There is some interesting news in the world of biometric identification and privacy this week. The Department of Homeland Security submitted a proposal to expand the Biometric Exit Program to include US Citizens and green card holders. This is an interesting example of how our system provides oversight to the various government organizations who use technology.

What is the Biometric Exit Program?

I have written about the Biometric Exit Program in detail before, but in summary it is a DHS program that uses biometrics to track when visa holders (foreigners who have applied for and gotten permission to visit the United States) enter and leave the country.

Our visa system is complex and varied, but generally a visa will place limits on how long a foreign national is allowed to remain in the country. When a traveler enters the country, they are photographed, and the visa is verified. But unless you also track when people exit the country, there is no way to know if the visa is being overstayed. Tracking the entry and exit of foreign nationals is required by several laws, and DHS has a mandate from Congress to start tracking exits by 2020. But it’s a difficult problem. DHS does not have permission to collect biometrics from US citizens and it’s difficult to track exits unless you track everyone – there isn’t an easy way for anyone to know the nationality of people as they approach a boarding gate at the airport.

The program was piloted in several major US airports - Atlanta, Las Vegas, Washington, D.C., Miami, Houston, New York City, Chicago in 2017 and is expanding. The system collects biometrics on everyone by default but if you area US citizen, you can opt-out. The program has been generally well received by travelers and has the potential to speed up the boarding process and make air travel faster and more convenient. More impressively, the system caught three people trying to enter the United States at Dulles with fake travel documents in the first week of operation and those three would have likely not have been caught by a human checking the documents.

Clearly the system performs better than humans looking at a passport and then looking at a person to verify that the documents are legitimate.

So What Happened?

In the proposal, DHS submitted a proposal to expand the program to include US citizens and green card holders. This would mean that all travelers, not just foreign nationals, would have to complete a biometric identity check before they are allowed to enter the country but also to leave the country. There was criticism from various privacy groups and members of congress and in response, DHS has announced they are no longer seeking the regulatory change that would allow them to use face recognition technology on all people entering and leaving the United States. People have objected to the program on several different grounds:

The Technology Doesn’t Work

One is that the technology doesn’t work. Although this has been widely reported, it’s just not true. The accuracy of these systems is better than that of a human comparing a face to a photograph of a face, and that’s all you really need. DHS claims they have already caught over 200 imposters trying to enter the country with false documents.

The Technology is Invasive

The ACLU objects because they feel travelers, including US citizens, shouldn’t have to submit to “invasive biometric scans” as a condition of exercising their constitutional right to travel. I don’t think this argument really makes sense. We have already accepted that in order to travel, you must have identification documents – you cannot fly anonymously. At the airport, a person will look at your face and then look at the photograph of your face on your passport to ensure you match your travel documents. Having a computer verify that you match your passport isn’t really any different from what we are using people to do right now.

DHS Can’t Be Trusted to Keep the Data Secure

Sen. Edward J. Markey (D-Mass) is a longtime critic of the department’s use of facial recognition technology and he is vocally against the program:

“The Department of Homeland Security should immediately withdraw plans to force Americans to undergo facial recognition and hand over their biometric information,” Markey said. “This proposal would amount to disturbing government coercion, and as the recent data breach at Customs and Border Protection shows, Homeland Security cannot be trusted to keep our information safe and secure.”

Sen. Edward J. Markey (D-Mass)

The Senator was referring to a breach in which photos of people’s faces and license plate images gathered when they crossed a single land border entry point were stolen from a CBP contractor as part of a “malicious cyber-attack”. I’m not really convinced on this one. For the majority of people uploading selfies to the internet every day, it seems unlikely that a data breach allowing their face to be on the Internet is going to cause them harm. This doesn’t excuse DHS of course. They need to improve their data protection practices, especially since they handle a lot of data that is truly sensitive. But cancelling a program because an agency has security issues seems to be missing the point - the security problems are fixable and why would we block a useful program because of a fixable problem?

DHS Doesn’t Have the Authority to Collect Biometrics from US Citizens

Now this is an objection that makes sense. In 2016, Congress authorized up to $1 billion collected from certain visa fees to fund the implementation of biometric entrance/exit. But a 2017 study by researchers at Georgetown University Law School’s Center on Privacy and Technology noted that while Congress passed legislation authorizing the collection of biometric data from non-citizens, it has never explicitly authorized the collection of that information for citizens.

All of the concerns about the growing use of biometric face recognition technology center on the fear of mass surveillance. There is a huge difference between using your face to unlock your phone and having your face photographed without your knowledge or consent and having that data used to monitor and control you. Generally speaking, people love technology when they can decide whether or not to use it. We like it when it's something we do, we don't like it when it's something that is done to us. Face recognition technology should always be voluntary and opt-in. In this case, the system worked exactly as it is intended to work - DHS overreached and Congress stopped them.