By Jerri-Lynn Scofield, who has worked as a securities lawyer and a derivatives trader. She is currently writing a book about textile artisans.
Last week, Jet Blue customer and US citizen MacKenzie Fegan was asked to look into the camera of a facial recognition scanner – rather than present a boarding pass or her passport – to be allowed to board a flight leaving the US.
She tweeted her concerns to Jet Blue, and the thread went viral.
I encourage readers to read the entire thread: it’s short and covers the crucial issues: consent; and how the information is acquired and stored.
I just boarded an international @JetBlue flight. Instead of scanning my boarding pass or handing over my passport, I looked into a camera before being allowed down the jet bridge. Did facial recognition replace boarding passes, unbeknownst to me? Did I consent to this?
— MacKenzie Fegan (@mackenzief) 17 April 2019
Techdirt highlighted the lame JetBlue response in A Seamless Journey Awaits You On The Outbound Flights: All You Have To Give Up Is Your Face:
JetBlue responded to Mackenzie Fegan with the sort of apology one offers on Twitter: I’m sorry this made you feel [x]. The option no one at JetBlue will point out to you remains an option.
You’re able to opt out of this procedure, MacKenzie. Sorry if this made you feel uncomfortable.
Note that it’s “this” and not “we.” This is how a corporate entity absolves itself of responsibility while nominally offering an apology. Good stuff.
How Long Has This Been Going On?
ABC News reports that certain US airports are indeed using facial recognition scanners to allow passengers to board flights, using a database compiled and maintained by U.S. Customs and Border Protection:
JetBlue announced the roll-out of its “fully-integrated biometric self-boarding gate” at JFK International Airport in a press release from November 2018.
The announcement boasted that passengers wouldn’t need to pre-register or anything and all they needed to do was approach the camera for a photo match and march their way into the plane.
JetBlue is not alone in participating in this scheme, according to Gizmodo, What Your Airline Won’t Tell You About Those Creepy Airport Face Scanners. American Airlines, British Airways, Delta, and Lufthansa have also signed on.
The Hill today examined the wider Department of Homeland Security (DHS) program:
DHS has been implementing its “biometric exit” program, which photographs some visitors when they are departing the U.S., for years, expanding to 15 major airports with plans to reach five more. President Trump in 2017 signed an executive order speeding up the rollout of the face-scanning technology, and Congress in 2016 authorized up to $1 billion over the next 10 years to implement the program.
The stated purpose of the program is to identify non-U.S. citizens who have overstayed their visas, but it captures the faces of U.S. citizens as well. The agency says it has successfully identified 7,000 people at major U.S. airports who have overstayed their visas.
The DHS report published last week, which was provided to the House and Senate judiciary committees, is the latest sign that Customs and Border Protection (CBP) — DHS’s largest federal law enforcement agency — is fast-tracking the implementation of the program at the country’s largest airports.
Privacy and Moi
I should mention, I’ve long been concern about privacy issues. So, as a new MIT student in 1979, I opted out of allowing the Institute to use my social security number as my student ID. I don’t consent to allow those whiz bang full-body scanners to scan me when I pass through US airports – and instead, I’m resigned to DHS taking their sweet time to find someone to hand inspect me. And I still don’t have a smartphone.
Nonetheless, the DHS facial recognition juggernaut trundles on, despite myriad problems.
I’ll just mention two here.
How Is It Secured and Verified?
Embedded in this misguided facial recognition system is our old friend the biometric identification fairy. Iv’e debunked this false god at length here. To repeat: one major problem with using biometrics to verify identity is that when such systems are hacked or corrupted – as they inevitably will be – victims will not be able easily to get new fingerprints, retinas, or faces to allow them access to whatever biometrics were being used to verify their identities.
Flawed Software: Misidentifications
Current facial recognition software is deeply flawed, and not randomly skewed.
So, previous reports indicate that facial recognition software provides less accurate results for women and people with darker complexions, according to Gizmodo:
Over and over again, facial recognition systems have been found to be less accurate when identifying women and people with dark complexions. Just last year, the ACLU found that Amazon’s face-scanning system matched 39 percent of non-white U.S. representatives to mugshot photos.
When it comes to CBP’s face-scanning program, we don’t even know how biased it may or may not be. Asked if the CBP’s facial scans had a disparate impact on any demographic groups, a CBP spokesperson told Gizmodo the agency was “still looking further into this question.” (A CBP official gave a similar answer in 2017.)
These are not the only misidentification concerns, according to The Hill:
DHS face scans have been shown to misrecognize U.S. citizens, as well as young and old people, at higher rates, according to a September audit of biometric exit by the DHS Office of the Inspector General.
U.S. citizens, according to the watchdog report, were up to six times more likely to be rejected by DHS than non-U.S. citizens last year. And individuals under the age of 29, who accounted for 18 percent of all passengers, accounted for 36 percent of all passengers rejected by DHS’s system.
What’s the DHS response been to objections over misplaced reliance on biometrics? Well, the same as it has been since the DHS originally announced its facial recognition program in 2017, as Techdirt DHS Goes Biometric, Says Travelers Can Opt Out Of Face Scans By Not Traveling first noted at that time: a waffly variation on: Don’t Fly.
Some of the reports I’ve seen indicate that people can at the moment opt out of the DHS procedures – although I’d not be surprised to see that option is limited to US citizens only. But I don’t think procedures for doing so are altogether transparent, even now, while this program is being phased in.
What Is to Be Done?
I’m not alone in my concerns about the DH roll-out of facial recognition to international travellers leaving the US through its airports – a project being undertaken with scant attention to transparency, oversight, public input – or evenlstandard rule making procedures of long-standing
In March, Senators Edward Markey and Mike Lee reiterated earlier calls for agency rulemaking on the issue, to set rules of the road – so far to no avail, according to heir press release:
Senators Edward J. Markey (D-Mass.) and Mike Lee (R-Utah) released the following joint statement regarding the release of new documents obtained from the Department of Homeland Security (DHS) and Customs and Border Protection (CBP) that detail the expansion of facial recognition technology to all international travelers traveling through the top 20 U.S. airports by 2021. The documents make it clear that American citizens will be swept up in this practice as the CBP admits there is not enough time to separate U.S. citizens from non-U.S. citizens. The documents also reveal that airlines do not currently face any limits on how they can use travelers’ facial data after being tasked by the CBP to retain the equipment necessary to implement facial recognition screening.
“Since the Department of Homeland Security began scanning travelers’ faces at U.S. airports, we have repeatedly called on the agency to honor their personal commitment to complete a rulemaking to establish privacy and security rules of the road,” said Senators Markey and Lee. “Despite these commitments, DHS has failed to follow through and appears to be expanding the program. Further, DHS has a statutory requirement to submit a report to Congress detailing the viability of biometric technologies, including privacy implications and accuracy. DHS should pause their efforts until American travelers fully understand exactly who has access to their facial recognition data, how long their data will be held, how their information will be safeguarded, and how they can opt out of the program altogether.”
Markey reiterated these concerns in a statement to The Hill, reported today:
“The Department of Homeland Security is plowing ahead with its program to scan travelers’ faces, and it’s doing so in absence of adequate safeguards against privacy invasions, data breaches, and racial bias,” Sen.Ed Markey (D-Mass.) said in a statement to The Hill. “Homeland Security should change course and stop its deployment of facial recognition technology until it meets that standard.”
The CBP to date has failed to complete parts of the formal rulemaking process that requires federal agencies to solicit public comments, notwithstanding the strenuous objections of privacy advocates.
Over to The Hill again:
“DHS wants to scan your face before it has issued formal rules to protect your privacy,” Harrison Rudolph, an associate at Georgetown Law’s Center on Privacy and Technology, told The Hill. “Without rules, there could be little that stands in the way of DHS breaking its privacy promises. That’s deeply alarming.”
Neema Singh Guliani, a senior legislative council at the American Civil Liberties Union, told The Hill that she is concerned by CBP’s refusal to establish rules around how passengers can opt out of face scanning.
“The agency has not undertaken any rulemaking to clarify how it’s going to use this information, what privacy protections will apply, what recourse individuals may have in the event that their privacy is violated,” Guliani said. “They haven’t provided clarity or information as to how U.S. citizens or others can opt out of face recognition.”
The Electronic Privacy Information Center (EPIC) has been active on this issue. It previously filed a lawsuit about a facial recognition program at the Mexican border, and last month released documents obtainedvia a Freedom of Information Act (FOIA) request on the airport program.
There’s precious little attention to privacy issues emerging on the 2020 agenda, as far as I can see.
Readers: What do you think?