The facial recognition program is designed to catch “passport imposters” but has privacy advocates worried.
The next time you come back from overseas and flash your American passport at Washington, DC's Dulles airport, customs officers might take a picture of you and use facial recognition technology to figure out if you really are who you say you are.
On March 11, Customs and Border Protection (CBP) quietly rolled out a new facial recognition pilot program to help customs officers catch "imposters," or people using a passport that isn't theirs, an agency spokesperson confirmed to Motherboard on Wednesday.
The pilot is part of a larger effort to modernize US customs practices with the use of new technologies as part of the Apex Air Entry and Exit Re-Engineering (AEER) Project. And it's only the first of at least three experiments labeled "Targeted Biometric Operations," according to a previously undisclosed CBP presentation obtained by Motherboard.
The goal of the pilot program, called "1:1 Facial Recognition Air Entry Pilot," is to figure out if facial recognition can be a useful tool in catching these imposters, but civil liberties activists worry this is the first step toward creating a database of law-abiding Americans' mugshots, which could create unforeseen privacy risks.
"Here we have a program where individuals are not suspected of wrongdoing and are engaged in routine behavior," Jake Laperruque, a fellow at the Center for Democracy and Technology, told Motherboard. "And they are being required to submit a piece of biometric data that could identify them later and that's going to be retained."
"That's definitely a dark road to be going down with a lot of potential for abuse," he added.
As part of the program, customs officers will have the ability to randomly select Americans coming back from abroad and take a picture of them. The ones that get chosen as high-tech lab rats cannot opt out, according to CBP's Privacy Impact Assessment (PIA), a document published last week to notify Americans of the program and its potential privacy implications.
The officer will compare the photograph taken with that stored inside the person's passport chip, using a facial recognition algorithm developed by CBP. The software will then give "a match confidence score" determining how similar the two pictures are. At that point, the officer will have discretion to take further actions if the score flags that there's something wrong. But, CBP notes, the facial recognition technology won't be the only basis for admitting a traveler into the US or for "secondary inspection."
CBP is not providing a lot of details about the program. And the agency spokesperson did not respond to a series of detailed questions from Motherboard, but instead sent a single statement.
But slides from a presentation held on March 10 at CBP headquarters, which were leaked to Motherboard by one of the attendees, give us a glimpse of how the program works.
The overall pilot is expected to last 19 months, but CBP will only collect pictures for 60 or 90 days (this is unclear because the assessment says 60 days while the leaked slides say 90 days). After that, presumably, CBP will move on to an "analysis phase" for the remainder of the program.
CBP expects the facial recognition process to be extremely quick. Another slide of the presentation says it will only take between 5 and 7 seconds to snap a picture of the traveler, open the picture stored in her passport, and process the photo.
In the public document, CBP explained that the program will include several measures to quell privacy concerns.
First, the pictures won't be tied to the person's identity, as they will be stored in a database tagged only with the time and date they were taken, according to CBP. But, potentially, this same technology could be used to tie identities to photographs. And critics say there is good reason to be wary, as the government has made misleading claims about security technologies before. In 2010, a privacy watchdog found out that the infamous TSA full-body scanners could actually store and send images, contrary to the TSA's claims.
After the 19 months the program is expected to last, CBP promises it will delete the images from the server, unless the pictures become part of a criminal investigation.
Moreover, CBP promises that it won't share this picture with anyone else outside of the Department of Homeland Security (DHS), its parent agency.
"The technology is a stand-alone system and will not communicate with any other parties, databases or systems," the CBP spokesperson told Motherboard. "CBP remains committed to protecting the privacy of all travelers."
Privacy advocates, however, are not convinced.
Dave Maass, an investigative researcher at the Electronic Frontier Foundation, a San Francisco-based digital rights advocacy group, says that the concern is over what happens when the pilot ends.
"Today, it's testing at the border, tomorrow it could be facial recognition deployed in public places," Maass told Motherboard. "Today, the photos taken are being kept segregated from other departments and agencies, tomorrow they could be shared for a whole host of other purposes."
In other words, is there a risk of mission creep?
Ralph Gross, a facial recognition expert at the Carnegie Mellon University Robotics Institute, says that while the program's privacy safeguards make it "fairly limited," CBP is not really making a good case for why this program is needed in the first place.
What the experiment does, he argues, is to automate something that customs agents already do, which is comparing your face to the picture on your passport.
"Why are they doing that in the first place?" Gross tells Motherboard. "Do they feel that border agents aren't good at spotting imposters?"
That's the key question. Are passport imposters that much of a problem?
The Government Accountability Office (GAO) estimated last year that the State Department issued 13,500 passports to people using the Social Security number, though not the name, of a deceased person. But it's unclear how many actual cases of passport imposters CBP encounters every year.
"CBP regularly identifies instances in which imposters attempt to enter the United States," the CBP spokesperson said, without providing more details or specific numbers.
It's also unclear how effective this facial recognition technology actually is. CBP says its laboratory tests were successful, but has not provided any data to back it up.
"The results of the lab testing are not available for public release," the CBP spokesperson said.
While CBP has yet to answer these questions, the program is already underway, undeterred.