How Biometric Technologies Are Being Used Today
Biometric technologies are currently used for a number of congressionally authorized or mandated security applications throughout the U.S. government.
The Aviation and Transportation Security Act of 2001 (P.L. 107-71) granted the Transportation Security Administration the authority to employ biometrics for passenger screening and airport access control. The Intelligence Reform and Terrorism Prevention Act of 2004 (P.L. 108-458) required the Department of Homeland Security to operate a biometric entry and exit data system to verify the identity of foreign nationals seeking to enter or exit the United States. These applications are intended to expedite screening processes and reduce human error rates.
Biometric technologies are also used by law enforcement agencies, such as the Secret Service and Federal Bureau of Investigation, to assist in the investigation of crimes and to identify missing persons and persons of interest.
Department of Defense Applications
The Department of Defense has used biometric technologies “to identify, target, and disrupt enemy combatants and terrorists” in Iraq, Afghanistan, and elsewhere. The Government Accountability Office has assessed that, between 2008 and 2017, DOD used biometric technologies “to capture or kill 1,700 individuals and deny 92,000 individuals access to military bases.”
Data Security Gaps
According to a November 2023 DOD inspector general report, some DOD components have been operating biometric technologies that do not have data encryption capabilities and do not require certification of destruction or sanitization of biometric data when biometric devices are disposed. The report notes that “this could jeopardize force protection by providing adversaries with the biometric information and identities of friendly forces and other individuals assisting the United States.”
Section 1523 of the FY2025 National Defense Authorization Act (NDAA; P.L. 118-159) directs DOD to update DOD Directive 8521.01E—which establishes the department’s policy and bureaucratic responsibilities for biometric technologies—within 180 days of the act’s passage. The update is to include standards for data encryption and protection on biometric collection devices, a requirement to sanitize biometric data from collection devices and hard drives prior to disposal, and a requirement to maintain records of the sanitization. Congress may monitor the status of this update, which has not been published to date.