DHS’s forthcoming biometrics system presents unmitigated privacy risks
The Department of Homeland Security’s forthcoming biometrics system comes with partially mitigated and unmitigated privacy risks, from those posed by deepfakes to unintended sharing of sensitive data, according to an assessment released recently.
DHS intends to replace its Automated Biometric Identification (IDENT) system with the Homeland Advanced Recognition Technology (HART) system for storing and processing digital fingerprints, facial images and iris scans.
The Office of Biometric Identity Management will launch HART in four phases, with phase 1 covering data architecture, migration to the Amazon Web Services GovCloud and a matching capability this fiscal year. DNA is not part of phase 1.
Before agencies can begin using HART’s fingerprint matching and facial recognition services in law enforcement, immigration and background investigations, the system requires an authority to operate — pending a privacy impact assessment. That recently conducted assessment uncovered numerous partially mitigated privacy risks, including that HART may collect and share more information than required because it does not distinguish between the services it provides when gathering biographic data.
Information sharing agreements dictate the data HART disseminates, but the Office of Biometric Identity Management does not own the data. Rather, data providers choose what data to withhold using system business rules, which can block sharing in response to a query.
HART users can manually apply derogatory information, which may identify someone as unsuitable and degrade data quality, an unmitigated risk. But the DHS office does coordinate and train users on sharing derogatory information, according to the assessment.
Deepfakes — images or video modified using an algorithm to appear authentic — could also thwart HART’s iris and facial recognition services. OBIM is currently researching countermeasures.
“The OBIM Biometric Guidelines will recommend that data collectors use liveness detection devices at the point of collection in order to minimize the impact of deep fakes,” reads the assessment. “OBIM will also position itself with HART to evaluate the best biometric alteration detection tools in order to protect the system’s data integrity.”
OBIM currently retains juvenile biometrics in accordance with a DHS memo, but the agency is working to isolate the data because of the risk that it produces inaccurate results as people age and because of poorer image quality.
The fact that HART relies on data from outside providers means OBIM can’t fully ensure people are aware that information collected on them is stored in the system. People may also not be aware of indirect data collection, though HART doesn’t retain fingerprints or facial images it links to the biographic information of those identified as bystanders or victims.
Data owners control retention schedules, which runs the risk that HART retains biometrics longer than needed. For that reason, the DHS Privacy Office recommended OBIM issue guidance on how long biometrics remain valid for comparison.
Records may not be deleted by data owners in a timely fashion, an unmitigated risk. While OBIM issues guidance on the Delete Encounter Service and DHS oversight offices may audit the process, the Privacy Office recommended OBIM set retention during organizations’ onboardings to automatically delete data and annually review those settings.
HART also doesn’t apply caveats alerting users to special protected class, refugee or asylee status, which could result in sensitive data being shared with unauthorized groups.
While foreign partners may audit data from HART, the lack of caveats also runs the risk they receive sensitive data. So the DHS Privacy Office recommended OBIM use caveats to make them aware of data use restrictions.
The Privacy Office also recommended OBIM establish a review cycle for filters placed on data with their owners and implement technology allowing users to read caveats.
A risk that people, and foreigners in particular, may not be able to correct inaccurate HART information is partially mitigated by the DHS Traveler Redress Inquiry Program (TRIP) process, according to the assessment.
OBIM plans to update the privacy impact assessment with each new phase of HART.
“Increment 2 will provide additional biometric capabilities to HART to meet customer needs and provide increased interoperability with agency partners and improved reporting features,” reads the assessment. “Increments 3 and 4 will include a web portal and user interface capability, support for additional modalities, and improved reporting tools.”