Last week, the U.S. House Homeland Security Committee (the “Committee”) held a hearing on “Examining Physical Security and Cybersecurity at Our Nation’s Ports” that sought to identify and understand cyber threats posed by vulnerabilities at seaports, and explore potential mitigation strategies to protect industries and individuals at the nation’s borders. The hearing came on the heels of a new bill proposed by the House of Representatives and passed by the Committee on October 4, entitled the Border Security for America Act (the “Act”), that could implicate privacy concerns and data-sharing obligations of these same individuals and businesses. Among other heightened data collection efforts, the Act seeks to establish a biometric exit data system to collect and verify information on the movement of persons (e.g., passengers, longshoremen, crew members, and others) entering U.S. ports while having ”the least possible disruption” on the movement of cargo.
In advance of the cybersecurity hearing last week, the Electronic Privacy Information Center (“EPIC”), a leading public interest research center in the field, submitted a statement for the record to the Committee raising concerns about the Act. EPIC noted that “there are a lack of well-defined federal regulations controlling the collection, use, dissemination, and retention of biometric identifiers,” and highlighted the potential risks of combining biometric data with other Federal databases, which the Department of Homeland Security would be able to do under the Act’s exemption from existing government restrictions on personal data collection.
A potential benefit of biometric identification or authentication is that certain identifiers can be unique enough to be essentially impossible to fake, thereby mitigating some cybersecurity risks of unauthorized access or use of systems controlled by biometric access. However, if a biometric database like the one the Act could create (and ones that already exist for other law enforcement purposes) were to be compromised, it could result in dangerous vulnerabilities that would be difficult to mitigate. Although the Act takes the costs of implementation and potential risks of a biometric exit data system in general, it does not directly address privacy or security risks posed by such a system, or suggest a consent framework for how such data might be collected.
Although enhanced surveillance techniques can be important tools to combat physical and cybersecurity risks, their implementation without proper safeguards may result in the unnecessary collection of sensitive personal and business/employee data, particularly of subjects that engage in frequent cross-border activity, like the maritime industry. While the Act still has several steps to go through before becoming law, these recent developments provide insight into current legislative thinking around increased surveillance, and the trade-offs that can occur between cybersecurity and privacy as a result.