Immigration and Customs Enforcement has signed a $25 million sole‑source deal with Bi2 Technologies for over 1,500 fingerprint, iris and facial‑recognition scanners, raising questions about U.S. privacy law compliance, data‑subject rights and the need for stronger oversight of government biometric programs.
ICE’s $25 M biometric scanner purchase – what happened?
The Department of Homeland Security’s law‑enforcement arm, U.S. Immigration and Customs Enforcement (ICE), announced a $25.1 million contract with Bi2 Technologies for 1,570 biometric recognition devices. The scanners combine fingerprint, iris and facial‑recognition capabilities and can be deployed in both mobile units and fixed stations. Each device feeds data into Bi2’s Inmate Recognition and Identification System (IRIS), a database that already holds more than five million records from 47 states, plus driver‑license and vehicle‑plate information.
The award was made without a competitive bidding process. ICE justified the sole‑source approach by claiming Bi2’s technology is “unmatched by any competitor” and by pointing to a prior $4.6 million contract that served as a pilot for the same system.
If the rollout proceeds as planned, 1,770 scanners could be operating on American streets by May 2027.

Legal basis – how U.S. privacy statutes apply

| Law | Core requirement | Relevance to ICE‑Bi2 deal |
|---|---|---|
| Privacy Act of 1974 (5 U.S.C. § 552a) | Federal agencies must publish a system of records notice (SORN) and provide individuals with access, amendment, and accounting of disclosures. | ICE must ensure the IRIS database is covered by a current SORN and that individuals can request correction of inaccurate biometric data. |
| Federal Information Security Modernization Act (FISMA) | Agencies must implement security controls for federal information systems. | The Bi2 scanners and the IRIS backend must meet FISMA’s NIST SP 800‑53 security baseline, including encryption of biometric templates at rest and in transit. |
| Executive Order 14028 (Improving the Nation’s Cybersecurity, 2021) | Requires zero‑trust architecture and supply‑chain risk management for federal IT purchases. | ICE’s sole‑source award bypasses the usual competition‑based risk assessments, potentially violating the order’s supply‑chain vetting requirements. |
| California Consumer Privacy Act (CCPA) / CPRA | Grants California residents the right to know, delete, and opt‑out of the sale of personal information, including biometric data. | If any of the scanned individuals are California residents, ICE must provide mechanisms to honor deletion and opt‑out requests, even though the agency is a federal entity. |
| Illinois Biometric Information Privacy Act (BIPA) | Requires informed consent before collecting biometric identifiers and mandates a written policy for data retention and destruction. | ICE’s collection of iris scans and facial images could be deemed a violation of BIPA unless a valid consent framework is in place, exposing the agency to statutory damages of up to $5,000 per negligent violation. |
| EU General Data Protection Regulation (GDPR) | Applies to any entity processing EU residents’ personal data, requiring lawful basis, data‑subject rights, and DPIA. | If any EU citizen is scanned, ICE would need a lawful basis (likely “public interest”) and must conduct a Data Protection Impact Assessment (DPIA) under Article 35. |

Impact on users and companies
For individuals
- Loss of anonymity: The scanners can match a person’s iris or face to a national database that includes arrest and immigration records, effectively erasing any expectation of privacy in public spaces.
- Risk of error and bias: Studies have shown higher false‑positive rates for people of color in facial‑recognition systems. An erroneous match could trigger detention, questioning, or denial of services.
- Data‑subject rights hurdles: Unlike private companies, federal agencies are not required to obtain explicit consent before biometric capture, limiting individuals’ ability to refuse.
For Bi2 Technologies
- Revenue boost but reputational risk: The contract secures a multi‑year, multi‑million‑dollar revenue stream, yet the public backlash over government surveillance may deter private‑sector clients.
- Compliance burden: Bi2 must now align its technology with FISMA, the Executive Order’s supply‑chain standards, and state biometric statutes such as BIPA. Failure to do so could result in costly civil penalties.
For ICE and DHS
- Regulatory scrutiny: The sole‑source award sidesteps the Federal Acquisition Regulation (FAR) competition requirements, opening the agency to congressional oversight and potential Inspector General investigations.
- Potential litigation: State attorneys general, especially in Illinois and California, could file suit alleging violations of BIPA and CCPA, seeking statutory damages that could quickly eclipse the contract value.
What changes are needed?
- Publish a comprehensive System of Records Notice for the IRIS database, detailing the categories of biometric data collected, retention periods, and individuals’ rights to access and correct records.
- Conduct a DPIA that evaluates the likelihood of false matches, the impact on vulnerable groups, and mitigation strategies such as algorithmic bias testing and human‑in‑the‑loop verification.
- Implement a consent‑or‑opt‑out mechanism for residents of states with biometric privacy statutes. Even if federal law does not require consent, providing it would reduce legal exposure.
- Adopt a transparent procurement process for future upgrades. Competitive bidding would not only satisfy FAR requirements but also allow independent security reviews of alternative vendors.
- Strengthen security controls: Encrypt biometric templates using FIPS‑validated algorithms, enforce strict access logs, and perform regular third‑party penetration testing to satisfy FISMA and the 2021 Executive Order.
- Establish an independent oversight board that includes civil‑rights advocates, technologists, and privacy lawyers to review the deployment schedule and audit compliance with state and federal privacy laws.
Bottom line
ICE’s $25 million deal with Bi2 Technologies dramatically expands the federal government’s biometric surveillance footprint. While the contract may be legal under current federal statutes, it collides with a patchwork of state biometric privacy laws and raises serious concerns under the Privacy Act, FISMA, and even the GDPR when EU citizens are involved. Without clear consent mechanisms, robust impact assessments, and transparent procurement, the program risks costly litigation, erosion of public trust, and the very civil‑rights harms it claims to prevent.
Readers who want to follow the story can track the contract details on the U.S. Government Contracts website and review the Bi2 Technologies product page for technical specifications.
