Homeland Security sued over secretive use of face recognition

The American Civil Liberties Union (ACLU) is suing the Department of Homeland Security (DHS) over its failure to cough up details about its use of facial recognition at airports.

Along with the New York Civil Liberties Union, the powerful civil rights group filed the suit in New York on Thursday. Besides the DHS, the suit was also filed against US Customs and Border Protection (CBP), Immigration and Customs Enforcement (ICE), and the Transportation Security Administration (TSA).

The ACLU says that the lawsuit challenges the secrecy that shrouds federal law enforcement’s use of face recognition surveillance technology.

Ashley Gorski, staff attorney with the ACLU’s National Security Project, said in a release that pervasive use of face surveillance “can enable persistent government surveillance on a massive scale.”

The public has a right to know when, where, and how the government is using face recognition, and what safeguards, if any, are in place to protect our rights. This unregulated surveillance technology threatens to fundamentally alter our free society and is in urgent need of democratic oversight.

The ACLU had filed Freedom of Information Act (FOIA) requests to find out how the agencies are using the surveillance technologies at airports – requests that the agencies ignored.

In its suit, the ACLU demands that the agencies turn over records concerning:

  • Plans for further implementation of face surveillance at airports;
  • Government contracts with airlines, airports, and other entities pertaining to the use of face recognition at the airport and other ports of entry;
  • Policies and procedures concerning the acquisition, processing, and retention of our biometric information; and
  • Analyses of the effectiveness of facial recognition technology.

As the ACLU’s complaint tells it, in 2017, CBP began a program called the Traveler Verification Service (TVS) that involves photographing travelers during entry or exit from the country.

The program involves the use of facial recognition technology to compare the photographs with faceprints that the government already has – a huge collection of biometrics that just keeps getting bigger. In June 2019, the General Accountability Office (GAO) said that the FBI’s facial recognition office can now search databases containing more than 641 million photos, including 21 state databases (a number that’s ballooned from the 412 million images the FBI’s Face Services unit had access to at the time of a GAO report from three years prior).

CBP’s piece of that burgeoning pie: as of June 2019, the agency had processed more than 20 million travelers using facial recognition, the ACLU says.

Major airlines and airports have partnered with CBP on TVS. As of August 2019, 26 airlines and airports had committed to employing CBP’s face-matching technology, and several airlines have already incorporated it into boarding procedures for outbound international flights.

It’s being done behind closed doors, the ACLU says. The public knows little about the nature of these partnerships, nor about the policies and privacy safeguards governing the processing, retention, and dissemination of data collected or generated through TVS.

It’s certainly not the first time that CBP has kept details about its images to itself. In June 2019, hackers managed to steal photos of travelers and license plates from a CBP database. In violation of CBP policies, the database had been copied by a subcontractor to its own network. Then, the subcontractor’s network had been hacked.

Initial reports indicated that the breach involved images of fewer than 100,000 people in vehicles coming and going through a few specific lanes at a single port of entry into the US over the previous one-and-a-half months.

While the image data wasn’t immediately put up for sale on the Dark Web, the breach showed that this type of data is of interest to hackers… and that government agencies are capable of losing control of it.

Separately, the TSA has outlined a plan to implement face surveillance for both international and domestic travelers, the ACLU’s lawsuit says. The complaint points to a document published by the TSA entitled “TSA Biometrics Roadmap” that describes how the TSA intends to partner with CBP on face recognition for international travelers; apply face recognition to TSA PreCheck travelers; and ultimately expand face recognition to domestic travelers more broadly.

Congress has authorized the DHS to collect biometrics from certain categories of noncitizens at border crossings. It hasn’t expressly given the go-ahead to collect faceprints from citizens, though. Citizens were given the right to opt out of the facial scans after the DHS faced intense backlash over a proposed regulation change that would have allowed the technology to be used on all people coming in or leaving the US.

Despite the backlash, however, the DHS hasn’t given up on those plans, the ACLU says.

Running tally of pushback

Opposition to the government’s pervasive use of the technology continues to strengthen. As of Thursday, Washington’s state Senate and House were still debating a bill to rein in facial recognition.

In October, the state of California outlawed facial recognition in police bodycams. Some of its biggest cities have gone further still in restricting the controversial technology, including San Francisco, Berkeley, and Oakland.

Outside of California, government use of facial recognition has also been banned in three Massachusetts municipalities: Somerville, Northampton and Brookline. New York City tenants also successfully stopped their landlord’s efforts to install facial recognition technology to open the front door to their buildings.

The ACLU’s Gorski said that when it comes to finding out how this technology is being used, it shouldn’t have to come to lawsuits:

That we even need to go to court to pry out this information further demonstrates why we should be wary of weak industry proposals and why lawmakers urgently need to halt law and immigration enforcement use of this technology. There can be no meaningful oversight or accountability with such excessive, undemocratic secrecy.


Latest Naked Security podcast

go top