At some airports, your face is your ID. Is your privacy at risk?
Every day in airports across America, travelers confront facial recognition technology.
It probably saves time. Federal officials say it’s making us safer. And for the millions whose mobile phones already recognize faces, this would seem nothing new.
But how does old-fashioned privacy square with all these head shots and database comparisons? Where does the data go? What happens if you say no?
These and other questions arise as government and industry leaders embrace biometric measures — especially facial recognition — and many privacy advocates resist.
Some travelers’ questions are easy to answer. Others, not so much.
Q. Who’s in charge?
A. The Department of Homeland Security’s U.S. Customs and Border Protection unit is leading the charge, promoting the technology as “the ideal technology path to a more seamless travel experience.” And President Trump added urgency with a 2017 order that called for security officials to make biometrics a priority.
Meanwhile, the Transportation Security Administration, another Homeland Security agency, has been collaborating with CBP on biometrics and has set a series of goals.
One is face-scanning travelers in TSA Precheck lines (and integrating that data with fingerprints). Another is face-scanning more domestic travelers (on a voluntary basis) and perhaps integrating that data with driver’s license data by way of Homeland Security’s REAL ID program.
How fast is this moving? In an April report, Homeland Security officials said that within four years, they intend to scan the faces of 97% of passengers, including U.S. citizens and foreign nationals, on outbound international flights.
A CBP spokesperson said Aug. 14 that the agency already has scanned the faces of more than 25 million passengers, apprehended 180 impostors and confirmed that more than 20,000 travelers had overstayed their visas.
Meanwhile, Britain, China, Singapore, Malaysia and the United Arab Emirates are exploring biometrics, and many airlines see this as a chance to speed operations. Among the U.S. carriers working with CBP: American, Delta, JetBlue and United.
One recent report predicted the facial recognition market worldwide would grow from $3.2 billion in sales in 2019 to $7 billion in 2024.
Q. How does facial recognition work?
A. Passengers submit to a photo at a gate or security checkpoint instead of showing a passport or boarding pass.
Authorities access encrypted cloud data, then compare the fresh image against existing images in government databases. If no match materializes, airlines or CBP officials ask for ID or run checks with more government sources.
CBP officials say the process takes just under two seconds per person, with an accuracy rate of more than 97%.
Airlines and airports often buy the cameras that take the photos, then link the resulting images to CBP’s biometric matching service (which relies on a “matching engine” from NEC Corp.). Airlines, airports and the TSA can access that matching service at check-in, bag drop, security checkpoints or boarding, the CBP spokesperson said.
Q. What happens to these new photos?
A. CBP says that “all photos of U.S. citizens are deleted within 12 hours of identity verification.” Images of noncitizens may be retained longer, even up to 75 years, depending on circumstances.
The CBP noted in a report last year that “an approved partner may collect photos of travelers using its own equipment under its own separate business process for commercial purposes.”
Q. What if I say no?
A. The CBP and TSA say that U.S. citizens have that right and that airport authorities should be ready to process travelers the old-fashioned way. (Some noncitizens can say no, but for many it’s required. For details, check CBP’s FAQs.)
CBP said it has not tracked the number of travelers opting out. The Electronic Frontier Foundation, a foe of facial recognition, warns that many travelers may not realize that they can say no.
Q. How many U.S. airports are doing it?
In an Aug. 14 email, a CBP spokesperson reported ongoing biometric exit operations (including facial recognition) at 22 U.S. airports.
The agency also is doing biometric entry processing at 11 U.S. airports and at airports in Abu Dhabi, Aruba and Dublin and Shannon, Ireland, that send travelers to the U.S. CBP is also scanning at three seaports in Florida and one in New Jersey. CBP location lists can be seen at cbp.gov/travel/biometrics.
Q. What do critics say?
A. Many warn that Customs and Border Protection technology is dangerously fallible, that facial recognition software elsewhere has delivered inaccurate results and that this new approach could undercut civil liberties. In San Francisco and Somerville, Mass., city councils have banned their police from using facial recognition software.
In Washington, U.S. Sens. Edward J. Markey, D-Mass., and Mike Lee, R-Utah, wrote a letter July 26 calling for greater transparency, warning of data leaks and asking why Homeland Security has failed to release a biometrics report that was due July 2.
“American travelers deserve to fully understand exactly who has access to their biometric data, how long their data will be held, how their information will be safeguarded, and how they can opt out of this data collection altogether,” Markey and Lee wrote.
The CBP spokesperson said Aug. 14 that Homeland Security’s biometric program report “is in the internal review process.”
Fight for the Future, a privacy advocacy group, has launched a banfacialrecognition.com campaign calling for travelers to avoid airlines that use the technology.