U.S. Needs to Tighten Oversight of How Airlines Use Facial Recognition Data: New Government Report

The pandemic has deepened aviation sector interest in facial recognition technology for providing a more contactless way to process passengers.

This week alone, Spirit Airlines, the U.S. budget carrier, began testing the biometric technology at some gates at New York’s La Guardia and Chicago’s O’Hare airports. Also this week, the U.S. Transportation Security Administration said it had begun testing a self-service facial recognition system to verify traveler identification at Washington, D.C.’s Reagan National.

But the push to adopt the technology needs to come with checks on how it’s implemented. That’s a takeaway from a September report by the U.S. Government Accountability Office, which found that U.S. Customs and Border Protection has stumbled when it came to auditing partners for data security in its collection of biometric data from passengers.

Customs has deployed facial recognition technology to 27 airports for travelers leaving the U.S., and 18 airports for arriving travelers. Its multi-billion-dollar effort has used facial recognition to recognize more than 16 million travelers. In a plus, the agency said the tech helped to pinpoint seven impostors, or people traveling under aliases, between 2017 and 2019.

People who believe government bureaucracies are incompetent may dismiss the findings as not relevant to the private sector. But reading the report suggested that the private sector needs attention, too.

The Customs agency system’s correctly identified 98 percent of travelers exiting the U.S. in operational testing, above the legal requirement. (When the systems miss, agents do in-person checks as a backstop.)

The agency blamed its 2 percent shortfall in accuracy on airlines not consistently photographing all travelers. Airlines and airport authorities currently take part voluntarily.

Here’s how it works: Airlines snap photos of passengers and pass them along to the agency. Those that don’t submit copies of passports and other identification.

When passengers arrive in the U.S., the customs agency’s camera kiosks snap pictures at the airport. Computers attempt to match the photos to confirm the person’s identity.

Airlines Working in the Dark

The voluntary and incomplete nature of airline and airport participation is a problem, the watchdog report found.

The government watchdog warned that the agency’s auditing is too lax. Customs and Border Patrol had only audited one airline to ensure privacy compliance. The agency also didn’t have a plan to audit the other 26 participating airlines.

Monitoring performance is critical for facial recognition technology. U.S. regulations don’t permit commercial partners to store photos or use them for business purposes.

But without auditing, who knows if airlines and airports have proper processes for destroying the images they capture?

A lack of checks about data security is another matter the report raised. The agency uses two-factor authentication and encryption to transfer photos among its systems. Agency systems convert traveler photos into templates that “cannot be converted back,” the report said.

But a lack of security audits mean we don’t know how well airlines and airports take adequate cybersecurity precautions to prevent bad actors from accessing the databases.

Looking Ahead

Today, there’s no specific legal requirement for U.S. citizens to provide biometric identifiers on entering or exiting the country. But if the government ever mandates that, it will need to do more to assure best practices for data management by its teams, airlines, and airports, as the new watchdog report suggests.

More urgently, airlines and airports are already putting their own biometric plans into place. They need to act now to watch their data privacy and security practices are consistent and effective.

Some skeptics dismiss privacy concerns as Luddites wringing their hands without good reason. But the data involved in facial recognition is high value and deserves heightened scrutiny. If an identity thief steals one of your passwords, you can open a fresh account. But if they steal “your face,” you’ve only got one face.