A Dramatic Expansion of Biometrics Proposed by Department of Homeland Security

By Jennifer K. Wagner, J.D., Ph.D.


On Sept. 11, 2020, the Department of Homeland Security (DHS) issued a notice of proposed rulemaking (NPRM) on the “Collection and Use of Biometrics by U.S. Citizenship and Immigration Services.” The NPRM involves a dramatic shift in policy, expanding the types of biometrics collected and broadening the use of biometrics significantly. Despite the complexity and magnitude of the proposed policy changes within the NPRM, DHS has limited the opportunity for public comments to a mere 30 days, requiring comments to be submitted by Oct. 13, 2020.


What is in this NPRM?

In its announcement of the NPRM, DHS indicated that its intention was to reduce the immigration system’s reliance on documents and other forms of biographical information to demonstrate identity and familial relationships and expand its reliance on biometrics.


DHS seeks to establish its own standard definition of “biometrics” that would apply uniformly. Based on this new definition and deployment of a novel term of art (“authorized biometric modalities”), DHS will determine for itself which kinds of biometrics it will collect and use. This rhetoric device of “biometric modalities” would presumably enable DHS to collect and use palm prints, voice prints, iris scans, facial imaging, and DNA data even in contexts in which the statutory authority only anticipated or referenced signatures, fingerprints, and traditional photographs. Notably, DHS is expressly advancing its interest in mass collection of facial imaging “specifically for” use with highly controversial facial recognition technologies, which (1) were already known empirically to have been heavily biased and remain heavily biased and (2) have increasingly drawn fierce criticisms from Congress. Another major change proposed by DHS is to eliminate age restrictions for biometrics to allow for their collection and use for across the lifespan (from pre-womb to tomb, so-to-speak) and to eliminate the presumption of good moral character for people under 14 years of age.


Additionally, DHS expressly plans to authorize the collection and use of biometrics for a wide range of purposes, including “[i]dentity enrollment, verification, and management in the immigration lifecycle; national security and criminal history background checks; determinations of eligibility for immigration and naturalization benefits; and the production of secure identity documents.” (85 FR 56355). This expansion marks a dramatic shift toward continuous dataveillance of not only immigrants but also U.S. citizens and lawful permanent residents. The NPRM itself notes DHS made the decision to move “beyond only eligibility and admissibility determinations” in order to enable “identity management” and “enhanced vetting.” (85 FR 56350) This pursuit of “enhanced vetting” from the current administration has involved a blunt approach to the Privacy Act of 1974 and a major departure from agency privacy practices that recognized the critical importance of nuance, context, and discretion in the application of the Privacy Act of 1974 to non-resident foreigners.


What is the broader significance of the NPRM to biometrics and data privacy in the United States?

Data privacy is highly contextualized and compartmentalized in the United States, where, contrary to other parts of the world, data protection is not yet recognized as a fundamental human right. The “enhanced vetting” and discontinuation of privacy protections for those who are not U.S. citizens or lawful permanent residents has major implications for the future of privacy and dataveillance for everyone in the United States. Interestingly, footnote 30 of the NPRM directs readers to https://www.dhs.gov/privacy for the DHS Privacy Impact Assessment for Continuous Immigration Vetting (Feb. 14, 2019), but no such document is available at that location, and the item is not listed among the “Privacy Reports” or among “Privacy Policy” materials. Rather, those interested in this privacy impact statement must work to find it.


The privacy guidance currently in place is that which was rushed in February 2017 following Executive Order (E.O. 13,768) issued on Jan. 25, 2017, which mandated agencies to “ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” (emphasis added). Parts of that Executive Order were already deemed unconstitutional, and privacy experts who analyzed E.O. 13,768 for the World Privacy Forum have concluded it could “fatally undermine” the then fragile EU-US Privacy Shield Agreement. On July 16, 2020, that privacy shield was, in fact, invalidated by the Court of Justice of the European Union in its Schrems II decision, albeit without direct reference to E.O. 13,768. The Court of Justice explained (with emphasis in the original):


In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.


Another perplexing aspect of the proposal involves the DHS plans for “transitioning to a person-centric model for organizing and managing its records” (85 FR 56351). This—what appears to be the beginning of a mandatory national biometric database for “identity management” (1) containing comprehensive dossiers of biographical information as well as DNA, faceprints, and other biometrics, (2) relying upon immigrants and their sponsors as the initial data subjects to develop and test those policies and processes, and (3) providing flexibility for DHS to make future changes to the types of biometrics (these so-called “biometric modalities”), the scope of individuals to whom the practices might be applied, and purposes for using the biometrics—is a highly complex and controversial initiative that requires close scrutiny and proper advance planning for the technical and ethical debts associated with it. In 2013 the late Justice Antonin Scalia wrote in a dissenting opinion (in a case involving law enforcement’s collection and use of DNA data pursuant to specific statutory authorization from Congress to do so), “Perhaps the construction of such a genetic panopticon is wise. But I doubt that the proud men who wrote the charter of our liberties would have been so eager to open their mouths for royal inspection.”


Details regarding data sharing with other agencies are absent from the NPRM; however, the NPRM does purport to give DHS considerable leeway by allowing DHS to share, for example, DNA test results and DNA data “with other agencies where there are national security, public safety, fraud, or other investigative needs.” How does this proposed identity management system of the U.S. DHS differ from, for example, the reported dataveillance tactics used by the Chinese government against the Uighurs and other ethnic minorities, which sparked an advisory warning from the U.S. Department of State, Commerce, Homeland Security, and Treasury on July 1, 2020? In that advisory warning, the U.S. government criticized the “unprecedented, intrusive, high-technology surveillance system across Xinjiang” and called into question the veracity of the government’s justification (i.e., combatting terrorism and religious extremism), noting that “surveillance infrastructure is facilitating human rights abuses, including abuses of the right to be free from arbitrary and unlawful interference with privacy, religious freedom, freedom of movement, and freedom of expression, which are protected by the Universal Declaration of Human Rights (UDHR).”


While DHS notes in the NPRM that those required to submit biometrics “could possibly be apprehensive about doing so and may be have concerns germane to privacy, intrusiveness, and security, Data security can be considered a cost.” (SIC, 85 FR 56388); however, the phrases “cybersecurity,” “data privacy,” “information privacy,” “data access,” “data misuse,” “bias,” “data justice,” and “dataveillance” are wholly absent from the NPRM, making it unclear how much attention has been paid to these key considerations.


Concluding Remarks

While many might agree that the U.S. immigration system is in dire need of modernization and that there might also be legitimate reasons to carefully modernize collection and use of biometrics within that system, this NPRM raises significant questions as to whether DHS has attempted to hijack the constitutionally-protected role of Congress to make and reform immigration law and whether the proposed policy would itself violate international human rights.


Quite simply, this is an “all hands on deck” situation. While input from experts in immigration, family, constitutional, administrative, and national security law is unquestionably needed, the importance of cybersecurity and data privacy law attorneys and scholars weighing in on the ramifications of this approach to biometrics proposed by DHS cannot be overstated. The public has a window of opportunity—albeit a rapidly closing window of opportunity—to voice perspectives on the NPRM issued by DHS on the “Collection and Use of Biometrics by U.S. Citizenship and Immigration Services” (Docket Number USCIS-2019-0007). Comments are due by October 13, 2020 and may be submitted at https://www.regulations.gov/document?D=USCIS-2019-0007-0001.



Jennifer K. Wagner, J.D., Ph.D., is a solo practicing attorney and also conducts research as an Assistant Professor in the Center for Translational Bioethics & Health Care Policy at Geisinger. She is a former contributing editor of the Genomics Law Report and has published scholarly articles in prominent legal and scientific journals, including the Journal of Law & Biosciences; Journal of Law, Medicine, & Ethics; Albany Law Journal of Science & Technology; Virginia Sports and Entertainment Law Journal; North Carolina Journal of Law and Technology; Nature Communications; Nature Medicine; American Journal of Human Genetics; Genetics in Medicine; and PLOS Genetics. She served as a AAAS Congressional Fellow in a U.S. Senator’s office in 2014-2015, and her work has been cited by the Supreme Court of the United States. You may follow her on Twitter as @DNAlawyer.

About: PBA Cybersecurity and Data Privacy

The Pennsylvania Cybersecurity and Data Privacy Committee analyzes cybersecurity issues and educates PBA members about legal, regulatory and industry standards that preserve the confidentiality of protected information.

Leave a Reply

Your email address will not be published. Required fields are marked *