The US Department of Homeland Security (DHS) expects to have face, fingerprint, and iris scans of at least 259 million people in its biometrics database by 2022, according to a recent presentation from the agency’s Office of Procurement Operations reviewed by Quartz.

That’s about 40 million more than the agency’s 2017 projections, which estimated 220 million unique identities by 2022, according to previous figures cited by the Electronic Frontier Foundation (EFF), a San Francisco-based privacy rights nonprofit.

A slide deck, shared with attendees at an Oct. 30 DHS industry day, includes a breakdown of what its systems currently contain, as well as an estimate of what the next few years will bring. The agency is transitioning from a legacy system called IDENT to a cloud-based system (hosted by Amazon Web Services) known as Homeland Advanced Recognition Technology, or HART. The biometrics collection maintained by DHS is the world’s second-largest, behind only India’s countrywide biometric ID network in size. The traveler data kept by DHS is shared with other US agencies, state and local law enforcement, as well as foreign governments.

The first two stages of the HART system are being developed by US defense contractor Northrop Grumman, which won the $95 million contract in February 2018. DHS wasn’t immediately available to comment on its plans for its database.

Biometrics “make it possible to confirm the identity of travelers at any point in their travel,” Kevin McAleenan, US president Donald Trump’s recently-departed acting DHS secretary, told congress last year. The criteria used by US Customs and Border Protection (CBP) officers, a division of DHS, to screen out specific travelers as suspicious is top secret, but was determined in conjunction with Palantir, the Silicon Valley data-mining firm co-founded by controversial billionaire and ardent Trump supporter Peter Thiel. The EFF said it believes CBP could be tracking travelers “from the moment they begin their internet travel research.” As the group has noted, DHS says “the only way for an individual to ensure he or she is not subject to collection of biometric information when traveling internationally is to refrain from traveling.”

Deep intel

Last month’s DHS presentation describes IDENT as an “operational biometric system for rapid identification and verification of subjects using fingerprints, iris, and face modalities.” The new HART database, it says, “builds upon the foundational functionality within IDENT,” to include voice data, DNA profiles, “scars, marks, and tattoos,” and the as-yet undefined “other biometric modalities as required.” EFF researchers caution some of the data will be “highly subjective,” such as information gleaned during “officer encounters” and analysis of people’s “relationship patterns.”

EFF worries that such tracking “will chill and deter people from exercising their First Amendment protected rights to speak, assemble, and associate,” since such specific data points could be used to identify “political affiliations, religious activities, and familial and friendly relationships.”

But DHS and CBP already track relationships between travelers, and a recently unsealed criminal case filed in federal court demonstrates how effective the method can be. After a suspected drug trafficker fled from a security checkpoint inside San Francisco International Airport earlier this year, investigators analyzed his network of relationships. They identified a woman who claimed to be his girlfriend when the two flew to the US from New Zealand last January.

Their research revealed that the woman “had exhibited suspicious travel patterns,” and happened to be in the States at that time. She was set to fly to Sydney, Australia after only a three-day stay, and on another recent trip had spent just two days in the US before returning home.

CBP officers intercepted the woman on the jetway as she was boarding her flight. A search turned up about 0.33 pounds of pure methamphetamine hidden inside her clothing, neck pillow, and vagina.

Privacy concerns

EFF researchers said in a 2018 blog post that facial-recognition software, like what the DHS is using, is “frequently…inaccurate and unreliable.” DHS’s own tests found the systems “falsely rejected as many as 1 in 25 travelers,” according to EFF, which calls out potential foreign partners in countries such as the UK, where false-positives can reportedly reach as high as 98%. Women and people of color are misidentified at rates significantly higher than whites and men, and darker skin tones increase one’s chances of being improperly flagged.

“DHS is also partnering with airlines and other third parties to collect face images from travelers entering and leaving the US,” the EFF said. “When combined with data from other government agencies, these troubling collection practices will allow DHS to build a database large enough to identify and track all people in public places, without their knowledge—not just in places the agency oversees, like airports, but anywhere there are cameras.”

Hackers, who can seemingly now touch nearly every aspect of modern life, are also of concern. In June, CBP announced that a federal subcontractor had suffered a “malicious cyberattack,” resulting in the theft of tens of thousands of photos used in CBP’s facial-recognition database. The images were captured at a single, unnamed, US border crossing over a period of six weeks, and did not include passport details or other sensitive personal information, according to CBP. Less than a year earlier, the DHS inspector general’s office found that CBP had “not ensured effective safeguards for information, such as images and video, collected on and transmitted from” its border drone fleet.

Frank Slijper, project leader of the Arms Trade group at Pax, a Netherlands-based peace nonprofit, says we are all partially to blame for the existence of a creeping surveillance state.

“We have allowed it with social media platforms as well—we blindly embrace them until we realize how they start controlling our lives, and then get angry at Facebook,” Slijper told Quartz.

“Hopefully the general public becomes more aware of the risks that come with the more immediate advantages of all these new digital technologies [like] free social media, quickly paying [bills], smoothly going through airport control.”