Privacy Impact Assessment

Privacy Impact Assessment Update
for the

Customer Identity Verification (CIV) System
April 26, 2010
Contact Point
Donald Hawkins
Privacy Officer
U.S. Citizenship and Immigration Services
(202) 272-8000
Reviewing Official
Mary Ellen Callahan
Chief Privacy Officer
Department of Homeland Security
(703) 235-0780

Privacy Impact Assessment Update
U.S. Citizenship and Immigration Services
Customer Identity Verfication (CIV)
Page 2

Abstract
The United States Citizenship and Immigration Services (USCIS) is updating its Privacy
Impact Assessment (PIA) for the Customer Identity Verification (CIV) system to remove the
“Pilot” designation of the system and to address the further deployment of the system to all field
offices. The CIV system collects and uses biometrics (fingerprints and pictures) when an applicant
appears before USCIS in person at the time of an interview so that USCIS can verify that the
individual being interviewed is the same person for whom it conducted a background check and
collected other information at the Application Support Center (ASC). USCIS will use United States
Visitor and Immigrant Status Indicator Technology‟s (US-VISIT) Secondary Inspections Tool (SIT),
a web-based tool, that processes, displays, and retrieves biometric and biographic data from the
Automated Biometric Identification System (IDENT).

Introduction
During a review of the existing adjudication process, USCIS discovered that certain steps
within the application process could benefit from increased security measures to enhance national
security and deter fraud more effectively. One area of concern centers on establishing and
verifying the identity of persons applying for an immigration benefit. An applicant‟s biometric
identity is established the first time that person applies for a benefit. This is usually either overseas
when the person applies for a visa, or at an ASC when the person is fingerprinted for background
check purposes. One of the final steps in many benefits adjudication processes is an in-person
interview or exam with a USCIS Immigration Services Officer (ISO). Under the existing process,
USCIS does not conduct a biometrics verification of the person‟s identity at the time of interview.
This creates a risk that the person presenting themselves for the interview is not the same person
who was fingerprinted at the beginning of the benefit process at the ASC because documentation
can be forged or fraudulently obtained.
USCIS conducted the CIV pilot to assess the operational and technical viability of using
fingerprints to verify the identity of customers as part of the adjudicative process. The CIV system
verified an applicant‟s identity by comparing the biometrics of the applicant interviewing with the
adjudicator with the biometrics that were previously submitted by the applicant during the benefit
process or during other encounters with Department of Homeland Security(DHS), such as through
the US-VISIT program. Four field offices conducted a total of 1,317 verifications on Form I-485
applications during the pilot. The ID verification findings resulted in no mismatches, meaning
that the individual from the interview was identified as the same individual applying for the
benefit. As a direct result of the pilot, the additional encounter information uncovered 24 watch
list hits, or 24 cases where a benefit was denied due to the adverse information discovered by the
pilot.

Privacy Impact Assessment Update
U.S. Citizenship and Immigration Services
Customer Identity Verfication (CIV)
Page 3

A typical encounter using the CIV system begins when a USCIS applicant arrives for the
scheduled interview at a USCIS field office using the CIV system. The USCIS Information Officer
(IO) or Adjudications ISO, uses the A-Number recorded on the interview notice to perform a
query in US-VISIT SIT, which provides a secure remote access to the US-VISIT IDENT system. The
applicant is then asked to place their index fingers separately on the fingerprint scanner where
they are scanned electronically and sent to IDENT, where they are subsequently matched against
the fingerprint(s) on file in IDENT associated with the applicant‟s A-Number. In addition, USCIS
personnel take a digital photograph of the applicant which is stored in IDENT. This biometric
information is the same information collected by IDENT as part of the US-VISIT‟s existing process
for conducting an IDENT check upon an alien‟s entry into the country.
This interaction provides identity verification of the applicant and, if a match exists in
IDENT, enables USCIS to retrieve a list of previous encounters DHS has had with that applicant
based on their biometrics. This additional encounter information includes the circumstances
surrounding each previous time the applicant‟s biometrics were collected and submitted to the
US-VISIT IDENT system. The ISO then uses this information during the interview process.
Encounter information viewed by the ISO includes but was not limited to the following: date and
time of previous encounter; type of encounter (i.e. entry, exit, visa issuance); name given at the
time of the encounter; and the subject‟s picture. The adjudicator may use this additional
information to make a determination of whether the applicant is eligible for the benefit sought.
This is the same process as described in the USCIS CIV Pilot PIA, August 15, 2008.

Reason for the PIA Update
USCIS conducted the CIV Pilot to assess the operational and technical viability of using
fingerprints to verify the identity of customers as part of the adjudicative process. The purpose of
this update is to remove the “Pilot” designation of the system and to address the further
deployment of the system to all field offices. The fingerprinting and a 1:1 verification process
leveraged the SIT, part of the US-VISIT IDENT system. The pilot ran from September 15, 2008
through December 12, 2008. This pilot was deployed to four field offices, which conducted a
total of 1,317 verifications resulting in 24 watch list hits (1.82% of the individuals verified) or 24
cases that were denied benefits as a result of the adverse information uncovered by this pilot. The
ID verification findings resulted in no mismatches, meaning that the individual from the interview
was identified as the same individual applying for the benefit.
In identifying these individuals who otherwise would have been granted a benefit for
which they were not eligible, USCIS has enhanced their measures for national security. Further,
by conducting a biometrics check at the time of the interview, USCIS can have assurance that the
individual being interviewed is the same person for whom it conducted a background check and
collected other information at the ASC. As a result, USCIS determined that the pilot was a success

Privacy Impact Assessment Update
U.S. Citizenship and Immigration Services
Customer Identity Verfication (CIV)
Page 4

and that the CIV system should be deployed to all field offices. Other than expanding the CIV
pilot from the initial four field offices to all field offices, there will be no changes to the
deployment of the CIV beyond risks associated with additional PII being collected.

Privacy Impact Analysis
The System and the Information Collected and Stored within the System
As a result of deploying the CIV system to all USCIS field offices no new information will
be collected or stored that was not available during the pilot implementation. The CIV
deployment expansion will increase the amount of data being created and collected and once the
system is deployed to all field offices, all applicants will now be subject to identity verification.
Typically, during the in-person customer encounter, USCIS will ask the applicant to show
their identification, such as a Border Crossing Card, Permanent Resident Card, Passport, Reentry
Permit, Refugee Travel Document, or Visa, etc. Based on the information provided on the
identification document, USCIS will use the A-number, passport number and issuing country, or
Social Security number to retrieve the person‟s record in IDENT, and to initiate the identity
verification. USCIS personnel will also be able to retrieve an applicant‟s record in IDENT using the
following internal system identifiers: Fingerprint Identification Number, Encounter Identification,
or Enumerator.
Once the applicant‟s identifier has been entered into IDENT to initiate the identity
verification, USCIS will collect the index fingerprints and the applicant‟s digital photo for
submission directly into IDENT. USCIS will not keep a separate copy of this information. If
IDENT verifies that the person‟s fingerprints match those on file for the identifier, the verification
will create an encounter record in IDENT. This encounter will contain the person‟s photo,
fingerprints, the date and time of the encounter, and a label indicating that the encounter occurred
at a USCIS field office.
When USCIS personnel enter an applicant‟s identifier into the SIT, information from
previous encounters stored in IDENT are displayed. IDENT encounter history is then displayed
within the SIT. IDENT will provide details on previous encounters of the applicant in the IDENT
system.
Uses of the System and the Information
As a result of deploying the CIV system to all USCIS field offices there will be no new uses
of personally identifiable information, only the volume of applicants subject to verification has
altered. For the purposes of this system, USCIS will typically use the A-number to direct the
IDENT system to the correct set of biometrics for one-to-one verification. Once the identity is
verified, the information contained in IDENT‟s prior biometric encounters will be used in the

Privacy Impact Assessment Update
U.S. Citizenship and Immigration Services
Customer Identity Verfication (CIV)
Page 5

adjudication process to substantiate an applicant‟s claims, or to identify areas where material facts
have been misrepresented.
Retention
The US-VISIT‟s National Archives and Records Administration (NARA) approved retention
schedule has not changed. Records in IDENT will be retained until the statute of limitations has
expired for all criminal violations or until the records are older than 75 years.
The A-File retention schedule has been updated and approved by NARA. Previous
encounter information maintained in the A-file will now be retained in accordance with the A-file
retention schedule, which is 100 years from the date the applicants date of birth and then the file
is retired to NARA as a permanent record.
Internal Sharing and Disclosure
There have been no changes to the internal sharing and disclosure procedures since the CIV
Pilot PIA was published.
IDENT data may be shared with other DHS components, with the consent of US-VISIT, for
DHS national security, law enforcement, immigration, intelligence, and other DHS Mission-related
functions and to provide associated testing, training, management reporting, planning and
analysis, or other administrative use that requires the use of biometrics to identify or verify the
identity of individuals.
Information included in the A-file is shared, along with the entire A-file with Customs and
Border Protection (CBP), which performs the border and inspection processes; and Immigration
and Customs Enforcement (ICE), which performs the investigatory, deportation, and immigration
court functions. Although USCIS is the custodian of the A-File, all three components (USCIS, CBP,
and ICE) create and use A-Files. Information contained within the A-File may also be shared with
other components within DHS responsible for law enforcement activities and protection of
national security, specifically, Transportation Security Administration and the United States Coast
Guard.
External Sharing and Disclosure
There have been no changes to the external sharing and disclosure procedures since the
CIV Pilot PIA was published.
USCIS will not share any information external to DHS through the CIV system. However,
DHS does share information externally via IDENT and the A-file pursuant to routine uses set forth
in those systems‟ existing System of Record Notices (SORN). Under the CIV system, IDENT will

Privacy Impact Assessment Update
U.S. Citizenship and Immigration Services
Customer Identity Verfication (CIV)
Page 6

record the applicant‟s biometric verification encounter at USCIS. When IDENT returns to USCIS
the applicant‟s previous encounters, USCIS will print that information and file that information
into the A-file.
Notice
This PIA update notice will be published on the DHS website prior to full deployment of
the CIV system.
Additionally, within the instructions of each benefit form there is a „Privacy Act Notice‟
section detailing authority and uses of information. The incorporated statement is as follows:
“We ask for the information on this form, and associated evidence, to determine if you have
established eligibility for the immigration benefit for which you are filing. Our legal right to ask
for this information can be found in the Immigration and Nationality Act, as amended. We may
provide this information to other government agencies. Failure to provide this information and
any requested evidence may delay a final decision or result in denial of your Form #-### (Form
number of particular benefit)” The application also contains a signature certification and
authorization to release any information from an applicant record that USCIS needs to determine
eligibility, including biometric and biographic information. Specifically, the certification states, “I
authorize the release of any information from my records that U.S. Citizenship and Immigration
Services (USCIS) needs to determine eligibility for the benefit I am seeking,” thus serving as notice
that biometric and any other information may be used.
Notice of information collection is also provided by the following SORNs: Alien File (AFile) and Central Index System (CIS) DHS-USCIS-001, January 16, 2007, 72 FR 1755, and DHS
Automated Biometric Identification System (IDENT) DHS/USVISIT-0012, June 5, 2007, 72 FR
31080.
Individual Access, Redress, and Correction
The access, redress, and correction procedures for information collected as part of the CIV
system remains unchanged from the procedures identified in the CIV Pilot PIA. Additionally,
procedures for correcting a fingerprint misidentification or mismatch are described in the
Conversion to 10-Fingerprint Collection for the United States Visitor and Immigrant Status
Indicator Technology Program (US-VISIT) PIA, published November 15, 2007. The PIA is
available at www.dhs.gov/privacy.
In order to gain access to one‟s information collected by USCIS, a request for access must
be made in writing and addressed to the Freedom of Information Act/Privacy Act (FOIA/PA)
officer at USCIS, with the letter marked clearly “Privacy Act Request”. The envelope containing
this letter must also be marked “Privacy Act Request.” Within the text of the request, the subject
of the record must provide his/her account number and/or the full name, date and place of birth,

Privacy Impact Assessment Update
U.S. Citizenship and Immigration Services
Customer Identity Verfication (CIV)
Page 7

and notarized signature, and any other information which may assist in identifying and locating
the record, and a return address. For convenience, individuals may obtain Form G-639, FOIA/PA
Request, from the nearest DHS office and used to submit a request for access. The procedures for
making a request for access to one‟s records can also be found on the USCIS web site, located at
www.uscis.gov.
An individual who would like to file a FOIA/PA request to view their USCIS record may do
so by sending the request to the following address:
U.S. Citizenship and Immigration Services
National Records Center
FOIA/PA Office
P.O. Box 648010
Lee‟s Summit, MO 64064-8010
An individual who would like to make a FOIA/PA requests for their data in the IDENT
system may be submitted to this address:
US-VISIT Privacy Officer
US-VISIT Program
U.S. Department of Homeland Security
245 Murray Lane, SW
Washington, DC 20528
USA
Certain information may be exempt from disclosure pursuant to the Freedom of
Information Act/Privacy Act, because displaying the data in IDENT could inform the subject of an
investigation of an actual or potential criminal, civil, or regulatory violation, to the existence of
the investigation, and reveal investigative interest on the part of DHS or another agency. Access to
records could permit the individual who is the subject of a record to impede the investigation,
tamper with witnesses or evidence, and avoid detection or apprehension.
Technical Access and Security
Technical access and security procedures have not been altered since the PIA for the CIV
Pilot was published.

Privacy Impact Assessment Update
U.S. Citizenship and Immigration Services
Customer Identity Verfication (CIV)
Page 8

Technology
Privacy risks associated with the technology used for the CIV Pilot remain unchanged by
the expansion of the CIV system to all of the USCIS field offices.

Responsible Official
Donald Hawkins, Privacy Officer
U.S. Citizenship and Immigration Services
Department of Homeland Security

Approval Signature

Original signed copy on file with the DHS Privacy Office
Mary Ellen Callahan
Chief Privacy Officer
Department of Homeland Security