Lawmakers on Capitol Hill expressed concerns over the U.S. Customs and Border Protection’s use of facial recognition technology on American citizens, questioning CPB’s right to even collect it.

“You’ve kind of taken your own initiative to do some things beyond the scope of authority that Congress gave you,” Rep. Bennie Thompson, D-Miss., the chairman of the House Homeland Security Committee, said during a July 10 hearing.

John Wagner, deputy executive assistant commissioner at CBP, disagreed, saying that the agency is using the same facial recognition technology to track the entry and exit of foreign nationals in airports and to verify the identity of American citizens.

“We’re simply automating and using a computer algorithm to enhance this manual facial recognition existing process,” Wagner said.

At many airports across the country, this process is done manually. But there are facial recognition systems in place at airports such as Washington Dulles International and New York John F. Kennedy International, along with numerous other large U.S. airports, according to the CBP biometrics website.

Thompson said that Congress had only authorized CBP to collect photos from foreign nationals, not U.S. citizens.

Wagner acknowledged that Americans were not within the scope of current CBP’s biometric entry-exit program, but said that CBP had the existing authority to verify the identity of American citizens. He said that the CBP was using algorithms to verify that a person claiming to be a U.S. citizen is a citizen, and that CBP only holds photos of U.S. citizens for 12 hours before deleting them.

“What we’re doing is absolutely not a surveillance program,” Wagner said.

Some committee members called CBP’s collection of Americans’ photos as an “expansion,” but Wagner pushed back against.

Thompson asked CBP to provide the agency’s written policy regarding facial recognition and U.S. citizens.

Facial recognition technology is fraught with privacy and access concerns. The Washington Post revealed July 7 that the FBI and Immigration and Customs Enforcement (ICE) have been scanning millions of Americans’ driver’s licenses without their consent through state-run databases.

According to the Government Accountability Office, the FBI has access to more than 641 million face photos through its database.

In another recent scare, a data breach at a CBP subcontractor exposed traveler photos and license plates. CBP has said that the number of victims was below 100,000.

Lawmakers also pressed Wagner on that data breach. During the hearing, Wagner said that CBP was testing the subcontractor’s camera on the U.S.-Mexico border, facts which CBP did not specify in early June.

Wagner testified that the subcontractor breach was part of a standalone pilot program, disconnected from the CBP’s main network. The system didn’t have CBP’s typical security controls and audit capabilities, he said.

Wagner also said that the subcontractor could potentially face criminal or civil action in court, depending on the result of ongoing investigations.

“Depending on the circumstances of how the data was taken and the intentions and why and how it was used, there potentially could be criminal actions,” Wagner said.

To mitigate the risk of a similar event in the future, CBP is adding its usual security measures to its pilot programs, he said.

“Those are things being put into place now on all those systems to ensure that you can’t connect a portable media drive on that and extract information,” Wagner said. “Our main network has these protocols on them but we didn’t have them on this type of system.”