CBP doesn’t consistently notify air travelers about facial recognition tech use, privacy: GAO

Customs and Border Protection (CBP) is not consistently notifying travelers about its use of facial recognition technology or privacy options in US airports, according to the Government Accountability Office (GAO).

As of May, 2020, CBP has deployed facial recognition technology across 27 airports in the United States to biometrically confirm travelers’ identities upon departing the country.

“Ensuring that privacy notices contain complete information and are consistently available would help give travelers the opportunity to decline to participate, if appropriate” — GAO

However, according to the GAO, CBP “has not consistently provided complete information in privacy notices or ensured notices were posted and visible to travelers.”

Without being notified that facial recognition technology is being used, passengers are left in the dark about what type of information is being collected and of their right to opt-out.

“Ensuring that privacy notices contain complete information and are consistently available would help give travelers the opportunity to decline to participate, if appropriate,” according to the GAO.

In February, CBP Deputy Executive Assistant Commissioner, Office of Field Operations John Wagner testified before the House Committee on Homeland Security that the CBP had been informing travelers about the use of facial recognition technology and their ability to opt-out.

“We notify travelers at these ports using verbal announcements, signs, and/or message boards that CBP takes photos for identity verification purposes, and they are informed of their ability to opt-out” — John Wagner, CBP Deputy Executive Assistant Commissioner

“When airlines or airports partner with CBP on biometric air exit, the public is informed that the partner is collecting the biometric data in coordination with CBP,” Wagner testified.

“We notify travelers at these ports using verbal announcements, signs, and/or message boards that CBP takes photos for identity verification purposes, and they are informed of their ability to opt-out.

“Foreign nationals may opt out of providing biometric data to a third party, and any US citizen or foreign national may do so at the time of boarding by notifying the airline-boarding agent that they would like to opt out,” the CBP deputy executive assistant commissioner added.

CBP has partnered with over 20 commercial airlines to ensure passenger privacy requirements, and it can audit those partners to make sure they are meeting the privacy standards, but so far, CBP has only audited one of its airline partners, according to the GAO.

“Until CBP develops and implements an audit plan, it cannot ensure that traveler information is appropriately safeguarded,” according to the GAO.

GAO testing found that the facial recognition technology deployed at US airports had exceeded its accuracy goals, correctly identifying 90 percent of travelers, but “but did not meet a performance goal to capture 97 percent of traveler photos because airlines did not consistently photograph all travelers.”

The GAO made the following recommendations for CBP’s use of facial recognition technology, its accuracy, and passenger privacy concerns:

• Ensure privacy notices are complete
• Ensure notices are available at locations using facial recognition technology
• Develop and implement a plan to audit its program partners for privacy compliance
• Develop and implement a plan to capture required traveler photos at air exit
• Ensure it is alerted when air exit performance falls below established thresholds

According to Wagner, biometric entry-exit is not a surveillance program, CBP does not use hidden cameras, and CBP uses only photos collected from cameras deployed specifically for this purpose and does not use photos obtained from closed-circuit television or other live or recorded video.