Study of the Government of Canada's use of Biometrics in the Border Continuum

1. EXECUTIVE SUMMARY

The Government of Canada (GoC) uses biometrics to identify individuals with a level of confidence beyond what is possible absent such techniques.

Biometrics play a fundamental role in the border continuum, which includes the screening of foreign nationals seeking admission to Canada and the identification of passengers travelling internationally by air. In the course of this study, the National Security and Intelligence Review Agency (NSIRA) examined activities conducted by the Canadian Border Services Agency (CBSA), Immigration, Refugees, and Citizenship Canada (IRCC), and Transport Canada (TC). The study also extended to the Royal Canadian Mounted Police (RCMP), which plays a supporting role in one of the major IRCC-led programs in this area.

Biometrics are sensitive personal information. The identification of persons by virtue of their biological characteristics raises privacy and human rights concerns. There is public apprehension about the government’s use of biometric analysis, as reflected in discussions regarding the use of facial recognition technology and, relatedly, its possible disparate impact on marginalized groups. At the same time, identifying individuals entering the country – and consequently determining whether they have a right to enter, or what risks they might pose – serves a national security function. In this way, the use of biometrics requires an assessment of the balance between privacy and security.

This report informs, contextualizes, and contributes to this conversation by presenting NSIRA’s foundational study of the GoC’s biometric activities in the border continuum.

The study identified a set of observations linked to nine overarching themes:

  1. Biometrics and National Security. The centrality of national security as a justification for biometric activities has waned over time relative to other objectives, such as identity management and traveller facilitation. This makes it challenging to assess biometric activities in general as national security activities. Future NSIRA reviews may focus more narrowly on biometric activities that directly engage national security.
  2. The Steady-State Activities. The steady-state biometric activities in the border continuum are generally well-supported by current legal authorities and are consistent with international practice.
  3. Expanding Use of Biometrics over Time. The use of biometrics in the border continuum has significantly expanded over the last three decades, and is likely to continue expanding in the future. This trajectory is driven partly by advancing technological capabilities, partly by evolving challenges in identity management. It is reflected in other jurisdictions around the world. Exploiting the possibilities created by technological developments and keeping pace with other jurisdictions cannot justify the expanded use of biometrics in their own right. New biometric activities must be justified according to the necessity and proportionality of collecting and using biometrics for particular, intended objectives.
  4. Pilot Projects. Pilot projects and initiatives raise more concerns than do steady-state activities, as they risk being implemented on an experimental basis, without sufficient legal analysis or policy development. These projects represent an area of continued interest for NSIRA. Despite the temporary or experimental nature of a project, NSIRA expects that departments will conduct the analysis necessary to ensure that legal authority is in place for the conduct of the activity, and that the attendant collection, use, retention and disclosure of personal information is well-governed by policy.
  5. Evolving Legal and Societal Norms. The public debate surrounding legal authorities questions whether existing standards and protections are sufficient for regulating biometric activities or whether new standards and protections are required. The border is, comparatively, a space in which greater intrusiveness is considered reasonable – but the boundaries of those justifications are not limitless, and will require careful calibration moving forward.
  6. The Dual-Use of Biometrics. NSIRA observed several instances of possible dual-use of biometric information in the activities examined in this report. Even where they pose demonstrable benefits, new uses of biometrics must be carefully considered to ensure their reasonableness and proportionality. In addition, all new uses must be justified and well-authorized in law. The principle of “purpose limitation” may be a way of guarding against unjustified dual-use in the context of biometric activities.
  7. Technical Systems. There is significant overlap between the technical systems and databases used across the steady-state biometric activities. The overall architecture of this system – biometric collection, transmission, and storage in the course of the GoC’s activities in the border continuum – is complex, though not necessarily problematic.
  8. Visibility into Algorithms. Departments and agencies have limited visibility into how the algorithms they use for biometric analysis operate. Each department and agency did, however, demonstrate that performance metrics are known and tested, and that custom thresholds are used when appropriate.
  9. Preventing Bias and Discrimination. IRCC and CBSA have conducted preliminary analyses to explore how their biometric activities may impact diverse groups of people, though the implementation of possible mitigation strategies was not always apparent. In some contexts, technological advancements have helped to reduce, but not eliminate, differential impacts. More work remains in terms of mitigating differential impacts on segments of the population. At the same time, the departments and agencies under review have demonstrated their awareness of possible systemic inequalities and their commitment to addressing them.

These observations are intended to contribute to Canadians’ understanding of the complex and evolving use of biometrics in the border continuum, and to shape how NSIRA as an organization engages with this area in future work.

Public debate about the government’s application of biometric technology will continue to evolve, driving change in the legal and regulatory frameworks associated with such activities. As such, continued scrutiny from NSIRA is warranted, particularly in those instances where the collection and use of biometric information is justified by explicit reference to national security outcomes.

List of Acronyms

AFIS – Automated Fingerprint Identification System

BEP – Biometrics Expansion Project

BSO – Border Service Officer

BTD – Biometrics Transformation Directorate

CBP – US Customs and Border Protection

CBSA – Canada Border Services Agency

CI – Central Index

CIBIDS – Canadian Immigration Biometric Identification System

CIC – Citizenship and Immigration Canada

CJIMS – Criminal Justice Information Management Service

COSMOS – Consular Management and Operations System

CoT – Chain-of-Trust

CSIS – Canadian Security Intelligence Service

CPIC – Canadian Police Information Centre

CPO – Canadian Passport Order

CTOB – Chief Transformation Officer Branch

DOJ – Department of Justice

DTC – Digital Travel Credentials

DRDC – Defence Research and Development Canada

EFCD – Electronic Fingerprint Capture Device

eTA – Electronic Travel Authorization

EURODAC – European Asylum Dactyloscopy Database

FOSS – Field Operations Support System

FOTM – Faces-on-the-Move

FRS – Facial Recognition Solution

GBA+ – Gender-Based Analysis Plus

GCMS – Global Case Management System

GoC – Government of Canada

IAPI – Interactive Advanced Passenger Information

IATA – International Air Transport Association

IBAS – Interdiction and Border Alert System

ICAO – International Civil Airline Organization

ICES – Integrated Customs Enforcement System

IIS – Immigration Information Sharing

INTERPOL – International Criminal Police Organization

IRCC – Immigration, Refugees, and Citizenship Canada

IRIS – Integrated Retrieval Information System

IRPA – Immigration and Refugee Protection Act

IRPR – Immigration and Refugee Protection Regulations

KTDI – Known Traveller Digital Identity

LBFC – Land Border Face Capture

M5 – Migration 5 group

NCIC – National Criminal Information Centre

NIST – National Institute of Standards and Technology

NPP – Notice of Proposed Procurement

NSIRA – National Security and Intelligence Review Agency

NSP – National Security Policy

NTWG – New Technology Working Group

OBIM – Office of Biometrics and Identity Management

OGD – Other Government Department

OPC – Office of the Privacy Commissioner

PIA – Privacy Impact Assessment

PIK – Primary Inspection Kiosk

PKI – Public Key Infrastructure

PMP – Passport Management Program

POE – Port(s) of Entry

PPMI – Passport Program Modernization Initiative

PROVE-IT:FRiV – Pilot and Research on Operational Video-based Evaluation of Infrastructure and Technology: Face Recognition in Video

RCMP – Royal Canadian Mounted Police

RTIDS – Real Time Identification System

SCIDA – Security of Canada Information Act

SFV – Systematic Fingerprint Verification

SL – Passport System Lookout

SLTD – Stolen, Lost Travel Document (INTERPOL)

TBID – Travelers Biometric Identification Determination System

TC – Transport Canada

TRBP – Temporary Resident Biometrics Program

VAC – Visa Application Centre

WEF – World Economic Forum

Glossary of Terms

Algorithm. A set of rules or calculations applied to data that generate an interpretable or reportable result.

Automation/Automated Decision-Making. Automated decision-making is the process of making a decision by automated means without any human involvement.

Biometric. The measurement and analysis of biological characteristics, such as fingerprints, iris patterns, retinas, DNA, and hand or face geometry, and to the analysis of certain behavioural
characteristics, such as voice, gait or typing rhythm.

Biometric Data Subject. An individual whose individualized biometric data is within the biometric system. Biometric Information. Biometric information refers to biometric data records (data record containing biometric data such as a biometric sample or aggregation of biometric samples at any stage of processing).

Biometric Template. Set of stored biometric features comparable directly to prove biometric features.

Enrolment. Act of creating and storing a data record attributed to a biometric data subject, containing non-biometric data and associated with one or more biometric samples, biometric templates, or biometric models attributed to a biometric data subjects and used as the object of biometric comparison.

Facial Recognition. Automated recognition of individuals based on their facial characteristics.

False-Negative. Failure to associate a biometric probe and a biometric reference belonging to the same biometric data subject.

False-Positive. Incorrect association between a biometric probe and a biometric reference from
different biometric data subjects.

Identity Management. The set of principles, practices, policies, processes and procedures used to realize an organization’s mandate and its objectives related to identity.

One-to-one verification. Process in which biometric probe(s) from one biometric data subject is compared to biometric reference(s) from one biometric data subject to produce a comparison score.

One-to-many identification. Process in which biometric probe(s) from one biometric data subject is compared against the biometric references of more than one biometric data subject to return a set of comparison scores.

Biometric probe. A biometric sample or biometric feature set input to an algorithm for biometric comparison to a biometric reference(s).

2. AUTHORITIES

The National Security Review Agency (NSIRA) conducted this study under section 8(1)(b) of the National Security and Intelligence Review Agency Act.

3. INTRODUCTION

Background
  1. Biometrics enhance the government’s ability to know who you are. The measurement and analysis of unique biological characteristics – including, inter alia, fingerprints, iris patterns, and facial features – facilitates the identification of individuals to a level of confidence beyond what is possible absent the use of such techniques. Biometrics can be layered with traditional identifiers – such as name, date of birth, place of birth, gender etc. – to enhance the government’s identification process.
  2. Knowing who you are – including verifying that you are who you claim to be – has benefits for national security. At the border, in particular, questions about identity are paramount: who has the right to enter the country, who does not, and who might pose a threat to the security of Canada and Canadians?
  3. At the same time, the identification of persons by virtue of their biological characteristics raises acute privacy and human rights concerns. Biometrics are intrinsically personal information, and are largely immutable (i.e., they cannot be easily changed, as can passwords or other identifiers). There is public apprehension about the government’s use of biometric analysis, as reflected in discussions regarding the use of facial recognition technology and, relatedly, its possible disparate impact on marginalized groups. As biometric technology is increasingly integrated into public spaces, it will be important for government and for Canadians to consider the associated calibration of security, privacy, and human rights.
  4. This report informs, contextualizes, and contributes to this conversation by presenting NSIRA’s foundational study of the Government of Canada (GoC)’s biometric activities in the border continuum, with a focus on activities relating to the screening of foreign nationals seeking admission to Canada and the identification of passengers travelling internationally by air.  The immediate objective of the study was to map the biometric activities occurring in this space. This includes examining the collection, retention, use, and disclosure of biometric information, as well as the legal authorities under which said activities occur. The baseline for an informed public discussion is accurate information about which activities are being pursued by the GoC and whether/how they are authorized in law.
  5. The study also considered the reasonableness and necessity of these activities, studying the accuracy and reliability of biometrics, including the possibility of discrimination on the basis of identity factors like race and gender; the proportionality of their collection, retention, use and disclosure; and the transparency with which the GoC discusses its use of biometrics and their contribution to national security.
  6. NSIRA’s ability to look across departments and agencies and to make both specific and general observations – to examine the forest as well as the trees – was particularly valuable in assessing a wide and growing biometric landscape.
  7. In addition to informing an important public conversation, the report’s broad treatment of biometric activities in the border continuum advances NSIRA’s work in two ways. First, it identifies several more narrow areas of interest or concern, to which NSIRA may return in future targeted reviews. Second, it defines a set of criteria against which NSIRA may review the GoC’s use of biometrics in national security and intelligence activities – both within and beyond the border continuum.
The Study

Scope

  1. The border is distinct from other public settings. There are security imperatives that arise when individuals cross sovereign boundaries, such that the state is justified in taking measures not permissible in other contexts. While privacy rights and civil liberties do not disappear, expectations of privacy and of free movement are significantly lower. In considering the GoC’s biometric activities, therefore, it was practical to separate the border continuum from other settings; what might be overly intrusive in the latter may be justified in the former. Further, the border can serve as a testing ground for new biometric techniques and technologies, which then spread to other areas. If there are public concerns about biometric technology more generally, the border may serve as a harbinger of things to come and ought to be scrutinized accordingly.
  2. In this study, we examine the collection, retention, use, and disclosure of biometric information and evaluate, where applicable, said activities against the criteria outlined below. We reviewed relevant policy and legal frameworks as communicated by departments and agencies, to inform our assessment of reasonableness and necessity, and to establish foundational knowledge that will inform future compliance assessments in the biometrics space. Our assessment of reasonableness and necessity was conducted at a high-level, reflecting on the themes, trends and issues manifest in considering the GoC’s biometric activities in the border continuum as a whole. We did not conduct independent verification or audit of the claims or activities themselves.
  3. In the course of this study, NSIRA examined activities conducted by the Canada Border Services Agency (CBSA), Immigration, Refugees, and Citizenship Canada (IRCC), and Transport Canada (TC). The study also extended to the Royal Canadian Mounted Police (RCMP), which plays a supporting role in one of the major IRCC-led programs in the border continuum.
  4. NSIRA also surveyed the history, and possible future, of biometric activities in the border continuum. The biometric landscape is not static, nor are practices in traveler facilitation and border security. Much of the public concern regarding biometrics (in particular over something like facial recognition technology) has to do with what lays just over the horizon, rather than simply any activity currently taking place. To this end, discussion of past activities, programs, and pilot projects illustrate the expansion of biometrics that has culminated in the present moment. Similarly, several pilot projects and initiatives known to be in development serve as examples of what may be to come. This wider lens contextualizes present activities and thus helps fulfill the broader objectives of the study.

Criteria

  1. A set of basic criteria guided NSIRA’s assessment of the GoC’s present biometric activities in the border continuum:
    • Compliance. NSIRA examined the legislative and policy framework governing departments’ and agencies’ collection and use of biometrics. It examined the enabling legislation’s compliance with the Canadian Charter of Rights and Freedoms and Privacy Act; considered the safeguards and features of the departments’ or agencies’ enabling statutes and regulations as applies to their biometric programs; and reviewed applicable departmental and Treasury Board policies.
    • Proportionality. Proportionality, in this context, weighs the government’s objectives in using biometrics against any impacts on individuals’ privacy or human rights. Generally speaking, NSIRA expects that any intrusions on the rights and freedoms of individuals be readily justifiable and offer important benefits to pressing and substantial objectives.
    • Accuracy. Because biometrics are fundamentally designed to identify individuals, it is important that they do so accurately, such that they can effectively contribute to the government’s objectives in a given activity/program. Biometric analysis (including the use of algorithms) is subject to error rates and false-matches that can have significant consequences for individuals. Relatedly, algorithms used for biometric analysis are susceptible to demographic performance variables which could give rise to bias or discrimination.
    • Transparency. In light of the GoC’s National Security Transparency Commitment of 2017, this criterion generally assessed the public transparency of biometric activities in the border continuum. It emphasized the availability of information regarding the type of biometrics collected and the connection of biometrics to GoC priorities, including national security.
    • Data Security. Given the sensitive nature of biometric information, protection of said data throughout the so-called “privacy lifecycle” (collection, storage, transmission, and destruction) is particularly important. As such, NSIRA assessed the policy frameworks of the activities under review for data security protections, such as encryption, access limitations, and privacy-by-design principles.
  2. Collectively, these criteria informed NSIRA’s assessment of the lawfulness, reasonableness and necessity of the departments’ exercise of their powers as concerns the use of biometrics in Canada’s border continuum. Our observations highlight potential issues and areas of concern, which may serve as a basis for subsequent in-depth review of particular activities.

Methodology and Information Requirements

  1. NSIRA received information from departments and agencies in the form of briefings, written responses, and documents. The latter included policies, procedures, project reports, technical studies, operational bulletins, manuals, correspondence, websites, and relevant legal opinions.
  2. In addition to information obtained from departments and agencies, the nature of the study – dealing with a broad category of information widely used and heavily scrutinized across the globe – meant that a significant volume of open-source research was pertinent. As such, NSIRA examined media reports (both domestic and international), industry reports, academic research, think tank reports, government reports/documents from other jurisdictions, and intergovernmental and non-governmental organization research on biometrics and related technology. What emerged was a sense of the common standards, themes, risks, and even lexicon associated with biometrics, all of which helped inform NSIRA’s observations regarding the GoC’s biometric activities in the border continuum.
The Report
  1. The body of the report is organized into three descriptive sections, presented in chronological order:
    • Biometrics Past: a discussion of the history and evolution of the use of biometrics in the border continuum, including relevant pilot projects and key expansions along the way;
    • Biometrics Present: a description of current, steady-state biometric activities; and,
    • Biometrics Future: a discussion of the role biometrics are likely to play in the border continuum moving forward, based on present trajectories.
  2. The concluding section unpacks overarching themes and observations pertinent to the study objectives outlined above. While some of these observations are specific to a particular program or activity, others apply horizontally across various aspects of the study. The mélange reflects both the nature of a foundational study and the unique, crosscutting mandate that NSIRA enjoys. Our observations are intended to contribute to Canadians’ understanding of the complex and evolving use of biometrics in the border continuum, and to shape how NSIRA as an organization engages with this area in future work.

4. BIOMETRICS PAST

  1. IRCC began collecting fingerprints from asylum claimants and deportees in 1993, partly as a consequence of the rise in global migration volumes following the end of the Cold War. Canada received 37,000 refugee protection claims in 1992, up from just a few thousand annually for the balance of the 1980s. The resulting pressure on the system led, in part, to the introduction of Bill C-86 in June 1992, which included several provisions designed to enhance the efficiency and integrity of Canada’s immigration and refugee system, among them the fingerprinting of asylum claimants and deportees. This provision generated public criticism, with the government eventually amending it to include the deletion of fingerprints if/when an individual became a Canadian citizen. Ultimately, the purpose of the collection was to introduce processing efficiency into the system and to enhance both fraud detection and fraud deterrence through rigorous identity management.
  2. Over the subsequent years, the collection and use of biometrics in the border continuum has steadily expanded, such that nearly everyone entering Canada by air – whether a foreign national or Canadian citizen – now has their biometric information collected and/or analyzed in some way. How did we get from there to here? The present section addresses this question by describing the evolution of the GoC’s activities over time, highlighting key moments, programs, and projects that animate it along the way.
9/11
  1. The terrorist attacks of September 11, 2001, dramatically altered Canada’s national security landscape. The 2001 budget reflected the new priorities of the day, with $7.7 billion over five years allocated to security measures, including $1 billion to immigration screening and enforcement and $1.2 billion to border security initiatives.
  2. These outlays came on the heels of explicit recommendations from a parliamentary committee to, among other things, “modernize border management to accommodate future security and trade needs” and “test and implement […] advanced technologies in […] border processing operations.” The latter recommendation included the suggestion that “biometric technology in the form of fingerprint or retina scanners could […] be considered to identify individuals […] crossing the border.” The report also called for the reactivation and full implementation of the NEXUS program, which had been a cross-border travel pilot project between the US and Canada launched in November 2000 but suspended in the wake of the attacks.
  3. The central plank of post-9/11 US-Canada border security cooperation, however, was the Smart Border Declaration, signed on December 12, 2001. Accompanied by a 30-point Action Plan, the declaration guided US and Canadian efforts to enhance border security. The very first item on the Action Plan was the introduction of “biometric identifiers”, calling for the two countries to “develop on an urgent basis common biometric identifiers in documentation such as permanent resident cards, NEXUS, and other travel documents to ensure greater security.” Also of note were the provisions to expand information sharing in the visa and refugee/asylum context.
  4. The two countries explicitly framed the Smart Border Action Plan as an effort to “develop a zone of confidence against terrorist activity”. In the US, the Final Report of the National Commission on Terrorist Attacks Upon the United States (more widely known as the “9/11 Commission Report”) expressed this logic, calling for a “biometric screening system” that would encompass the entire border continuum, from passport and immigration application to arrival at ports of entry, along with information sharing between jurisdictions. Canada’s 2004 National Security Policy (NSP) similarly foregrounded biometrics in its chapter on border security. The NSP noted that Canada would “work toward a broader use of biometrics” and “examine how to use biometrics in [its] border and immigration systems to enhance the design and issuance processes of travel and proof-of-status documents and to validate the identity of travellers at [Canada’s] ports of entry.” For both countries, biometrics were seen as a means of identifying possible terrorists crossing the border. 9/11 had fused border security to national security, turning identity management – hitherto primarily associated with efficiencies and fraud – into a national security priority.
  5. In Canada, the NSP set the basic outline of the GoC’s current steady-state biometric activities: facial recognition in the issuance and use of travel documents (Passport Program) and fingerprints and the validation of identity at ports of entry (Immigration Program). We return to these in Section 5.
  6. In the balance of this section, we briefly describe the key biometric activities and programs adopted in the years following 9/11.
ePassport
  1. Though standard in the document for decades, passport photographs were not considered “biometrics” until passports became machine-readable. The 2003 International Civil Aviation Organization (ICAO) guidelines on ePassports, also commonly referred to as “biometric passports,” therefore mark the introduction of biometric identifiers to the document on the international stage. Canada committed to the ePassport in 2004, though actual implementation unfolded in stages over subsequent years, with the full rollout occurring in 2013. Hundreds of other jurisdictions adopted the ePassport during this period, gradually establishing it as an international recommended practice for official travel documents. Canada’s current iteration of the ePassport is discussed in paragraphs 95-112, below.
  2. In addition to the “smart chip” embedded in the ePassport and containing the facial photograph, the government also pursued facial recognition in the passport application/issuance process. The first Privacy Impact Assessment (PIA) for what was then known as the “Facial Recognition Project” was crafted in 2003, though full implementation under the guise of the “Facial Recognition Solution” (FRS) did not occur until 2010. The system used facial recognition to help assess entitlement to a Canadian passport or other official Canadian travel document. The specific objectives of the program were: to detect fraud, support the authentication of identity, and prevent passport issuance to ineligible applicants. We discuss the current iteration of the FRS, which is a key component of the steady-state Passport Program, in paragraphs 95-112, below.
Temporary Resident Biometrics Program (TRBP) (2009-2018)
  1. The “Temporary Resident Biometrics Program” (TRBP) – initiated in 2009 and operational by 2013 – marked a significant expansion of the collection of biometrics in the immigration context. Under the TRBP, biometrics (fingerprints and a digital photograph) were collected by IRCC (then-Citizenship and Immigration Canada [CIC]) as part of temporary resident applications from 30 nationalities. The fingerprints were screened “against fingerprint records of known criminals, past refugee claimants, persons previously deported, and previous immigration applicants” held by the GoC. Once the application was approved and the applicant arrived in Canada, the CBSA verified the biometrics ensuring that the person presenting was the same individual that had applied. In 2014, biometrics collection was expanded beyond temporary resident applications to include overseas refugee and resettlement applications.
  2. According to the GoC, biometrics were adopted as a means to access more complete and accurate information, so as to inform admissibility decisions made under the Immigration and Refugees Protection Act (IRPA) regarding temporary resident applicants. The TRBP’s use of biometrics therefore supported identity management goals, with national security – the identification of individuals who might pose a security threat – constituting a supporting feature of the larger program.
Beyond the Border (2011) and Immigration Information Sharing (IIS) (2013-2016)
  1. In 2011, Canada and the US issued the joint declaration Beyond the Border: A Shared Vision for Perimeter Security and Economic Competitiveness and its accompanying “Beyond the Border Action Plan”. The plan made a commitment to increase information sharing between the two countries. Canada and the US had shared immigration information on a case-by-case, ad hoc basis since 2003, but the process was labour intensive and consequently limited in volume.
  2. The resulting program was the Immigration Information Sharing (IIS) initiative, which made it possible for Canadian and American authorities to systematically exchange immigration information on the basis of a biometric match between their respective immigration databases – a capability that became fully operational in August 2015. For example, all biometric-required applicants to Canada had their fingerprints systematically checked against US fingerprint holdings at the time of enrolment. In the event of a match, the US returned relevant immigration information (e.g. biographical information to confirm identity, the outcome of any previous immigration applications, etc.) to IRCC, to help inform decisions about admissibility. The arrangement was reciprocal, meaning the US similarly queried Canadian immigration fingerprint holdings, with Canada returning immigration information in the event of a match. As characterized by a 2015 implementation report, this capability helped to “counter identity fraud, strengthen identity management and provide valuable information to inform respective admissibility determinations.”
  3. The IIS was, in many ways, the natural extension of TRBP. Whereas TRBP made it possible to screen an applicant’s biometrics against domestic databases, IIS extended this capability to US databases, thereby increasing the range of information obtainable through biometric querying.
Information-Sharing Pilot between CBSA and IRCC/CIC (2013-2016)
  1. Beginning in 2013, a two-phase pilot project between CBSA and IRCC/CIC explored the benefits of leveraging facial recognition through information sharing. The impetus for the project was the experimental querying of 72 photographs of individuals wanted by the CBSA against IRCC/CIC’s passport database. The querying was intended to verify whether any passports had been issued to individuals subject to CBSA warrants for arrest under the IRPA (under genuine or false identities), thus helping protect the integrity of the passport system, while also facilitating enforcement of the IRPA. The CBSA and IRCC rely on sections 7, 8(2)(a) and 8(2)(e) of the Privacy Act for the use and disclosure of this information.
  2. Using facial recognition, the one-to-many identification of these 72 individuals identified three individuals who had fraudulently acquired travel documents. On the strength of these results, the organizations drafted a Memorandum of Understanding (MOU) in December 2013 to share photographs of 1,000 individuals wanted on active CBSA warrants and ran a one-to-many identification against the passport database using facial recognition. This time, 15 individuals were found to have submitted fraudulent passport applications.
  3. In 2015, another round of the project was initiated under a subsequent MOU, raising the number of queries to 3,000 individuals. Also expanded was the scope of information that could be returned as a result of a positive match. Whereas the 2013 MOU only authorized the sharing of information related to document fraud, the 2015 MOU authorized the sharing of any derogatory information relevant to the enforcement of the IRPA. Appendix III of the Information Sharing Annex to the 2017 IRCC-CBSA MOU established this information sharing on a permanent basis.
Research into Facial Recognition
  1. In addition to the expansion, refinement, and leveraging of biometric activities associated with passports and immigration, the GoC explored additional uses of biometrics, including facial recognition, through research into emerging technologies and pilot initiatives, testing possible applications in the border continuum.

Pilot and Research on Operational Video-based Evaluation of Infrastructure and Technology: Face Recognition in Video (PROVE-IT: FRiV) (2011-2013)

  1. In 2011, CBSA led the “Pilot and Research on Operational Video-based Evaluation of Infrastructure and Technology: Face Recognition in Video” (PROVE-IT: FRiV) project. PROVE-IT: FRiV examined, in a lab setting, the possible use of live-capture facial recognition in a controlled environment, such as an airport. Researchers evaluated commercial products and tools available for this purpose, and determined that “face-based surveillance” was ready for live use in “in semi-constrained environments.”

Faces on the Move (FOTM) (2014-2017)

  1. Building on the findings and results of PROVE-IT: FRiV, CBSA launched the “Faces on the Move” (FOTM) pilot project in 2014. FOTM involved the live video capture of the facial images of travellers as they passed through Toronto Pearson International Airport Terminal 3 for a six-month period between June 2016 and November 2016.
  2. Project-specific video cameras were installed to capture facial images in the immigration arrivals area, primary inspection, and toward the exit following primary processing. Facial images were checked in real time using facial recognition against two image databases: a “control” watchlist comprised of 65 CBSA volunteers, and an “operational” watchlist of 4,860 previously deported individuals, generated by CBSA. The CBSA volunteers conducted over 1,200 test walkthroughs over the course of the six-month demonstration. At the same time, approximately 15,000 to 20,000 travellers per day were screened against the operational watchlist, of which forty-seven were correctly detected by the system. All records of personal information were to be destroyed at the end of the project, save those that served an administrative purpose, which would be retained for two years following the date of their last use in keeping with section 6(1) of the Privacy Act and section 4(1)(a) of the Privacy Regulations.
  3. The immediate purpose of FOTM was to raise the technology readiness level of facial recognition to the point of being ready for live, real-time implementation in a controlled environment. Further objectives included the establishment of privacy and security protocols governing the deployment of facial recognition and the development of Canadian industry offerings in the facial recognition space through partnership with CBSA and access to the CBSA’s operational environment (i.e. the border). Longer-term strategic goals included promoting the “efficient flow of people across Canada’s borders” and addressing “evolving threats to public safety at or before the border…while respecting Canadian values including the right to privacy.” Ultimately, FOTM was couched as a building block toward future applications of facial recognition in the border continuum and “similar security scenarios (transportation facilities, shopping malls, stadiums, mass public events).” The lessons from FOTM were to inform a “roadmap” for the use of “science and technology […] for face surveillance, specifically at the border.”
  4. According to the project’s final report, FOTM experienced several policy challenges, “including concept of operation, deployment constraints, public notification, data security, data retention/purging rules, and legality of enforcement based on face recognition and privacy issues.” These and other challenges were likely to “influence face surveillance future deployments and/or technology road maps.” Nonetheless, it recognized that the combination of advancing capabilities and relaxing public resistance to facial recognition technology “will drive the need for continual investment in both the science and the application of face recognition based surveillance.”
  5. Prior to the demonstration period, a PIA conducted for FOTM in consultation with the OPC had brought additional issues to light. This resulted in certain changes to the project, including dropping plans to use watchlist photographs from multiple government agencies and foregoing plans to advise enforcement agencies of a previously deported person’s presence if the individual was not intercepted by the CBSA before leaving the port of entry. The consultants’ final report for the project “recognized that should facial recognition be deployed for long-term, operational use, the PIA would have to be redone and updated to identify potential ongoing risks that did not affect the short-term FOTM project.” Furthermore, CBSA recognized that, were FOTM to become a permanent program, the use of facial recognition would require an update to its Policy on the Overt Use of Audio-Video Monitoring and Recording Technology, and to the description of the related CBSA Personal Information Bank57 (PIB), PPU 1104, which did not include “biometric information.”
  6. Indeed, public signage and notice about the cameras was limited during the demonstration period. Signage at Terminal 3 of Toronto Pearson’s International airport stated that “[t]his area is under video surveillance,” but made no mention of facial recognition. Similarly, the November 19, 2012, version of the CBSA’s Privacy Notice on Video Monitoring and Recording, referred to in the PIA for FOTM, discloses that “[c]ameras may […] monitor the movement of travelers and goods from one point of CBSA operation to another, for example, from primary to secondary,” but does not provide notice of a facial recognition capability. These lacunae in the notice provisions appear to have been acknowledged in the final report on FOTM, however, which notes that the machine learning component “may require an extension to the current [privacy and security] protocols.”
  7. To date, FOTM or similar use of facial recognition has not been adopted as an ongoing activity. Other operational priorities, including the deployment of Primary Inspection Kiosks (PIKs) at select airports, took precedence at the time the project was completed, and CBSA has not indicated plans to revive FOTM. The technology for FOTM was removed from the airport at the end of the pilot.
  8. The CBSA relied on its powers of examination under sections 15-18 of IRPA to authorize the FOTM project, explaining that “[t]hese sections require all persons seeking entry to Canada to submit to an examination of their persons and documents” and “allow for the presentation of photographic evidence of an applicant’s identity.” Indeed, section 15(3) of IRPA authorizes “an officer [to] … examine any person carried by [a means of transportation bringing persons to Canada],” and to examine “any record or document respecting that person.” Section 16 of IRPA further specifies that “[a] person who makes an application must answer truthfully all questions put to them for the purpose of the examination and must produce [at this examination] a visa and all relevant evidence and documents that the officer reasonably requires.” In the case of a foreign national, this evidence includes “photographic and fingerprint evidence.” The CBSA did not request legal assessment from the Department of Justice (DOJ) as to whether these authorities would support the FOTM pilot program.
  9. The CBSA’s reliance on these general powers of examination to conduct facial recognition on travelers as they make their way to the point of processing is of concern to NSIRA. The legislative authorities relied on by the CBSA presume an overt interaction between the traveler and CBSA officials, and the knowing presentation by travelers of their individual documents, fingerprints and photographs during their examination. NSIRA is not satisfied that sections 15-18 of the IRPA provide clear authority for the collection of travellers’ facial biometrics, particularly prior to – and away from – the point of formal examination. NSIRA is of the opinion that further legal advice would be required in order to ensure that the use of facial recognition in Canadian airports (or elsewhere at the border) is well-founded in the CBSA’s legislative authorities.
  10. Moreover, with respect to the pilot’s compliance with section 8 of the Charter, the CBSA explained that a legal opinion from the Department of Justice (DOJ) was not required because “no information [was] being collected above and beyond the CBSA’s current use of CCTV technology.” The pilot used “the existing surveillance infrastructure” and “did not introduce any additional (audio or video) at ports of entry.” As such, the CBSA was of the opinion that FOTM did not engage privacy or other concerns that would necessitate legal consultation.
  11. As described in paragraph 39, however, project documents indicate that new cameras were installed for the demonstration period. Moreover, these arguments under-value the effects of facial recognition technology on individuals’ privacy. The important fact is not the installation or absence of new cameras, but rather their ability to conduct facial recognition. This new aspect of what is being collected arguably changes the subject-matter of the search. As the OPC has recommended, PIAs (and, in NSIRA’s view, assessments of lawful authority) should be renewed when new technologies are used, in order to ensure that the subject-matter of the search – and its privacy implications – are well-understood. Notices should also be updated to ensure that the use of facial recognition is clearly made known to the public, unless operational imperatives justify a lower degree of transparency.
  12. The deployment of such technology, whether on a short-term or long-term basis, must be carefully studied and be fully supported by legal authority and a sound policy framework. The FOTM demonstrated genuine benefits for the execution of the CBSA’s duties at the border, specifically the identification of individuals of concern. Individuals previously deported for inadmissibility are known to attempt re-entry into Canada under assumed or false identities. The 47 “real hits” during the six-month demonstration window of FOTM attest to this fact. As noted in other contexts, of course, national security is one among many interests supported through better identity management. Further, findings of inadmissibility on security grounds (s. 34 of the IRPA) constitute a comparatively small portion of overall inadmissibility decisions. At the same time, rare events can have extreme consequences. National security cases are, by their nature, infrequent but serious.
FASTER-PrivBio Project (2015-2017)
  1. FASTER-PrivBio was a ‘proof of concept’ project that developed a prototype mobile application that facilitated the application and approval of electronic travel authorizations (eTAs). It was led by IRCC in conjunction with CBSA and other partners (including the University of Ottawa and Ryerson University). The application captured a digital photograph (selfie), extracted the digital photograph contained in the ePassport chip, compared the two using facial recognition (one-to-one comparison), and validated the authenticity of the travel document. Upon successful enrolment, the application would then create a ‘client token’ facilitating movement through the travel continuum for low-risk travellers. The project incorporated a ‘Privacy-by-Design’ framework, with a specific emphasis on addressing the privacy concerns raised by the use of biometrics.
  2. Two basic security benefits were envisioned: first, the facilitation of low-risk travellers would allow resources and attention to be applied elsewhere, including toward higher-risk travellers in manual processing. Second, the application would automatically check enrolled travellers against CBSA, IRCC and other applicable (e.g. International Criminal Police Organization [INTERPOL]) biographic watchlists, thereby identifying individuals of concern. This latter function, however, would largely replicate existing screening in the eTA process.
  3. The project closed in 2017 having successfully demonstrated its intended deliverables. Its key takeaways included the viability of mobile (smartphone-based) biometric credentials (including adequate data security protections, according to project participants), compatibility with ePassports and related IRCC systems and infrastructure, and the robust identity verifications possible through such a system. The next phase of the project was to work toward live implementation, set to occur under the “Chain-of-Trust” (CoT) initiative. CoT development continues at present and is covered in Section 6, paragraphs 151-155, below.
Biometrics Expansion Project (2015-2020)
  1. Initiated in 2015, the Biometrics Expansion Project (BEP), as its name suggests, marked another significant increase in the collection of biometrics in the immigration stream. Building on the TRBP, the BEP expanded the collection of biometrics to all persons (unless exempted) making a claim, application or request under the IRPA. The BEP incorporated the IIS initiative and extended automated immigration information sharing, including through biometric querying, to other international partners in the Migration 5 (M5) group, which comprises the immigration agencies of the United States, Australia, New Zealand, and the United Kingdom. The BEP also broadened the capacity for fingerprint verification at Canadian ports of entry (POE) through the introduction of automated Systematic Fingerprint Verification (SFV) at eight international airports (see paragraph 73) and the addition of discretionary fingerprint verification at secondary inspection at an additional 11 airports and 40 land POE.
  2. The BEP closed in 2020 and the biometric activities it established were transferred to steady-state operations. As such, the activities described here are addressed in Section 5, paragraphs 63-94, below.
Assessing Biometrics Past
  1. This section surveyed the development of biometric activities in the border continuum over the past several decades, highlighting key moments, programs, and pilots along the way. Taken collectively, several themes emerge.
  2. First, the GoC’s collection and use of biometrics has steadily expanded. In the immigration context, for example, what began with deportees and asylum claimants in 1993 culminated in 2018 with all persons (unless exempted) making a claim, application or request under IRPA.
  3. Second, the commitments and priorities established in the wake of the 9/11 attacks spurred the adoption of biometrics in the early part of the millennium, setting the foundation for the basic architecture of biometric activities in the border continuum today. In this context, the rationale for biometric adoption was national security. Identifying individuals meant possibly identifying terrorists.
  4. Third, identifying individuals is also (and increasingly) about broader identity management. For CBSA and IRCC, biometrics contribute to overall organizational goals, not just national security objectives. As the immediacy of 9/11 receded, broader identity management became a relatively larger part of the rationale for collecting and using biometrics. This shift reflected a more balanced logic for biometric adoption, embracing their overall utility rather than emphasizing the smaller – though important – national security subset.
  5. Fourth, as biometric activities have expanded, so too has the overlap and/or shared responsibility between organizations in their design and implementation: between government departments/agencies (e.g. IRCC and CBSA); between jurisdictions (e.g. Canada and the US, and Canada and other international partners); and between the public and private sector (as the GoC engages industry partners). Such closer cooperation may have implications for individuals’ privacy rights, for possible future uses of biometrics, and also underscores the importance of sound data security across these various institutions.
  6. Fifth, traveller facilitation has emerged as another force behind biometric adoption, to improve efficiency at the border and to reflect evolving societal norms about the use of technology. As the FASTER-PrivBIO project suggests, the development of new biometric activities takes for granted traveller familiarity with digital devices. At the same time, individuals are likely to be more comfortable adopting relatively intrusive technologies when they do so voluntarily and consensually. This tension – between expectations of convenience and expectations of privacy – is likely to shape public dialogue over biometrics moving forward.
  7. Sixth, and related to the above, the expansion of biometrics has coincided with a growing emphasis on privacy and privacy protections. Many of the pilots and projects described in this section explicitly addressed such concerns, including by adopting so-called “Privacy-by-Design” principles, which are intended to proactively protect personal information. This dynamic reflects the development, over time, of the wider understanding (whether on the part of government, industry, the legal community, or academia) as to the particular risks associated with the collection and use of biometrics. Some applications of biometric analysis – for example the facial recognition used in the FOTM project – carry more risks than others, and ought to be scrutinized accordingly.

5. BIOMETRICS PRESENT

  1. This section focuses on the GoC’s steady-state biometric activities in the border continuum. The balance of the section examines the role of biometrics in the immigration and Passport programs, respectively. For each, we examine how biometrics serve program objectives (noting, as relevant, their collection, use, retention, and disclosure) and consider the criteria outlined in Section 3. The end of the section examines the process of “arriving into Canada”, which includes the analysis of traveller and NEXUS member biometrics by automated kiosks at Canadian airports. Throughout, we highlight the relevant national security considerations.
Immigration Program
  1. IRCC is responsible for screening the admissibility of potential permanent and temporary residents coming to Canada. As part of this process (hereafter the “Immigration Program”), IRCC employs biometrics, in cooperation with CBSA and the RCMP. As IRCC characterized it to NSIRA, for biometrics in the Immigration Program: “IRCC collects, the RCMP stores, and the CBSA verifies.”
  2. IRCC collects (all ten) fingerprints and a digital photograph in support of applications for temporary resident visas or status, work permits, study permits, temporary resident permits, and permanent residency, and in support of refugee and asylum claims. The collected biometrics are stored in two databases: photographs are stored in the IRCC’s Global Case Management System (GCMS) and fingerprints are stored in the RCMP’s Automated Fingerprint Identification System (AFIS). The digital photograph, while ICAO compliant, is not used for facial recognition and may not be of sufficient quality for that type of analysis. As such, we focus primarily on fingerprints in our description and analysis of activities.
  3. Biometrics are collected and enrolled at multiple service points, both in Canada and abroad, with the vast majority (approximately 90%) occurring at Visa Application Centres (VACs). VACs are commercial service suppliers, managed by private companies, contracted by IRCC to deliver biometric enrolment overseas.
  4. The collection phase is a sensitive juncture given the personal nature of biometric information. The primary concerns here relate to privacy and the security of biometric data. Media reports have highlighted concerns about VACs, questioning whether adequate privacy protection can be maintained given the central role of private contractors based outside of Canada. Possible links between the subcontractor administering Canada’s VAC in Beijing and Chinese security forces have also been scrutinized. Foreign governments have an interest in knowing who is applying to come to Canada – the information can be leveraged to monitor, suppress, harass, coerce, threaten or otherwise harm an individual. The possible interception or theft of biometric data is especially concerning, given its possible use in monitoring, surveillance, and identification.
  5. IRCC has taken steps to ensure the flow of biometric information (including collection and transmission) at VACs is controlled. Contracts with VAC providers stipulate that they must abide by Canadian privacy laws. IRCC further states that oversight of VAC contractors occurs through audits and site reviews, conducted by Canadian officials, at VAC locations. All biometric information collected outside of Canada is said to be encrypted before being transmitted back to IRCC servers located in Canada (photographs in GCMS) and to the RCMP (fingerprints in the AFIS). Once successfully transmitted, IRCC states that the information is deleted from the point of collection.
  6. Given the nature of operating in certain foreign jurisdictions, however, there remain challenges to securing the information provided by applicants at VACs. Some VACs are located in countries with national interests inimical to those of Canada – the national security consequences of security breaches at these VACs may therefore be particularly acute. While the scope of the present study precluded in-depth examination of the security arrangements at VACs, NSIRA may wish to revisit the issue at a later date.
  7. In the border continuum, Canada leverages (or uses) the collected biometrics in three ways: for screening at enrolment (with any returned information informing decisions about an application), for verification upon arrival at a Canadian POE, and for ongoing assessment of admissibility (or immigration status) once an individual is present in Canada.
  8. Screening at enrolment is automatic, and includes both domestic (Canadian) and foreign databases. For enrolment, IRCC or CBSA submits the collected fingerprints to the RCMP. Fingerprints and biographic information are then compared against the RCMP’s criminal and immigration fingerprint repositories (the latter includes fingerprints collected as part of previous applications). Fingerprints are also queried against the immigration databases of Canada’s M5 partners.
  9. Information returned from domestic and foreign screening informs decisions on admissibility – including possible inadmissibility on IRPA s. 34 security grounds. Biometric immigration information sharing with the M5 partners includes sharing of derogatory alert codes. Information that indicates a potential national security concern may be referred to the Public Safety portfolio (including CSIS and CBSA) for additional security screening. While foreign screening also occurs using biographical information, biometrics confer the additional advantage of identifying matches to previous applications associated with different names and/or with discrepant biographical information.
  10. Following the screening process, biometrics are used by the CBSA to verify the identity of enrolled foreign nationals arriving at a Canadian POE. This ensures – to a level of confidence beyond what is generally possible absent the use of biometric information – that the individual granted a visa or permit is the same individual entering Canada.
  11. The mode of verification varies between POE. At eight international airports, Systematic Fingerprint Verification (SFV) occurs through Primary Inspection Kiosks (PIKs). PIKs are automated kiosks used to process travellers through customs and immigration at major Canadian airports (for more on the PIK see paragraphs 125-137, below). The PIK captures fingerprints and transmits biometrics to the RCMP for one-to-one matching against the traveller’s reference fingerprint in the RCMP database. Where SFV is not available, Border Services Officers (BSOs) verify identity by comparing the traveller’s enrolled photograph with the individual presenting in front of them, while fingerprint verification occurs on a discretionary basis at secondary inspection using CBSA’s LiveScan device.
  12. Biometrics are also used to assess ongoing admissibility. That is, they serve as a means to connect individuals to information that could affect their immigration status and/or future immigration applications (for example interaction with law enforcement that might indicate inadmissibility).
  13. The retention period for biometrics collected is partially contingent on the application’s outcome. For both temporary resident and permanent resident applications refused on the grounds of what the IRCC considers “serious inadmissibility” (sections 34-37 of the IRPA), biometrics are retained until the individual’s 100th birthday.
  14. This extended retention period provides security benefits as biometrics can help identify an individual should they submit a subsequent application at any (realistic) point in the future, even if submitted under a different name. Extended retention also makes such identification possible for domestic and/or foreign partners with querying access to the immigration database. Should the individual receive a record suspension, criminal rehabilitation, or ministerial relief, the retention period reverts to the typical 15 years from the date of biometric enrolment. This caveat is important, as it realigns the retention of an individual’s biometrics beyond the resolution of the underlying circumstances which warranted the extended retention.
  15. At the end of the retention period, biometric information is disposed of by IRCC according to disposition authorizations issued by Library and Archives Canada. With respect to fingerprints held by the RCMP, an automated electronic purge transaction request is transmitted by IRCC and a confirmation of the purge returned.
  16. In 2021, IRCC discovered a privacy breach related to the retention of immigration fingerprints and photographs beyond their prescribed retention period. The information belonged to individuals who attained Canadian citizenship meaning that, according to IRCC biometric retention policy, fingerprints and photographs associated with their immigration file should have been deleted. IRCC notified the OPC in February 2021 about the issue, and notified affected clients, by email, in March 2021. A public notification was placed on the IRCC website.
  17. The disclosure of biometric information raises privacy considerations and calls for attentive consideration of their subsequent use. Given that biometrics are personal information, the current legal framework requires that the GoC only use them for the purposes for which they were obtained (namely, determining an individual’s admissibility to enter, or remain in, Canada); for a use consistent with that purpose; or as otherwise authorized by law.
  18. The automated querying that occurs between Canada and its M5 partners involves an anonymous biometric (fingerprint) search, with no identifying biographic information included; if a match is detected, relevant immigration information is returned; if there is no match, the receiving country sends a nil result. In either case, the receiving country is required to purge and not retain the fingerprint. The system is designed, ultimately, with the intention that no biographic and/or immigration information is exchanged unless both parties already possess the biometric in their databases – an important privacy protection measure. Further, the automated agreements specify that any information exchanged will pertain to third-party nationals only; that is, Canada will not send or receive information on Canadian citizens or, with the exception of asylum claims, permanent residents.
  19. Less frequent case-by-case (or ad hoc) exchanges may result in the actual exchange of underlying biometric information (whether photographs or fingerprints) if the information is deemed, by the requesting party, relevant to enforcing that party’s immigration and citizenship laws. Such exchanges are subject to caveats regarding use, onward disclosure, and retention, which apply to any information disclosed (not just biometrics), but which are not legally binding on the participants. IRCC further indicated that ad hoc exchanges of biometric information may also occur with international partners beyond the M5, “with either the consent of the individual to whom the information pertains, or pursuant to section 8(2)(a) [i.e. the consistent use provision] of the Privacy Act.”
  20. The primary sources of authority for the collection, use, and disclosure of biometric information in the Immigration Program are the IRPA and the Immigration and Refugee Protection Regulations (IRPR). Specifically, s.10.01 of the IRPA authorizes the collection of biometrics for the purposes of enrollment and verification pursuant to an application under the Act. Under s. 10.02 of IRPA, the Minister may issue regulations respecting the implementation of these processes, through the IRPR. The Regulations specify to whom the biometrics requirements apply, the type of biometrics at issue, and guide their collection, processing and verification. Section 16(1) of the IRPA requires that individuals making an application under the Act submit truthfully to examination and produce “relevant evidence and documents” while 16(2), which applies only to foreign nationals, specifies that such evidence includes “photographic and fingerprint evidence”. IRCC also cites s. 4 of the Privacy Act as authorizing their collection of biometrics, given that the information relates “directly to the administration of [IRCC’s] immigration programs.” They note further that, consistent with s. 7 of the Privacy Act, biometrics “will only be used for the purposes for which it was collected, or for a use consistent with that purpose.”
  21. In terms of the IRCC’s disclosure of biometrics to international allies, s. 7 of the IRPA authorizes the Minister, with the approval of the Governor in Council, to enter into an agreement(s) with the government of a foreign state(s), for the purposes of the IRPA. Multiple such agreements are part of the IRPR, which cover Canada’s information sharing activities with each M5 partner including: the ‘Agreement between the Government of Canada and the Government of the United States of America for the Sharing of Visa and Immigration Information’; the ‘Annex Regarding the Sharing of Information on Asylum and Refugee Status Claims to the Statement of Mutual Understanding’; and the bilateral automated exchange arrangements with the Governments of Australia, New Zealand and the United Kingdom. These agreements provide for the disclosure of biographic and biometric data between the parties to the extent “necessary, relevant and proportionate to achieve [the administration and enforcement of the parties’ citizenship and immigration laws].” Provisions in each agreement also govern the destruction of the information, the correction of previously disclosed information, and grant the Minister a discretion to refuse to disclose information detrimental to Canada’s national interests.
  22. Such disclosures would also be consistent with s. 8(2)(f) of the Privacy Act, which allows for the disclosure of personal information under an agreement or arrangement between the Government of Canada and a foreign state, for the purpose of administering or enforcing its laws. Ad hoc exchanges with partners beyond the M5 are conducted pursuant to the consistent use provisions of s. 8(2)(a) of the Privacy Act.
  23. Canadian law enforcement may also access fingerprints collected by IRCC during the immigration application process for law enforcement purposes. Section 13.11 of the IRPR allows the RCMP to use – or disclose to other law enforcement agencies in Canada – any biometric information and specified, related personal information for the purpose of establishing or verifying a person’s identity in order to prevent, investigate or prosecute an offence. This information may also be used to establish or verify the identity of a person whose identity cannot reasonably be otherwise established or verified because of a physical or mental condition or because of their death. In other words, when law enforcement agencies submit fingerprints collected in the course of its duties to the RCMP — or the RCMP itself verifies a fingerprint — both criminal and immigration repositories, containing the fingerprints of foreign nationals and permanent residents, are included in the search. Section 13.11(2) of the IRPR allows the following personal information to be used or disclosed: the individual’s fingerprints and the date on which they were taken; their surname and first name; their other names and aliases, if any, their date of birth, their gender, and any file number associated with the biometric information or related personal information.

Assessing the Immigration Program

  1. Biometrics facilitate identity management in the Immigration Program. First, the enrolment of biometrics ties an application to an individual. Second, biometric querying screens applicants against domestic and foreign databases, with the information returned as part of these queries informing decision-making regarding their admissibility into Canada. Third, biometrics are verified upon arrival at a Canadian POE to ensure that the individual presenting is the one to whom a visa or permit has been granted. Finally, biometrics are retained for a specified period (varying between application streams) so as to both assess continuing admissibility (status) under the IRPA and allow foreign nationals to submit subsequent applications without having to re-enrol their biometrics.
  2. National security benefits are a consequence of robust identity management. National security is a component of, rather than the sole impetus behind, the use of biometrics. Enrolling biometrics at the application stage serves as a potential deterrent to individuals who might otherwise apply for mala fide purposes. Biometric screening of domestic and foreign databases helps identify individuals who are inadmissible (including, potentially, for reasons of national security). Verifying biometrics upon arrival ensures that the individual authorized to enter and not an individual posing as that person is the individual who does enter. The retention of biometrics which includes the retention of biometrics tied to applications denied for reasons of national security allows for the ongoing assessment of admissibility under the IRPA (including s. 34) and facilitates the reciprocal querying of foreign databases. Without biometrics, such exchanges would rely on biographical information, which is more susceptible to fraud and/or error.
  3. Unique to each individual and easily captured by digital technology, fingerprints are generally regarded as accurate and reliable means of identification. However, both CBSA and IRCC noted potential concerns in relation to Gender Based Analysis Plus (GBA+), which is an analytical process designed to assess how diverse groups of people may experience policies, programs and initiatives. Specifically, some groups have more difficulty than others having their fingerprints captured, including individuals working in certain trades (which may indicate lower socio-economic status) and women (due to a biological difference in finger ridges). Mitigation strategies at the collection stage included training for operators, and operational guidelines as well as a regulatory provision (R12.8 of the IRPR) that allow the application process to continue if fingerprint capture is not possible.
  4. Similarly, research has shown that fingerprint-matching algorithms – such as those used during SFV – may be less accurate for certain ethnic, gender, age, and socio-economic groups. Examples include individuals of East Asian origin, women, those working in certain trades, and older individuals. These groups may be subject to higher error rates when their fingerprints are verified (e.g. compared to an existing fingerprint holding). Mitigation strategies identified by CBSA included hardware and software adjustments that would improve the ability of PIKs (the kiosks used for SFV) to capture and analyze fingerprints.
  5. In terms of transparency, there is significant material available to the public regarding biometrics and the immigration application process. Much of this content is practical in nature, intended to guide prospective applicants in the provision of their biometric information. IRCC also explains the program benefits of using biometrics, including that they help facilitate entry into Canada, ensure that the person seeking entry is the same as the one who was granted a visa, permit, or permanent residence, and to help prevent the use of stolen, borrowed, or altered visas and/or permits to enter Canada. While national security justifications are provided, the emphasis is on service delivery and the broader imperatives of identity management.
  6. Overall, fingerprints appear to be a reasonable, appropriate choice of biometric to use in the immigration system. They can be collected relatively easily, with little intrusion, and while they are reliable identifiers, they offer comparatively little extrinsic evidence about individuals’ lifestyles or personal choices. Moreover, they offer a vital inter-operability across domestic immigration and law enforcement systems, as well as with those of nearly all foreign jurisdictions. The privacy costs of relying on biometrics for immigration screening therefore appear to be reasonable and proportionate to the benefits they convey to the state and the integrity of its immigration system.
  7. Once collected, the use of biometrics for screening and verification are proportionate to the objective of identity management. From a national security perspective, decisions about admissibility – who may and who may not enter the country – are fundamental. So, too, is the desire to prevent fraudulent entry. At the screening stage, biometrics are particularly helpful in linking information across databases – e.g. in connecting information about an individual held in domestic or foreign repositories. The ability to make such linkages even in the face of multiple names or biographical profiles – perhaps cultivated for mala fide purposes – is largely unique to biometrics as a class of information. Likewise, verification – confirming that an individual is who they say they are when presenting at the border – is significantly enhanced through biometric analysis.
  8. The activities are not without risks, however. The availability of immigration biometrics to Canadian law enforcement, for example, has the potential to stigmatize the immigrant population by associating them with criminality. In 2015, the European Union’s EURODAC (European Asylum Dactyloscopy Database) was heavily criticized by civil rights groups for “criminalizing” asylum seekers by making their fingerprints available to European law enforcement agencies. While held in different repositories, immigration and criminal fingerprints exist within the same RCMP system, and both are searchable by law enforcement, including when attempting to identify latent fingerprints taken from crime scenes.
  9. There are benefits to making immigration fingerprints available to law enforcement, most immediately in assisting police with the enforcement of Canadian criminal law and, consequently, in returning information to IRCC and CBSA which may be relevant for enforcing the IRPA. At the same time, if the fingerprints of all Canadian citizens were in the possession of the government and searchable by Canadian law enforcement, that too would benefit the enforcement of Canadian law, though few – if any – would consider such an arrangement proportionate or desirable. It is therefore legitimate to question whether the availability of immigration fingerprints – collected in the course of applying to come to Canada – to law enforcement is proportional in all circumstances, or whether it should be limited to certain serious offences.
Passport Program
  1. The Passport Program, led by IRCC, is responsible for “issuing, refusing to issue, revoking, withholding, cancelling, recovering and providing instructions on the use of Canadian passports and other travel documents.” The program’s ultimate purpose is to enable the travel of eligible Canadian citizens, permanent residents, and refugees. Preventing individuals who are ineligible or not entitled to a passport from obtaining and travelling under official documents is the obverse of this goal. A subset of applicants will be ineligible for reasons related to national security. Established pursuant to the royal prerogative on passports, the Canadian Passport Order (CPO) constitutes the main legal framework for the issuance of regular and temporary passports by the Passport Program. It provides the authority for IRCC to collect and use personal information, including biometrics, for the processing of applications and determining an individual’s entitlement to a passport. IRCC maintains that this collection is consistent with s. 4 of the Privacy Act, given that collection relates directly to the administration of a lawfully authorized program.
  2. Specifically with respect to biometrics, s. 8.1(1) of the CPO allows IRCC to convert an applicant’s photograph into a digital format and insert it on the electronic chip in the ePassport. Section 8.1(2) facilitates the use of the FRS by authorizing the conversion of the photograph into a biometric template “for the purpose of verifying the applicant’s identity, including nationality, and entitlement to obtain or remain in possession of a passport.” This provision similarly authorizes the use of the System Lookout-Facial Recognition System (SL-FRS) described below.
  3. As with the Immigration Program, the full range of benefits associated with biometrics extend beyond national security outcomes. According to IRCC, the “use of biometrics in the Passport Program does not per se constitute a security and intelligence activity.” Rather, as in the immigration context, biometrics serve identity management, with potential national security benefits downstream of that broader ambit.
  4. Two identical, printed facial photographs, meeting certain International Civil Aviation Organization (ICAO) standards, must be submitted as part of applications for all Canadian travel documents. According to IRCC, all application information is transmitted via secure systems, and all facial recognition data traffic is secured through encryption.
  5. The collected photograph is used for two purposes. First, it is screened using facial recognition to help establish identity and inform an assessment of the applicant’s eligibility and entitlement to Canadian travel document services. Second, it is embedded in the document and used by border officials to validate the identity of the holder when crossing an international border.
  6. The applicant’s digitized photograph is transferred to the Facial Recognition Solution (FRS) application. The FRS then converts the image into a biometric template using a proprietary algorithm and stores it in an accompanying database. If the application is linked to a previous application, such as renewals or the replacement of lost or stolen passports, one-to-one facial verification is performed against the applicants’ previous template(s). For both renewals and new applications, one-to-many facial identification is performed against existing templates (approximately 55 million, from previous applications) in the FRS database from adult (age 16+) applicants and photographs supplied as part of the Passport System Lookout (SL). The SL-FRS , as it is called, is effectively a watchlist comprised of individuals who are considered high-risk for identity fraud, including those known to have a history of using false identities or multiple aliases, or who have otherwise been identified by security partners – including CSIS and the RCMP – as high-risk for such behaviour. The precise criteria or circumstances for inclusion on the list are not clear, and appear to be highly discretionary. IRCC caveats, however, that “only a small number of IRCC Passport Program officers have the ability to add entries to the list.” The list has been in operation since February 2018, and currently includes fewer than 100 individuals.
  7. According to IRCC, the use of the FRS protects the integrity of the Canadian passport. IRCC cites 2016 ICAO guidelines on security in the issuance of travel documents noting that the issuance phase – or the “beginning of the chain” – is becoming the primary target for fraud given “the rapid development of new technologies and new security techniques” which make forgery increasingly difficult, including, for example, the security features associated with the ePassport.
  8. The authority to refuse passport applications for national security reasons lies with the Minister of Public Safety, as per the CPO. Biometric screening through FRS may inform that decision-making process by detecting identity fraud or flagging individuals from the SL-FRS. No such decisions are automatic; individuals on the SL-FRS may still be entitled to a passport or travel document following review.
  9. Preventing fraud (whether through deterrence or detection) in the issuance of official travel documents offers clear national security benefits. The movement of mala fide actors across borders threatens both international and Canadian security. While identity fraud is committed for a host of reasons – including criminal, financial, or personal – the possibility that terrorism, espionage, or other national-security threats may involve the misuse of passports is well documented. Again, rare events can have significant consequences.
  10. The second fundamental usage of the collected biometric is by way of the ePassport itself during the course of international travel. When the passport is issued, the facial photograph is both printed on the biographical page and embedded as a digital image on an electronic chip within the document.
  11. The embedded digital photograph enables three-way verification between the image on the passport, the image on the chip, and the person presenting the passport. Certain countries – including Canada (see the discussion of the PIK in paragraphs 125-137, below) – leverage facial recognition technology for this purpose. The result is greater confidence in a) the integrity and authenticity of the document, and b) that the individual presenting the document is the individual to whom it was issued. The chip is digitally signed using Public Key Infrastructure (PKI) techniques allowing for the verification of the document against the issuing country and to ensure that the data contained within has not been modified.
  12. Photographs submitted as part of passport applications, as well as the biometric templates derived therefrom, are retained until an applicant has reached 100 years of age. IRCC assesses that this retention period is consistent with the practices of international partners (e.g., the United Kingdom and Australia), and balances, in their estimation, the need to issue secure, trusted travel documents with the requirements of the Privacy Act to retain personal information only for as long as necessary. Hard paper copies of the passport applications, including photographs, are retained for six weeks following conversion to digital format, and subsequently shredded.
  13. The length of the retention period facilitates identity management as individuals renew their passports over the course of their lifetime. Each returning adult applicant (e.g. renewal, replacement, etc.) can be verified through the FRS against previous applications from the same individual. Similarly, one-to-many FRS screening includes templates from most adult applicants, maximizing the scope of detecting possible identity fraud.
  14. IRCC discloses photographs and related biographic information collected by the Passport Program to other government departments (OGDs). Unlike in the Immigration Program, these disclosures are not systematic. Rather, they come in response to ad hoc requests from OGDs with criminal, national security, and intelligence mandates. The OGDs make the requests pursuant to their own legislation, and their scope is circumscribed by s. 4 of the Privacy Act. According to IRCC, the context of many of these requests is often the need for information regarding Canadians travelling abroad to engage in foreign conflicts or unlawful acts.
  15. Such requests can involve confirmation or validation of biometric information provided by the OGD against passport records, or identifying individuals of security concern by processing a photograph provided by the OGD through the FRS. For example, the RCMP may identify a person of national security concern, but have only a photograph of the person (e.g. from their social media presence); CSIS may provide IRCC with a photograph of an individual they are investigating but cannot identify. Alternatively, the RCMP and CSIS may share photographs of known individuals with the IRCC. The purpose of these checks is to ensure the person has not obtained a passport under another identity. The IRCC states that, for the RCMP, the scenarios described herein may require the RCMP to obtain a Production Order, depending on the particular circumstances of the request.
  16. In both cases, the IRCC converts the photograph provided by CSIS/RCMP into a biometric template and runs it through FRS. In the first instance, in the event of a possible match, the IRCC would return limited biographic and/or biometric information to the RCMP or CSIS to assist in confirming the person’s identity. In the second instance, the IRCC may validate the person’s previously known identity and confirm whether the person’s photograph is associated to any other identities logged by the Passport Program. The scope of information disclosed by the IRCC, in both cases, depends on the nature of the investigation and its authorities to disclose.
  17. The IRCC discloses this information pursuant to s. 5 of the Security of Canada Information Disclosure Act (SCIDA), if applicable, or may rely on s. 8(2)(e) of the Privacy Act in the case of specific requests. Section 5 of SCIDA allows the IRCC to disclose information to the RCMP, CSIS and other specified institutions where it is satisfied that the disclosure will contribute to the exercise of the recipient institution’s jurisdiction in respect of activities that undermine the security of Canada. To disclose under SCIDA, the IRCC must also be satisfied that the disclosure will not affect a person’s privacy interest more than is reasonably necessary in the circumstances. In contemplating such disclosures, the IRCC affirms that it first obtains sufficient details to ensure these conditions are met. In other instances, such as when the disclosure is to assist a law enforcement investigation, the IRCC may rely on s. 8(2)(e) of the Privacy Act to provide specific investigative bodies with information they have requested in writing, for the purpose of enforcing Canadian law or carrying out a lawful investigation. Where a production order or warrant supports the OGD requests, section 8(2)(c) of the Privacy Act authorizes the disclosure of information for the purpose of complying with the warrant.
  18. In addition to these disclosures to assist national security or law enforcement investigations, the IRCC may disclose information to the Department of Public Safety, where necessary to assist the Minister of Public Safety in rendering a decision under the CPO. Sections 10.1 and 11.1(2) of the CPO authorize the Minister of Public Safety to decide that a passport should not be issued, or that a current passport should be revoked or cancelled, when such action is necessary to prevent the commission of a terrorist act or protect the national security of Canada or a foreign state. By virtue of this authority, the IRCC may collect information on an ongoing basis to verify an individual’s continued entitlement to possess the document. The IRCC also relies on the CPO to disclose, to the Minister of Public Safety, information necessary to support his decision on such matters. In practical terms, this includes IRCC’s disclosure of the relevant passport application, including the digitized photo, to Public Safety. Section 5 of SCIDA and section 8(2)(a) of the Privacy Act (on consistent use) further support these disclosures.

Assessing the Passport Program

  1. A significant source of public concern regarding the use of facial recognition is the possibility that the technology will be inaccurate. In the passport context, false positive identification could lead to inconvenience and/or additional investigative attention for individuals. False negatives, by contrast, worry operators, as they potentially undermine the security benefits of the system.
  2. The FRS has certain natural advantages with respect to accuracy. First, it predominately uses high-quality probe images (templates extracted from passport photographs taken according to ICAO specifications) and searches them against the same (a gallery populated by templates extracted from passport photographs). Exceptions are the images on the SL-FRS and images supplied by OGDs for checking against FRS, which may be of lesser quality. Second, the matching process is not time sensitive (as would be the case in a live environment such as a POE). Adjudication – triage, analysis, and investigation – of possible matches (one-to-many) or non-matches (one-to-one) can be conducted thoroughly before any decisions are made which affect individuals.
  3. A related concern is that certain groups will be disproportionately affected by system inaccuracies. Extant research has demonstrated that age, gender, and ethnicity, among other factors, may influence the ability of a facial recognition system to accurately identify individuals, leading to possible bias and discrimination.
  4. IRCC employs several mitigation measures. First, enrolled templates are stored in one of six separate galleries according to age (adults 16+ and children under the age of 16) and self-identified gender (male, female, or other). Age and gender are known to be confounding factors in facial recognition; separating the database into galleries according to these characteristics allows thresholds to be adjusted as necessary to improve the performance of the system.
  5. In January 2021, IRCC completed an evaluation of a next generation algorithm for possible use in FRS. The results were favourable in terms of the accuracy observed in testing, and implementation of the new algorithm is set for 2021-22. Specifically, the new algorithm demonstrated superior performance in terms of age and gender disparity as compared to the algorithm currently in use. The new algorithm demonstrated improvement in matching photographs taken at lengthy time intervals (e.g. 15 years), which is directly relevant to passport renewals. The testing did not evaluate, however, the algorithm’s performance with respect to race and ethnicity.
  6. IRCC provides public information regarding the use of facial recognition in the passport application process. The photograph guidelines posted on the IRCC website state that “The [ICAO] recommends that passport photos be taken with a neutral expression. This lets us use facial recognition systems to help prevent fraud.” Similarly, a Privacy Notice Statement is included on passport application forms, describing the collection, use, disclosure and retention of personal information, including biometrics.
  7. The biometric embedded on the electronic chip in the ePassport does not constitute a significant risk or expansion beyond what was included in analog passports prior to the ePassport’s implementation. What is on the chip – the facial image and biographical information – is also on page 2 (the biographical page) of the physical document itself.
  8. By contrast, the issuance process – including the use of FRS – directly implicates both biometric information and national security considerations. Preventing mala fide actors – including those posing a threat to national or international security – from obtaining bona fide travel documents warrants stringent processes and security measures during the issuance phase. At the same time, information collected and used in the context of the issuance process will impact all individuals – millions of Canadians and individuals living in Canada – who apply for a passport or other official travel document.
  9. The key consideration is whether the privacy impact of the FRS is commensurate with the benefit to national security associated with its collection, use, retention, and disclosure of biometric information.
  10. The OPC’s recent investigation into the RCMP’s use of facial recognition services supplied by the private firm Clearview-AI is worth considering in this context. In that case, the OPC found that the RCMP’s leveraging of biometric information collected by Clearview-AI from social media and other internet sources violated the Privacy Act because Clearview-AI’s collection of that information had been unlawful. More relevant for the present discussion, however, is the OPC’s characterization of the practical effect of law enforcement’s use of Clearview AI, which meant that “billions of people essentially found themselves in a ‘24/7’ police line-up.” That is, the existence of their biometric information in a database available to law enforcement meant they were subject to identification by law enforcement at any time.
  11. In national security investigations, there may be different policy justifications, security benefits, and disclosure limitations that render use of the IRCC’s passport database proportionate. The disclosure of this information by the IRCC to the RCMP is also supported by law (see paragraph 111). The connection between passport biometrics and the investigations and activities of the RCMP, CSIS and CBSA remains a striking example, however, of the connections made possible by biometrics. Moving forward, NSIRA may wish to review these arrangements, to assess their reasonableness and necessity in terms of balancing individual interests (privacy, liberty, etc.) and the state’s security goals.
Arriving into Canada
  1. The Passport and Immigration programs are the major programs governing Canada’s border continuum. Together, they help manage the processes by which individuals enter the country, largely by providing the documentation that makes international travel possible. Related to these larger programs is the actual process of arriving at a POE and going through Canadian customs and immigration. While the above discussions of both Immigration and Passport touched on these processes, this section discusses two additional activities that involve the analysis of biometric information to verify the identity of individuals arriving into Canada.

Primary Inspection Kiosks (PIKs)

  1. Primary Inspection Kiosks (PIKs) are automated, self-serve kiosks present at ten major Canadian airports. The kiosks facilitate the immigration and customs process for international arrivals into Canada.
  2. As discussed in relation to the Immigration Program, biometrically-enrolled foreign nationals are subject to biometric verification upon arrival into Canada. At airports equipped with Systematic Fingerprint Verification (SFV), this occurs through PIKs. Additionally, PIKs validate ePassports and help verify the identity of ePassport holders (including Canadians) using facial recognition (one-to-one matching) technology.
  3. In 2019, PIKs processed 21,853,422 individuals, an average of 59,872 travellers per day. This means that most individuals – whether Canadian or foreign – arriving in Canada by air have their biometrics analyzed in some way (either as biometrically-enrolled foreign nationals, ePassport holders, or both). CBSA derives its authority to collect information from individuals as they arrive in Canada from s. 11 of the Customs Act and ss. 15 and 18(1) of the IRPA.
  4. The PIK facilitates risk assessment by sending passport and biographical information to CBSA for processing in real time. CBSA uses the information to check the traveller against existing traveller processing systems. This includes the Interdiction and Border Alert System and the Integrated Customs Enforcement System.
  5. According to CBSA, all information passes between the PIK and CBSA through an encrypted tunnel and is purged prior to the next traveller using the device.
  6. The use of the facial photograph embedded on the ePassport’s electronic chip is for identity verification at the kiosk and during primary inspection. Facial recognition – or facial “matching” as it is called by CBSA in this context – occurs on a one-to-one basis by extracting the digital photograph from the chip and comparing it to a live photograph of the traveller captured by the kiosk. A match score is generated, based on the vendor’s proprietary algorithm, and the score is sent to the CBSA to determine whether it is above or below a pre-determined threshold. The result is printed on the PIK receipt. The CBSA itself defines the match/no-match threshold; it is not determined by, nor shared with, either the vendor or Airport Authorities.
  7. The PIK receipt also includes the facial photograph taken by the kiosk. The traveller presents the receipt to a Border Services Officer (BSO); in the event of a no-match, the BSO may correct obvious non-technical errors (for example, one individual was photographed twice as part of a group of two travellers) through visual verification, ask additional questions, and/or refer the individual to secondary inspection on a discretionary basis.
  8. The inclusion of the photograph on the receipt was a significant issue in the 2012 PIA conducted for the PIK project. CBSA justified the practice on the basis of efficiency (quicker processing by the BSO collecting receipts) and security (preventing receipt swapping prior to egress at primary inspection). The PIK receipt – including the printed photograph – is retained by CBSA for seven years. The OPC expressed concerns regarding this retention period given the presence of the traveller’s photograph. In essence, the retention of these photographs constitutes a database of (nearly) all travellers who enter Canada. While CBSA asserted that the photographs are not searchable nor used for facial recognition purposes, OPC noted the sensitivity of retaining biometric information in centralized databases and has urged CBSA to consider mitigation strategies.
  9. The CBSA details the necessary specifications and requirements for PIKs, but relies on Airport Authorities to procure both the hardware and software (including the algorithm used for facial matching). This means that different versions exist at different airports across Canada. The accuracy of the facial matching process consequently varies between locations. The algorithms are proprietary, meaning CBSA does not have visibility into precisely how they operate, though it does have access to data on accuracy and performance through the US Department of Commerce’s National Institute of Standards and Technology (NIST) as well as from in-house performance testing.
  10. In 2020, CBSA evaluated the performance of the four face-matching algorithms integrated in the three kiosk designs currently in use, and determined that opportunities existed to improve performance in certain airports by adjusting facial matching thresholds. The testing similarly examined issues of possible demographic bias. The results suggested that small discrepancies along the lines of gender (lower matching rates for females) and age (lower matching rates for younger and older) did exist in airports using a particular algorithm. Recommendations for mitigation included shifting vendors and/or setting gender-specific match thresholds, though the latter option was considered potentially problematic in terms of inviting higher false positive match rates.
  11. Public reporting has expressed concern that higher facial matching error rates for certain ethnicities might result in more frequent referrals from PIKs to secondary inspection. It has been observed, for example, that rates of referral are higher for nationals from Iran and Jamaica, as compared to countries such as Iceland and Denmark. The CBSA indicated to NSIRA that no referrals to secondary inspection occur as a result of the facial matching process (i.e. there are no referral codes associated with facial matching leading from the PIK to secondary inspection). In practice, however, a failed match will lead to greater scrutiny as a BSO at primary inspection assesses the reason for the failed match. It is possible that discretionary referrals to secondary occur as a result; the CBSA does not track statistics associated with this scenario.
  12. CBSA is aware of concern regarding possible bias associated with higher facial match error rates for certain ethnicities, and points to improvements in the overall accuracy of algorithms that will help close any gaps in performance across demographic categories. Further, CBSA notes that its “work in this area is nascent and is not yet conclusive with significant work still to be conducted.” Given the significance of the public interest and concern associated with possible bias, NSIRA encourages CBSA to continue its work in this area. In addition to technical solutions aimed at further closing identified gaps, an examination of the implications of facial matching errors on travellers might suggest policy solutions to mitigate any possible disparate impacts.
  13. The PIK will continue to play an integral role in future applications of biometric technology at Canada’s international airports. As noted in the CBSA’s 2021-22 Departmental Plan, the agency is set to integrate the PIK into new applications of mobile technology with the aim of further streamlining the customs and immigrations arrival process.

NEXUS

  1. NEXUS is a voluntary trusted traveller program intended to expedite border crossing between the US and Canada for preapproved, low-risk travelers (“NEXUS”). Section 11.1(1) of the Customs Act authorizes the Minister to administer such programs, by allowing him to authorize persons to present themselves at the border “in an alternative manner.” The program is jointly managed by CBSA and US Customs and Border Protection (CBP). As mentioned in Section 4, although NEXUS began as a pilot initiative prior to 9/11, it was expanded and implemented following the attacks with an eye toward robust identity verification and traveller facilitation in the context of enhanced border security.
  2. In 2019, NEXUS underwent a “modernization” process, which saw the adoption of the PIK facialmatching model into NEXUS-dedicated kiosks for air arrivals, replacing iris scans with facial matching as the biometric modality for identity verification. In order to facilitate facial matching, CBSA collects the biometric from electronic passports, stores it in the NEXUS database, and uses the photograph to verify identity during travel. The process is similar to how the PIK operates in other traveller streams and produces roughly similar outcomes. The main difference here is that the photograph taken at the kiosk is matched against the traveller’s image in the NEXUS database. NEXUS’ purpose in using the passport photograph is the same as in the regular PIK process: to verify the individual’s identity prior to allowing them admission into Canada. NEXUS’ use of the passport photograph was preferred because the image provides better facial recognition matching (given that it was taken according to ICAO specifications) as compared to the membership photograph (taken by border services officers under varying conditions – light, background, distance, etc.). NEXUS participants are informed of the extraction of their passport photograph for facial matching purposes.
  3. NEXUS’ voluntary nature, and the consistent purpose of using the passport photograph within NEXUS to facilitate identity verification and travel, renders this second use of the ePassport photograph reasonable in NSIRA’s view. The consistency of purpose between the programs also respects the norms and the requirements of sections 7 and 8 of the Privacy Act.
  4. The use of the passport photograph for facial matching within NEXUS is nevertheless noteworthy as an example of when it has been beneficial to use an existing biometric in an additional program. The dual-use of biometrics in this case is relatively benign, but the dynamic which produced it – that is, the convenience, availability, and possible value-added (accuracy in identification) of existing biometric information – is likely to be common to scenarios which may be of more concern, as discussed below (see paragraphs 191-201, below).

6. BIOMETRICS FUTURE

  1. We expect the landscape detailed in the preceding sections of this report to change significantly in the short-, medium-, and long-term. In this section, we highlight select projects and initiatives to illustrate how biometrics in the border continuum are likely to evolve, and to mark key points of consideration for Canadians – and NSIRA – as we move into this unfolding technological future.
  2. The GoC has publicly committed to continued research, development, and deployment of biometric technologies in the border continuum. For instance, Budget 2021 allocates $656.1 million over five years (beginning in 2021-22) and $123.8 ongoing to the CBSA for the “modernization” of Canadian borders. CBSA “proposes to utilize new technologies, such as facial recognition and fingerprint verification” as part of such efforts.
  3. The agency has announced the creation of an Office of Biometrics and Identity Management (OBIM) under a newly formed Biometrics Transformation Directorate (BTD) within the Chief Transformation Officer Branch (CTOB). CBSA indicated to NSIRA that the purpose of the BTD is to coordinate biometric initiatives (including design, implementation, and operation) across the agency. In addition to its coordination role, OBIM will act as a Centre of Expertise and focal point within CBSA for guidance on the appropriate use of biometrics. This will include developing and managing CBSA’s biometrics governance, risk and compliance framework. A June 2021 Notice of Proposed Procurement (NPP) solicited proposals from contractors for aid in establishing the OBIM and “to work with the [CBSA] in researching, planning for and rapidly developing a strategy and roadmap related to the use of Digital [sic] solutions enabled by supporting technologies in biometrics, in response to the COVID 19 situation and other operational priorities.” The proposal further specified that the successful contractor would aid in “the development of a comprehensive approach and plan to manage, evolve and adapt in using biometrics” to fulfill CBSA’s mandate and objectives. As part of this coordinating function, the OBIM will review current steady-state biometric activities and make recommendations where necessary for aligning them with overarching CBSA standards and objectives.
  4. With respect to immigration, CBSA’s Departmental Plan 2021-22 commits to “explor[ing] measures to standardize the collection of biometric information on potentially inadmissible travellers to strengthen compliance verification at the border.” In July 2021, IRCC released a tender notice soliciting industry information regarding the procurement of a next generation Canadian Immigration Biometric Identification System (CIBIDS). The new system will “take advantage of the latest technologies […] to modernize [IRCC’s] biometric technology solution” and may include the “design and development of a new IRCC custom Biometric Collection Solution.”
  5. “Next generation” development is occurring in the Passport Program as well, with “a new passport booklet, incorporating advancements in technology to enhance the document’s durability and security features” aimed, in part, at “alignment with documents issued by our Five Nations Passport Group partners.” Phased rollout of the new ePassport will occur between 2023 and 2024.
  6. Passport issuance, similarly, is undergoing “modernization”, as part of an ongoing process initiated in 2013 to facilitate the transition of the Passport Program from the Department of Foreign Affairs, Trade and Development to CIC (now IRCC). The Passport Program Modernization Initiative (PPMI) is a multi-year project that is scheduled to be completed in 2023. PPMI intends to streamline “all aspects of Passport Program operations” and “keep pace with evolving international passport issuance and identity management best practices.” The initiative also aims to systematize passport services across intake locations, and lay “the foundation for online passport services and automation to improve the service experience.”
  7. In June 2020, IRCC issued an NPP for a “Passport Digital Services Project” that “will allow Canadians to apply online for passports, using a computer, tablet or mobile device, as a convenient alternative to mail-in or in-person service options.” The procured platform will transmit passport applications – including digital photographs – from individuals to IRCC. Media reporting in early 2021 indicated that IBM was selected as the successful bidder. The proposed system has generated privacy concerns, particularly with respect to transmitting biometric information (digital photographs) over a private platform. We can expect the tension illustrated here, between convenience and privacy, to be a key theme in public conversations surrounding new biometric activities in the coming years.
  8. In this vein, CBSA’s Department Plan 2021-22 highlights several experimentation and innovation initiatives involving mobile technology (e.g. smartphones), including “explor[ing] digital identity concepts and opportunities to pilot digital identity in the travel continuum from a border management perspective.” Digital Identity refers to paper-less identification, whereby trusted and secure digital proof of one’s identity replaces traditional, physical documentation (e.g. passports, driver’s licenses, etc.).
  9. A Digital Identity is typically linked to an individual through biometrics. ICAO’s first iteration (Type 1) Digital Travel Credential (DTC), for example, “binds” a traveller to their Digital Identity by way of the biometric embedded in the ePassport, limiting the need to produce the physical document during travel. The DTC is an international project that, while coordinated by ICAO, includes input from jurisdictions around the world and encompasses several future iterations (Types 2 and 3). IRCC and CBSA are currently members of ICAO’s New Technology Working Group (NTWG) and the NTWG’s Digital Travel Credentials (DTC) sub-group. Ultimately, the long-term vision of the DTC project is to replace physical passports with Digital Identity “tokens” (which would include the facial photograph from the ePassport) stored on mobile devices.
  10. As discussed in Section 4, IRCC and CBSA’s FASTER-PrivBIO Project (2015-2017) also explored the use of identity “tokens,” stored in a mobile application, in the context of Electronic Travel Authorizations (ETAs). FASTER-PrivBIO closed in 2017, and “Phase II” of the project became the Chain-of-Trust (CoT) initiative, led by CBSA in collaboration with IRCC, Defence Research and Development Canada (DRDC), the University of Ottawa, and industry partners.
  11. CoT further explored the adoption of mobile technology in the eTA process, while also expanding to include other steps in the travel continuum. As described in CBSA’s Blueprint 2020 Report (published in December 2018):
    • [t]he Chain of Trust process would require travellers to download an app to their smartphone and create an account including a unique identifier built from their biometrics. At every stage of the trip – from flight reservation, to obtaining a boarding pass, to disembarking the plane – the traveller’s data would be collected and used to speed up the traveller’s passage. Just before landing, the traveller would create an e-declaration and digitally sign it using biometric facial verification. Upon arrival, cameras would match the biometric face to the traveller’s unique identifier.
  12. The purpose of the process, ultimately, is to enhance risk assessment. Linking traveller information to traveller identity throughout the travel continuum (including by using facial recognition as an individual moves through the airport) facilitates the flow of low-risk travellers (including by minimizing touch-points with border control, a feature that will take on additional significance in the context of post-COVID 19 travel), while enhancing the detection of possible high-risk travellers.
  13. In 2018, a simulated prototype demonstrated the basic features and process flow of the CoT to Canadian government officials. While the prototype project closed in 2019, the overarching CoT initiative continues, as per CBSA’s 2021-22 Departmental Plans, through the deployment of “small-scale minimum viable products to assess feasibility in a live environment and obtain user experience feedback.” The stated goal of CoT remains the streamlining of “traveller identification through the use of digital travel credentials and biometrics.” Notably, CoT is explicitly aligned with other international initiatives and projects, including ICAO’s DTC, reflecting the extent to which coordination exists in the broader ecosystem of biometric experimentation.
  14. To be clear, the features of CoT described above do not reflect current practice at the border, nor do they represent commitments from CBSA (or any other GoC entity) regarding what the traveller experience will look like in the future. By the time the CoT, some version of it, or a new project operating in similar terrain, is implemented, the specifics of how biometrics verify identity or travellers move through the airport may have significantly changed. Nonetheless, the trend lines are apparent, as Digital Identity, mobile technology, and biometric verification converge on the traveller experience.
  15. An additional example is the Known Traveller Digital Identity (KTDI) pilot project, led by Transport Canada (TC) in collaboration with the World Economic Forum (WEF), the government of the Netherlands, and commercial partners. In 2018, Canada announced its participation in the WEF’s broader KTDI vision and, in 2019, committed to a proof of concept pilot project which would operate between Canadian (Toronto-Pearson and Montreal-Trudeau) and Dutch (Amsterdam-Schiphol) airports on Air Canada and KLM Royal Dutch Airlines flights.237 This project may access required funding under Budget 2021, which proposes $105.3 million over five years to develop an approach to digital identity for air travellers.
  16. KTDI will combine blockchain technology and facial recognition to “provide a seamless and secure air travel experience facilitated via a mobile application.” Travellers will have their facial photograph captured for one-to-one matching against their ePassport photograph at different touch points in the travel continuum (e.g. boarding and customs). They will be able to “push” their information (including their facial biometric) to relevant partners (e.g. airlines or Dutch or Canadian customs) at their own discretion, or revert to conventional identity verification (e.g. ePassport) at any time. While TC will interface with CBSA to conduct checks on ePassports at enrolment (to verify authenticity and ensure that the document is not lost or stolen) no passenger risk assessments will be conducted.
  17. At the time of writing, the pilot is not yet live. The COVID-19 pandemic has impacted both the project’s timelines and its operational context. Originally, part of the rationale for KTDI was to accommodate increasing traveller volumes; although the pandemic has led to a decrease in travel volumes, it has also amplified the need for low-contact, ‘touchless’ travel. Indeed, the budget commitment noted in paragraph 156 was linked to the GoC’s investment in “safe air travel […] that limits transmission of COVID-19 and protects travellers.” For present purposes, the KTDI is important for what it suggests about the general trajectory of biometrics in the air travel and border continuum.
  18. The Canadian KDTI pilot traces its origins to the broader KDTI vision articulated by the WEF. In the WEF’s KTDI concept, passports would effectively be replaced with digital credentials stored on mobile devices, while facial recognition-enabled gates (often referred to as smart gates or egates) would allow passengers to transit through airports from arrival to boarding to customs and exit with little to no interruptions. Other elements of the travel experience – for example hotel and car rentals, or shopping at duty free – would also be incorporated. Over time, travellers would compile a trail of interactions – or “attestations” – from various entities (border control, commercial entities) that cumulatively built trust in that individual. Risk profiles, supplemented by security screening, would help determine the level of scrutiny applied to a traveller by relevant authorities. Further, the Digital Identity “wallet” (encrypted mobile application) would include more than just passport information and biometrics, storing bank information, health records (including proof of vaccinations), educational degrees, credit scores, etc.
  19. This broader vision is ambitious. The Canadian KTDI pilot – even as it evolves to reflect post-COVID priorities – is decidedly more circumspect in its aims. TC was clear in communications with NSIRA that the pilot (while including the WEF as a partner) is distinct from, and not beholden to, the broader WEF vision. Yet the sheer ambition of the latter indicates a probable trend in the future of international travel. As this report has demonstrated, the use of biometrics tends toward expansion over time. Concomitant advances in mobile technology – including the development of secure Digital Identity platforms, predicated on biometrics – find natural application in the border continuum, where identification is key and, increasingly, so is convenience.
  20. However, enhanced convenience continues to rub up against privacy concerns, particularly with respect to facial recognition technology. A robust public debate is emerging regarding the legal authority for the use of facial recognition in public spaces. Jurisdictions around the world are grappling with how to manage the proliferation of facial recognition technology, in some cases issuing moratoriums or outright bans on new applications of the technique until its implications are properly considered and new legal and/or regulatory frameworks governing its use are established. The OPC’s recent investigations into the use of Clearview-AI by the RCMP reflect the Canadian salient of this broader conversation.
  21. The basic contours of the debate are whether existing frameworks for the handling of personal information (in some cases drafted decades ago, before the advent of facial recognition and other biometric technology) are adequate or whether specific legislation is required, designed explicitly for facial recognition. Greater specificity in legislation would enable standards to be set as to when the use of facial recognition is appropriate and proportional. It would also enhance the transparency of the norms set by Parliament and provide public information about the circumstances in which Parliament considers facial recognition to be lawful and reasonable in promoting security and convenience in Canadian society.
  22. The OPC is currently drafting new privacy guidance on biometrics, for both the public and private sector, intended to shape how the technology is applied moving forward. While the border context is distinct from other public settings when it comes to privacy, applications of biometric technology at the border cannot be exempt from emerging legal and societal norms. The development of new activities must be aware of such challenges, and account for shifts in the legal and regulatory landscape.
  23. Public concern is likely to be most acute with respect to live capture facial recognition, in the vein of the FOTM pilot discussed in Section 4. Static, one-to-one verification of identity at mobile kiosks – for example as currently takes place at PIKs – is well-established, and allows travellers to know when facial recognition is being used. Roving, one-to-many identification – in which biometrics are captured at a distance – are the source of more anxiety. Consider, for example, the legal challenge to the use of this type of facial recognition in the UK and the multiple calls for moratoriums with respect to the use of facial recognition in public places.
  24. Given the developments described above, NSIRA expects that biometric information will be systematically incorporated into the traveller experience across the border continuum moving forward. Security considerations and general identity management will remain important, but so too will traveller convenience and, in the wake of COVID-19, ‘touchless’ or decongested travel. The use of mobile technology and Digital Identities reflect broader societal trends that are particularly well-suited for application in the border continuum. Informed consent, and/or specific, transparent legal authorities are important considerations for ensuring that such applications occur lawfully and with sound public understanding surrounding when biometrics are collected, how they are used, and how they are protected when in the possession of the government.

7. OBSERVATIONS

  1. This report has documented and described the GoC’s use of biometrics in the border continuum. The scope of these activities is large and growing. For government, biometric information offers a firm foundation for identity management. At the same time, civil society groups, academics, and other concerned Canadians worry about the privacy implications of the government collecting, using, retaining, and disclosing information about immutable physical characteristics. The fundamental purpose of the present study was to inform this ongoing conversation, to both demystify present government activities and evaluate them from NSIRA’s unique, crosscutting perspective. In this final section, we leverage that perspective to articulate our observations according to nine general themes.
1. Biometrics and National Security
  1. Biometrics enhance identity management; identity management at the border in turn serves national security. As outlined in Section 4, the impetus for the expanded collection and use of biometrics, particularly post-9/11, was their purported national security benefits.
  2. Nonetheless, the centrality of national security as a justification for biometric activities has waned over time relative to other objectives.
  3. First, there were the broader benefits associated with identity management, including assessing admissibility and entitlement, preventing fraud, and introducing efficiencies into service delivery. Of note, the CBSA and IRCC do not currently characterize their steady-state biometric activities primarily in national security terms. The Passport Program’s purpose is to enable the travel of eligible Canadians, while the Immigration Program’s purpose is to manage the flow of foreign nationals into Canada, the vast majority of whom arrive for legitimate reasons. Biometrics are information about individuals that facilitate these functions. The benefits to national security, in each instance, are a consequence of the robust identity management to which biometrics contribute. More recently, traveller facilitation has risen to the fore, with programs and pilots incorporating biometrics and mobile technology in pursuit of “seamless” and “touchless” travel (the latter of particular interest given COVID-19).
  4. Although biometrics extend beyond the national security domain, the national security outcomes they support are undeniable. Part of identity management is identifying mala fide actors, including possible terrorists, Canadian extremist travellers, and other national and international security threats. Biometric screening for both immigration and passport applications, for example, includes querying databases (domestic and foreign) that may return information pertinent to national security (e.g. presence on a watchlist, suspected terrorist activity, previous national security convictions, multiple identities, etc.).
  5. The assessment of these programs’ proportionality must therefore be done in light of the full panoply of benefits that biometrics contribute to Canada’s activities at its border. This includes their benefits for identity management in admissibility and passport decisions, traveller screening, and also national security.
  6. As pertains to areas for future NSIRA review, the present study’s overview of the border continuum highlighted several possibilities:
    • The collection of biometrics at Visa Application Centres (VACs). Here the national security concern stems from personal information – including biometrics – passing through VACs operating in high-risk jurisdictions and run by private contractors and sub-contractors. A review of VACs would include the risks associated with the collection and transmission of biometric information, but also cover the broader security arrangements and national security implications pertaining to the overall operation of such locations.
    • Instances where biometrics link information across databases for national security purposes. For example, when automated querying occurs with M5 partners in the immigration context, what are the statistics and other metrics associated with national security outcomes (e.g. information that leads to a decision of inadmissibility on IRPA s. 34 grounds)? What about case-by-case exchanges with M5 and other partners that occur because of national security concerns? Finally, what role, if any, has biometric information played in cases where the Minister of Public Safety has denied, revoked, or cancelled a Canadian passport for reasons of national security? These examples illustrate the potential for review of national security activities made possible by biometrics. In such instances, the balance between privacy and security – between protecting sensitive personal information and the security objectives of the state – suggests a clear role for NSIRA in terms of reviewing lawfulness, reasonableness, and necessity.
    • Other situations where biometrics collected for one purpose are subsequently used for any other program or purpose (see the discussion of dual-use in paragraphs 191-201, below).
2. The Steady-State Activities
  1. Overall, the GoC’s steady-state biometric activities in the border continuum are well-supported by current legal authorities and are consistent with international practice.
  2. The IRCC and CBSA’s use of biometrics in their steady-state programs is well-established and supported by detailed, statutory authority. Canada’s collection and verification of fingerprints and facial photographs in the immigration context is also consistent with that of other M5 members. By design, the use of fingerprints facilitates information sharing with the M5, who similarly collect fingerprints in support of their own immigration programs and to enforce domestic immigration law.
  3. The Canadian ePassport, similarly, adheres to standards established by the International Civil Aviation Authority (ICAO), which mandates the use of facial photographs as a biometric measurement. Globally, more than 140 countries currently use ePassports based on ICAO specifications, making the system interoperable and facilitating international travel for Canadian passport holders. The use of facial recognition in the passport application process is consistent with ICAO guidelines and best practices on the issuance of travel documents.
  4. The legislative framework for the steady-state activities provides a solid basis for the collection, use, retention and disclosure of biometrics as part of the GoC’s immigration and passport programs. Nonetheless, there may be more targeted areas of concern, as articulated below.
3. Expanding Use of Biometrics over Time
  1. The use of biometrics in the border continuum has significantly expanded over the last three decades, and is likely to continue expanding in the future. The trend is driven, in part, by advancing technological capabilities and evolving challenges in identity management.
  2. Beginning with asylum claimants and deportees in 1993, the collection of biometrics now covers all non-exempt foreign nationals entering Canada and, through the passport program, all Canadian citizens who apply for a passport as well as permanent residents who apply for a Certificate of Identity and refugees who apply for a Refugee Travel Document. The Biometric Expansion Project was initiated with the expressed aim of widening the scope – collection, sharing, and use – of biometrics. The M5 partners meet regularly in working groups to refine and enhance (frequently, to extend) the immigration information that is shared between them. Pilot and research projects conducted within the last several years have examined the use of facial recognition technology in airports, while others have explored the integration of mobile technology into biometric identity management in the travel continuum.
  3. Undoubtedly, developments in technology drive some of this momentum. We can do more, so we do. Leveraging new capabilities to enhance program delivery is a legitimate objective. At the same time, however, such technological determinism cannot justify the collection of sensitive information in its own right. New biometric activities must be justified according to the necessity and proportionality of collecting and using biometrics for intended objectives.
  4. Also at play is the impetus to keep pace with other jurisdictions. As countries around the world expand their biometric activities, it is natural for Canada to do the same; doing so facilitates global travel for Canadians, makes it easier for non-Canadians to travel to and through Canada, and helps Canadian officials identify possible security risks (as in M5 information-sharing). Yet keeping up with others, even Canada’s close international partners, is not on its own a valid justification for the expanded collection and use of sensitive personal information. Again, each new activity must be assessed, and justified, independently.
  5. Exploiting the possibilities created by technological developments and keeping pace with other jurisdictions cannot justify the expanded use of biometrics in their own right. New biometric activities must be justified according to the necessity and proportionality of collecting and using biometrics for particular, intended objectives.
4. Pilot Projects
  1. Pilot projects and initiatives raise more concerns than do steady-state activities, as they risk being implemented on an experimental basis, without sufficient legal analysis or policy development. These projects represent an area of continued interest for NSIRA.
  2. Pilots are vehicles of expansion: a forum for new techniques and technologies that may strain the proportional balance between the government’s goals and intrusions on personal privacy. Furthermore, there tends to be less public information available to Canadians about pilot activities. In this report, we describe several such projects, though it was beyond the scope of our emphasis on current activities to determine whether any single pilot was proportionate in terms of its collection and use of biometrics.
  3. Nonetheless, an illustration of the challenges and possible concerns associated with pilots is provided by the Faces-on-the-Move (FOTM) project. The pilot relied on legislative authority under sections 15-18 of the IRPA; yet, these provisions were drafted before facial recognition technology was contemplated. NSIRA is not satisfied that sections 15-18 of the IRPA provide clear authority for the collection of travellers’ facial biometrics, particularly prior to – and away from – the point of formal examination. In the future, legal advice should be sought to ensure that any similar activities are well-founded in the CBSA’s legislative authorities and consistent with the requirements of s.8 of the Charter. Attention must also be paid to the policy framework governing pilot activities to ensure the proper characterization of the affected personal information. Privacy notice statements and public signage should also ensure an appropriate degree of public transparency about the deployment of new technologies and the purposes for which they will be used.
  4. Pilot projects that entail the collection of private or personal information must receive commensurate legal and policy attention. Despite the temporary or experimental nature of a project, NSIRA expects that departments will conduct the analysis necessary to ensure that legal authority is in place to conduct the activity, and that the attendant collection, use, retention and disclosure of personal information is well-governed by policy.
5. Evolving Legal and Societal Norms
  1. The public debate surrounding legal authorities questions whether existing standards and protections are sufficient for regulating biometric activities or whether new standards and protections are required.
  2. This debate is growing, especially as relates to facial recognition technology. Biometrics are personal information, but they have particular features that may set them apart: they capture immutable personal characteristics, they allow for reliable identification at a distance, and they act as unique identifiers that can be used to discover and connect information about individuals across multiple datasets. The question is whether it is appropriate to treat biometrics as being commensurate with other personal information collected by the government in the course of its programs and activities. Are specific legal regimes necessary to create standards that appropriately reflect the potential intrusiveness and sensitivity of certain biometric data, and ought there be specific use limitations beyond those currently applicable by virtue of the Privacy Act?
  3. The Office of the Privacy Commissioner (OPC) commented on this issue in the context of its recent investigation into the RCMP’s use of facial recognition via the private firm Clearview AI. “Canada’s privacy laws were designed to be technology neutral”, wrote the OPC, “which is positive, given the pace of technological change compared to that of legislative modernization. However, the risks of [facial recognition] technology are such that […] specific rules may be warranted.” The report further noted that many jurisdictions around the world have developed privacy laws which specifically regulate biometric activities. Quebec is presently the only Canadian jurisdiction to have enacted a law that specifically addressed biometrics. Other jurisdictions are calling for, or implementing, outright bans on facial recognition technologies. The European Data Protection Supervisor, for example, has called for a ban on facial recognition in public spaces, arguing that such applications constitute a “deep and non-democratic intrusion into individuals’ private lives.”
  4. Civil liberty organizations have been vocal in raising concerns about biometric activities, as have academia and the media. Governments, meanwhile, can benefit from new capabilities and innovation in pursuit of program objectives, but must do so in a way that respects fundamental human rights. The tension at the core of this debate – how to achieve government objectives efficiently and effectively, while safeguarding individuals’ privacy – is familiar. It is the tension manifest in national security activities more generally, as society balances individual rights against collective protection. In the present context, this evergreen dilemma is catalyzed by advancements in technology, which widen the government’s toolkit while also widening the scope of possible intrusion on individual privacy, specifically the collection and use of sensitive personal data. Moving forward, the question of how biometric activities are designed, implemented, and regulated will be determined, in part, by shifting societal norms, established legal principles (including Charter considerations), and long-standing Canadian values associated with democracy and individual rights.
  5. While the border is, comparatively, a space in which greater intrusiveness is considered reasonable, the boundaries of those justifications are not limitless, and will require careful calibration. For NSIRA, as for other review bodies, evolving legal and societal norms will shape how considerations such as compliance and reasonableness ought to be applied.
6. The Dual-Use of Biometrics
  1. Dual-use refers to when biometrics collected for one purpose are subsequently used for any other program or purpose. The logic is appreciable. Biometrics constitute robust identifying information about individuals; if they are useful in one context, they are likely to be useful in another. However, this dynamic constitutes one of the main privacy concerns associated with biometrics.
  2. NSIRA observed several instances of possible dual-use of biometric information in the activities examined in this report.
  3. First, photographs collected under the Passport Program are also used for facial matching purposes in NEXUS.
  4. Second, fingerprints collected from foreign nationals as part of immigration applications become searchable by law enforcement in the course of criminal investigations. While the RCMP maintains separate repositories for immigration fingerprints and criminal fingerprints, both are searched when law enforcement submit fingerprints for identification purposes.
  5. Third, CSIS, RCMP and CBSA can submit photographs to IRCC to have them checked against passport and travel document application photographs using facial recognition. This can occur in the context of national security or law enforcement investigations in an attempt to identify an unknown individual, to determine if a known individual has multiple identities, and/or to assist in the execution of a warrant.
  6. Dual-use does not always present a compliance issue. Indeed, many such uses are well-supported in law given the “consistent use” standard in s. 8(2)(a) of the Privacy Act, the ability for certain institutions to request personal information under s. 8(2)(e) of the Privacy Act, and other sector-specific legislative provisions (see, for example, paragraphs 85, 109, and 112, which outline the authorities that govern the law enforcement uses discussed above). With respect to NEXUS, in particular, the use of passport photographs is a clear consistent use (see paragraph 140). Privacy concerns are further muted given the program’s voluntary nature and individuals’ prior consent.
  7. However, even where they pose demonstrable benefits, new uses of previously collected biometrics must be carefully considered to ensure their reasonableness and proportionality. In addition, all new uses must be justified and well-authorized in law.
  8. Though authorized by law, the situations in which biometrics collected in the border continuum are leveraged for purposes outside of that continuum (such as when investigative agencies use biometric information initially compiled for immigration or passport purposes) may be worthy of particular scrutiny. NSIRA may return to these cases as it contemplates future review of biometric activities.
  9. Additionally, the principle of “purpose limitation” may be a way of guarding against unjustified dual-use in the context of biometric activities.
  10. Purpose limitation involves explicitly stipulating the specific purpose for which the collected biometrics will be used, with a commitment to not use them for any additional purposes in the future. It is well established in UK and European jurisprudence and is more restrictive than “consistent use.” While the “consistent use” principle reflects the GoC’s standing commitment to limit the repurposing of personal information, the standard ought to be read as narrowly as possible for biometric information. Again, biometrics are unique compared to other personal identifiers because they are essentially permanent and immutable. This means that once they are collected, if they are not subject to clear retention/deletion policies and purpose limitations, the government has a ready repository of information for identifying individuals in the future – perhaps in activities that are less benign than the activities under which the biometrics were originally collected.
  11. It is premature for NSIRA to make a finding on whether the possible instances of dual-use identified above are reasonable or proportionate. Future review, whether by NSIRA or another review body, may consider the question in greater depth.
7. Technical Systems
  1. NSIRA reviewed high-level technical information about the activities documented in this study. This included information pertaining to the various systems and databases used in the course of the GoC’s biometric activities.
  2. There is significant overlap between the technical systems and databases used across the steady-state biometric activities.
  3. Both the Passport Program and Immigration Program use the Global Case Management System (GCMS), and IRCC, CBSA and RCMP have access to GCMS. In the immigration context, facial photographs are stored in GCMS, while fingerprints are sent to the RCMP and stored in one (immigration) of several repositories of the Automated Fingerprint Identification System (AFIS). The immigration repository is then searchable by domestic law enforcement and can be queried by Canada’s M5 partners for immigration purposes.
  4. The passport and travel document applications in the Passport Program, meanwhile, are stored in both GCMS and in IRCC’s Central Index (see Annex A), though IRCC has communicated that a full transition to GCMS is planned moving forward. The digitized photograph from the application is sent to IRCC’s FRS, converted into a biometric template, sent for evaluation in the FRS database, and stored in the CI. In both the Immigration Program and Passport Program, the intake of applications – and biometrics – employ a range of systems at different intake locations around the world, all of which connect back to IRCC servers in Canada.
  5. The overall architecture of this system – biometric collection, transmission, and storage in the course of the GoC’s activities in the border continuum – is complex, though not necessarily problematic.
  6. In keeping with the foundational nature of the study, NSIRA makes these observations as a first step in mapping the relevant systems architecture. This mapping, summarized in Annex A, will support NSIRA should it choose to review in detail the various technical systems used for biometrics in the course of border activities, including how they overlap and what privacy or security issues, if any, might arise from the present structure.
8. Visibility into Algorithms
  1. In addition to the public concern about governmental surveillance noted above, there is related apprehension about automated decision-making and about decision-making aided by automation, particularly when it occurs in conjunction with biometric identification. The general concern with respect to algorithms and automation is that the decision-making process is opaque, even to the human operators who rely on the algorithms or systems to do their work.
  2. In the Immigration Program, Passport Program, and at PIK kiosks, IRCC, CBSA, and the RCMP have limited visibility into how the algorithms used operate.
  3. The algorithms are procured from private vendors, and the details of how they work are proprietary. They are, in this sense, essentially a ‘black box’. NSIRA supports greater transparency in how algorithms work when analyzing personal information. Such transparency is necessary for third-party verification of the algorithms’ accuracy and reliability and would enhance public confidence in both the algorithms’ ability to function fairly and without discrimination and in the departments’ ability to mitigate any shortcomings in that respect.
  4. Each department and agency did, however, demonstrate that performance metrics (e.g. error rates) are known and tested, and that customizations (such as adjusting match thresholds) are applied when appropriate.
  5. Moreover, for IRCC’s FRS, and for the RCMP’s AFIS, human intervention occurs to either verify system results or complete matches if necessary. Facial matching at PIKs, by contrast, occurs without human adjudication, though any obvious errors may subsequently be corrected by BSOs through visual verification.
9. Preventing Bias and Discrimination
  1. Related to the opacity of algorithms is the possibility that automated biometric analysis – e.g. facial recognition and fingerprint matching – may be subject to bias. It is well documented in the academic literature, for example, that many facial recognition algorithms are less reliable in identifying women, the very young and very old, and individuals with darker skin tones. Similarly, fingerprint capture and matching may be more difficult and/or less accurate for females, particular ethnic groups, and individuals working in certain trades (which may reflect socio-economic status). Given that important decisions in the border continuum – including the issuance of official travel documents, the granting of visas, asylum, and/or residency status, and possible referral for additional questioning/inspection during the immigration and customs process – are informed by automated analysis, the possibility of systematic bias is of concern.
  2. IRCC and CBSA have conducted preliminary analyses to explore how their biometric activities may impact diverse groups of people, though the implementation of possible mitigation strategies was not always apparent.
  3. For example, CBSA’s GBA+ for the PIK, completed in May 2016, suggested that the agency apply gender-specific thresholds for facial matching; an October 2020 analysis on possible gender bias at PIKs made a similar recommendation. For facial recognition in both FRS (IRCC) and PIK (CBSA), recent performance testing explicitly addressed the possibility of demographic bias. This analysis noted minor imbalances in terms of gender accuracy, but emphasized that advancements over time (updated algorithms) have steadily reduced, though not eliminated, the gap.
  4. In some contexts, technological advancements have helped to reduce, but not eliminate, differential impacts.
  5. The work to comprehensively address these issues – beyond noting that small discrepancies do exist – remains to be done. CBSA noted, for example, that its “work in this area is nascent and is not yet conclusive with significant work still to be conducted.” This includes GBA+ on facial recognition technologies, work on the visibility of bias in data, and the development of possible policy mitigations. Similarly, IRCC stated that “further demographic bias assessments will […] be conducted” following the implementation of a new algorithm in the FRS.
  6. This is not to suggest that efforts to mitigate possible bias have been insufficient to this point; rather, both IRCC and CBSA have demonstrated that they are aware of possible issues and committed to future work in this area. However, such efforts should not be confined to accuracy testing, and relying on improving algorithms. Solutions at the policy level should also be explored, including the implementation of previously identified mitigation strategies and the analysis of the possible consequences of biometric errors for the experience of affected individuals.
  7. A commitment to continuing to minimize discrepancies in the algorithms’ function for diverse groups, and to ensure such differences are taken into account by the human decision-making that follows biometrics screening, will continue to be important in ensuring the reasonable use of these algorithms in the future.
  8. More work remains in terms of mitigating differential impacts on segments of the population. At the same time, the departments and agencies examined in this study have demonstrated their awareness of possible systemic inequalities and their commitment to addressing them.

8. CONCLUSION

  1. Biometrics play a fundamental role in the border continuum. The Government of Canada uses biometrics to verify and establish identity. The question of who is coming into the country – and whether they have a right to – is more confidently answered as a result. In the immigration context, this involves the screening, verification (at arrival), and ongoing assessment of admissibility of foreign nationals coming to Canada as temporary or permanent residents. Applicants for Canadian passports (and other official travel documents) are screened to confirm eligibility to passport services and entitlement to a passport, and subsequently use their biometric, embedded in the ePassport, during the course of international travel. These two streams converge at Canadian airports, where CBSA verifies the identity of travellers using facial recognition at automated kiosks.
  2. The purpose of this study was to examine and contextualize these activities. We looked back, tracing the evolution of the GoC’s biometric activities in the border continuum, noting a shift from strict national security objectives to broader goals of identity management. We looked forward, to possible future biometric applications, including the adoption of Digital Identities, and even greater systematization of biometrics into the overall traveller experience.
  3. Our observations are meant to inform both the Canadian public as it contemplates the government’s collection and use of biometric information, and NSIRA as it plans future review of the same. We noted that the steady-state activities are well-supported by current legal authorities, and are consistent with international practice. At the same time, certain areas raise potential concern. These include pilot projects, which are vehicles for experimentation and require careful legal consideration; the ongoing possibility of systemic inequalities across diverse groups of people resulting from algorithmic biometric analysis; and the possible dual-use of biometric information, including the availability of biometric information to investigative agencies.
  4. Public debate about the government’s application of biometric technology will continue to evolve, driving change in the legal and regulatory frameworks associated with such activities. As such, continued scrutiny from NSIRA is warranted, particularly in those instances where the collection and use of biometric information is justified by explicit reference to national security outcomes.

Annex A. Technical Note: Immigration and Passport Program Systems

This technical note provides details on the technical systems used in support of identity management for the Immigration Program and identity management in the issuance of Passports.

Systems Map
Figure 1 Systems Map: Department, Program, System
Immigration Program
Systems Inventory List and Description
Systems Inventory supporting the Immigration Program
System Name Owner Accessed By Description and Purpose Interconnections
GCMS IRCC IRCC, CBSA, RCMP Global Case Management System (GCMS) COSMOS
AFIS RCMP IRCC, CBSA, RCMP Automated Fingerprint Identification System (AFIS) RTIDS, CPIC,
NCIC
CIBIDS IRCC IRCC, CBSA Canadian Immigration Biometric Identification System (CIBIDS)
EFDC IRCC CBSA, Service Canada,

VACs

Electronic Fingerprint Capture Device (EFDC) CIBIDS
LiveScan CBSA CBSA LiveScan is a device used to electronically capture and transmit fingerprints. In addition, LiveScan allows the biometric query of the US criminal databases (FBI IAFIS).The Criminal Record Check workflow can be used to confirm a NCIC result (biographic query of the US criminal system). FBI IAFIS
IAPI CBSA CBSA, TC, The Interactive Advanced Passenger Information (IAPI)
LBFC CBSA CBSA Land Border Face Capture (LBFC) Project CIBIDS, AFIS
RTIDS RCMP Real Time Identification System (RTIDS)
TBID CBSA CBSA Travelers Biometric Identifier Database (TBID) RTIDS
FOSS CBSA CBSA Field Operations Support System (FOSS)
IBAS CBSA CBSA Interdiction and Border Alert System (IBAS) CSIS, SLTD, PIK, I-SLTD
ICES CBSA CBSA Integrated Customs Enforcement System (ICES) CSIS, CPIC
US NCIC US DHS CBSA United States National Criminal Information Centre (NCIC) CPIC, CIBIDS
System Functional Descriptions

Global Case Management System (GCMS) is IRCC’s integrated and worldwide web-based system used to process immigration and citizenship applications. It stores applicants’ photographs and fingerprints and allows IRCC to process applications for diplomatic and special passports, refugee travel documents, and certificates of identity. In addition, GCMS is used for biometric information sharing between Canada and the M5 Partners (U.S., Australia, and New Zealand). Biometric information not associated to an individual is held in a “biometric holding tank” managed by IRCC. Biometric information may be “unassociated” due to a technical glitch or an input error.

Automated Fingerprint Identification System (AFIS) is the RCMP owned system capable of storing and comparing fingerprints. The system uses a proprietary commercial vendor algorithm.

Canadian Immigration Biometric Identification System (CIBIDS) and its Biometric Collection Solution (BCS) is the main system used for the collection and enrolment of both fingerprints and digital photographs. In addition to biometrics, the CIBIDS records biographical data as listed on the biographic data page of the applicant’s passport or travel document.

Electronic Fingerprint Capture Device (EFDC) are fingerprint enrollment devices used to capture fingerprints for the CIBIDS system. These devices used in Canada (such as at Service Canada centres) and abroad in Visa Application Centres must operate in accordance with RCMP NPS-NIST-ICD 2.1.1 guidelines. Vendors who implement the systematic fingerprint verification solution used at collection points must comply with the above guideline.

LiveScan kiosk machines are used to capture digital fingerprint images, biographic information, and digital photographs from travelers. The information collected through LiveScan kiosks are electronically submitted to the RCMP through the RTIDS for traveler identification and verification. The RCMP sends back the information to the machine where a CBSA officer reviews the results. Livescan machines can enrol refugee prints into the Immigration database on behalf of IRCC and Livescan machines can request the RCMP to transmit the fingerprints to other foreign systems on a manual basis, such as the FBI.

The Interactive Advanced Passenger Information (IAPI) program, implemented in March 2016, mandated commercial air carriers to provide passenger data to CBSA prior to departure to Canada. CBSA relays back to the air carrier with “board” or “no-board” for each traveler. This project denies boarding to passengers deemed inadmissible to Canada. The system outlines specific carrier messaging requirements, which airlines must adhere to when submitting passenger name record data.

Land Border Face Capture (LBFC) Project was piloted by CBSA and Face4 Systems Inc., to identify and evaluate technologies and methods for facial image capture through vehicle front windshields. The project’s goal is to enhance land border security by means of efficient facial recognition. The LBFC Project used two camera systems and concluded that both were adequate for one-to-many identification matching in the context of land board capture.

The RCMP’s Real Time Identification System (RTIDS) maintains the national repositories for criminaland immigration fingerprints. RTIDS includes the Automated Fingerprint Identification System (AFIS), a Verification subsystem, a National Police Services National Institute of Standards and Technology (NPS-NIST) NNS server and works in tandem with the Criminal Justice Information Management Service (CJIM). The NNS manages the RTIDS submissions and responses, the CJIM server manages criminal record updates, and the Verification subsystem verifies a set of fingerprints collected at Canadian border point of entry against the set obtained during the application process to confirm the individual’s identity upon arrival to Canada.

Travelers Biometric Identifier Database (TBID) is used by CBSA to store RCMP fingerprint reference numbers (IIDs) along with other biometric enrollment details derived from primary inspection kiosks during traveler pre-screening.

Field Operations Support System (FOSS) Until 2014 the FOSS application was used to collect applicant biographic and biometric data in support of the processing of refugee applications. The biographic data was stored in the FOSS database while the biometric data (fingerprints) were stored in the Legacy Refugee Database at the RCMP, In 2014, the FOSS application was decommissioned and replaced by GCMS (application processing) and CIBIDS (biometric collection).

Interdiction and Border Alert System (IBAS) is an automated system used for risk assessments and data processing on biometrically enrolled travelers. IBAS is used to determine a person’s admissibility by verifying other systems and databases, such as the Canadian Security Intelligence Service (CSIS) lookout or Interpol’s Stolen, Lost Travel Document (SLTD) database. This system functions as a CBSA backend verification system through the Primary Inspection Kiosk (PIK) Service.

Integrated Customs Enforcement System (ICES) is, similarly to IBAS, a CBSA backend system used to determine a biometrically enrolled traveler’s admissibility by using biographic data to conduct indices checks similar to IBAS and CPIC.

The United States Department of Justice National Criminal Information Computer (NCIC) is used by CBSA during biometric enrolment to determine if there is a biographical match for criminality screening or to determine if previous records exist within the USA, which could raise doubts about the applicant’s identity.

Passport Program

The passport program uses facial recognition to help determine the entitlement of an applicant to hold a Canadian passport or travel document.

Systems Inventory List and Description
Systems Inventory supporting the Passport Program
System Name Owner Accessed By Description and Purpose Interconnections
IRIS IRCC ESDC, GAC Integrated Retrieval Information System (IRIS) GCMS, COSMOS
FRS IRCC IRCC Facial Recognition Solution (FRS)
COSMOS GAC IRCC Consular Management and Operations System (COSMOS) IRIS
GCMS IRCC IRCC Global Case Management System (GCMS) COSMOS/PMP, Central Index

 

Integrated Retrieval Information System (IRIS) is used by the Passport Program to manage passport and travel document applications and to issue Passports. This activity is presently transitioning to GCMS. IRIS interfaces with the ePassport Personalization System (EPPS), which was the software used by passport printers to provide the information necessary to produce the main biographic page and write data on the electronic radio frequency identification chip (RFID). The EPPS was developed by the Canadian Bank Note Company (CBN). The IRIS system has three components:

Central Index (CI): Master index of passport records, which includes digitized images of passport application forms and supporting documentation.

Work in Progress (WIPs): Databases used to process and store passport applications that are in process; data is transferred to the Central Index post-production (i.e. after passports are issued.

System Lookout (SL): Database containing index biographic details (names, date of birth) on individuals whose passport entitlement may require further review or investigation under the Canadian Passport Order.

Facial Recognition Solution (FRS) is used in the administration of the passport program for new applications and renewals. It is a biometric identification technology used to authenticate identities and detect fraud. The technology converts an applicant’s picture into a digital biometric template and compares it to a database of over 55 million adult applicant photos to validate their identity. The templates are stored within the FRS database.

The FRS software vendor provided Facial Recognition User Guide, outlines the procedures used to perform all tasks available in the FRS software. Before using the system or making any analysis decisions, IRCC employees must complete mandatory training offered by IRCC on Facial Comparison. IRCC’s Integrity Risk Management Branch, which is responsible for the FRS, also monitors the usage, user access, system behaviours, accuracy, demographic variances, and other FRS system or user issues on an ongoing basis.

Consular Services Management and Operations System (COSMOS) is the platform used by GAC to intake travel document applications while providing consular assistance abroad. Passport applications are managed through a Passport Management Program (PMP) module, which interfaces with IRCC’s IRIS to transfer case files. The module allows for passport application intake, processing and printing. Only staff that have achieved passport certification with IRCC’s authorization may access PMP. Biographical information is digitized and stored in either COSMOS or IRIS.

Departmental Responsibilities and System Interconnectivity
Figure 2: Departmental Responsibilities and System Interconnectivity
[1] Biometric Enrollment (IRCC)

IRCC is the primary department responsible for the biometric collection and management in support of its Immigration Program. Biometric and related biographical information [fingerprints, biographic data, live photograph] are collected at an enrollment location and securely transmitted to CIBIDS at IRCC. Once CIBIDS receives the biometric and related biographical data, the fingerprints are securely transmitted to the RCMP RTIDS. Once the RCMP conducts automatic searches, the results are provided to IRCC into the GCMS case file. The biographic data and live photograph from CIBIDS are stored in the GCMS case. Once these checks are completed, a Visa Officer makes a final decision and if a temporary resident visa is approved, a notification is sent to CBSA to add to their operational files.

[2] Criminal and NS Screening (IRCC)

Once an applicant is enrolled, checks are conducted to inform decisions on admissibility. These checks involve several queries based on submitted fingerprints and biographic data and start with GCMS sending fingerprint checks to RTIDS which then uses AFIS for automatic fingerprint identification. This step interfaces with additional systems such as CPIC, CSIS indices as well as foreign indices checks. If flags are identified, they are sent back to GCMS for an Immigration Officer to review. If no adverse results, this is recorded in GCMS and the applicant data is submitted to CBSA FOSS to be registered for the applicant’s arrival into Canada.

[3] Identity Verification of Arrivals & Admissibility Enforcement (CBSA)

When an applicant arrives at a port of entry and they present themselves through a primary inspection kiosk or a LiveScan terminal, Systemic Fingerprint Verification is conducted to confirm the identity of the person through TBID and AFIS. CBSA will conduct additional screening through IBAS, ICES and FOSS. Separately, should a temporary resident become known to law enforcement, any fingerprint enrollment in CPIC will trigger a flag sent to CBSA’s FOSS system which will then send a flag to IRCC’s GCMS system for potential matches of temporary residents.

[4] Passport Program Issuance Management (IRCC)

Domestic Passport and travel document applications are managed in the IRIS or GCMS systems which use the FRS system to match a facial biometric template against existing records to verify applicant identities and prevent fraud. If abroad, the COSMOS system is used to process the application and interfaces with IRIS, with the case file eventually being stored in the Central Index.

Privacy Preference Center