Last month, the Homeland Security Advisory Council (HSAC) published a report from its Biometrics Subcommittee with recommendations that will affect how the Department of Homeland Security (DHS) deals with biometric privacy and security issues going forward.
In April of 2020, Acting Secretary Wolf asked the Biometrics Subcommittee to examine how the Department approaches biometric-driven identity management, and whether the Department would benefit from a more unified approach to this data. More specifically, the Acting Secretary requested recommendations from the Subcommittee in several areas, to include how DHS can establish a multi-year biometrics strategy and implementation plan with performance metrics and oversight; best practices in creating a biometrics enterprise and governance process; how DHS can better communicate with the public, Congress and stakeholders about how it manages biometric information, to include information regarding new and unique uses of biometrics information; and how DHS can improve its biometric collection, storage, matching, analysis and sharing capabilities.
This report is noteworthy for a couple of reasons. First, several of the Subcommittee’s findings represent best practices that could be deployed across the private sector to both increase the understandability of an organization’s biometric practices, and to manage reputational risks that are associated with this form of data collection. Second, certain recommendations, if implemented, could impact biometric and other technology companies seeking to do business with DHS or its components, especially where recommendations put forward increasingly centralized oversight and review processes. Below are some key findings for contractors and the private sector who deal with biometrics.
Examining Biometrics Use Cases Across DHS
The Subcommittee undertook a thorough examination of each DHS operational component that collects, maintains, uses or shares biometrics information, as well as overall DHS policies and practices. For an idea of the size and scope of the Department’s biometrics-related operation, the report cites collection numbers from just one operational component, Customs and Border Protection (CBP), which screened and collected biometrics from approximately 79 million foreign nationals arriving in the United States during the 2019 fiscal year.
The Subcommittee also completed case studies to review the functioning, efficiency, and efficacy of the DHS biometrics enterprise, looking at three areas in particular: 1) CBP’s Biometric Exit Program, 2) opportunities to leverage biometrics between DHS components, and 3) the necessity for a uniform but “nimble” biometrics oversight and review process. Importantly, through these case studies, the Subcommittee was able to review specific programs and operations that cover the full scope of DHS’ biometrics enterprise – reviewing the Department’s use of facial recognition tools, multifactor biometrics identity management (e.g. facial images, fingerprints, iris scans, etc.), and the utilization of DNA to establish familial connections between individuals the Department contacts.
Storage and Protection of DHS’ Biometric Data
The Biometrics Subcommittee thoroughly examined the Department’s storage and security practices surrounding its vast biometrics repositories, reviewing both component-level practices and enterprise-wide biometrics support offices, like the Office of Biometric Identity Management (OBIM). In reviewing these practices, the Subcommittee concluded that “the protection of biometric data, particularly in association with biographic data, should be …part of implementation plans submitted by DHS component agencies for review by a [central] DHS Biometrics Oversight and Coordination Council (BOCC).” Additionally, the Subcommittee recommended implementing policies that reflect the differences between biometric data and its potential use cases, for example, drawing policy distinctions between biometrics used for identity matching, background checks, or data collected for law enforcement and intelligence purposes.
Examination of Bias in Facial Recognition Systems
As part of its review of the CBP Biometric Exit Program, the Subcommittee met with the team from the National Institute of Standards and Technology (NIST) that completed the December 2019 Technology Report (NISTIR), Face Recognition Vendor Test (FRVT), Part 2: Demographic Effect. This NISTIR evaluated the demographic-specific performance of 189 matching algorithms used in facial recognition technologies. Generally, the NISTIR found that the majority of algorithms demonstrated large variations in matching performance across demographic groups. Importantly, the Subcommittee makes clear that NIST’s findings also show that many of the leading tools and algorithms, like those deployed by CBP, did not show statistically significant matching variances across demographic groups. Interestingly, the Subcommittee also surmised that “one of the promising benefits of the use of biometrics, if properly developed and deployed, is the reduction in potential racial bias that can occur either consciously or unconsciously from human subjectivity.”
Communications and Outreach to Stakeholders
The Subcommittee rightfully concludes, “[i]nforming Congress, the public, media and relevant stakeholders of new uses of biometrics is especially important, particularly as some uses, particularly FR, are controversial and raise privacy concerns.” The Subcommittee’s report credits the Department for its effective use of publicly available System of Records Notices (SORN) and Privacy Impact Assessments (PIA) to communicate the scope of the information collection, potential uses and sharing of the data, information storage and security practices, and other various privacy risks associated with the program. However, the Subcommittee concluded “[w]here use of a new biometric modality, or new use of an existing biometric modality, is being introduced, the Subcommittee believes that the responsible DHS component agency should do more than issue a PIA … [i]t should have a thoughtful communication plan which outlines the purposes and limitations of the new use … should be coordinated through the agency’s public and congressional affairs offices, in coordination, as necessary, with the DHS public affairs and legislative.”
In the end, the Subcommittee put forward ten recommendations to the Acting Secretary to better manage and oversee the DHS biometrics enterprise. Private sector organizations managing or processing biometric data would be well served to review and understand several of the Subcommittee’s recommendations to help manage risks associated with this unique data set. Specifically, companies could look at the proposals below to help manage a biometrics enterprise:
Establish a Biometrics Oversight and Coordination Council (BOCC), with broad representation from the operational components to review and assess policy and practices across the organization. BOCC protocols should provide a fast-track process to approve pilots and emergency uses of biometrics, to include direct interaction between executives, and the relevant component head.
Each component using biometrics shall designate one official within such agency with the responsibility for overseeing uses of biometrics for the agency.
In addition to an implementation plan, every new use of a biometric should require a communication/outreach plan.
As part of this implementation plan, the component proposing a new use of biometrics or a new biometric has the responsibility for evaluating and presenting the technical aspects, including matching and analysis, of the biometric and how it is to be integrated into operational protocols in support of organizational goals. The component agency or the BOCC should call upon research and development offices, as needed, to assist with the technical evaluation of the proposed biometric.
While it remains to be seen whether a new Administration, acting through new leadership at DHS, or Congress will carry forward any of these recommendations, many of these practices and changes could be incorporated into DHS’ biometric operations through component- or office-level process changes. Nonetheless, the Subcommittee’s work will undoubtedly garner a great deal of interest from congressional leaders and policy makers who will be looking at DHS operations in the coming year. More broadly, given the breadth and scope of the DHS biometrics enterprise, some of these recommendations may become programmatic best practices that could spread to other departments and agencies in the federal government. Companies and contractors looking to do business with the government should understand how federal program offices view these matters and what burdens might come with those business relationships. Last, and as we have seen in other similar areas, how the federal government views and handles the implementation of new, privacy-sensitive technologies can oftentimes become the standard of practice for technology companies. While legal and regulatory burdens on the federal government differ greatly from those on the private sector, tightening trends in federal practices can raise the level of expectation on companies handling similarly sensitive data.