by Jennifer Lynch and India McKinney, Electronic Frontier Foundation
In 2018, we learned that expanded biometric surveillance is coming to an airport near you. This includes face recognition, iris scans, and fingerprints. And government agencies aren’t saying anything about how they will protect this highly sensitive information.
This fall, the Transportation Security Administration (TSA) published their Biometrics Roadmap for Aviation Security and the Passenger Experience, detailing plans to work with Customs and Border Protection (CBP) to roll out increased biometric collection and screening for all passengers, including Americans traveling domestically. Basically, CBP and TSA want to use face recognition and other biometric data to track everyone from check-in, through security, into airport lounges, and onto flights. If implemented, there might not be much you can do to avoid it: the Department of Homeland Security (DHS) has said that the only way we can ensure that our biometric data isn’t collected when we travel is to “refrain from traveling.”
The roots of this program go back a few years. In 2016 and 2017, DHS began ramping up its plans to collect face images and iris scans from travelers on a nationwide scale. In pilot programs in Georgia and Arizona in 2016, CBP used face recognition to capture pictures of all travelers boarding a flight out of the country and walking across a US land border and compared those pictures to previously recorded photos from passports, visas, and “other DHS encounters.” Now, agencies plan to roll out the program to all international flights and border crossings. They’re also partnering with private airlines and airports to collect and maintain the data. The government has said it will retain photos of U.S. citizens and lawful permanent residents for two weeks and information about their travel for 15 years and retain data on “non-immigrant aliens” for 75 years. There are no restrictions on how long private companies can hold onto the data or what they can do with it.
Flying domestic won’t keep your biometrics out of a database. The TSA roadmap explicitly outlines plans for collection of any biometrics they want from all travelers, wherever they use the airport. In the future, their database could be used outside of an airport context — after all, TSA’s Precheck, as well as Clear (a private company), have already begun using their technology at stadiums to “allow” visitors a faster entry.
It’s unprecedented for the government to collect, store, and share this kind of data, with this level of detail, with this many agencies and private partners. And the risk to all of us is real. India’s Aadhaar biometric database, built to reduce corruption and expanded for use by other public and private groups, keeps getting hacked. It is not only cheap to buy the information of one of the 1.19 billion people in the database, but the hacks also allow for new information to be entered into the database. Rather than increasing security, India’s biometric database created more problems and opportunities for corruption.
This is all particularly shocking when you consider that, at bottom, much of this data is not reliable at all. There are significant accuracy problems with current face recognition software, especially for non-white and female people. For example, earlier this summer the ACLU published a test of Amazon’s facial recognition program, comparing the official photos of 435 Members of Congress with publicly available mugshots. The ACLU found 28 false matches, even in this relatively small data set. According to the FAA, 2.5 million passengers fly through US airports every day, meaning that even a 2% error rate would cause thousands of people to be misidentified every day.
These airport biometrics programs threaten privacy on a mass scale. By collecting and retaining face recognition data and partnering with private companies that face no restrictions on data sharing, DHS is laying the groundwork for a vast surveillance and tracking network that could impact all of us for years to come. DHS could soon build a database large enough to identify and track all people in public places, without their knowledge — not just in places the agency oversees, like airports, but anywhere there are cameras.
TSA should not move forward on this plan. In 2019, EFF will continue fighting to make sure that we are all able to travel safely.
© 2018 Electronic Frontier Foundation, CC BY 3.0 US