Privacy Impact Assessment Update for the
Traveler Verification Service (TVS): CBP-TSA Technical Demonstration Phase II

DHS/CBP/PIA-030(e)

August 14, 2018

Contact Point
Colleen Manaher
Planning, Program Analysis and Evaluation (PPAE)
Office of Field Operations
U.S. Customs and Border Protection
(202) 344-3003

Reviewing Official
Philip S. Kaplan
Chief Privacy Officer
Department of Homeland Security
(202) 343-1717

Privacy Impact Assessment Update TVS: CBP-TSA Technical Demonstration Phase II Page 1

Abstract

The U.S. Department of Homeland Security (DHS) U.S. Customs and Border Protection (CBP) is continuing to develop and expand its biometric entry-exit system for international flights at airports throughout the United States. In partnership with the Transportation Security Administration (TSA), CBP’s latest biometric technical demonstration will use the Traveler Verification Service (TVS) cloud-based matching service to compare international travelers’ photos captured by CBP against previously-captured photos. CBP is updating this Privacy Impact Assessment (PIA) to provide the public with notice regarding the second phase of its demonstration with TSA.

Overview

Since 2017, U.S. Customs and Border Protection (CBP) has been engaged in a partnership with the Transportation Security Administration (TSA) to test the Traveler Verification Service (TVS) at the TSA security screening checkpoints of international terminals at select airports. During this technical demonstration, CBP and TSA use TVS camera technology and matching services to verify travelers’ identities at the TSA checkpoint. A recent demonstration,[1] which served as a variation of the TVS exit process, leveraged the same technologies to automate what has typically been a manual identity verification process by TSA’s Transportation Security Officers (TSO).
The demonstration used the Advanced Passenger Information System (APIS)[2] manifest data to create a gallery of travelers scheduled to board specified outbound international flights during a defined period. The first phase, which commenced in October 2017, explored the feasibility of using CBP’s biometric facial recognition and matching technologies for identity verification at the TSA checkpoint.

In August 2018, CBP and TSA began Phase II of the technical demonstration. In a similar manner to Phase I, based on the APIS manifest, CBP compiles a gallery of previously-acquired facial images[3] of travelers who are scheduled to depart the United States on specified international flights. The Automated Targeting System (ATS) Unified Passenger Module (UPAX)[4] creates biometric templates of those photos and transmits them to the TVS matching service.[5]

In Phase II, the TSO, who serves as the TSA Travel Document Checker, directs all travelers with a boarding pass for international outbound flights only to a CBP-owned camera, which is placed near the podium at the TSA checkpoint for a photo capture.

[1] See DHS/CBP/PIA-030(d) Traveler Verification Service (TVS): CBP-TSA Technical Demonstration (September 25, 2017), available at www.dhs.gov/privacy.
[2] See DHS/CBP/PIA-001 Advance Passenger Information System (June 5, 2013), available at www.dhs.gov/privacy.
[3] These images include photographs captured by CBP during the entry inspection, photographs from previous DHS encounters, and photographs from the Department of State, such as U.S. passports and U.S. visas.
[4] See DHS/CBP/PIA-006 Automated Targeting System (January 13, 2017), available at www.dhs.gov/privacy.
[5] See DHS/CBP/PIA-030(b) Traveler Verification Service (TVS): CBP-TSA Technical Demonstration (May 15, 2017), available at www.dhs.gov/privacy.
Passengers who request not to be photographed may proceed to the TSO for standard inspection procedures. Once the photo is captured and transmitted to the TVS, it is converted into a template and matched against the gallery of preassembled templates of historical images described above. The TSO will receive the result of this matching process on a TSA-owned tablet at the screening podium via a mobile-friendly dashboard application developed by CBP for the TSOs.

If the TVS confirms the traveler’s identity, the CBP dashboard application will display the newly-captured image, along with biographic data (full name and date of birth) of that passenger, for review by the TSO, who will direct the traveler to the appropriate screening lane based on TSA’s standard security screening procedures. If the TVS cannot capture an acceptable image of the passenger, or there is no match for the traveler’s photo, the TSA tablet will display only the captured photo but no biographic information, and the TSO will follow TSA’s standard procedures for verifying the traveler’s identity,[6] and the traveler will proceed to the appropriate screening lane.

In addition, CBP Officers (CBPOs) receive an alert on the Biometric Exit Mobile Application (BE-Mobile) device,[7] indicating that for a particular traveler, there was not a match. For in-scope travelers,[8] the CBPO may use the BE-Mobile device to verify authenticity, identity, and citizenship via biographic data and an examination of travel documents. The CBPO can also use the device to determine the appropriate course of action(s) for biometric capture or exemption, i.e., through new fingerprints, photo captures, and/or the collection of additional biometric information from the traveler.
During this process, if the CBPO identifies actionable derogatory information on a particular traveler (e.g., the individual is found on the IDENT biometric watch list), the CBPO may escort the traveler to the Federal Inspection Services (FIS) area to conduct further questioning or appropriate actions under CBP’s law enforcement authorities.

DHS-branded signage placed in plain view near the TSA checkpoint, along with tear sheets as requested, will communicate CBP’s request that outbound international travelers voluntarily permit themselves to be photographed, along with instructions, alternative procedures, and Frequently Asked Questions. Individuals who choose not to participate may request processing under standard procedures by a TSO.

[6] See https://www.tsa.gov/travel/security-screening/identification.
[7] See DHS/CBP/PIA-026(a) Biometric Exit Mobile Program (June 29, 2018), available at www.dhs.gov/privacy.
[8] In-scope travelers subject to BE-Mobile are travelers who meet the criteria established under 8 CFR § 215.8, which generally includes all non-U.S. citizens with certain narrow exceptions. For a list of exempt aliens, refer to the 2015 BE-Mobile Air Test PIA (footnote 1), available at www.dhs.gov/privacy.

Fair Information Practice Principles (FIPPs)

The Privacy Act of 1974 articulates concepts of how the Federal Government should treat individuals and their information, and imposes duties upon federal agencies regarding the collection, use, dissemination, and maintenance of personally identifiable information (PII).[9] The Homeland Security Act of 2002, Section 222(2) states that the Chief Privacy Officer shall assure that information is handled in full compliance with the fair information practices as set out in the Privacy Act of 1974.
In response to this obligation, the DHS Privacy Office developed a set of Fair Information Practice Principles (FIPPs) from the underlying concepts of the Privacy Act to encompass the full breadth and diversity of the information and interactions of DHS. The FIPPs account for the nature and purpose of the information being collected in relation to DHS’s mission to preserve, protect, and secure.

DHS conducts PIAs on both programs and information technology systems, pursuant to the E-Government Act of 2002, Section 208[10] and the Homeland Security Act of 2002, Section 222.[11] This PIA Update examines the privacy impact of the TVS and collection of facial images by devices located at the TSA screening checkpoint as they relate to the FIPPs.

1. Principle of Transparency

Principle: DHS should be transparent and provide notice to the individual regarding its collection, use, dissemination, and maintenance of PII. Technologies or systems using PII must be described in a SORN and PIA, as appropriate. There should be no system the existence of which is a secret.

CBP and TSA will continue to operate under similar principles of transparency as those implemented for the entire TVS process. CBP is working closely with TSA to post signs and provide tear sheets notifying travelers of the purpose of this initiative, as well as where to find more information. Additionally, signs posted near the inspection area provide notice to individuals regarding their ability to opt out of the technical demonstration; however, they will still be subject to regular TSA and CBP screening. Travelers who have questions related to TVS will be directed to the CBP Info Center.[12] Information on this and other CBP biometric exit projects is available on the official CBP public website.[13] Finally, CBP provides additional notice to the public through the publication of this PIA Update and will publish updates or additional PIAs as necessary to document future changes.

[9] 5 U.S.C. § 552a, as amended.
[10] 44 U.S.C. § 3501 note.
[11] 6 U.S.C. § 142.
[12] See https://help.cbp.gov.
[13] See www.cbp.gov/travel/biometric-security-initiatives for more information.

2. Principle of Individual Participation

Principle: DHS should involve the individual in the process of using PII. DHS should, to the extent practical, seek individual consent for the collection, use, dissemination, and maintenance of PII and should provide mechanisms for appropriate access, correction, and redress regarding DHS’s use of PII.

There is no change to individual participation during Phase II of this demonstration. CBP involves travelers in its collection of their personally identifiable information (PII), and provides procedures for requesting alternative processing in accordance with CBP and TSA’s standard procedures. In this case, the TVS relies upon information collected directly from the individual by TSOs (i.e., the photograph captured at the TSA security screening checkpoint), as well as additional information collected by the carrier (via the APIS manifest), and photographs collected previously by CBP, DHS, or the Department of State. Individuals who choose not to participate in the TVS process at the checkpoint may request processing under TSA’s standard procedures by a TSO.

3. Principle of Purpose Specification

Principle: DHS should specifically articulate the authority which permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.

The purpose of the CBP-TSA partner process is consistent with the air exit partner process described earlier in the original TSA PIA Update as well as the Partner Process PIA Update.[14] CBP will continue to collect facial images as well as biographic information from the APIS manifest, which is provided by the airlines, in addition to certain portions of the traveler’s itinerary.
Although CBP has previously collected biographic information from partners through the APIS manifest, the collection of travelers’ images at the TSA checkpoint will expedite identity verification and enhance security.

4. Principle of Data Minimization

Principle: DHS should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s). PII should be disposed of in accordance with DHS records disposition schedules as approved by the National Archives and Records Administration (NARA).

CBP’s continuation of the technical demonstrations at the TSA checkpoints will result in an increase in the data it collects from the traveling public. In an effort to mitigate the impacts of this expanded collection, CBP seeks to minimize the data it maintains by purging facial images as quickly as possible after use. Each traveler’s biographic and biometric data is deleted from the TSA-issued device, either at the time of the next passenger’s transaction or after two minutes, whichever occurs first. All PII collected for the TVS transaction is stored in a secure database within the CBP network. CBP does not retain images of U.S. Citizens in ATS-UPAX but does retain images of non-U.S. Citizens for up to 14 days for confirmation of the match, as well as evaluation and audit purposes. CBP deletes all photos, regardless of immigration or citizenship status, from the TVS cloud matching service within 12 hours of the match.

[14] See DHS/CBP/PIA-030(c) Traveler Verification Service (TVS): Partner Process (June 12, 2017), available at www.dhs.gov/privacy.
Traveler Verification Service Retention Periods

System | USC/Non-USC | Maximum Retention Period | Reason for Retention
------ | ----------- | ------------------------ | --------------------
ATS-UPAX | USC | N/A | USC photos are not stored in ATS-UPAX
ATS-UPAX | Non-USC | 14 days | Confirmation of travelers’ identities, evaluation of the technology, assurance of accuracy of the algorithms, and system audits
TVS Cloud Matching Service | USC | 12 hours | Temporary staging pending confirmation of travelers’ identities and in case of an extended system outage, prior to deletion from the TVS
TVS Cloud Matching Service | Non-USC | 12 hours | Temporary staging pending confirmation of travelers’ identities and in case of an extended system outage, prior to deletion from the TVS
TSA TVS Dashboard Application (visible for TSOs on Tablets) | USC | 2 minutes (or when the next traveler arrives, whichever comes first) | To allow the TSO sufficient time to verify identity and process travel documents if necessary
TSA TVS Dashboard Application (visible for TSOs on Tablets) | Non-USC | 2 minutes (or when the next traveler arrives, whichever comes first) | To allow the TSO sufficient time to verify identity and process travel documents if necessary

Privacy Risk: There is an overcollection risk that CBP may collect photos from individuals at the TSA checkpoint who are not departing on an international flight.

Mitigation: This risk is mitigated by the fact that CBP and TSA are deploying this technical demonstration at a checkpoint dedicated to international flights. All travelers screened at this checkpoint are boarding international flights, for which CBP and TSA have collected APIS manifests.

5. Principle of Use Limitation

Principle: DHS should use PII solely for the purpose(s) specified in the notice. Sharing PII outside the Department should be for a purpose compatible with the purpose for which the PII was collected.
CBP will use the information it collects at the TSA checkpoints in the course of this technical demonstration under the TVS only for identity verification purposes as described earlier in this PIA. CBP will only share entry and exit data consistent with the terms described in the relevant SORNs.[15] CBP does not create border crossing records or enroll photos in IDENT following this TVS collection at the TSA checkpoint because crossing the TSA checkpoint itself does not constitute a border crossing.

Privacy Risk: There is a risk that CBP or TSA will use the photos captured under the TVS at the TSA checkpoint for a purpose other than those specified for the original collection.

Mitigation: This risk is mitigated. TSA will only use these photos for identity verification at the checkpoint and cannot access the photos after the inspection is completed. CBP will only use the photos for identity verification and will only temporarily retain the photos as outlined above for testing and auditing purposes.

6. Principle of Data Quality and Integrity

Principle: DHS should, to the extent practical, ensure that PII is accurate, relevant, timely, and complete, within the context of each use of the PII.

There are no changes to the accuracy, relevance, timeliness, or completeness of the data with this new phase of the project. CBP has developed technical specification requirements for its TVS camera vendors because the quality of facial images dramatically impacts the performance of all facial recognition algorithms. As described in the original PIA update, CBP regularly tests the accuracy of its photo matching algorithms to achieve the highest possible accuracy.[16] CBP’s testing has illustrated that high-quality facial images that meet the specifications above result in good match performance.

[15] See DHS/CBP-007 Border Crossing Information, 81 FR 4040 (January 25, 2016) and DHS/CBP-011 U.S. Customs and Border Protection TECS, 73 FR 77778 (December 19, 2008).
[16] CBP’s testing has illustrated that high quality facial images that meet the specifications above result in good match performance. CBP requires an accuracy goal of 96% True Acceptance Rate (TAR) for facial images acquired in an airport/seaport exit environment. CBP expects the TVS cameras to: (1) capture multiple images; (2) draw the traveler’s attention to the camera, hold the traveler’s attention throughout the capture process, and alter the traveler’s position when the process is complete; (3) include a “time-out” function in order to send the best-captured image of the traveler if no image was able to meet the desired quality threshold; and (4) provide proper lighting.

7. Principle of Security

Principle: DHS should protect PII (in all forms) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.

As with the technical demonstration process described earlier in this document, CBP stores TVS information in secure CBP systems and temporarily in a secure cloud environment, and uses a virtual private network with strong HTTPS/SSL encryption to transfer the data between the camera at the TSA checkpoint, the TVS matching service, and CBP systems as well as for PII at rest. Only authorized CBP and TSA representatives have access to the collection device, and only CBP staff and cloud service provider personnel may have access to the cloud database. Additionally, only authorized TSOs may have access to their TSA tablets and the mobile-friendly dashboard application developed by CBP for TSA. No query or search is permitted using this application, and users are unable to view historical data.
The TSOs may only access the tablets via a single sign-on with two-factor authentication, including the use of their Personal Identity Verification (PIV) Card and Personal Identification Number (PIN).[17] For each traveler whose photo is captured, any PII is purged from the TSA tablet, either when the next traveler arrives or when two minutes have elapsed.

8. Principle of Accountability and Auditing

Principle: DHS should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and should audit the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.

As with the previous technical demonstration described earlier in this document, CBP’s programmatic and technologic controls ensure only authorized access to the facial image data. Further, CBP deploys auditing tools within its systems to ensure appropriate retention and deletion of data in accordance with the policies and procedures outlined in this PIA.

[17] See DHS/ALL/PIA-014 Personal Identity Verification/Identity Management System (PIV/IDMS) (May 18, 2017), available at www.dhs.gov/privacy.

Responsible Officials

Colleen Manaher
Executive Director
Planning, Program Analysis and Evaluation
Office of Field Operations
U.S. Customs and Border Protection
202-344-3003

Debra L. Danisek
CBP Privacy Officer
Privacy and Diversity Office
U.S. Customs and Border Protection
202-344-1610

Approval Signature

Original, signed copy on file with the DHS Privacy Office.

________________________________
Philip S. Kaplan
Chief Privacy Officer
Department of Homeland Security