Customs and Border Protection says AI model cards are ‘law enforcement privileged’

The “nutrition labels” for two artificial intelligence-based border security applications used by a Department of Homeland Security component are too sensitive to be fully released to the public, according to the agency, a stance that some government experts say could be overly broad.

In response to a Freedom of Information Act request by FedScoop, Customs and Border Protection recently released model cards for the border security apps that were heavily redacted. The cards are supposed to reveal how well these AI systems actually work and other technical specifications.

The documents concern two AI use cases: a passport anomaly model and a commodity detection model. The first system, the agency said, is meant to help CBP officers identify passports that might need further examination. The second combines computer vision, a neural network, and object detection technology to predict what commodity code should be associated with an image.

Model cards are descriptions that explain the basic parameters of how an AI system is designed and what it does.

“It is meant to be a tool for communicating specific requirements and potential risks and harms for any associated algorithm or AI system that is being used,” explained Varoon Mathur, an AI engineer who previously worked for the Department of Veterans Affairs and the Federal Trade Commission. 

“It’s not that the model card doesn’t usually exist. I think this sort of proves that they do, and they’re generally used as an acceptable form of translating engineering requirements,” Mathur added. “But the amount of sensitive information sometimes in these documents prevents folks from wanting to put them out there.”

Almost every aspect of the model cards was redacted by CBP, including details about technical composition, passport validation indicators, and performance for the first model. For the second model, information about training data and intended use was blacked out. All of the redactions cited exemptions to FOIA related to law enforcement techniques. 

“CBP FOIA and use-case [Subject Matter Experts] redacted the information to ensure law enforcement privileged information regarding targeting model methods, weaknesses, and resolutions remains unknown,” said a spokesperson for the DHS component. “This information would also educate adversaries on threats and techniques and assist them in evading law enforcement if CBP provides information on how it builds, trains, and applies these AI models — causing the models to become obsolete.”

Still, one page of the passport model documents reveals that the passport indicators for the system are passport number, issue date, date of birth, and issue country — and that the system uses an ensemble model that combines logistic regression, conditional probability, date range, and association rules.

“A unique ensemble model exists for each of the 64 passport models,” noted a page of the technical specifications. “The model uses passport data from Automated Targeting System-Passenger (ATS-P), electronic chip (eChip) data, and Visa.”

It’s not clear why those details were included on a single page when the rest were redacted. 

The State Department and the Federal Aviation Administration have both released similar specifications in response to public records requests, FedScoop reported previously.

Alex Howard, a government transparency advocate, said he was surprised the law enforcement exemption was applied, rather than one concerning proprietary business information. 

“These look like overbroad exemptions that might be successfully challenged on appeal or in court, with respect to the public interest value of understanding how a public agency is using data and AI for law enforcement purposes,” Howard said. 

“While it’s likely that they’d claim sources and methods must remain secret, the data used to train the AI is critical to understanding any inherent bias or discrimination present in the tool,” he added. “The vendor for the service shouldn’t be secret, either.”