Facial Recognition: CBP and TSA are Taking Steps to Implement Programs, but CBP Should Address Privacy and System Performance Issues
U.S. Customs and Border Protection uses facial recognition technology for identity checks at borders. As of May 2020, CBP had deployed this technology to 27 U.S. airports.
We found that CBP's privacy notices—which inform the public about its use of this technology—were not always current or available where this technology is being used or on CBP's website. Also, CBP has only audited one of its 27 airline partners to ensure compliance with its facial recognition privacy policies.
We recommended that CBP ensure its privacy notices are complete and available at locations using this technology, and that CBP develop a plan to audit its partners.
Example of cameras and display screens used for facial recognition at the Port Canaveral Seaport
What GAO Found
U.S. Customs and Border Protection (CBP) has made progress testing and deploying facial recognition technology (FRT) at ports of entry to create entry-exit records for foreign nationals as part of its Biometric Entry-Exit Program. As of May 2020, CBP, in partnership with airlines, had deployed FRT to 27 airports to biometrically confirm travelers' identities as they depart the United States (air exit) and was in the early stages of assessing FRT at sea and land ports of entry.
Facial Recognition Technology in Use at an Airport
CBP has taken steps to incorporate some privacy principles in its program, such as publishing the legislative authorities used to implement its program, but has not consistently provided complete information in privacy notices or ensured notices were posted and visible to travelers. Ensuring that privacy notices contain complete information and are consistently available would help give travelers the opportunity to decline to participate, if appropriate. Further, CBP requires its commercial partners, such as airlines, to follow CBP's privacy requirements and can audit partners to assess compliance. However, as of May 2020, CBP had audited only one of its more than 20 airline partners and did not have a plan to ensure all partners are audited. Until CBP develops and implements an audit plan, it cannot ensure that traveler information is appropriately safeguarded.
CBP has assessed the accuracy and performance of air exit FRT capabilities through operational testing. Testing found that air exit exceeded its accuracy goals—for example, identifying over 90 percent of travelers correctly—but did not meet a performance goal to capture 97 percent of traveler photos because airlines did not consistently photograph all travelers. A plan to improve the photo capture rate would help CBP better fulfill the program's mission of creating biometrically confirmed traveler departure records. Further, while CBP monitors air exit's performance, officials are not alerted when performance falls short of minimum requirements.
The Transportation Security Administration (TSA) has conducted pilot tests to assess the feasibility of using FRT but, given the limited nature of these tests, it is too early to fully assess TSA's compliance with privacy protection principles.
Why GAO Did This Study
Within the Department of Homeland Security (DHS), CBP is charged with the dual mission of facilitating legitimate travel and securing U.S. borders, and TSA is responsible for protecting the nation's transportation system. For both CBP and TSA, part of their inspection and screening responsibilities includes reviewing travel identification documents and verifying traveler identities. Beginning in 1996, a series of federal laws were enacted to develop and implement an entry-exit data system, which is to integrate biographic and, since 2004, biometric records for foreign nationals. This report addresses (1) the status of CBP's deployment of FRT, (2) the extent to which CBP has incorporated privacy protection principles, (3) the extent to which CBP has assessed the accuracy and performance of its FRT, and (4) the status of TSA's testing and deployment of FRT and how TSA has incorporated privacy protection principles. GAO conducted site visits to observe CBP's and TSA's use of FRT, which were selected to include all three travel environments—air, land, and sea; reviewed program documents; and interviewed DHS officials.
GAO is making five recommendations to CBP to (1) ensure privacy notices are complete, (2) ensure notices are available at locations using FRT, (3) develop and implement a plan to audit its program partners for privacy compliance, (4) develop and implement a plan to capture required traveler photos at air exit, and (5) ensure it is alerted when air exit performance falls below established thresholds. DHS concurred with the recommendations.
Recommendations for Executive Action
|United States Customs and Border Protection||The Commissioner of CBP should ensure that the Biometric Entry-Exit Program's privacy notices contain complete and current information, including all of the locations where facial recognition is used and how travelers can request to opt out as appropriate. (Recommendation 1)||
We reported that CBP had not consistently provided travelers with information about the locations where facial recognition is used. We also reported that CBP's privacy signage provided limited information on how to opt out of facial recognition, and CBP did not consistently post privacy signage. As a result, we recommended that the Commissioner of CBP should ensure that the Biometric Entry-Exit Program's privacy notices contain complete and current information, including all of the locations where facial recognition is used and how travelers can request to opt out as appropriate. CBP concurred with our recommendation, and in response, in March 2021, CBP provided us with details and supporting documentation on the actions CBP has taken to address our recommendation. For example, CBP provided us with information on CBP's efforts to publish Biometric Entry-Exit privacy information, and CBP created a new website that outlines the locations (air, land, and seaports) where CBP uses facial recognition technology. CBP also updated its biometrics website (biometrics.cbp.gov) to include information on how travelers can opt out of the facial recognition verification process. Furthermore, CBP has begun providing its call center and information center staff with additional training, so staff are prepared to provide the public with complete and current information about the facial recognition verification program. We believe these actions taken by CBP provide the traveling public with greater transparency of CBP's use of facial recognition technology, and addresses our recommendation.
|United States Customs and Border Protection||The Commissioner of CBP should ensure that the Biometric Entry-Exit Program's privacy signage is consistently available at all locations where CBP is using facial recognition. (Recommendation 2)||
CBP concurred with this recommendation, and in June 2021 CBP reported that it developed a plan to ensure privacy signage is consistently available at all locations. On December 28, 2022, CBP provided us with documentation that outlined its plan to help ensure biometric exit signage is consistently available at locations using facial recognition technology. As part of CBP's plan, CBP reviewed existing privacy signage language and updated its signage to make it clear that travelers can request alternative screening procedures. The CBP Biometric Entry-Exit program office also conducted a survey across locations using facial recognition technology to request information on sign version, number of signs, visibility of signs, and operational /infrastructure restrictions. The Biometric Entry-Exit program office reported it has completed the signage survey and distributed updated signage to ports. In addition, CBP continues to work with each port of entry on signage requirements, and has begun shipping new signage to sea and airports as of August 2022. In December 2022, CBP also provided us with its updated Standard Operating Procedures that outlines CBP's process for ensuring privacy signage is provided at locations included in CBP's Biometric Entry-Exit Program. We believe the actions taken by CBP provides the traveling public with information needed to explain how travelers can request to opt out of the facial recognition screening process, as appropriate; and addresses our recommendation.
|United States Customs and Border Protection||The Commissioner of CBP should direct the Biometric Entry-Exit Program to develop and implement a plan to conduct privacy audits of its commercial partners', contractors', and vendors' use of personally identifiable information. (Recommendation 3)||
CBP concurred with this recommendation. In December 2022, CBP provided us with an update on the progress made to conduct privacy audits of its commercial partners, such as air carriers and airports. In the air exit environment, CBP reported that the Office of Field Operations continues to conduct security assessments on partner biometric capture equipment, and all interfaces with CBP's Traveler Verification Service, as detailed in the Biometric Entry-Exit Program audit plan. The audit plan provides details on the steps CBP takes during its review of its commercial partners' compliance with security and privacy requirements. According to CBP audit plan documentation, each assessment requires planning, internal security controls reviews, onsite systems vulnerability testing, and reporting stages. In fiscal year (FY) 2020, CBP conducted one assessment, in FY 2021 CBP conducted assessments at five locations, and in FY 2022, CBP conducted four assessments. CBP intends to conduct four assessments in FY 2023, and plans to begin sea environment assessments no later than FY 2024. In December 2022, CBP also provided us with its updated Standard Operating Procedures that outlines CBP's process to assess the vulnerability and security of a stakeholder's biometric exit solution, where CBP's Traveler Verification Service is used. Based on these actions, CBP's has addressed our recommendation.
|United States Customs and Border Protection||The Commissioner of CBP should develop and implement a plan to ensure that the biometric air exit capability meets its established photo capture requirement. (Recommendation 4)||
CBP concurred with this recommendation. However, CBP subsequently determined that it would no longer require the program to meet the original photo capture requirement. CBP noted that the original requirement was included in the 2017 Operational Requirements Document when there was the possibility of CBP owning, operating, and maintaining cameras at airport departure gates. CBP subsequently determined that it cannot require airlines to take a photo of every traveler-in part because it does not have enough staff to be present at every airport departure gate. In June 2021, CBP noted that the photo capture requirement had been removed from the latest draft of the Operational Requirements Document. In November 2022, the Department of Homeland Security approved the updated Operational Requirements Document. As the new Operational Requirements Document for the Biometric Entry-Exit Program does not include a photo capture requirement, we are closing this recommendation as not implemented.
|United States Customs and Border Protection||The Commissioner of CBP should develop a process by which Biometric Entry-Exit program officials are alerted when the performance of air exit facial recognition falls below established thresholds. (Recommendation 5)||
We reported that CBP's process to monitor the performance of its Biometric Entry-Exit program does not alert CBP when the performance falls below minimum performance requirements. As a result, we recommended that CBP should develop a process by which program officials are alerted when the performance of the Biometric Entry-Exit air exit facial recognition program falls below established thresholds. CBP concurred with our recommendation, and in April 2021, CBP provided us with documentation on the various monitoring systems in place for the air exit facial recognition program. For example, CBP creates program performance reports that are automatically generated and distributed to CBP and to external stakeholders, such as air carriers, so they are aware when performance falls below thresholds. One monitoring report includes information on the percentage of flights biometrically processed out of the total number of possible international departures segmented by airport. Another report includes a daily synopsis of operational performance data. CBP also produces reports that provides Air Exit stakeholders with operational performance data by flight number, passenger counts, and biometric match rates. According to CBP, the Biometric Entry-Exit program team monitors these reports for performance issues and addresses any anomalies with stakeholders as they arise. The program team also conducts random sampling to determine the technical match rates and to identify any system or equipment issues. The random sampling is conducted on a weekly basis and includes two flights per airport per week, according to CBP. Finally, the program team receives alert notifications if the system experiences an outage and has a gallery assembly system monitor that provides notifications when a flight gallery is not created. We believe the actions taken provides CBP with the alerts and information it needs to understand when it the air exit facial recognition program falls below minimum performance requirements, and addresses our recommendation.