According to its February report, the U.S. Customs and Border Protection used facial recognition tools to scan over 23 million travelers’ faces at 30-plus points of entry in 2020, and failed to turn up a single example of an individual impersonating someone else at an airport.
<p>Facial recognition over the past several years has been an active tool within various government groups, whether at the local, state, or federal level. Regarding CBP, their use has the citizen or visitor standing in front of them with their passport. By scanning the passport and using the facial recognition system, the agent can determine if the person is the right person or an imposter. <br /><br />Having no imposters come through in 2020 and with 23 million coming into the U.S. could be due to lockdowns in various countries and restrictions on travel, which might have slowed imposters\’ progress to gain entry in the U.S. illegally.<br /><br />While the report does not provide any data or audit results, it\’s unclear whether the Government Assurance Office (GAO) conducted any test with a \"fake\" imposter to see if they could bypass the CBP. </p> <p>In cybersecurity or physical security, organizations want to test and monitor their perimeters, whether electronic or physical. These audits can determine any areas of improvement and if the processes and procedures are operating as required.</p>
<p>We should not assume that the CBP facial recognition tools have failed simply by a lack of imposter identification, as this may simply be the result of fewer individuals attempting to enter the country as a result of Covid. Nevertheless, while biometrics have a role to play in identification, it does face significant limitations. Most people don’t realise that Biometric authentication relies on a probabilistic model, not deterministic. When comparing a facial or fingerprint scan to the stored value, the system accepts a degree of variation. This is called the False Acceptance Rate (FAR) metric, which is the probability that the system will incorrectly identify a user as valid. Realising that facial recognition is simply verifying that the scan is ‘similar’ to the stored image, you can see that there is a real risk that the CBP tools are not detecting skillful imposters.</p>
<p>The system may not have identified anyone using false credentials, but I suspect the agency considers it a huge success in that it was able to collect a massive trove of images of visitors that can be directly linked to their passports. This is the holy grail of AI/ML system training data and will serve to improve the system dramatically over time.</p>