Download:
pdf |
pdfPrivacy Impact Assessment Update
for the
Automated Commercial Environment
(ACE) Modernization
DHS Reference No. DHS/CBP/PIA-003(c)
September 26, 2023
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 1
Abstract
The Department of Homeland Security (DHS), U.S. Customs and Border Protection (CBP)
Automated Commercial Environment (ACE) Modernization effort includes two separate
modernization initiatives that include 1) a new user interface to streamline all ACE business
processes to track, monitor, manage and process commercial goods; and 2) enhanced truck
manifest functionality to assist the trade community and CBP Officers (CBPO) during truck
processing at U.S. ports of entry (POE) that integrates information from multiple scanning and
imaging technologies to provide CBP Officers with cargo, trip, driver, and vehicle details and
enable CBP Officers to make data-driven vetting decisions in real-time. CBP is publishing this
Privacy Impact Assessment (PIA) to serve as public notice of CBP’s new modernized ACE Secure
Data Portal (ACE Portal) and ACE Truck Manifest Modernization (TMM) effort and to outline
the privacy risks and mitigation of the agency’s use of personally identifiable information from
members of the public.
Overview
As the nation’s largest law enforcement agency, CBP is responsible for securing U.S.
borders while facilitating lawful travel and trade. To facilitate lawful and legitimate trade, CBP
conducts physical cargo exams, non-intrusive inspection scans1 of commercial vehicles, and
targeting activities to identify potential high-risk shipments.
In compliance with the Trade Act of 2002,2 truck carriers are required to submit electronic
truck manifests to CBP prior to a truck’s arrival at a U.S. port of entry. CBP stores these records
as well as reports on imports and exports from the trade community in the Automated Commercial
Environment.3 Trucks are required to submit advance cargo manifest through the ACE Portal or
Electronic Data Interchange (EDI) software.4 The carrier determines which approach best suits the
needs of their business.
CBP has developed a phased approach to deploying information technology system
enhancements in ACE to streamline truck functionality and improve the user experience for CBP
users, Partner Government Agency (PGA) users, and the trade community. The enhanced user
1
See U.S. DEPARTMENT OF HOMELAND SECURITY, U.S. CUSTOMS AND BORDER PROTECTION,
PRIVACY IMPACT ASSESSMENT FOR THE NON-INTRUSIVE INSPECTION SYSTEMS PROGRAM,
DHS/CBP/PIA-017, available at https://www.dhs.gov/privacy-documents-us-customs-and-border-protection.
2
Trade Act of 2002, Pub. L. No. 107-210, § 343.
3
See U.S. DEPARTMENT OF HOMELAND SECURITY, U.S. CUSTOMS AND BORDER PROTECTION,
PRIVACY IMPACT ASSESSMENT FOR THE AUTOMATED COMMERCIAL ENVIRONMENT,
DHS/CBP/PIA-003, available at https://www.dhs.gov/privacy-documents-us-customs-and-border-protection.
4
Electronic Data Interchange is an electronic communication framework that provides standards for exchanging
data via any available electronic means. Trade filers are able to electronically transmit import and export data to
CBP through Electronic Data Interchange.
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 2
interface allows members of the trade community to enter information to facilitate the
transportation of goods across the border and ensures that CBP receives that information in a
timely manner. The ACE Portal allows easy access for the trade community to create a manifest,
create a bill of lading, and add account data, including data relevant to drivers, conveyances,
equipment, shippers, and consignees. The account holders may access their own account
information at any time. CBP Officers use ACE Truck Manifest Modernization to simultaneously
view consolidated information from multiple CBP systems to expedite legitimate trade while
keeping America’s borders secure.
Reason for the PIA Update
CBP is updating this Privacy Impact Assessment to provide notice and transparency about
the modernization effort for the ACE Portal and ACE Truck Manifest that will be deployed in
several phases. The modernization effort will also include the use of an optional mobile application
and a variety of technologies to improve CBP truck processing at the ports of entry.
ACE Portal Modernization
The modernization effort for the ACE Portal covers the transition of existing functionality
to an upgraded platform over four phases. CBP retired the current ACE User Interface in the ACE
Portal and replaced it with the new modernized User Interface to improve user experience. Trade
users no longer have the option to file manifests using the retired User Interface and are required
to use the new User Interface when filing manifests within the ACE Portal Modernization. This
phase will have no impact on the collection, maintenance, and use of data. The new User Interface
was deployed to allow users time to familiarize themselves with the interface ahead of the full
rollout.
CBP updated its website and is updating this Privacy Impact Assessment to notify the
public that ACE Portal users must link their accounts and transition to using the new login page
for the ACE Portal. To access the new ACE Portal, members of the trade community and
government users may click on the link on the legacy ACE Portal login screen or navigate to
https://ace.cbp.gov/s/login/. Users will be prompted to create a new username and password when
accessing the new ACE Portal for the first time. As of February 20, 2022, access to ACE through
the legacy login page is no longer available. Going forward, all account information is entered into
the new User Interface.
Modernization of the ACE Portal includes a rollout of several phases through 2023,
including a new login screen, a new home page, and upgraded account information display and
edit features with all supporting data. The notional deployment schedule for the transition of the
ACE Portal functionality is listed below:
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 3
ACE Portal Identity Verification and Secure Login at LOGIN.CBP.GOV
For the modernized ACE Portal, multifactor authentication (MFA) was added to the login
process that requires two or more verification factors to access an account. The ACE Portal will
rely on login.cbp.gov 5 and an identity authentication process for members of the trade community
and government users to access an account. The new multifactor authentication prompt requires
users to provide a security token code in addition to a username and password. The ACE security
token codes are temporary digital passcodes that verify an ACE user’s login credentials. Security
token codes are automatically sent to the email address associated with the ACE Portal account
after the user enters username and password, but the security token code expires after five minutes.
If the user did not receive a security token code by email, or the code has expired, users can click
“Resend Security Token.” If the user has not logged on within five minutes of a security token
code’s issuance, a new code must be requested and is required each time a user logs on to the ACE
Portal.
The following information is required to create a login.cbp.gov user profile:
•
Email address (also serves as User ID); and
•
Password.
ACE Truck Manifest Modernization
CBP deployed the ACE Truck Manifest Modernization – Phase 1 enhancements to a testing
environment on December 9, 2019, to familiarize trade users with the new ACE Truck Manifest
User Interface. In preparation for the deployment, account data stored in the legacy Truck Manifest
User Interface – including crew, commercial parties, and vehicles and conveyances – were
transferred to the new Truck Manifest User Interface on February 29, 2020.
CBP Officers use multiple CBP systems to conduct a full cargo inspection and
examination. CBP is deploying the ACE Truck Manifest Modernization effort to streamline
existing inspection processes by providing CBP Officers with a single view into the systems
needed to process commercial conveyances at land ports of entry. The ACE Truck Manifest
5
login.cbp.gov is not the same as the General Services Administration www.login.gov; rather, it is a user
authentication functionality through the Salesforce platform.
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 4
Modernization, through new technologies, enhances the way the information is collected and
displayed for the CBP Officer working in the primary inspection booth at the port of entry. ACE
Truck Manifest Modernization assists CBP Officers inspecting a cargo vehicle during three phases
of the vehicle’s journey: pre-arrival, arrival, and inspection.
ACE Truck Manifest Modernization will be deployed through multiple phases and includes
a rollout schedule to all CBP ports of entry. The procedures for truck manifest processing at each
port of entry may vary based on traffic patterns and location within the northern and southern
border of the United States. The most up-to-date notional deployment schedule is available at
www.cbp.gov/ace.
Pre-Arrival
ACE Truck Manifest Modernization helps CBP collect information from cargo conveyance
operators prior to arrival at a port of entry. Operators are required to provide manifest information
which provides a basis for CBP’s cargo inspection operations. As part of ACE Truck Manifest
Modernization, CBP developed a mobile application called “CBP Truck QR.” Use of the CBP
Truck QR application is voluntary and speeds processing during inspection by allowing the trade
community to produce a Quick Response (QR) code or otherwise code the reprogrammable
memory in the Decal and Transponder Online Procurement System (DTOPS)6 radio-frequency
identification (RFID) tag with the ACE trip number, estimated date of arrival, and license plate
data of the truck. The QR Code or RFID coding can then be read at the port upon truck arrival to
identify the ACE trip.
Manifests
CBP uses manifest information as the starting point for all cargo related activities.
Manifests contain biographic information on drivers and crew, as well as information on goods
being imported into and exported out of the United States. Cargo vehicle operators are required to
submit manifests electronically to CBP at least an hour before the vehicle arrives at the border for
all standard manifests, and at least half an hour before arrival for the Free and Secure Trade
program7 manifests. For ACE Truck Manifest, CBP modernized the public-facing truck manifest
portal in ACE. The modernization did not include any changes to the information CBP collects
through the portal. Instead, the modernization effort creates a more user-friendly platform for
manifest submission.
6
Decal Transponder and Online Procurement System is a voluntary DHS program allowing shippers/cargo
operators to participate in an expedited pre-clearance process to speed up their border entry process. For more
information about the system, see DHS/CBP/PIA-002(c) Global Enrollment System (GES), available at
https://www.dhs.gov/privacy-documents-us-customs-and-border-protection.
7
The Free and Secure Trade (FAST) program is a commercial clearance program for known low-risk shipments
entering the United States from Canada and Mexico. Free and Secure Trade program enrollment is open to truck
drivers from the United States, Canada, and Mexico.
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 5
CBP is using an optional QR Code in the ACE Truck Manifest Modernization. To use the
QR Code, users will need to print the code on the Truck Manifest Cover Sheet or display the QR
Code using a phone or mobile device.
While QR Codes are optional, the mutual benefits of using them include:
1. Uniquely identify the electronically filed manifest information associated with a
conveyance.
2. Minimize actions required of a driver.
3. Maximize match probability.
4. Allow the identified truck, trip, and manifest to be automatically associated with a
Non-Intrusive Inspection (NII) Multi-Energy Portal (MEP)8 integrated data
package.
CBP Truck QR
The CBP Truck QR mobile application is available as a free mobile download on the
Google Play and Apple App stores. Users are not required to create a login and no information is
stored locally on the device. Users submit trip information into the application which creates a QR
Code that the user will scan when they arrive at the port of entry. The mobile application
prepopulates the user’s trip information into ACE Truck Manifest for the CBP Officer to review
during primary inspection. The QR Code mobile application will be deployed at ports of entry
equipped with Multi-Energy Portal systems and/or Land Border Integration (LBI)9 technology
footprints, which both include QR, Decal and Transponder Online Procurement System RFID, and
license plate reader capabilities. CBP does not currently have QR Code or RFID readers at all ports
of entry; a list of ports of entry actively using such readers is available within the optional
application. While truck drivers are not required to use the optional mobile application, the
application helps expedite processing of trips at these ports of entry. At each port using QR Codes
and RFID, CBP will frequently communicate the benefits to trucker drivers and the ability to opt
out via email,10 handouts, and other existing communication methods, and indicate how they can
8
A Multi-Energy Portal (MEP) is a high-throughput, drive-through inspection system for the cargo container
portions of trucks. It utilizes multiple X-ray technologies to provide up to seven images of the cargo and is well
suited for high-traffic locations. Appendix A of this Privacy Impact Assessment provides a full list of CBP ports of
entry with Multi-Energy Portal capabilities and those ports of entry with plans to deploy the capabilities.
9
Land Border Integration was created by CBP to enhance border security through integration of technologies across
nearly all U.S. inbound land border crossings and includes such technologies as License Plate Readers (LPR),
Radio-Frequency Identification Readers (RFID), and Simplified Arrival. Beyond vehicle focused technologies, the
Land Border Integration program is designed to enhance security measures for inbound pedestrian, outbound vehicle
and pedestrian, and U.S. Border Patrol (USBP) checkpoint processing, and will improve existing primary processing
operations.
10
Individuals can sign up to receive trade related emails through the Cargo Systems Messaging Service. The Cargo
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 6
download the CBP Truck QR mobile application on their respective devices. A tear sheet will be
available for distribution, and CBP Officers located at ports of entry will inform truck drivers of
this tool during the primary inspection process.
Manifests are filed via the ACE Portal or Electronic Data Interchange application before
arriving at the port of entry. There are several options that the truck drivers can use to submit
manifest information to CBP. The truck drivers can use their device camera to scan their ACE
barcode to pre-populate the required fields or enter the manifest number manually into the Truck
QR application to generate the QR Code. Alternatively, the carrier can also directly log into the
ACE Portal or their system that interfaces with ACE Truck Manifest to print the barcode. The
barcode contains the manifest number and estimated date of arrival and is generated on the
manifest cover sheet along with a QR Code. After printing the cover sheet from the ACE Portal,
the driver can place it in the windshield of the vehicle or hold it up to the screen of the sensor
devices when they arrive to scan the barcode at the port of entry.
Truck drivers will use the CBP Truck QR mobile application and can input up to five data
elements to generate a QR Code.11 The information collected in the CBP Truck QR mobile
Systems Messaging Service is a part of ACE that maintains system messages which are posted publicly online or
through an email mailing list. The Cargo Systems Messaging System is available at
https://www.cbp.gov/trade/automated/cargo-systems-messaging-service.
11
A transponder is a device that sticks onto the windshield of truck(s) and grants drivers access to bypass through
RFID technology. The transponder contains a radio-frequency identification chip (RFID technology) that transmits
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 7
application includes:
•
Manifest number;
•
Estimated arrival date;
•
License plate numbers (tractor and truck trailer);
•
License plate country; and
•
License plate state.
The QR Code / Decal Transponder and Online Procurement System RFID coding application is a
frontend mobile application with no backend repository or services. The mobile application runs
locally on an individual’s personal mobile device.
The QR Code will be scanned and decrypted by the Multi-Energy Portal systems and/or
Land Border Integration cameras at the ports of entry. The QR / RFID data read at the MultiEnergy Portal flows to the Non-Intrusive Inspection Automated Radiological Data Integration
System - Cloud (ARDIS-C),12 a radiation data analysis system and repository for all Radiation
Portal Monitor (RPM) data, X-ray images, and data collected at ports of entry. This data consists
of data from the QR Code reader (e.g., carrier code, manifest number, estimated arrival date, and
license plate numbers); the Transponder reader (RFID) (e.g., conveyance transponder ID, and if
programmed, includes the carrier code, manifest number, estimated arrival date); the FAST card
reader (RFID)(Fast card number); and the License Plate reader (e.g., license plate number, state,
and country). The data then flows on to ACE Truck Manifest. The Land Border Integration
cameras are associated with a server on the CBP network which connects to the CBP ACE Cloud
environment via an Application Programming Interface (API), which will directly feed the
encrypted data to the ACE Truck Manifest. Once decrypted, CBP uses the information from the
QR Codes to retrieve biographic information on the driver and any passengers from ACE, as well
as manifest information. CBP Officer analysts at the Non-Intrusive Inspection command center
use the manifest information to assist in adjudicating the Multi-Energy Portal X-ray image
package, with the result of that analysis added to the ACE Truck Manifest trip record. CBP Officers
working in primary inspection lanes view this information in ACE Truck Manifest to process the
vehicle and occupants through inspection. CBP is currently exploring options to develop a
bidirectional exchange of information for the Truck Manifest Modernization to transmit
information about a vehicle and border crossing User Fee payment status. The RFID chip will signal a secure system
to display driver data for the CBP officer as the vehicle approaches the border inspection booth, and a MachineReadable Zone (MRZ) or barcode that the CBP officer can read electronically if RFID is not available.
12
See U.S. DEPARTMENT OF HOMELAND SECURITY, U.S. CUSTOMS AND BORDER PROTECTION,
PRIVACY IMPACT ASSESSMENT FOR THE RADIATION DETECTION PROGRAMS, DHS/CBP/PIA-031,
available at https://www.dhs.gov/privacy-documents-us-customs-and-border-protection.
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 8
information to Automated Radiological Data Integration System - Cloud to complete NonIntrusive Inspection’s integrated data package for each cargo crossing in the future.
Arrival at Port of Entry
CBP has deployed a variety of technologies at the port of entry that gather information
about the cargo vehicle, its contents, and occupants before the vehicle arrives at the primary
inspection booth. These include technologies that scan the contents of containers as well as those
that detect radiation levels in containers and vehicles. Additionally, CBP uses a variety of
technologies to locate trip information for cargo vehicles as they arrive in the port of entry, which
allows CBP Officers and Non-Intrusive Inspection analysts to view manifest information in ACE
Truck Manifest before the truck arrives at the primary inspection booth. As the cargo vehicle
arrives at the port of entry, it passes a number of ground loop or other sensors that trigger a series
of Multi-Energy Portal / Land Border Integration cameras and RFID reader technologies.
Depending on the port, such technologies may include the use of license plate readers,13 QR Code
readers, and RFID readers.
License plate readers capture an image of the license plate, perform optical character
recognition, and return that information to the ACE Truck Manifest system where the license plate
characters are matched in ACE against ACE trip information to locate the manifest associated with
the vehicle. The located manifest is displayed in ACE Truck Manifest to assist the CBP Officer
with adjudicating the vehicle during inspection. CBP will also use RFID readers to capture
information from the Decal Transponder and Online Procurement System tags used by most cargo
vehicle operators. If the RFID reader identifies a Decal Transponder and Online Procurement
System tag it will pull information off the tag and match it against the manifest information in
ACE to display manifest information in ACE Truck Manifest. A second RFID reader automatically
reads the driver’s Western Hemisphere Travel Initiative travel document to ascertain traveler
identity (i.e., only RFID-enabled Western Hemisphere Travel Initiative documents are read, such
as a Free and Secure Trade program card). CBP is currently piloting, with the plan to make
operational, the use of QR Codes to locate manifest information using personally identifiable
information, including the driver’s biometric facial images to verify their identity. This Privacy
Impact Assessment will be updated if the pilot becomes an operational program. When CBP
determines that the use of CBP Truck QR mobile application will be used operationally at other
ports of entry, CBP will update the www.cbp.gov website to provide notice to the trade
community.
13
License plate readers are used during the scanning process of commercial license plates prior to entry into the
United States. For additional information, including the privacy risks and mitigations associated with the technology
see DHS/CBP/PIA-037 Pre-Arrival Readiness Evaluation (PARE) Pilot, available at https://www.dhs.gov/privacydocuments-us-customs-and-border-protection.
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 9
Facial Comparison
At ports of entry, CBP will take live pictures of vehicle occupants either at the pre-primary
inspection booth or as they arrive at the primary inspection booth. CBP will use the Traveler
Verification Service (TVS)14 to conduct one to one (1:1) facial comparison between a template of
the live photograph taken at the port of entry and a source photograph found within DHS holdings
by using the biographic information found on the ACE manifest. DHS holdings include, but are
not limited to, images from the Free and Secure Trade program and TECS Travel Document
Encounter Database (TDED).
CBP initially tested facial matching technology at the Brownsville and Buffalo Ports of
Entry and will expand the operational use of the technology to other ports of entry. The Buffalo
Port of Entry utilized similar technology and the pilot in that location ended in May 2023. CBP
plans to expand the use of facial matching technology to other CBP land ports of entry and will
update Appendix B of this Privacy Impact Assessment as it does so. Appendix B contains the
current list of ports of entry that utilize facial matching technology. At Brownsville Veterans
Bridge, biometric cameras are currently installed in four primary and two secondary vehicle lanes,
the Free and Secure Trade program and Empty “Primary” lanes at the canopy structure.
Brownsville Port of Entry intends to use a “remote Primary” for processing trucks. Within the
command center, CBP Officer Non-Intrusive Inspection analysts will review Multi-Energy Portal
and Z-Portal15 truck scans remotely, entering the scan adjudication results and their comments into
the Truck Manifest Modernization interface, where the comments will later be viewed by the
officer at CBP Primary Inspection (Primary) processing the truck. Empty trucks (and, on occasion,
loaded Free and Secure Trade program trucks) are to be processed remotely by a command centerbased Primary officer. The biometric photos captured by the Land Border Integration pre-primary
zone cameras are transmitted directly to the Truck Manifest Modernization system and, when the
resulting ACE trip manifest is selected, the biometric match result is displayed for the officer to
verify the driver’s identity.
Depending on the type of cameras installed at each port of entry, the photos will either be
captured at speeds of 10 miles per hour or less, or at a pause-and-look location where the
commercially owned vehicles momentarily stop to have the pictures taken. Once a photograph is
taken, the Traveler Verification Service will conduct a one to one (1:1) facial comparison with a
source photograph to verify identity.
The Traveler Verification Service is the back-end matching service for all facial
14
See U.S. DEPARTMENT OF HOMELAND SECURITY, U.S. CUSTOMS AND BORDER PROTECTION,
PRIVACY IMPACT ASSESSMENT FOR THE TRAVELER VERIFICATION SERVICE, DHS/CBP/PIA-056,
available at https://www.dhs.gov/privacy-documents-us-customs-and-border-protection.
15
The Z-Portal is a stationary gateway that vehicles drive through located near the entrance to the secondary
inspection area.
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 10
comparison and conducts either one to one (1:1) or one to many (1:n) matching. In the cargo
environment, 1:1 matching is utilized, but 1:n could be leveraged in the future. If 1:n matching is
used in the future, this Privacy Impact Assessment will be updated accordingly. The live photo
image captured during the arrival process is matched to the document photo found in the TECS
Travel Document Encounter Database (TDED), which includes travel-related records such as
Department of State passports, immigrant and non-immigrant visas, and U.S. Citizenship and
Immigration Services Lawful Permanent Resident cards and other travel documents.16 CBP does
not retain the images of U.S. citizens after their identities are verified by the Traveler Verification
Service. Only photos of non-U.S. citizens are retained in the Traveler Verification Service for 14
days to confirm the individual’s identity in CBP Automated Targeting System (ATS-UPAX)17 and
for the full 75-year retention period in the Automated Identification Verification System
(IDENT).18 The Traveler Verification Service creates templates of the source photo image and the
live photo capture, and then compares the live capture template to the source template (known as
one-to-one matching, or 1:1). The match result (“Match,” “No Match,” or “Unable to Match”) is
then displayed for the CBP Officer in the ACE Truck Manifest application to assist the officer
during the admissibility decision process. The CBP Officer has the discretion to accept or not
accept the result and if there are inconsistencies that cannot be resolved at primary, the driver is
referred for a secondary inspection.
If no photo is on file in the TECS Travel Document Encounter Database or a match is not
made to an existing photograph, a “no-match” result will be returned. The “no-match” result will
display a blank source photo against the live photo in the ACE Truck Manifest system. A no match
result does not mean a person is inadmissible. After review of this information, the CBP Officer
will manually query the system, using the vehicle information and the occupants’ biographic
information, to identify the manifest and make a final determination.
Prior to reaching the camera locations, CBP will notify drivers and passengers via signage
that CBP will collect images of their faces for biometric matching. At the Brownsville Port of
Entry, any passengers located in the truck exit the truck before arriving at Primary by using the
crosswalk to be processed as a pedestrian. After the truck, driver, and cargo are processed, the
passengers are picked up by the truck driver before leaving the Exit Gate. Drivers and passengers
16
See U.S. DEPARTMENT OF HOMELAND SECURITY, U.S. CUSTOMS AND BORDER PROTECTION,
PRIVACY IMPACT ASSESSMENT FOR THE TECS SYSTEM: PLATFORM, DHS/CBP/PIA-021, available at
https://www.dhs.gov/privacy-documents-us-customs-and-border-protection.
17
See U.S. DEPARTMENT OF HOMELAND SECURITY, U.S. CUSTOMS AND BORDER PROTECTION,
PRIVACY IMPACT ASSESSMENT FOR THE AUTOMATED TARGETING SYSTEM, DHS/CBP/PIA-006,
available at https://www.dhs.gov/privacy-documents-us-customs-and-border-protection.
18
See U.S. DEPARTMENT OF HOMELAND SECURITY, NATIONAL PROTECTION AND PROGRAMS
DIRECTORATE (NPPD), PRIVACY IMPACT ASSESSMENT FOR THE AUTOMATED BIOMETRIC
IDENTIFICATION SYSTEM, DHS/NPPD/PIA-002, available at https://www.dhs.gov/privacy-documents-cisa.
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 11
who arrive at the Brownsville Port of Entry will have the opportunity to opt-out of photo capture
by choosing to utilize a lane that does not have photo capturing. Signage will indicate which lanes
are designated as opt-out lanes. Currently, all drivers and passengers are permitted to opt-out of
the photo capture; however, in the future (i.e., once a biometric capture solution is fully realized)
opt-out will only be available to U.S. citizens and other non-in scope travelers such as diplomats
and minors.19
Radiological Scans of Vehicles
In addition to technologies used to verify the identity of vehicle occupants and to locate
manifest information, as a commercial vehicle arrives at a port of entry CBP also uses technologies
to identify the cargo carried in the vehicles and potential radiological threats. ACE Truck Manifest
is connected to CBP’s Automated Radiological Data Integration System - Cloud system, which
functions as the system of record for data collected by scanners and associated sensors during nonintrusive inspections at ports of entry. The Automated Radiological Data Integration System Cloud serves as the interface between fielded Non-Intrusive Inspection systems and ACE Truck
Manifest, sharing select trip data elements like license plate, RFID, and QR with ACE Truck
Manifest. ACE Truck Manifest uses these elements to call up manifest information for a given
vehicle, creating a link between the ACE record and the Non-Intrusive Inspection record. Once
the X-ray images are adjudicated by the command center analyst, the Non-Intrusive Inspection
scan result is entered into ACE Truck Manifest for the Primary officer to reference. Radiation
Portal Monitor alarm data may also be integrated into ACE Truck Manifest. Information available
in ACE Truck Manifest may also be shared with the Automated Radiological Data Integration
System - Cloud to complete Non-Intrusive Inspection’s inspection record.
Primary Inspection
A short time after arriving at a port of entry, the vehicle will make its way to the Primary
inspection booth. As the truck arrives, CBP automatically compiles the information associated
with the vehicle that was collected pre-arrival and identified and associated with the vehicle upon
arrival. In Brownsville, a display monitor at the booth provides instructions to the driver to provide
any data that was not captured as the truck passed through the Land Border Integration technology
An “in-scope” traveler is any person who is required by law to provide biometrics upon exit from the United
States pursuant to 8 CFR 235.1(f)(ii). “In-scope” travelers include any alien other than those specifically exempt as
outlined in the CFR. Exempt aliens include: Canadian citizens under section 101(a)(15)(B) of the Act who are not
otherwise required to present a visa or be issued a form I-94 or Form I-95; aliens younger than 14 or older than 79
on the data of admission; aliens admitted A-1, A-2, C-3 (except for attendants, servants, or personal employees of
accredited officials), G-1, G-2, G-3, G-4, NATO-1, NATO-2, NATO-3, NATO-4, NATO-5, or NATO-6 visas, and
certain Taiwan officials who hold E-1 visas and members of their immediate families who hold E-1 visas unless the
Secretary of State and the Secretary of Homeland Security jointly determine that a class of such aliens should be
subject to the requirements of paragraph (d)(1)(ii); classes of aliens to whom the Secretary of Homeland Security
and the Secretary of State jointly determine it shall not apply; or an individual alien to whom the Secretary of
Homeland Security, the Secretary of State, or the Director of Central Intelligence determines it shall not apply.
19
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 12
lane. For example, if the QR Code is not captured, it will instruct the driver to hold up the QR
Code. If a live photo is not captured, the driver will be instructed to look into the camera, unless
the individual opts out and the driver will be directed to use a lane that does not have photo
capturing at a CBP port of entry. Any missing data will be sent to ACE Truck Manifest to complete
the manifest information.
In the Primary inspection booth, CBP Officers use the ACE Truck Manifest interface to
review the information previously collected throughout the process to make a decision on whether
the vehicle or occupants should be referred for further inspection or permitted to proceed into the
United States. Different dashboards within ACE Truck Manifest allow CBP Officers to view all
information needed to inspect and process the cargo and occupants of the vehicle. These
dashboards allow CBP Officers to review manifest information, including any holds that may have
previously been put on the vehicle (such as national security holds created by the National
Targeting Center). Additionally, ACE Truck Manifest will display any derogatory information
maintained in TECS on the occupants of the vehicle that may require additional inspection. Based
on the information in ACE Truck Manifest, CBP Officers will either admit the vehicle into the
United States or refer the truck for secondary inspection. These referrals will be saved as a note in
the history tab within ACE Truck Manifest.
Secondary Inspection
CBP Officers located at the secondary inspection site use ACE Truck Manifest by logging
into a Secondary Inspection dashboard to review the list of referrals on the cargo, crew and/or
vehicles, and the full manifest. Within the dashboard, the CBP Officer can review the driver’s
name, vehicle license plate number, equipment number, Free and Secure Trade program eligibility
status, CBP Officer remarks noted during Primary inspection, and the referral type to understand
whether the referral requires an agriculture, narcotics, immigration, national security, or trade
enforcement examination.
During inspection, the assigned CBP Officer will select a truck from a list within the ACE
Truck Manifest queue. Based on the type of referral, the CBP Officer will examine the referred
occupants by verifying the identity of the individuals, either through automated facial matching
conducted by ACE Truck Manifest or manual officer processing if the driver elects to opt out of
capturing their photograph. CBP simultaneously examines cargo and conveyances by reviewing
the details of the hits or rules pushed from the Automated Targeting System to ACE Truck
Manifest that match specific criteria on the Bill of Lading, Entry, or Vehicle Tag. After review,
the CBP Officer will select exam findings within ACE Truck Manifest, which provides a direct
link to the Automated Targeting System that allows the CBP Officer to review and record the
information. If the referral is based on the driver or crew member, the exam findings are recorded
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 13
in the Unified Secondary System,20 a consolidated secondary case management system that
provides access to a variety of CBP and other law enforcement systems to assist CBP officers in
reaching their decision. For cargo referrals, the CBP Officer will use Automated Targeting System
Import Cargo, formerly known as ATS-N, to evaluate and assess during the examination whether
the cargo is high-risk inbound cargo. The direct feed of information from the Automated Targeting
System to ACE Truck Manifest allows the CBP Officer to examine the shipment, waive the
physical examination, or determine whether enforcement actions are warranted, if any legal or
regulatory violations are confirmed. All inspection actions are entered into “exam findings” in the
Automated Targeting System and the transactional actions such as “holds” or “cleared” are stored
in ACE.
Exit Gate
After the manifest has been released in ACE Truck Manifest a CBP Officer will direct the
driver to exit the port of entry through the exit gate. A CBP Officer managing the exit gate will
use the exit gate dashboard within ACE Truck Manifest to verify that the truck has been cleared
and manually confirm in the system that the truck has exited the gate. If a truck has not been
cleared and attempts to exit the gate, the CBP Officer will stop the truck and detain the cargo and
crew for further inspection.
Privacy Impact Analysis
Authorities and Other Requirements
CBP has the authority to conduct inspections of travelers and conveyances upon entry
pursuant to its broad responsibilities and authorities, including:
20
•
Homeland Security Act of 2002;21
•
The Trade Act of 2002;
•
The Immigration and Nationality Act;
•
The Tariff Act of 1930, as amended;
•
6 U.S.C. § 202 Border, Maritime, and transportation responsibilities;
•
6 U.S.C. § 211 Establishment of U.S. Customs and Border Protection; Commissioner,
Deputy Commissioner, and operational offices; and
•
Section 7208 of The Intelligence Reform and Terrorism Prevention Act of 2004
See U.S. DEPARTMENT OF HOMELAND SECURITY, U.S. CUSTOMS AND BORDER PROTECTION,
PRIVACY IMPACT ASSESSMENT FOR UNIFIED SECONDARY, DHS/CBP/PIA-067, available at
https://www.dhs.gov/privacy-documents-us-customs-and-border-protection.
21
Pub. L. 107-296, 116 Stat. 2135.
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 14
(IRTPA).22
ACE Truck Manifest maintains and uses data from the following DHS and CBP systems of
records:
22
•
DHS/CBP-001 Import Information System: This system of records permits CBP to
collect and maintain records on all commercial goods imported into the United States,
as well as information pertaining to the carrier, broker, importer, and other persons
associated with the manifest, import, or commercial entry transactions for the goods;23
•
DHS/CBP-006 Automated Targeting System (ATS): This system collects and reviews
data to efficiently perform risk assessments on information pertaining to international
travelers and import and export shipments attempting to enter or leave the United
States. ATS uses a rule-managed technology that facilitates the targeting of high-risk
travelers and cargo;24
•
DHS/CBP-007 Border Crossing Information (BCI): This system maintains information
about U.S. citizens, lawful permanent residents, and immigrant and non-immigrant
individuals who lawfully cross the U.S. border by air, land, or sea, regardless of method
of transportation or conveyance;25
•
DHS/CBP-011 U.S. Customs and Border Protection TECS: This system consists of the
enforcement, inspection, and intelligence records relevant to the antiterrorism and law
enforcement mission of CBP and other federal agencies that use TECS. The purpose is
to track individuals who have violated or are suspected of violating a law or regulation
that is enforced or administered by CBP, to provide a record of any inspections
conducted at the border by CBP, to determine admissibility into the United States, and
to record information regarding individuals, firms, and organizations to whom
DHS/CBP has issued detentions and warnings;26
•
DHS/ALL-004 General Information Technology Access Account Records System
(GITAARS): This system consists of information collected to provide authorized
individuals with secure log in access to DHS information technology resources;27 and
•
DHS/ALL-037 E-Authentication Records System of Records: This system allows DHS
to collect, maintain, and retrieve records about individuals, including members of the
49 U.S.C. § 44909.
See DHS/CBP-001 Import Information System, 81 Fed. Reg. 48826 (July 26, 2016).
24
See DHS/CBP-006 Automated Targeting System, 77 Fed. Reg. 30297 (May 22, 2012).
25
See DHS/CBP-007 Border Crossing Information (BCI), 81 Fed. Reg. 89957 (December 13, 2016).
26
See DHS/CBP-011 U.S. Customs and Border Protection TECS, 73 Fed. Reg. 77778 (December 19, 2008).
27
See DHS/ALL-004 General Information Technology Access Account Records System (GITAARS), 77 Fed. Reg.
70792 (November 27, 2012).
23
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 15
public, who electronically authenticate their identities to access DHS systems (both
private and public facing).28
ACE Truck Manifest is an application in the ACE Cloud environment. A system security plan and
the authority to operate for ACE Cloud was completed on April 3, 2020.
CBP maintains import records for a period of six years from the date of entry pursuant to
National Archives and Records Administration Authority N1-36-86-1, General Records Schedule
9 Entry Processing, Items 4 and 5. There is no National Archives and Records Administration
schedule that exists currently for the records that are retained by the ACE Truck Manifest system
for biometric facial matching and these records will not be deleted until an approved records
schedule is in place. CBP currently maintains an approved schedule for U.S. citizen encounter
photos only. All photos, including photos of U.S. citizens, are held in the secure Traveler
Verification Service cloud matching service for no more than 12 hours after identity verification,
in case of an extended system outage. CBP does not retain photos of U.S. citizens, once their
identities have been confirmed; however, photos of non-U.S. citizens are retained in the Traveler
Verification Service for 14 days to confirm the individual’s identity in the CBP Automated
Targeting System (ATS-UPAX) and for the full 75-year retention period in the Automated
Biometric Identification System (IDENT). The Traveler Verification Service is the system of
record for biometric records and the Automated Targeting System is the system of record for CBP
Officer examination notes. Although ACE Truck Manifest queries the Automated Targeting
System, TECS National Crime Information Center (NCIC)/National Law Enforcement
Telecommunications System (NLETS) Service (NNSV), and Traveler Verification Service, the
system saves the data and each of these source systems maintains its own records retention
schedules; however, when an inspection occurs, the Automated Radiological Data Integration
System - Cloud pushes the data to ACE Truck Manifest.
ACE Truck Manifest queries information from multiple existing CBP source systems and
does not collect any new information, with the exception of the encounter photographs of the
driver, other passengers or crew members, and the vehicle’s license plate. The ACE Secure Access
Portal is covered by OMB Control number 1651-0105, Agency Information Collection Activities:
Application to use Automated Commercial Environment (ACE), which expires on September 30,
2024, and is the primary means for importers and other trade filers to submit information to ACE
and establish their accounts. The Traveler Verification Service is the source system for biometric
records and is covered by the Paperwork Reduction Act (PRA). OMB 1651-0138, Agency
Information Collection Activities: Biometric Identity expires on September 30, 2024.
Characterization of the Information
The information CBP uses and collects for ACE Truck Manifest is different depending on
28
See DHS/ALL-037 E-Authentication Records System of Records, 79 Fed. Reg. 46857 (August 11, 2014).
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 16
the technologies used by truck operators as well as the technologies available to CBP at the port
of entry.
CBP Truck QR Mobile Application – QR and coded Decal Transponder and Online
Procurement System RFID:
Individual profile accounts are not created for this application; however, users submit the
following information to create a QR Code:
•
ACE Manifest number;
•
Target arrival date;
•
License plate number(s) for tractor and trailer;
•
License plate state; and
•
License plate country.
ACE Truck Manifest System:
The carrier provides the following information directly to CBP:
•
Driver’s name;
•
Date of birth;
•
Gender;
•
Travel and identity documentation (e.g., Passport Number, Driver’s License
Number, State, Country of Citizenship); and
•
Vehicle data – License Plate Number, License plate image, Conveyance Type,
State, Country.
In general, the carrier submits the following information except for the shipment ID and the hold
status. The ACE Truck Manifest Modernization system internally generates the unique shipment
ID and receives the hold status from the Automated Targeting System:
•
Cargo manifest information (e.g., Shipment ID, Shipment Control Number,
Harmonized Tariff Schedule of the United States (HSUSA) Description, Shipment
Type).
Although a majority of the data elements listed below are derived from either the Bill of Lading
initially filed by the carrier or the Entry that is filed by the importer or broker, ACE Truck Manifest
Modernization receives the following information from the Automated Targeting System:
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 17
•
Cargo targeting information - Shipment ID, Shipment Type, On Hold, Filer Entry
Number, Standard Carrier Alpha Codes (SCAC)29 and Bill Number, Holds Count,
Estimated Arrival Date, Probable Country, Port Lad, Hazmat Indicator,
Conveyance Mot Name, Ultimate Consignee Name, Consignee Address,
Consignee Email Address, Shipper Name, Shipper Address, Shipper Email
Address, Harmonized Tariff Schedule of the United States Description, Quantity,
Unit, Entry Value.
As the driver encounters one of the cameras at the port of entry, CBP collects the following images:
•
Biometric images of the truck driver and crew members
•
The vehicle’s license plate number
CBP Employees and Contractors provide the following information:
•
Name and Hash ID.
ACE Truck Manifest Modernization does not use information from commercial sources or
publicly available data.
To continually improve upon the quality of the images, the DHS Science and Technology
Directorate (S&T) assists CBP in testing the effectiveness of various commercial, academic, and
government algorithms in matching facial photographs. S&T is analyzing the performance of
algorithms as a true positive rate, false positive rate, false match rate, and false non-match rate. To
confirm the identity of the individuals, facial matches are completed to ensure the crew members
arriving at the port of entry are the same individuals listed on the manifests. The images are
automatically pulled into ACE Truck Manifest to match against source photos in DHS holdings.
These source images are not altered. CBP continually tests and evaluates the accuracy of the
camera technology and the algorithms in the Traveler Verification Service to mitigate potential
adverse impacts, such as disparate treatment of drivers of a particular demographic.
ACE Truck Manifest pulls data directly from the source systems like TECS and the
Automated Targeting System. The information stored in the source systems is collected directly
from the individual, or a representative of the company. The data from the source systems is readonly and cannot be modified in the ACE Truck Manifest system.
QR codes use five values that are either input directly by the truck operators or scanned
from the respective ACE cargo manifests. The code is read by the scanners and not altered prior
to input in ACE Truck Manifest. Trade reported data can be corrected by CBP Officers in the ACE
29
A Standard Carrier Alpha Codes code is generally a four-letter code assigned by the National Motor Freight
Traffic Association to a trucking company. This code is used to identify the company to various organizations and
government agencies, CBP being one of those agencies.
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 18
Truck Manifest. For example, the CBP Officer can update the license plate number, a misspelled
name, or date of birth during examination.
Privacy Risk: There is a risk that information may be exposed during transit by using
Bluetooth connectivity with the individual’s mobile device to connect to the RFID reader at ports
of entry.
Mitigation: This privacy risk is mitigated. CBP utilizes all of the standard Bluetooth
security features, such as pairing, bonding, authentication, encryption, message integrity, and
secure simple pairing that provides the standard level of protection when using Bluetooth.
Privacy Risk: There is a risk that the carrier may provide inaccurate information on the
truck driver or crew members in ACE Truck Manifest.
Mitigation: This risk is mitigated. The carrier maintains direct access to the information
in the ACE Secure Access Portal and may update the information at any time. After examination
of travel documentation, the CBP Officer can correct the information in ACE Truck Manifest by
manually reviewing travel and identity documentation prior to entry.
Privacy Risk: There is a risk that the use of facial matching technology via the Traveler
Verification Service may potentially result in disparate treatment based on race, gender, and/or
national origin or a false negative result.
Mitigation: This risk is partially mitigated. The CBP Privacy Office completed a CBP
Privacy Evaluation30 of the CBP Biometric Entry-Exit Program’s use of facial matching
technology on August 15, 2022, to determine whether the program collects, maintains, uses, and
shares information in compliance with the privacy mitigations in accordance with the conditions
outlined in the 2018 Traveler Verification Service Privacy Impact Assessment and the DHS
Privacy Policy Guidance Memorandum on the Fair Information Practice Principles.31
Additionally, CBP supported the National Institute of Standards and Technology’s (NIST) analysis
of facial recognition and identification for paperless travel and immigration.32 The testing
displayed that facial match rates have continued to improve over time as modern, more accurate
algorithms are used and that demographic differences in the tested dataset has little effect.33
See “CBP Privacy Evaluation Final Report of Traveler Verification Service,” available at
https://www.cbp.gov/sites/default/files/assets/documents/2022Sep/CPE%20Final%20Report%20Traveler%20Verification%20Service%2020220815%20Final_.pdf.
31 See “The Fair Information Practice Principles: Framework for Privacy Policy at the Department of Homeland
Security,” available at https://www.dhs.gov/publication/privacy-policy-guidance-memorandum-2008-01-fairinformation-practice-principles.
32
See “NIST Face Recognition Vendor Test (FRVT)” available at
https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8381.pdf
33
NIST Evaluates Face Recognition Software’s Accuracy for Flight Boarding | NIST. The test “focus[ed] on face
30
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 19
CBP is cognizant of the potential for bias and the associated privacy risks associated with
the use of facial matching technology and, therefore, continues to test and upgrade, as necessary,
the facial-recognition algorithm used in the Traveler Verification Service. CBP commits to using
a facial recognition algorithm that is consistent with the NIST standards and to ensure that
individual privacy is safeguarded, and any potential risks, including risks related to bias, are
appropriately mitigated.
Truck operators or passengers who experience a no-match determination in Traveler
Verification Service will receive a manual review by the CBP Officer. Further, no decisions on
admissibility may be made solely based on the facial matching results.
Privacy Risk: There is a risk that inaccurate information from source systems displayed
in the ACE Truck Manifest will adversely affect a vehicle or its occupants.
Mitigation: This risk is mitigated. Inaccurate information may not alone affect the
admissibility decision. ACE Truck Manifest queries information from multiple source systems to
ensure the accuracy of the data. If inaccurate information is displayed in ACE Truck Manifest and
does not match, the CBP Officer will not consider the information and will manually review the
driver’s travel document and manifest information before making an admissibility determination.
Privacy Risk: There is a risk that facial images captured within ACE Truck Manifest may
be of poor quality and, therefore, result in false negative matches.
Mitigation: This risk is partially mitigated. The primary mitigation of poor image quality
resulting in a false negative is that the biometric match is not the only factor in determining
admission. ACE Truck manifest uses biometric information and travel document RFIDs to query
the correct images as part of the facial matching process that is continually tested and evaluated to
ensure the accuracy of the camera technology and the algorithms. The received camera images are
compared against stored images within the Traveler Verification Service/the TECS Travel
Document Encounter Database databases to ensure mismatches are minimized. These images may
include photographs from previous entry inspection or other DHS encounters. Alternatively, the
CBP Officer has the option to conduct a manual inspection to ensure the validity of the driver and
crew travel documents if a match is not found or there is a negative match result, which mitigates
poor image quality. As noted previously, a failure to match may not serve as the sole basis for an
admissibility determination.
recognition algorithms’ performance under a particular set of simulated circumstances: matching images of travelers
to previously obtained photos of those travelers stored in a database.” This is also known as one to many (1:n)
matching. This test was conducted to assess the accuracy of use to confirm an airline passenger’s identity and to
“record the passenger’s official immigration exit from the United States.” “False negatives, though slightly more
common for women, were rare in all cases.” Id.
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 20
Prior to deploying any modification to the technology or the process (e.g., the Vehicle Face
technical demonstrations), CBP conducts tests to assess potential impacts on the driver and crew
members and the accuracy of the information to ensure there are any potential adverse impacts are
mitigated. These tests are for assessment purposes only, and data collected during this process is
not used operationally.
Uses of the Information
CBP Officers use ACE Truck Manifest as a dashboard and a decision support tool
specifically for cargo truck processing during primary and secondary inspection to compare
traveler and cargo information against law enforcement, intelligence, and other data within other
CBP source systems instead of manually logging into multiple systems. As part of the effort to
modernize and streamline the process, CBP uses the system during primary inspection to
automatically submit photographs to Traveler Verification Service to biometrically confirm the
identity of drivers and their passengers; to display cargo manifest and holds data, and run rules
contained in the Automated Targeting System, to assist CBP Officers during evaluation of risks in
cargo inspections; and to help adjudicate entry of drivers and truck cargo into the United States.
ACE Truck Manifest provides CBP Officers located in secondary inspection with a centralized
dashboard to view the information displayed in the system and conduct a review of cargo, the
vehicle, and the occupants that are referred for further inspection. The system also allows CBP
Officers located at the exit gates to quickly review the information to clear the vehicles and allow
entry into the United States. ACE Truck Manifest allows CBP to do so in an expedited, automated
manner that improves processing time while also enhancing security screening. If potential
criminal information is discovered, the driver and/or crew members are referred to secondary
inspection.
ACE Truck Manifest does not conduct electronic searches, queries, or analyses in search
of predictive patterns or anomalies, nor does CBP use the facial images captured through this
process for such activities. Other CBP systems that provide information to ACE Truck Manifest,
however, conduct electronic queries and search for predictive patterns including the Automated
Targeting System.
The ACE Truck Manifest is only used by CBP personnel with a need to know. No other
DHS components have roles or responsibilities within this system.
Privacy Risk: There is a risk that manifest and holds information in the ACE Truck
Manifest system will be used for purposes other than to assess the admissibility of cargo and truck
drivers and passengers.
Mitigation: This risk is mitigated. Access to ACE Truck Manifest information is strictly
limited to individuals with a need-to-know the information to complete cargo and truck driver
admissibility review. Further, all CBP systems, including ACE Truck Manifest, are routinely
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 21
audited and monitored by the CBP Office of Professional Responsibility for unauthorized system
use, access, and queries.
Privacy Risk: There is a risk that unauthorized users will access information in the ACE
Truck Manifest system.
Mitigation: This risk is mitigated. Only authorized CBP personnel with an established
need to know can access the system and roles are established with certain permissions that must
be approved by supervisors before a CBP employee can gain access to those actions in the system.
Notice
Information related to the collection of information within the ACE Portal and ACE Truck
Manifest Modernization is provided to CBP for review by each ACE user or indirectly through a
CBP system connection. Privacy Act Statements displayed on the login screen for login.cbp.gov
and the ace.cbp.gov provide notice at the time of the collection. This Privacy Impact Assessment
and the related System of Records Notices also serve as a form of notice.
The availability of the voluntary QR / RFID code mobile application is communicated to
truck drivers via email, text, and during secondary inspections. It is completely voluntary and
available in the interest of expediting processing of truck cargo at ports of entry. CBP Officers
located at the Brownsville Port of Entry will provide a tear sheet for distribution and CBP will
hold Trade Day outreach events to provide notice to the trade community.
CBP will notify drivers and passengers that CBP will be collecting an image of their face
for biometric matching via signage. Drivers and passengers will have the opportunity to opt-out of
photo capture by choosing to use a lane that does not have photo capturing at a CBP port of entry.
At land ports of entry, cameras are used for facial comparison purposes along the Southwest Border
for pedestrian processing and issuing I-94s, with opt out provided to U.S. citizens. A test of facial
comparison, with opt out, in the privately owned vehicle lanes at select pilot sites is planned.
Signage will indicate which lanes are designated as opt-out lanes at the Brownsville Port of Entry.
If a passenger opts-out of biometric matching, the crew member can leave the vehicle and enter
the pedestrian crossing. The truck, driver, and passengers are directed to an opt-out area and will
be processed manually by a CBP Officer and may be referred to secondary inspection as required.
Regardless of the location and site-specific operations, drivers may opt-out of the MultiEnergy Portal X-ray scanning at specified points. For Multi-Energy Portals located in pre-primary,
a designated opt-out lane in pre-primary will be installed with appropriate signage situated in
advance of the Multi-Energy Portal locations. For Multi-Energy Portals located in post-primary or
secondary inspection areas, drivers may inform the primary CBP Officer of their desire to opt-out
of this scanning. If the driver opt-outs, the cargo conveyance may be referred for secondary
inspection based on the assessed risk and totality of circumstances. An opt-out inspection can
include any of the following: a Non-Intrusive Inspection technology scan without the driver
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 22
present, a quick visual inspection of the conveyance, a canine (K9) inspection, or the cargo may
be off-loaded at a loading dock for a more detailed physical inspection of the conveyance. These
alternative processing measures will not impose additional burdens or requirements on the
individual beyond what is necessary to complete the inspection process.
ACE Truck Manifest is used to process cargo and truck drivers entering the United States.
If truck drivers and/or passengers opt-out of processing, they would not be able to enter the
country. They must consent to CBP’s entry processing to be allowed to proceed to their final
destinations within the United States. However, occupants can choose to opt-out of photo capture
and/or Multi-Energy Portal X-ray scanning as other methods are available to enable them to be
processed for entry into the country. Signage will be displayed at the Port of Brownsville to provide
notice of the opt-out option for truck drivers and crew members who do not want to participate in
the biometric pilot.
QR Code use is also optional and meant to provide expediency in processing at ports of
entry. Truck drivers can choose not to create this code prior to entry at the border and can provide
the information to the CBP Officers directly instead.
Privacy Risk: There is a risk that truck drivers and crew members will not know that their
information is displayed in ACE Truck Manifest.
Mitigation: This risk is mitigated. Through signage, hand-outs, information posted on the
CBP website, and other communication, CBP notifies individuals before arriving and at the time
of collection at the Brownsville Port of Entry. In addition, this Privacy Impact Assessment, the
ACE, Automated Targeting System, Traveler Verification Service, and TECS Privacy Impact
Assessments, and related System of Records Notices are published on the DHS website and
provide notice.
Privacy Risk: There is a risk that truck drivers and crew members will not know that they
can opt out of the information collection for photographs and/or Multi-Energy Portal X-ray
scanning at the port of entry during truck processing.
Mitigation: This risk is partially mitigated. In addition to signage located at the Port of
Brownsville, CBP Officers provide hand-outs to truck drivers to advise the driver and crew
members that the photograph collection is optional and that they can request alternative processing
by a CBP Officer. Truck drivers can remain inside the truck while the Multi-Energy Portal system
provides an image or may opt-out at specific points located at the port of entry marked by signage.
The publication of this Privacy Impact Assessment also serves as notification.
Data Retention by the Project
ACE Truck Manifest records are not currently covered under any schedule. CBP is working
with the National Archives and Records Administration to develop a proposed records schedule to
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 23
destroy records six years after cut-off, but longer retention may be required for business use. Until
a schedule has been approved, these records will be maintained in the ACE Truck Manifest system.
CBP uses ACE Truck Manifest to automatically query and populate information from existing
source systems, such as the Automated Targeting System, Traveler Verification Service, and
TECS to validate and gather any missing information to assist the CBP Officer with making a
determination when examining the information presented for entry, and stores a copy of the data
in the system. Information about records and the retention schedules originating in the source
systems such as the Automated Targeting System, Traveler Verification Service, and TECS can
be viewed in the respective published Privacy Impact Assessments.
The underlying data will be encrypted in the QR Code that is retained on the driver’s mobile
devices until deleted by the respective users from CBP Truck QR.
Facial Images of non-U.S. citizens will be retained in ACE Truck Manifest and the Traveler
Verification Service for a period of 14 days and Automated Biometrics Identification System
[IDENT] for the full retention period of 75 years. CBP will save and store any license plate images
received and the live photo, the source photo, and the Traveler Verification Service facial image
match of the occupants in the system. The Traveler Verification Service maintains its own records
retention schedule.
Privacy Risk: There is a risk QR Code data stored on mobile devices, facial images, and
other personal information, including license plate numbers, may be retained for longer periods
than needed by the CBP Officers for port of entry processing purposes.
Mitigation: This risk is partially mitigated. ACE Truck Manifest queries information from
several source systems. The system will process biometric records, but they are maintained by the
Traveler Verification Service system that will conduct the backend biometric matching. The
Traveler Verification Service maintains its own records retention schedule. CBP is actively
working with the Office of Records and Information Management to finalize the schedule for
biometric facial matching records.
QR Code and RFID data can be deleted at the user’s discretion. Users can also request
CBP’s deletion of facial images via the redress process.
Information Sharing
CBP does not share the underlying data received from other CBP source systems or
information collected by ACE Truck Manifest outside of DHS. However, redacted license plate
data may be shared with the license plate reader vendor to improve accuracy of the license plate
reads and improve the system’s algorithm. CBP may share information from the source systems
in accordance with each respective System of Records Notice.
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 24
Redress
Individuals seeking access to ACE Truck Manifest information may file a Freedom of
Information Act (FOIA) request with CBP at https://foia.cbp.gov/palMain.aspx, or by mailing a
request to:
U.S. Customs and Border Protection
Freedom of Information Act Division
1300 Pennsylvania Avenue NW, Room 3.3D
Washington, D.C. 20229
Fax Number: (202) 325-1476
There are no other changes to individual access, redress, and correction procedures since issuance
of the 2015 Privacy Impact Assessment.
This Privacy Impact Assessment and the applicable System of Records Notices for the
various source systems provide general notice regarding the procedures for correcting information
used by ACE Truck Manifest Modernization.
Privacy Risk: There is a risk that adverse information on individuals or cargo may be used
by ACE Truck Manifest and negatively impact admissibility into the United States and the
impacted individuals may not know how to request redress.
Mitigation: This risk is mitigated. CBP has described the redress procedures in this
Privacy Impact Assessment and the relevant source systems’ System of Records Notices. Any
negative information on cargo or truck drivers would originate from the source systems such as
ACE, Automated Targeting System, Traveler Verification Service or TECS. Any corrections or
omissions would need to be rectified through established processes for these source systems. Aside
from the biometric photo information collection, ACE Truck Manifest only queries information in
other systems and does not provide CBP Officers the capability to alter or store any of this
information.
Auditing and Accountability
All ACE Truck Manifest users have access to the system as defined by their specific profile.
Access is restricted based on roles and a demonstrated need to know.
User access is provided to CBP Officers to restrict access to information relevant to their
roles and responsibilities. These officers are provided system training and a user guide which has
been thoroughly vetted by all stakeholders. The user guide details each course of action for the
various ‘What if’ scenarios that may occur while using the program. For example, the user guide
instructs users on how to proceed with inspections when no facial match occurs within the ACE
Truck Manifest.
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 25
Field users (i.e., CBP Officers) are granted ACE Truck Manifest access after permission
has been granted by the user’s designated supervisor. For privileged users, such as production
support staff, permission must be granted by their designated supervisor and by an Entitlement
administrator. This controls the number of developers with access to production capabilities.
Contact Official
Thomas Mills
Executive Director
Cargo Systems Program Directorate
Office of Information & Technology
U.S. Customs and Border Protection
[email protected]
Responsible Official
Debra L. Danisek
Privacy Officer
CBP Privacy Officer
Privacy and Diversity Office
U.S. Customs and Border Protection
Approval Signature
Original, signed copy on file with the DHS Privacy Office.
________________________________
Mason C. Clutter
Chief Privacy Officer
U.S. Department of Homeland Security
(202) 343-1717
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 26
Appendix A: CBP Multi-Energy Portal (MEP) Locations
QR Code or RFID readers are not in use at all ports of entry but are considered part of the MultiEnergy Portal and Land Border Integration systems. Listed below are the current CBP locations:
Field Office
El Paso
El Paso
El Paso
El Paso
El Paso
El Paso
Laredo
Laredo
Laredo
Laredo
Laredo
Laredo
Laredo
Laredo
Laredo
Laredo
Laredo
Laredo
San Diego
San Diego
Tucson
Tucson
Tucson
Detroit
Buffalo
Location
BOTA, TX
Columbus, NM
Presidio, TX
Santa Teresa, NM
Tornillo, TX
Ysleta, TX
Brownsville VIB, TX
Del Rio, TX
Laredo WTB, TX
Anzalduas, TX
Colombia Bridge, TX
Donna, TX
Eagle Pass 2, TX
Laredo WTB, TX
Los Indios, TX
Pharr, TX
Progreso, TX
Rio Grand City, TX
Calexico East, CA
Otay Mesa, CA
Mariposa, AZ
Mariposa, AZ
San Luis II, AZ
Gordie Howe, Detroit, MI
Peace Bridge, Buffalo, NY
�Privacy Impact Assessment Update
DHS/CBP/PIA-003(c) ACE Modernization
Page 27
Appendix B: Facial Matching Technology at CBP Land Ports of Entry
CBP is transforming and expediting lawful trade and security through use of Facial
Matching Technology at the land port of entry located at the Veterans International Bridge in
Brownsville, Texas. Future updates to the list of CBP land ports of entry with facial matching
technology can be found at https://biometrics.cbp.gov/land.
�
| File Type | application/pdf |
| File Title | DHS/CBP/PIA-003(c) Automated Commercial Environment (ACE) Modernization |
| Subject | PIA |
| Author | CBP |
| File Modified | 2023-09-28 |
| File Created | 2023-09-28 |