Friday, January 16, 2004

The US-VISIT Program

Bruce Schneier wrote a great piece on the US-VISIT program for the current Crypto-Gram. My first thought, upon reading about the program on Slashdot about a week ago, was: where does Canada fit in it? This came up in answering one of the frequently asked US-VISIT questions on the U.S. Department of Homeland Security Web site: while Canada is not part of the U.S. Visa Waiver Program, existing agreements with the U.S. exempt most Canadians from having to submit their biometric data. Of course, this can change based on national need.

My second thought was retention. It's easy to collect data, but keeping track of what you've collected, throwing it out when you're done with it, that's tougher. To their credit, the U.S. DHS conducted a privacy impact assessment on the US-VISIT program that addressed many of the fair information practices, including limited collection, accuracy and individual access:
There is also some duplication in the types of data collected by each system. These inconsistencies and duplication result in some heightened degree of risk with respect to integrity/security of the data, and to access and redress principles, because personal information could persist on one or more component systems beyond its period of use or disappear from one or more component systems while still in use. These risks are mitigated, however, by having a Privacy Officer for US-VISIT to handle specific issues that may arise, by providing review of the Privacy Officer’s decision by the DHS Chief Privacy Officer, and, to the extent permitted by existing law, regulations, and policy, by allowing covered individuals access to their information and permitting them to challenge its completeness. Additionally, as an overarching mechanism to ensure appropriate privacy protections, US-VISIT operators will conduct periodic strategic reviews of the data to ensure that what is collected is limited to that which is necessary for US-VISIT purposes.

What's interesting is that this quote is taken from the section entitled Retention and Destruction. At no point does it discuss the destruction or deletion of the biometric data. And, again, it's easy to keep data around just in case. The scary part, though, is that when new systems are being developed and those involved are looking for ways to save money and avoid reinventing the wheel, these piles of data are pretty enticing. What happens if I'm separated from my biometric data? Oh, that's John, because he sent us this biometric data electronically, and look! It matches. No, actually it's just the person who has access to that data; it's been sitting on this decommissioned kiosk for the last two years, but hey, no worries, because you know what? John's fingerprints don't change a whole heck of a lot.

Yes, I know most sensible systems will only use stored biometric data in comparisons with what they get from me, right there, but convenience, assumptions, time constraints... System designers, project managers... They make mistakes. I'd just prefer that my data trail wasn't there, ready to be mucked with.
