DHS Rolls Back Facial-Recognition Expansion Plan


Biometric facial scanning won’t be a requirement for all U.S. citizens traveling internationally after all, the department decided.

The Department of Homeland Security (DHS) has reconsidered a plan to use facial-recognition technology on all U.S. citizens traveling internationally through airports, deciding to roll back the plan after meeting with privacy experts.

Last week the DHS said it would expand facial-recognition checks to all travelers entering and leaving the U.S., including previously exempt U.S. citizens. Now, however, the agency says the checks won’t be required for U.S. citizens after hearing feedback from privacy advocates, according to an online statement.

“U.S. citizens may opt out of the biometric facial comparison process by notifying a CBP officer or airline representative,” according to the statement. “Individuals who opt out simply present their passport for visual inspection, as is standard practice at ports of entry today.”

Various airports have implemented facial-recognition checks through the “Biometric Exit” program, which the U.S. Customs and Border Protection (CBP) first introduced in 2015. As of April, the program was operational in 17 airports, with the agency reportedly planning to expand that number to 20 by 2021.

The CBP is currently required by law to biometrically record the entry of foreigners into the United States, according to the DHS. Agents compare traveler photos taken at the gate with existing images that have been stored “in a secure environment” – including photographs taken during the entry inspection, photographs from U.S. passports and visas, and images “from previous DHS encounters,” a CBP official previously told Threatpost.

The CBP claims that using the technology has allowed it to apprehend more than 200 people attempting to enter the United States illegally using the authentic travel documents of other people whom they closely resembled.

Despite this, the agency’s announcement last week that it would extend this facial-recognition requirement to U.S. citizens as well was met with harsh criticism from human rights and privacy experts.

The DHS acknowledged that it has listened to the many concerns over its use of the technology in a meeting it held earlier this week with “leading privacy experts,” the third “in an ongoing series of discussions about measures that CBP is taking to protect traveler privacy during the biometric facial comparison process at U.S. ports of entry,” according to the DHS statement.

The CBP already made changes to its facial-recognition system based on suggestions from these discussions, which also include members of Congress, according to the DHS.

The agency has reduced the maximum retention period for new photos of U.S. citizens from 14 days to 12 hours; set up strict rules so that airlines or other partners can’t keep traveler photos for their own business purposes; and enhanced signs and announcements at departure gates to alert people to the use of the technology, among other measures, it said.

Despite these efforts, the government’s collection of its citizens’ biometric identity data is troubling for many, especially since agencies have already mishandled the security of stored data. In June, for instance, a data leak at the CBP exposed photos of the faces and license plates of more than 100,000 travelers who passed through checkpoints on the U.S.-Mexican border. The Office of Personnel Management also experienced a significant data breach in 2015 that resulted in the theft of fingerprint data of 5.6 million people.
