed the capital and labor costs of collecting photos and passing them on to CBP. Airlines won’t need to retain the photos themselves, or develop their own facial recognition systems, to obtain the commercial benefits of automated facial recognition conducted for them by CBP through TVS, on the basis of photos sourced in part from airlines and airports.
CBP is counting on being able to bribe airlines into deploying and operating biometric systems for CBP to track their customers, in exchange for giving those commercial entities “free” use of a CBP facial-recognition identification service, based on image galleries aggregated from government and commercial (airline) sources, for their commercial purposes.
The Privacy Act, for good reasons, does not permit such a scheme. If CBP wants to collect biometric information about travelers, it can – and must – collect that information from them directly.
The Paperwork Reduction Act (PRA) requires prior approval and posting of notices wherever information, including biometric information, is being collected by Federal agencies. But CBP has never bothered with any of these approvals or notices for its facial recognition programs, and has no plans to do so. The required notices include explicit notice of the right not to respond to any request for information that doesn’t include the required Office of Management and Budget (OMB) approval number and notices.
In its impact assessment of the costs of the proposed mug shot requirement, CBP says that during its facial recognition “pilot projects” few U.S. citizens have opted out of mug shots taken for CBP use. But that’s probably because they weren’t provided with the notices of their right to opt out that are specifically required by the PRA. And CBP omits any estimate of how many people who opt out of mug shots at airport boarding gates, as their flights are about to depart, and are subjected to unspecified “alternative procedures” , will miss their flights, or the consequential costs of delay form missing an international flight.
Because the person purporting to act as head of the Department of Homeland Security was never properly appointed and lacked authority to issue the NPRM, CBP must, at minimum, issue a new NPRM and start this rulemaking over. But we hope that CBP will use this opportunity to reconsider and abandon this bad idea entirely rather than trying for a do-over.