Congress has passed legislation at least nine times concerning authorization for the collection of biometric data from foreign nationals, but no law directly authorizes DHS to collect the biometrics of Americans at the border. Congress has authorized the collection of biometrics at the border from, variously, “every alien departing the United States,” “all categories of individual who are required to provide biometric entry data,” and “every alien participating in the visa waiver program,” but U.S. citizens have been conspicuously absent from the statutory text of every law under this program for the last 14 years. If Congress wanted to tell DHS to collect Americans’ biometrics at the border, it easily could have done so. It never has. Without explicit authorization, DHS cannot and should not be scanning the faces of Americans as they depart on international flights, as it is currently doing.

Even if it had the necessary authorization from Congress, DHS’ biometric exit program would still be legally problematic because DHS has failed to complete a rulemaking process, which the federal Administrative Procedure Act (APA) requires it to do. In a “notice-and-comment rulemaking,” an agency solicits and considers feedback from interested members of the public before adopting an important new policy. Rulemaking provides the public an opportunity to participate in agency policymaking, but it also serves to put the public on notice of what an agency is doing and why, and what rules apply to an agency’s new policy. In July, the Trump administration ordered DHS to initiate a rulemaking for the program by October 2017. But DHS has not even begun the required process, even though DHS has already scanned the faces of tens of thousands of travelers across nine American airports—more than 36,000 in Atlanta alone.

This is not the first time DHS has deployed a new privacy-invasive tool without conducting a required rulemaking process. In fact, a few years ago, under similar circumstances, a federal appeals court held that DHS was required to go through the rulemaking process before using body scanners at Transportation Security Administration (TSA) checkpoints.

DHS must conduct a rulemaking because mandatory biometric screening, like the body scanners program, constitutes a policy with the force of law. As the court found in the body scanners case a few years ago, even though requiring a passenger to pass through an existing checkpoint “is hardly novel,” the adoption of a new screening technology at the existing checkpoint may nevertheless amount to a substantive change necessitating a rulemaking when it raises substantial privacy interests. As with body scanners, privacy advocates have expressed deep concerns about airport biometrics, and DHS itself has repeatedly raised privacy interests as relevant to its face scanning systems. DHS is apparently aware of its obligation to conduct a rulemaking on biometric exit; several years ago, it initiated a rulemaking for a now-defunct fingerprint-based biometric exit program.

The fact that DHS’ airport face scanning program is only in operation at nine airports so far does not relieve DHS of its obligation to conduct a rulemaking process. As the court found in the body scanners case, rulemaking requirements apply at the point in time when an agency’s pronouncement is “of present binding effect.” In that case, even though body scanners were only in use in some airports, the court found that the scanners were nevertheless “binding” on passengers, because any individual passenger would still be “bound to comply with whatever screening procedure the TSA is using on the date he is to fly at the airport from which his flight departs.” Face scans at specific exit gates are similarly binding on the travelers who pass through those gates. Face scans are strictly mandatory for foreign nationals, and although DHS has said that face scans may be optional for some American citizens, it is unclear whether this is made known to American travelers. A rulemaking is therefore overdue.