Answer: In 2004, Congress required DHS to develop a biometric entry and exit system. In 2013, Congress transferred the entry/exit policy and operations to U.S. Customs and Border Protection (CBP). As part of the border security mission, the agency is deploying new technologies to verify travelers’ identities – both when they arrive and when they leave the United States – by matching a traveler to the document they are presenting.

Just before departure, international travelers’ photos are taken, by either CBP-owned cameras or equipment provided by the airlines or airport authority. CBP compares these photos with images from passports, visas and other travel documents in a secure environment using the Traveler Verification Service (TVS). These images include photographs taken by CBP during the entry inspection, photographs from U.S. passports and U.S. visas, and photographs from previous DHS encounters. CBP creates a record of the traveler’s departure from the United States in APIS as well as the Arrival and Departure Information System (ADIS) for lawful permanent residents and nonimmigrant aliens. See the TVS Privacy Impact Assessments (PIA) for more information.

The authority to collect biometrics from U.S. Citizens is based on the outbound border search authority, and the requirement for all U.S. Citizens to be in possession of a valid U.S. passport. These authorities are included in 8 CFR 235.1 and 8 U.S.C. §§ 1185(b).

The authorities include:

• 1996 Illegal Immigration Reform and Immigrant Responsibility Act: Creation of an automated system to record arrivals and departures of non-U.S. citizens at all air, sea, and land ports of entry
• 2002 Enhanced Border Security and Visa Entry Reform Act, the Intelligence Reform and Terrorism Prevention Act of 2004, and the Implementing Recommendations of the 9/11 Commission Act of 2007: Establishment of a nationwide biometric entry-exit system.
• Consolidated Appropriations Act of 2016: CBP Authorization to spend up to $1 billion in certain visa fee surcharges collected over 10 years for biometric entry and exit implementation
• Executive Order 13780, “Protecting the Nation from Foreign Terrorist Entry into the United States” March 9, 2017: DHS requirement to “expedite the completion and implementation of a biometric entry-exit tracking system for in-scope travelers to the United States.”
• 8 U.S.C. §§ 1185(b): Discusses the requirement for U.S. Citizens to have a valid passport for both entry and exit.

Individuals seeking to travel internationally are subject to the laws and rules enforced by CBP and are subject to inspection.  If a U.S. citizen, however, requests not to participate in the Traveler Verification System, specified agreements between CBP and the partner airline or airport authority will guide alternate procedures.  For some participating airlines, a traveler may request not to participate in the TVS and, instead, present credentials to airline personnel before proceeding through the departure gate.  In other cases of an opt-out, an available CBP Officer may use manual processing to verify the individual’s identity.

CBP is committed to protecting the privacy of all travelers.  Toward this end, CBP has embedded four primary safeguards to secure the data and reduce the potential that the photos may be lost or stolen:

• Secure Encryption: CBP uses HTTPS/SSL encryption for data transfer between the camera, the Virtual Private Cloud (VPC) and CBP systems as well as for PII at rest.
• Biometric Templates: CBP creates biometric templates of each of the (1) historical photos and (2) newly-captured exit photos for matching and storage.  What are biometric templates?
  • Strings of multiple numbers representing images
  • Can be matched against other templates that represent facial images
  • Irreversible—cannot be reverse-engineered for viewing by anyone outside of CBP
• Brief Retention Periods: All photos and templates are deleted from CBP systems within 14 days of capture and are purged from the TVS cloud matching services before the conclusion of the flight. However, CBP biometrically confirms the exit of in-scope U.S. citizens, creates an exit record and maintains these records in accordance with the published PIAs and System of Records Notices (SORN).
• Secure Storage: Facial images are stored in secure CBP systems and secure cloud environment (for a very brief period of time), thus mitigating potential privacy risks.
  • The Cloud Service Provider (CSP) will adhere to the security and privacy controls required by National Institute of Standards and Technology (NIST) Special Publication 800-144, “Guidelines on Security and Privacy in Public Cloud Computing,” and the DHS Chief Information Officer.

The CBP Office of Information and Technology (OIT) has conducted an initial security review of the Virtual Private Cloud (VPC), the cloud-based matching service, and approved the system for interim deployment; a full security review and privacy compliance review will follow in early 2018.

CBP temporarily retains all photos for up to 14 days in CBP systems to support system audits, to evaluate the TVS facial recognition technology, and to ensure accuracy of the facial recognition algorithms. CBP deletes all biometric data—newly taken photos, templates and match scores—from the TVS cloud matching service by the end of the flight.

The images taken will be used to assist the CBP Officer in determin­ing that the traveler is the true bearer of the document. The photos will be deleted within 14 days of capture. CBP is dedicated to protecting the privacy of all travelers. More information is available at www.dhs.gov/privacy-impact-assessments. Click on "CBP" at the left and Traveler Verification Service or "TECS" for more information.

CBP partners do not collect photographs under CBP authorities. The air carriers, who work in partnership with CBP, are collecting images pursuant to their relationship with the travelers.  They may use the photographs consistent with that authority, choose to share those images with CBP for the purposes of efficiencies and the enhanced accuracy of traveler identity verification, which meet the statutory biometric exit mandate.

As part of its agreements with industry partners, CBP requires its partners to encrypt the biometric data, both at rest and in transit. However, because CBP partners sometimes store photos temporarily using their own IT infrastructure, CBP cannot fully mitigate these inherent security risks. Only authorized representatives of the approved CBP partner will have access to the collection device.

Updates will be published prior to each future change for full transparency and in compliance with the Privacy Act and E-Government Acts. The website will be updated, as needed, with PIA’s published regulations.