Watchdog urges change of HART: Late, expensive US biometric ID under fire

Twice delayed and over budget, the US Department of Homeland Security (DHS) has been told by the Government Accountability Office (GAO) that it needs to correct shortcomings in its biometric identification program.

In a report issued on Tuesday, the GAO chided DHS for failing to stay on schedule and for cost overruns, and for cost estimates that don’t follow best practices for ensuring accurate calculations.

The watchdog agency also advised DHS to take various steps to address privacy concerns about the system, such as updating its 2020 Privacy Impact Assessment (PIA) “to fully describe the categories of individuals whose data will be stored in HART and the partners with whom the system shares information.”

The DHS PIA, the watchdog said, was missing key information, including “(1) individuals whose data will be stored in the system and (2) the partners with whom the system will share information. “

The report notes that there are about 140 partners involved and, given the varied retention periods for the data at issue, there’s a risk some partners may not properly dispose of personal information.

Back in 2015, the DHS Office of Biometric Identity Management (OBIM) decided to replace its existing identity management system, known as the Automated Biometric Identification System (IDENT), with “an enhanced, scalable, modular, and multimodal identity management system to be known as the Homeland Advanced Recognition Technology (HART) system.”

DHS envisions the system, initially projected to cost about $4.2 billion and to be completed by 2021, being used for applications like identity checks at border crossings, general law enforcement, intelligence operations, and interactions with international partners.

In 2019, the completion date was pushed back to June 30, 2024. Last year, a subsequent schedule adjustment and budget increase of $354 million left the project without a planned date of completion.

The HART project has become a magnet for concern about how the government will use and share biometric information, such as fingerprints, face scans and iris scans, DNA data, and other personal information.

In 2019, the DHS outlined some of HART’s technical characteristics in a Request for Information [PDF] from potential contractors. “HART will reside in the Amazon Web Services (AWS) FedRAMP certified GovCloud. Data will be stored in PostgreSQL databases for textual data and Amazon S3 data stores for image data. HART will feature a microservice architecture based on RedHat OpenShift. Biometric matching capabilities for fingerprint, iris, and facial matching will be integrated with HART in the AWS GovCloud.”

A 2020 report [PDF] from the Congressional Research Service outlines the legal risks of using facial recognition technology. Specifically, it explores potential free speech and unreasonable search claims under the First and Fourth Amendments, and equal protection/discrimination claims brought under the Fifth and Fourteenth Amendments.

In November 2021, The National Immigration Law Center published concerns [PDF] that DHS has failed to clarify how the HART system works, how the government will engage with commercial partners, and what safeguards will be put in place.

This mass biometric data collection is a deep invasion of privacy, an assault on human rights

And the following year, dozens of advocacy groups wrote [PDF] to Amazon Web Services CEO Adam Selipsky urging the company to end its plan to host HART.

“This mass biometric data collection by DHS is a deep invasion of privacy, an assault on human rights, and places hundreds of millions of people at risk of raids, detentions, deportations, and family separation,” the groups said. “By hosting DHS’ HART database, AWS is directly facilitating the creation of an invasive biometrics database that will supercharge surveillance and deportation, risking human rights violations.”

The GAO has listed nine recommendations, and says it will provide updates on its website once it can confirm that DHS has taken action. Two of these focus on applying best practices for cost estimates and the remaining seven cover privacy-related disclosures or commitments.

In Appendix IV of the report [PDF], Jeffrey Bobich, Director of Financial Management for DHS, says that the security agency concurs with the GAO recommendations and outlines how the cited concerns will be addressed. ®

READ MORE HERE