This post was originally posted on the Washington Post.

 

 

Before Santiago Gassó’s recent flight from Atlanta to Mexico City, a Delta Air Lines gate agent announced a new boarding procedure. Instead of showing an ID and receiving paper boarding passes, passengers could line up to be photographed.

“I didn’t show any form of picture ID, yet the machine that took the picture was able to recognize my face and issue the corresponding ticket with my information,” recalls Gassó, a scientist for a federal agency in Silver Spring, Md. “Frankly, I felt it was an invasion of privacy.”

He asked, “Is this legal?”

Yes, but it’s also controversial. The government, following a congressional mandate to build a biometric entry-exit system, is working with JetBlue, British Airways and Royal Caribbean on similar programs. And as the practice of photographing passengers expands, they are becoming more concerned. But it turns out the practice of collecting their biometric data is far more common than travelers may think.

Delta launched optional facial-recognition technology in Atlanta in 2018 after two years of testing. Since then, the airline has expanded biometric boarding to Minneapolis, Salt Lake City, New York, Detroit and Los Angeles. The carrier says 72 percent of customers in Atlanta preferred facial recognition as a boarding standard, mostly because it saves time. The airline says the technology can save an average of nine minutes when boarding a wide-body aircraft.

Delta says it handles photos with the greatest care. It transmits encrypted, de-identified information directly to U.S. Customs and Border Protection (CBP). The airline doesn’t save or store any images or biometric data. “Nor do we have plans to,” says Kathryn Steele, an airline spokeswoman.

CBP also says it treats biometric data by the book. It doesn’t retain the new images of U.S. citizens after they have been matched to photographs on file. The agency is committed to building a biometric entry-exit system “in a way that secures and facilitates lawful travel while protecting the privacy of all travelers,” says Nate Peeters, a CBP spokesman.

The problem, though, goes far beyond what a few airlines and cruise lines are testing. “It is common to have your fingerprints scanned and your picture taken at ports of entry around the world,” says Scott Shackelford, a professor of business law and ethics at Indiana University and chair of the school’s Cybersecurity Program. “It is legitimate to question who has access to these data.”

Fair question, CBP says. “We’ve established stringent business requirements for carriers, port authorities and other approved partners in the biometric facial comparison process,” CBP’s Peeters says. “Partners must provide access for CBP to audit compliance with these requirements. And partners can’t use photos taken during the biometric boarding process for any other purpose.”

Some say the worries are overblown. Biometric data is the key to a safer and faster travel experience, according to those developing the technology. “Consumers are becoming more comfortable using biometric technology on a daily basis, thanks in large part to Apple’s Face ID,” says Robert Prigge, chief executive of Jumio, a company that develops facial-recognition systems. “Why shouldn’t the same technology that enables you to unlock your smartphone also make for a more streamlined travel experience?”

Prigge and others say the benefits are undeniable. They include minimizing hassles and ensuring faster transit times — no need to fumble for your ID while standing at the gate. “Face-based biometrics can ensure with high levels of accuracy that only legitimate travelers make it onto a plane,” he adds.

CBP says biometric facial comparison has helped it thwart impostors who use the legitimate travel documents of people they resemble. Since 2018, the government has identified more than 200 impostors, thanks to biometric facial-comparison technology.

Others are worried. Bart McDonough, chief executive of Agio, a cybersecurity and IT consultancy, agrees that facial ID and other biometrics technology might make travel faster and easier. “But we must ask whether this convenience comes at a far greater cost,” he says.

McDonough says airlines and other travel companies don’t seem to be asking the tough questions about the technology. Among them: How is the data being protected? McDonough says centrally stored biometric data is a sought-after prize for hackers. He cites a 2015 data breach at the U.S. Office of Personnel Management in which more than 5 million sets of fingerprints were stolen.

The problem extends beyond a few airlines taking snapshots of passengers at the airport. CLEAR, which allows travelers to skip the travel document checker at security checkpoints, uses eye scans and fingerprints to confirm your identity. Global Entry kiosks take your picture. Facebook and Google have deployed sophisticated facial-recognition technology that can almost always recognize you.

“Interestingly, very few seem to have an issue using a fingerprint to access Disney World or other private-sector venues,” says Darren Hayes, a Pace University computer science professor.

Andrew Selepak, a media professor at the University of Florida, says the public doesn’t have options in some situations. “We are not given an alternative in locations that take biometric data,” Selepak says. “Instead, we are forced to comply as companies like Disney or the government take our unique personal data and track and monitor our movements.”

For now, you can opt out of facial recognition at the airport and use what CBP calls an “alternative means” of verifying your identity. In other words, CBP or airline officials will do it the old-fashioned way: by inspecting your travel documents. And you won’t lose your place in line if you prefer to use your ID.

But who knows what the future holds? Someday, it might be possible to verify your identity as you walk into the terminal without even notifying you. Now that would be scary.