Illustration of two people looking up at a tall fence.

CBP One: A Blessing or a Trap?

Amnesty International research relies on collaborations across multiple teams. The Security Lab recently had the opportunity to provide technical research support to a new report about the CBP One app. The report was researched and written by human rights experts from Amnesty International’s Americas Regional Office and Amnesty International USA, based on several research trips and numerous interviews with asylum seekers and local and international organisations. The Security Lab supported the research through a technical analysis of the CBP One application. 

The CBP One mobile application is the sole means of seeking asylum in the United States since the Asylum Ban (Circumvention of Lawful Pathways Final Rule) introduced by the Biden Administration on 11 May 2023. Under the Asylum Ban, individuals are required to use the CBP One application to schedule appointments at ports of entry in order to be considered eligible for asylum. 

Amnesty International’s new report CBP One – A blessing or a trap documents the human rights concerns associated with the application and sheds light on the implications of the Asylum Ban. Amnesty International considers that the Asylum Ban violates the right to seek asylum, as well as the principles of non-refoulement and non-penalization. 

“The use of the CBP One application conditions entry and access to asylum on appearing at a port of entry with a prior appointment, which is not feasible for some people,” said Ana Piquer, Americas director at Amnesty International. “While technological innovations could potentially provide for safe transit and more orderly border processes, programmes like CBP One cannot condition and limit the manner to seek international protection in the United States.” 

The application’s use of facial recognition, GPS tracking and cloud storage to collect data on asylum seekers prior to their entry into the United States raises serious privacy and non-discrimination concerns. While asylum seekers often lacked understanding of CBP One’s Privacy Policy, they agreed to it in order to use the application.  

Amnesty International’s Security Lab performed a static decompilation of CBP One with a view to identifying privacy and security concerns (decompilation is the reconstruction of source code from compiled machine code to render the code intelligible to humans). The analysis revealed that the application registers device information and unique identifiers with Google’s Firebase service. While this could have legitimate use cases, such as solving bugs that only occur on certain hardware configurations, the application does not disclose the use of Google’s services as a sub-processor and an opt-out option is not offered. Further, the privacy impact assessments of the application make no reference to the sharing of information with Google’s Firebase service. 

The CBP One application risks violating international human rights standards, particularly regarding privacy and non-discrimination, and reinforce border regimes that disproportionately affect marginalized groups, potentially leading to wrongful identification and denial of asylum rights. 

For more information, please refer to: