Introduction

     A policy allowing for an expanded biometric collection ignores the significant threat to privacy harms for anyone who engages, participates, or otherwise comes in contact with immigration in the country and poses a significant harm to immigrant communities, refugees, asylum seekers, unaccompanied minors, and crime victims. An expanded use of DNA and other biometric modalities perpetuates the harm against this vulnerable population by exposing them to their predators, in light of the weak privacy laws in the country.

     This article will focus on weighing the expected qualitative and quantitative benefits of any expanded use of biometrics by the government against the burden of the harms it presents. In October 2020, the Department of Homeland Security, on behalf of the USCIS, proposed that biometrics are to be collected from individuals filing immigration applications or petitions, see infra. Specifically, the agency proposed to require biometrics from U.S. citizens or lawful permanent residents when they submit a family-based visa petition to comply with the Adam Walsh Child Protection and Safety Act of 2006 (AWA). The Adam Walsh Act prohibits the agency from approving family-based immigrant visa petitions and nonimmigrant fiancé visa petitions if the petitioner has been convicted of certain offenses. This proposal was made despite no known challenges to the effectiveness of the sex offender registry system and background checks that the agency has been using and neither did it explain why an expanded biometric collection would help determine that a petitioner is disqualified from submitting a family-based visa petition under the Adam Walsh Act. This proposed rule was withdrawn as of March 2021. I revisit the issue and recapitulate the arguments for and against it.

Expected Benefits and Harms of an Expanded Biometrics Collection

     An expanded biometrics collection can be a way to increase the U.S. Government's capabilities of determining the identity of a child who may be vulnerable to gang affiliation, human trafficking child sex trafficking, forced labor exploitation, and alien smuggling. Moreover, the expanded use of biometric information may prove useful with its ability to limit identity fraud because biometrics technologies measure unique physical characteristics and more difficult to falsify than biographic documents.

     However, the overwhelming body of literature that warns against increased personal data collection naturally goes against this shift in priorities. As William Prosser wrote over 40 years ago, new technologies, such as biometrics, have given rise to a panoply of new privacy harms. Daniel Solove, in his work, ‘A Taxonomy of Privacy,[1]notes that some of the privacy problems we face today are different in nature, and do not track traditional conceptions of privacy. They involve efforts to gain knowledge about an individual without physically intruding or even gathering data directly from them (aggregation), or problems that emerge from the way that the data is handled and maintained (insecurity), the way it is used (secondary use), and the inability of people to participate in its processing (exclusion). Modern privacy problems emerge not just from disclosing deep secrets, but from making obscure information more accessible (increased accessibility) or from consistent observation or eavesdropping (surveillance).[2]

Privacy Harms and Data Insecurity

     Solove explains that the privacy harm in personal information collection is not only mere disclosure of one's identity but that it is a problem of insecurity – the harms caused by the way our information is handled and protected.[3]  Insecurity is related to aggregation, “as it creates risks of downstream harm that can emerge from inadequate protection of compendiums of personal data.” Insecurity is also related to identification—it often occurs because of difficulties in linking data to people.[4]

      Further, Solove observes that in cases involving the constitutional right to privacy, courts have sometimes recognized insecurity as a privacy harm.[5] Solove went on to explain that insecurity is the injury of being placed in a weakened state, of being made more vulnerable to a range of future harms. In Whalen v. Roe,[6] the Court observed that the government's collection of personal data for its record systems “is typically accompanied by a concomitant statutory or regulatory duty to avoid unwarranted disclosures.” Thus, without any such statutory safeguards, it is reckless to expose individuals to future harms under the current privacy framework in the United States that does not give individuals the power to protect their privacy, such in controlling how their personal data is gathered, collected, stored, or sold, and more distressingly, how their biometric data is being used against them.

Redefining Biometrics and the Increase of Use of Other Biometric Modalities

      Increasing the biometric modalities to include palm prints, facial and iris image, and voice prints would allow the government to keep up with technological developments in this area and “adjust collection practices for both convenience for applicants and petitioners and to ensure the improved service for all stakeholders.”[7]

     This position fails to state how it, in keeping up with technological advancements in biometrics, would protect individuals from the increasing technological problems unique to the collection of biometrics. Biometric information collection poses risks that are much higher than general information and data security risks. The overwhelming problem is that biometric characteristics are irreplaceable and perhaps most importantly, “they are, by their nature, identifying information.”[8]  

     An imperfect definition of biometrics, by itself, diminishes the extent of potential harm created by its extensive collection. For our purposes, biometrics is properly defined as biological measurements of an individual's physiological or behavioral traits that may be used to identify that individual. Biometric characteristics can be broken down further into physiological characteristics, or those that concern the body's composition and measurements such as hand geometry, fingerprints, DNA, and face, retina, iris, or ear features; and behavioral characteristics which concerns a person's measurable patterns such as “typing rhythm, gait, and voice, which can be used to continuously identify an individual”.[9] Biometric data is unlike any other personal data collected about individuals; biometric characteristics are personal to each individual, permanent, and indispensable. Once an individual's characteristic is in a database, it is compared to new records.[10] Biometric authentication can then be used to either verify an individual's identity, or to identify an unknown person.[11]

Data Breach and Identity Theft

     As data breaches grow more common, collected and aggregated biometric data are at a high risk for security breaches even in the hands of the government. In 2014, for example, a data breach of government databases at the U.S. Office of Personnel Management led to the theft of an estimated 22 million people's personal data, where fingerprint data of about 5.6 million people was stolen.[12] As the breach at the U.S. Office of Personnel Management demonstrates, when biometric information is collected and stored in a database, there is always the possibility of that information being stolen and subsequently used.

      Stolen biometric information poses unique problems for consumers since biometric information is permanently associated with a use and once stolen, it is out of the user's control forever.[13] An individual cannot change his or her fingerprints or get new ones to replace stolen fingerprints.[14] This is aggravated by the fact under our current federal privacy framework, individuals do not have the explicit right to learn what information is collected and stored about them, who holds their personal information, or the methods that are used by entities collecting their personal information, or whether their personal information has already been compromised unless it shows up in the form of, say, credit card fraud. This is closely related to the problem of identity theft.

     Identity theft is made possible because we all have “digital dossiers”—extensive repositories of personal information about us—that are maintained by various companies and institutions.[15]  The FTC sums the problem up well: “Consumers face a landscape of virtually ubiquitous collection of their data.”[16] Thus, victims of identity theft are submerged into a bureaucratic hell where, according to one estimate, they must spend approximately two years and almost 200 hours to decontaminate their dossier.[17] The careless use of data by the government makes the crime of identity theft incredibly easy.[18]

Discrimination

     Scientific advancement in genetics could create a new way to discriminate against individuals that could be magnified by an extensive biometric collection as already recognized by U.S. laws.

     For example, the Genetic Information Nondiscrimination Act (GINA), enacted in 2008, recognized the need to protect individuals from discrimination based on their genetic information with regards to health insurance and employment.[19] A large part of the drive behind the enactment of GINA was the “fears of misuse of genetic information[,]” which parallels the growing fear of the misuse of biometric information.[20] Despite the fact that genes are “facially neutral markers,” Congress found that some genetic conditions are associated with certain racial groups, ethnic groups, or genders and thus could be used to discriminate against or stigmatize specific groups of people. Congress also found that federal law governing genetic discrimination was “incomplete in both the scope and depth of its protections.”[21] While some states had enacted their own laws prohibiting genetic discrimination, Congress found that the state laws varied on “approach, application, and level of protection” and were not only confusing but also did not protect the public from discrimination. These same concerns underlie the collection of biometric data.[22]

Complete or Partial DNA Profile or DNA Results

       DNA testing may provide a quicker and more effective technology as a means to demonstrate or verify the existence of a claimed genetic relationship than the current reliance on primary and secondary records and document-based evidence that may be unreliable or unavailable. However, the potential harm of this proposed scheme of genetic verification exceedingly outweighs any articulated purpose.    

      Mass DNA collection presents serious issues. First, mass collection could easily shift the purpose of DNA collection from one of identity verification to one of population surveillance. Collection of DNA profiles or DNA results could also open the floodgates to DNA profiling. DNA profiling can be used to discriminate against individuals whose profiles are deemed to pose safety and security risk through adverse selection that is automated through a biometric system that is designed, for example, with algorithmic bias. DNA profiling is extremely hazardous when results are inaccurate or are used to discriminate. The impending usage of a DNA warehouse, which could be deemed as a national DNA database, poses many possible risks of political and commercial abuse of such information as an affront to dignity,[23] or that could influence decisions on loans, hiring practices, insurance rates, or political harassment.[24] 

     Further, conformity with the privacy laws in the country such as the Privacy Act of 1974[25] is problematic in that it requires federal agencies maintaining personal data to “establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records.” Without appropriate safeguards and sufficient justification for warehousing DNA profiles, a mass DNA collection is bound to create a massive loophole of privacy violations.

End Notes

[1] Daniel J. Solove, A Taxonomy of Privacy, 154 U. Pa. L. Rev. 477 (2006)

[2] Id.

[3] Id.

[4]Id.

[5] Id.

[6] Whalen v. Roe, 429 U.S. 589 (1977)

[7] "Collection and Use of Biometrics by U.S. Citizenship and Immigration Services," available at https://www.regulations.gov/docket/USCIS-2019-0007

[8] Hannah Zimmerman. "The Data of You: Regulating Private Industry's Collection of Biometric Information". Kansas Law Review, Kansas Law Review Inc. 2018: vol. 66(3).

[9] Salil Prabhakar et al., Biometric Recognition: Security and Privacy Concerns, IEEE SECURITY & PRIVACY, Mar-Apr. 2003, at 33, 33, available at http://biometrics.cse.msu.edu/Publications/GeneralBiometrics/ PrabhakarPankantiJain_BiometricSecurityPrivacy_SPM03.pdf.

[10] See Zimmerman, supra note 8

[11] Id.

[12] David E. Sanger, Hackers Took Fingerprints of 5.6 Million U.S. Workers, Government Says. Ruth Fremson/The New York Times, September 23, 2015, available at https://www.nytimes.com/2015/09/24/world/asia/hackers-took-fingerprints-of-5-6-million-us-workers-government-says.html

[13] See Zimmerman, supra note 8

[14] Id.

[15] See Daniel J. Solove, The Digital Person: Technology and Privacy in the Information Age. 97-101 (2004), New York University Press

[16] Anne T. McKenna, Pass Parallel Privacy Standards or Privacy Perishes, 65 RUTGERS L. REV. 1041, 1080-81 (2013).

[17] Id.

[18] Id.

[19] Genetic Information Nondiscrimination Act of 2008, Pub. L. No. 110-223, 122 Stat. 881 (codified as amended in scattered sections of Titles 29 and 42 of the United States Code). See Jessica L. Roberts, The Genetic Information Nondiscrimination Act as an Antidiscrimination Law, 86 NOTRE DAME L. REV. 597, 599 (2011)

[20] See Zimmerman, supra note 8

[21] Id.

[22] Id.

[23] See Solove, supra note 2

[24] Id.

[25] See supra