According to a report released this week by the Department of Homeland Security’s inspector general, Customs and Border Protection was not adequately prepared for potential technical problems with its CBP One app, a mobile platform for scheduling appointments at U.S. ports of entry.
The agency failed to address important issues with the app’s functionality, including challenges related to language access, appointment availability and technological infrastructure, the DHS Office of the Inspector General said. CBP may also not be making optimal use of the data obtained from the app. And the app has security vulnerabilities in both the “application and its supporting infrastructure operating system,” which could make CBP One vulnerable to cyberattacks, the report said.
CBP One was created to streamline the process of collecting information on individuals entering the United States at the border without a passport or visa, particularly by enabling appointment scheduling, certain screening procedures, and processing at ports of entry.
But amid concerns about border security, CBP One has drawn attention from liberals and conservatives alike. Both human rights and immigrant rights groups have raised concerns about the app’s technical and user-friendliness limitations. Earlier this year, FedScoop reported that CBP was increasingly leaning toward using biometric technology in the app — which also raised concerns.
The inspector general said that CBP did not conduct a formal risk assessment before expanding use of the CBP One app “to meet its new operational goal of scheduling appointments for noncitizens arriving at the southwest border.” The OIG specifically cited issues with the third-party biometric technology provider, noting that use of the app far exceeded the number of scans originally expected by the contractor. As a result, border agents received an increased number of error messages.
Another problem was that some people were able to make a large number of registrations on the app to increase their chances of getting an appointment. Data released in the report showed that at least 10 people, all Russian or Armenian, were able to make hundreds of registrations on the app. The inspector general also said the app could have used some information to identify potentially suspicious activity. For example, some destination addresses from the same port of entry were listed hundreds of times.
Despite testing, CBP overwhelmed the infrastructure and demand for the app, which also reduced bandwidth and increased the number of error messages, the OIG said. Another challenge was that the app was developed with limited functionality and was restricted primarily to English, Spanish and later Haitian Creole. The report also pointed out a number of cybersecurity vulnerabilities.
CBP agreed to DHS’s three recommendations, which included developing a formalized risk assessment process for changes to mobile applications, establishing a methodology to conduct trend analysis using data generated in the CBP One app, and establishing routine assessments of CBP One applications to remediate vulnerabilities.
