Date: March 12, 2019
Plans to bring facial recognition to major U.S. airports by 2021 are on a fast flight path, despite concerns about the new technology’s readiness.
President Trump in 2017 issued an executive order expediting the deployment of biometric verification of the identities of all travelers crossing U.S. borders. It stipulates that facial recognition identification be used in the top 20 U.S. airports for “100 percent of all international passengers,” including American citizens, by 2021.
The mandate to accelerate the timeline for implementation of a biometric system initially was signed into law by President Obama.
Critics have cited questionable biometric confirmation rates and the lack of adequate legal guidelines as potential hurdles to adoption of the facial recognition plan.
Nevertheless, the United States Department of Homeland Security is rushing to get those systems up and running at airports across the country, according to leaked documents obtained by the nonprofit research organization Electronic Privacy Information Center.
DHS is doing so in the absence of proper vetting or regulatory safeguards, and in defiance of the law, according to some privacy advocates.
EPIC on Monday made public a 346-page document revealing that U.S. Customs and Border Protection has been scrambling to implement a “biometric entry-exit system.” The goal is to have the facial recognition technology in place within two years.
The system would scan travelers’ faces aboard 16,300 flights per week. That process will involve more than 100 million passengers traveling on international flights out of the United States.
A component of this technology makes identification and protection easier, but there is also the potential for mistakes, suggested David Katz, a partner at Adams and Reese.
“We have to balance the possibility for a false positive or a mistake in identification against the security the technology ultimately provides to the larger population,” he told TechNewsWorld.
Muddled Flight Plan
The released documents explicitly state that no limits exist on how partnering airlines can use this facial recognition data. They do not clarify whether any guidelines exist for how other technology companies involved in processing the data potentially could use it.
During a data privacy meeting last December, CBP altered a previous condition by limiting participating companies from using the data, according to the documents, although how it would enforce that new rule is unclear.
There is no explanation of CBP’s current policies around data sharing of biometric information with participating companies and third-party firms. The documents note that CBP retains photos of non-U.S. citizens departing the country for up to 14 days. That holding period is for “evaluation of the technology” and “assurance of the accuracy of the algorithms.” It is unclear whether CBP intends to use retained photos for further training of its facial matching artificial intelligence.
CBP skipped portions of a critical “rule-making process” requiring the agency to solicit public feedback before adopting technology intended to be broadly used on civilians, the documents suggest. This is a touchpoint for privacy advocates concerned about the potential for privacy, surveillance and free speech violations that might result from the facial scanning technology.
It poses concerns, because facial recognition technology currently is troubled by issues of inaccuracy and bias, according to a Buzzfeed report on the documents provided by EPIC.
For example, the American Civil Liberties Union last summer reported that Amazon’s facial recognition technology falsely matched 28 members of Congress with arrest mugshots. Those false matches were disproportionately people of color.
No Rules, No Oversight
Facial recognition technology is already in use in 17 international airports, including Atlanta, New York City, Boston, San Jose, Chicago and two in Houston. It appears the U.S. government is working quickly to get it into every major airport in the country.
The U.S. has no laws governing the use of facial recognition. No courts have ruled on whether it could be considered an illegal search under the Fourth Amendment.
The accelerated deployment time might create more problems than it solves. According to the leaked documents, CBP wants facial recognition at “initial operating capability” by year’s end. The agency wants to use it for as many as 30 international flights across more than a dozen U.S. airports per day.
Rapid Deployment Planned
CBP began its first pilot for facial recognition technology in airports in 2016 at the Hartsfield-Jackson Atlanta International Airport. Once a day, for a flight from Atlanta to Tokyo, CBP officers biometrically matched passengers’ passport photos to real-time photographs. The pilot program involved all passengers between the ages of 14 and 79.
CBP three months later switched to a daily flight from Atlanta to Mexico City. By late 2016, CBP was running tests on an average of seven flights per week, according to the Buzzfeed report on the leaked documents.
CBP added more international airport locations in 2017. The number running the facial recognition technology now stands at 17 airports with three more in the planning stages.
During its 2017 expansion, CBP replaced its Departure Information System with a more advanced automated matching system, the Traveler Verification Service (TVS). It could be used in a virtual, cloud-based infrastructure capable of temporarily storing images and operating via a wireless network, according to the CPB documents. The new system automatically could transmit confirmation of a biometric match across other DHS systems once a passenger boarded a plane.
The goal for the rapidly expanding facial recognition sites was to further assess facial matching technology as a viable solution, according to the DHS Office of Inspector General (OIG) audit of the government’s facial recognition biometrics program published last year. CBP concluded from those tests that facial recognition technology was the best operationally feasible and traveler-friendly option for a comprehensive biometric solution.
Flaw-Riddled Results – or Not
The OIG audit provides a questionable track record for facial recognition accuracy. It covers the time the TVS was in use, from August to December 2017.
The field test results were unclear:
- CBP was able to provide biometric confirmation for only 85 percent of passengers processed;
- Its matches for certain age groups and nationalities were inconsistent;
- Its recognition of Mexican and Canadian citizens were notably problematic;
- CBP did not previously establish a reliable algorithm for photo matching.
The low confirmation rate poses questions about CBP’s ability to meet its deadline to confirm all foreign departures at the top 20 U.S. airports by fiscal year 2021, according to the audit.
Confirmation rates for CBP’s biometric exit system since have risen to 98.6 percent, according to an agency spokesperson.
Benefits Outweigh Risks?
Facial recognition technology can bolster passenger safety by removing threats. It can be an effective way to vet international travelers prior to their entry into the U.S.
“When utilized in collaboration with international law enforcement agencies or in conjunction with other private data sources, [it] has great potential to stop individuals who have been previously identified as bad actors by law enforcement from entering the country,” Adams and Reese’s Katz said.
In general, facial recognition can be more reliable than human beings performing similar functions, especially when an individual already has been identified by another source, he added.
Facial recognition technology represents a new wave of identity and authentication solutions. International travelers will be able to authenticate their identities much more easily when passing through Customs, according to attorney David Reischer, CEO of LegalAdvice.com.
“There will be no more searching for a passport and digging through pockets at check-in to show your boarding pass,” he told TechNewsWorld. “Going forward, a person’s face will be their passport. Travelers will now be able to access lounge and VIP facilities without having to show a membership card or a boarding pass. Airlines will be better able to personalize VIP services they provide.”
Privacy advocates maintain that Fourth Amendment prohibition of unlawful searches should limit the government from scanning, recording, matching and saving a person’s face in a massive federal database, noted Reischer.
“The right to privacy should prevent an unlawful scanning of a person’s face to be collected and saved in a central repository owned by the government,” he said. “There are legitimate concerns of a mass surveillance state developing, whereby an individual’s biometric data is obtained without a legitimate purpose.”
The two fundamental arguments consistently heard over the years against the use of biometric methods of identification — not just facial recognition — have focused on governmental abuse of power and the inherent risk of compromise, noted Matan Scharf, senior security solutions manager at Synopsys.
The first leaves the question of biometric identification open to debate, as to whether it is beyond the minimum required for effective boarder control. The second is the lucrative target for hackers the government’s plan could provide.
“Private information might be exposed in such a scenario, in which an individual can have their privacy completely destroyed without the ability to recover,” Scharf told TechNewsWorld.
Safe but Troublesome
Facial recognition, like most biometric methods of identification, has the inherent advantage of being considered relatively safe. It is hard to fool or circumvent, Scharf warned.
Concerns revolve more around how the technology is applied than its actual use. For instance, the different methods used for facial recognition vary in the level of integrity that they offer, such as the differences between a simple image and an infrared image. Some are easier to fool than others, he pointed out.
The most interesting advantage of the currently selected technology is that it is the only biometric identification method in which the sample, or the input used (that is, the person’s photo), has an inherent mechanism for self-destruction — aging.
“In that sense, compared to the current use of fingerprint scanners, this is a more privacy-enabling solution,” said Scharf.
Growing Public Approval
The general public may be more willing to forego privacy concerns over safety and convenience issues, a recent Acuant survey shows. Among its findings:
- Nearly a quarter of Americans (23 percent) who had ever been to an airport admitted to boarding a plane with nothing more than a credit card in place of an official, TSA-approved photo ID card.
- Fifty-nine percent thought that using biometrics when passing through TSA checkpoints would make flying safer — by increasing identification accuracy, for example.
- Almost half (46 percent) said they would feel safe and comfortable using ePassports — that is, passports with biometric information.
- Forty-five percent said they would be on board with using a digital ID, and 43 percent said they would be comfortable with retina scans to confirm their identity.
“Internationally, there are more use cases with biometrics in smart airports. There are more than 1 billion ePassports in service globally in more than 120 countries,” said Acuant CEO Yossi Zekri.
“Today this is mainly manifesting as a more expedient boarding process via eGates that use this technology, with the U.S. catching up with the rollout and trial of these gates,” he told TechNewsWorld.
The current controversy is focused on security and border control. However, there also is potential to use biometric technology to enhance the personal traveler journey by creating more customized retail opportunities, Zekri pointed out, and offering conveniences that perhaps seem out of a sci-fi movie today, but easily could be tomorrow’s reality.
What Do Privacy Advocates Want?
Travelers must be allowed to consent to their faces being scanned, said LegalAdvice.com’s Reischer. Any data that is acquired by the government during such a scan should be deleted after it is determined not to fit a database of known criminals.
“There is no reason that the government should be allowed to keep a permanent record of a person’s face and other biometrics without their explicit consent,” he said.
What is needed is a much broader national dialogue about the government’s collection and use of biometric technologies, maintainted Adams and Reese’s Katz. At the highest levels of our government, there should be concern and conversation about how such technologies are managed.
It is important “to ensure individuals’ rights to privacy are maintained, even as we seek to leverage the benefits of these technologies for national security,” he said.
While the mandate was signed into law several years ago, the technology may not yet be strong enough to be held accountable for national security measures, said Larry Trowell, principal security consultant at Synopsys.
“Let’s take the iPhone facial recognition software as an example. When it first came out, Face ID was alarmingly simple to fool,” he told TechNewsWorld. “Apple has since strengthened the functionality, and hopefully that is exactly what the CPB is doing in testing their facial recognition technology.”
By: Jack M. Germain