While cities and municipalities made clear strides to limit the use of face surveillance technology throughout 2019, airlines and government agencies tasked with identifying travelers have spent much of the year trying to expand its use. But while the Department of Homeland Security (DHS) and Customs and Border Patrol (CBP), along with several different airlines, did launch or conclude pilot programs that tested the waters of face recognition technology on travelers this year, they also saw significant push back — and in some cases, retreated.
Airports Fight Back
Just this month, officials at Seattle’s Sea-Tac airport halted a planned implementation of face recognition by Delta, voting unanimously to pause the use of face recognition until the Port of Seattle Commission, which manages the airport, can create policies to protect traveler privacy. Delta had planned to implement face recognition at the terminal by year’s end. This is the first time an airport has taken action against face recognition, but it likely won’t be the last. The Commission’s president, Stephanie Bowman stated, “We feel that our community expects more than to have this kind of technology rolled out without any public discussion or input.” Every airport official in the country — and every government official — should agree.
Travelers Fight Back
Travelers have been fighting back as well: earlier in the year a Twitter exchange between a passenger and a spokesperson for the airline JetBlue went viral, creating an outcry among travelers who were concerned about their biometric privacy and about whether or not there was an obvious way to opt-out of face recognition. Opting out is complicated by the fact that there are actually (at least) three different face recognition checkpoints coming into effect: airlines, using it as a boarding pass; CBP, using it to check against government databases when you’re entering or exiting the country; and the Transportation Security Administration (TSA), using it to compare your face against your photo identification throughout the airport. This is not to mention that many of the airlines are partnering directly with CBP on implementing the technology, complicating the opt-out rules even further. Unfortunately, despite this pushback, the opt-out procedures haven’t gotten any easier (for now).
It also isn’t easy to know whether (and where) to expect face recognition at the airport: there’s no single list of where you might encounter it, even as its use grows. By the end of 2019, Delta, United, JetBlue, Lufthansa, British Airways, and American Airlines were all working with CBP to launch face recognition for international travelers at terminals across the country. For now, the list of airports where pilot programs are or have been includes Atlanta, Houston, Washington (Dulles and Reagan), San Francisco, LAX, New York-JFK, Boston, Fort Lauderdale, Chicago, Seattle, Las Vegas, Washington, Houston Hobby, Dallas/Fort Worth, Miami, San Jose, Orlando, and Detroit — a threat that’s growing far too large to ignore.
In June, concerns that growing collections of biometric data create honeypots for hackers was, unfortunately, borne out, when a trove of CBP’s data, including license plate images and biometric data from traveler photos, was breached. Whether the images are taken from airline passengers, or those crossing the border in other ways, the risks to travelers remain the same: all government data is at risk of breach and misuse by insiders and outsiders, and increasing the size of those databases increases the risk. Even worse, the results of a breach of face recognition or other biometric data could be far more damaging than breaches of other identifying data, because our biometrics are unique to us and cannot easily be changed. So far, the public hasn’t gotten clear information about how many travelers were affected. CBP needs to be more transparent about this breach, and about how they’re protecting biometric data.
Congress Fights Back
In a series of hearings this year, Congress took various government agencies to task for their use of face recognition, including TSA and CBP. In a July hearing, Congress dismissed the TSA’s boasts that it had a 99% opt-in rate in their pilot, with several members pointing out that the tricky and unclear opt-out procedures undoubtedly lead to many travelers being scanned without their consent. Congress, like digital rights groups and the public, suggested that requiring travelers to opt out, rather than opt in, was a major problem. This hearing was one of several that saw Congress pushing for information on the authority DHS, TSA, and the FBI have to use face surveillance without consent.
Finally, DHS admitted that its roadmap for biometric data collection is subject to change under pressure. In early December, the agency announced its intention to use face surveillance on every international traveler, including U.S. citizens, sparking outrage. DHS quickly retreated under the pressure (and under the threat of legislation). DHS has said in the past that its goal is to use face surveillance on 97 percent of departing air passengers within the next three years, and on 100 percent of all international passengers in the top 20 U.S. airports by 2021. But besides creating a massive privacy threat that would be nearly impossible for travelers to bypass, requiring face recognition technology that was wrong even a small percent of the time would create havoc. And as far as we can tell, it’s wrong a lot: a 2018 report by the Office of the Inspector General found that an initial pilot program only had an 85-percent confirmation rate.
One thing is certain: fighting back against face surveillance — whether it’s on the land or in the skies — is working. 2020 will likely be an even bigger battleground year. These airport biometrics programs threaten privacy on a mass scale, but the vast surveillance and tracking network that DHS and other agencies are building can be stopped. EFF will continue fighting to make sure that we are all able to travel safely in the future.