According to a new report by surveillance law researchers, the US Department of Homeland Security's $US1 billion "Biometric Exit Program," which requires travellers submit to face recognition scans, may violate US federal law. Starting in June, several airports began mandating face scans at boarding gates for some international flights. The DHS has argued the program prevents identity fraud, but the researchers say the program is on shaky legal ground and has numerous technical flaws.
Released by Georgetown Law's Center on Privacy and Technology on Thursday, "Not Ready for Takeoff: Face Scans at Airport Departure Gates" makes a very clear first argument: The DHS simply doesn't have the authority to force anyone to hand over their biometric data. Congress has passed legislation permitting DHS to collect face data from foreign nationals, "but no law directly authorizes DHS to collect the biometrics of Americans at the border," the report reads. Additionally, the report argues that mandating face scans is such a huge expansion of the DHS's authority it should have been scrutinised during a public comment period before implementation, as required by federal law. Perhaps just as troublingly, the researchers found a number of technical flaws in both the software itself and how it's tested for accuracy.
The Biometric Exit Program's stated mission is to catch people exiting the country with false IDs. If Adam's visa expired and he had to leave the US, for instance, he could give his passport to David. David could leave the country with Adam's ID and, as far as the DHS knew, Adam was no longer in the US. By scanning the faces of people leaving the country, the argument went, the DHS could close this loophole.
According to the researchers, however, the DHS is using the wrong metric to check the system's accuracy. Instead of tracking how often it catches imposters using fake credentials - the program's stated purpose — the DHS measures accuracy "based on how often the system accepts travellers using their true credentials." This, the report says, is like hiring a bouncer without knowing how well he can spot fake IDs. As one of the report's co-authors told The New York Times, "It's telling that D.H.S. cannot identify a single benefit actually resulting from airport face scans at the departure gate."
The researchers say this false metric for success obscures a greater technical flaw. As explored by the center's landmark 2016 report, "The Perpetual Line-Up," federal face recognition software is less accurate on people with darker skin and misidentifies women more often than men, meaning those people could be targeted for manual fingerprinting at greater rates. Someone using false credentials will likely use the ID of someone of the same age, gender, race, and general appearance. Precision is obviously essential and it's not clear the DHS's technology is up to the plan
The report recommends the DHS end the Biometric Exit Program, at least until the DHS complies with rule-making laws, refines its accuracy, and, most crucially, is upfront about what it intends to do with all this face data.
"The face scan-based biometric exit program that DHS is beginning to deploy at international airports across the country is extremely resource-intensive," the report concludes. "But despite its $US1 ($1) billion price tag, the program is riddled with problems. It is unjustified. It is legally infirm. It may be technically flawed. And it may implicate serious privacy concerns."