The U.S. Department of Homeland Security in December backed
off the idea of requiring facial scans of U.S. citizens entering and leaving
the United States. After seeming to propose the rule in its November unified
agenda, DHS came under fire from privacy advocates as well as the National
Institute of Standards and Technology, which concluded in a recent
cross-study that gender and racial bias is baked into facial recognition
algorithms across the board.
If there's not enough packed into that opening paragraph to
concern travel managers, here's something to consider: Airlines are rolling
forward with a bunch of facial recognition initiatives at international
airports throughout the U.S.—and there are plenty of other initiatives already
in play in Europe and other regions. China has the most sophisticated and
invasive initiative in place. But let's focus on the United States.
There are two layers of U.S. facial recognition applications
currently in play. The first is the official application used by U.S. Customs and
Border Protection to screen non-citizens as they arrive and depart. This
includes digital fingerprinting and taking scans of visitors' faces upon
arrival.
DHS asserts biometrics achieve more accurate and speedier
results than relying on humans to perform the same tasks. As a result, CBP has
rolled out optional facial recognition-powered clearance for U.S. citizens at a
number of major international airports. The biometric lanes are optional for
U.S. citizens, but privacy advocates say that springing such a choice during
the travel process does not adequately inform citizens about how their
information will be used, how long it is retained or what the alternatives are.
Casting the manual option as slower and more arduous, they say, also unfairly
penalizes those who choose it and actively pushes citizens toward the biometric
choice.
The second application is commercial. Airlines—particularly
Delta in the U.S.—are rolling out biometric boarding processes at major
airports throughout the country. The technology works in tandem with CBP,
snapping a photo at the gate and sending it to CBP to match against the
photos already associated with the flight manifest. It's slick; it's easy; and,
according to the airlines, it significantly reduces the time it takes to board
large aircraft. And it's optional for all passengers; plus, airlines are
required to purge photos after 24 hours.
And customers like it. According to the International Air
Transport Association, they want more. IATA's 2019 Global Passenger Survey
found that "70 percent of passengers are willing to share additional
personal information including their biometric identifiers to speed up
processes at the airport." The report also noted that the percentage
willing to do this "increases in correlation with the number of flights
taken per year." That means business travelers.
So the question isn't whether biometric identification will
continue its march through airport processes, but how. And how will it be
monitored? Because there are risks.
- Data security: A CBP data breach disclosed in
June underscored that U.S. government data is hackable. The incident last year
involved a CBP subcontractor that transferred data to its own servers, outside
of official protocol. Those servers were then hacked, exposing photos and license
plates of an estimated 100,000 people. The subcontractor continues to work for
CBP, according to the Washington Post.
- Baked-in bias: The NIST study showed that facial
recognition technologies have systemic weaknesses in terms of successfully
matching women and individuals of certain races to a large universe of photos.
Currently, CBP and airlines are comparing photos to small data sets, which
mitigates mismatches. Depending upon the application, misidentification could
be simply an inconvenience or could place an individual into a context of
suspicion.
- Mission creep: While we may not like to consider
this, it happens. And the proposed rule from DHS last fall was a sign that
facial recognition could easily be leveraged beyond its original intent, which
actually had its basis in a post-9/11 initiative. Requiring U.S. citizens to
submit to facial scans when leaving or entering the country stretched outside
the mandate of the 9/11 initiative, which focused only on foreign nationals. It
also seems to stretch beyond congressional authorization, which approved
funding for the initiative in 2017 based solely on collecting data from foreign
nationals.
Even though DHS stepped back from its proposed rule that
would have required U.S. citizens to submit to facial scanning, there's nothing
in particular stopping the administration from proposing it again. The fact
that customer demand is moving in the direction of biometrics nearly guarantees
that airlines and airports will push to do more with facial recognition
technology as well.
Certain states have begun to prepare for such eventualities.
The California Consumer Privacy Act and the specific Biometric Information
Privacy Act in Illinois are starting to address how biometric information can
be handled from a commercial standpoint. We can expect more state legislatures
to get into the fray on this—and we may be looking at a patchwork of
legislation as a result.
I predict legislation will begin to formulate on a federal
level as well. How far will it go? Currently, legislators on both sides of the
aisle have misgivings about how broadly facial recognition and other biometric
identification technologies should be implemented. Democratic Sen. Edward
Markey of Massachusetts and Republican Sen. Mike Lee of Utah, for example, are
both vocal about the use of the unregulated technology. What these or other
legislators might propose and how it might be received by each party remains to
be seen—but is definitely something to watch in 2020.