The GAO’s Rebecca Gambler credited the CBP for making progress in its audit program, and for posting privacy notices for the public at border checkpoints.
US Customs and Border Protection needs to audit more of its partners in its countrywide biometric border protection program, according to a representative from the Government Accountability Office. Speaking during a House Homeland Security subcommittee hearing, Rebecca Gambler added that the CBP’s audits need to extend not just to more of its airline partners, but also to land and seaport partners.
As Nextgov reports, the GAO had previously noted in 2020 that only one of the CBP’s partners – which numbered 27 at the time – had been audited by the CBP with respect to its privacy and security policies. Through its biometric border screening program, the CBP has been matching travelers’ faces to their passports and its own databases, and the sensitive data it has been collecting needs to be protected.
Gambler, the Director of the GAO’s Homeland Security and Justice team, told the subcommittee hearing last week that the CBP has now conducted five audits of “partners in the air environment”. Meanwhile, the border screening program has expanded dramatically, with the CBP’s “Simplified Arrival” system now scanning travelers entering the country at all US airports, and having the capability of scanning those leaving the country at 32 airports.
Similar face-scanning border control systems, though lacking the “Simplified Arrival” branding, are now in place at 26 seaports and all 159 land ports.
From the GAO’s perspective, that level of scope requires more security and privacy audits. “To fully implement our recommendation,” Gambler explained, “they need to audit partners not just in the air environment, but also in the land and sea environment, and they need to ensure they’re conducting those audits on their contractors and vendors as well.”
That could mean an audit for a company like Carnival Cruise Line, which has been working with the CBP to extend biometric screening to cruise ship passengers. And the recommendation is not merely a sensible precaution: in 2019, the CBP revealed that one of its subcontractors had fallen victim to a cyberattack that leaking biometric and license plate information of individuals who were scanned when crossing a land border. The CBP may be able to protect its own databases, but it must also ensure that its partners have the same capability.
The GAO’s Gambler, for her part, credited the CBP for making progress in its audit program, and for posting privacy notices for the public at border checkpoints. But the CBP will also face pressure from lawmakers, with Rep. Nanette Barragán, D-Calif., the chair of the House Homeland Security Subcommittee on Border Security, Facilitation and Operation, asserting during the hearing that the CBP must build “a robust system for conducting audits”, which “are vital to building public trust.”
Aug. 3, 2022 – by Alex Perala