A government watchdog has criticized U.S. border authorities for failing to properly disclose the agency’s use of facial recognition at airports, which included instructions on how Americans can opt out.
U.S. Customs and Border Protection (CBP), tasked with protecting the border and screening immigrants, has deployed its face-scanning technology in 27 U.S. airports as part of its biometric entry-exit program.
The program was set up to catch visitors who overstay their visas.
Foreign nationals must complete a facial recognition check before they are allowed to enter and leave the United States, but U.S. citizens are allowed to opt out.
But the Government Accountability Office (GAO) said in a new report out Wednesday that CBP did “not consistently” provide notices that informed Americans that they would be scanned as they depart the United States.
“These notices are intended to provide travelers with information about CBP’s use of facial recognition technology at locations where this technology has been deployed, and how data collected will be used. The notices should also provide information on procedures for opting out, if applicable, among other things,” according to the watchdog. “However, we found that CBP’s notices were not always current or complete, provided limited information on how to request to opt out of facial recognition, and were not always available.”
Some of the notices were outdated and contained wrong or inconsistent information, the watchdog said. But CBP officials told the GAO that printing new signs is “costly” and “not practical” after each policy change.
CBP uses the airlines to collect biometric scans of a traveler’s face before boarding a plane. The data is fed into a database run by CBP, where face scans are held for two weeks for U.S. citizens and up to 75 years for nonimmigrant visitors.
As part of this cooperation, CBP is required to conduct audits to ensure that airlines are compliant with the agency’s data collection and privacy practices. But the watchdog found that CBP had only audited one airline, and as of May had “not yet audited the majority of its airline business partners to ensure they are adhering to CBP’s privacy requirements.”
The watchdog took issue with this following the 2019 data breach involving CBP subcontractor Perceptics, a license plate recognition company, which CBP accused of transferring travelers’ license plate data to its network without permission.
Hackers stole about 100,000 traveler images and license plate records in the breach, which were later posted on the dark web.
CBP said it concurred with the watchdog’s five overall recommendations.