In a viral exchange on Twitter this week, journalist McKenzie Fegan recounted how she looked into a camera, received a face scan, and then boarded an international JetBlue Airways flight.
“Did facial recognition replace boarding passes, unbeknownst to me? Did I consent to this?” Fegan tweeted at JetBlue.
A JetBlue Airways spokesperson responded, “You’re able to opt out of this procedure, MacKenzie. Sorry if this made you feel uncomfortable.”
But Fegan had more questions, and what followed roiled the privacy world:
Fegan: “Presumably these facial recognition scanners are matching my image to something in order to verify my identity. How does @JetBlue know what I look like?”
JetBlue: “The information is provided by the United States Department of Homeland Security from existing holdings.”
Fegan: “So to be clear, the government provided my biometric data to a privately held company? Did I consent to this? How long is my data held by @JetBlue? And even if I opt out at the scanners…you already have my information, correct?”
JetBlue: “We should clarify, these photos aren’t provided to us, but are securely transmitted to the Customs and Border Protection database. JetBlue does not have direct access to the photos and doesn’t store them.”
Unsurprisingly, this inspired a passionate reaction from airline passengers and privacy groups alike, even though JetBlue announced its “your face is your boarding pass” initiative back in November. Notably, JetBlue didn’t include any details about how to opt-out of the biometric screening process in its November press release, and the airline still hasn’t addressed privacy concerns over biometric screening.
The Electronic Frontier Foundation, an advocacy group with hardline stances on privacy, responded to the Twitter exchange with a lengthy blog post detailing how airline passengers and even retail customers can try to opt-out of facial recognition surveillance.
Meanwhile, the big news for most consumers is that retailers like Target are using and experimenting with facial recognition tech too. Peter Trepp, CEO of FaceFirst, a facial recognition tech company, told BuzzFeed that retailers amount to almost half his business. Retailers use the software to compare customers’ faces against a criminal database to stop repeat-offender shoplifters and prevent fraud.
A bill currently under consideration in California would require retailers to post signs near the entrance of their stores to let consumers know if they’re using facial recognition tech. According to Bloomberg, the California Retailers Association initially opposed the bill but withdrew opposition after the California Assembly extended the implementation deadline to June 1, 2020.
“The key to opting out of face recognition is to be vigilant,” EFF Digital Strategist Jason Kelley wrote in the blog post. “There’s no single box you can check, and importantly, it may not be possible for non-U.S. persons to opt out of face recognition entirely. For those who can opt out, you’ll need to spot the surveillance when it’s happening. To start, TSA PreCheck, Clear, and other ways of “skipping the line” often require biometric identification, and are often being used as test cases for these sorts of programs. Once you’re at the airport, be on the lookout for any time a TSA, CBP, or airline employee asks you to look into a device, or when there’s a kiosk or signage like those below. That means your biometric data is probably about to be scanned.”
Opting out isn’t easy. According to Kelley, you need to talk to a CBP agent or your airline in order to stop them from scanning your face — a process unlikely to please many passengers who already find dealing with airlines an arduous process.
Plus, Kelley notes, these airlines don’t have a terrific track record when it comes to handling sensitive personal data and user privacy.
“It’s easy for companies and agencies to tout the convenience of this sort of massive data collection and sharing scheme,” he wrote. “But as we’ve seen in notable privacy fiascos over the last few years — from Facebook’s Cambridge Analytica scandal, to the breaches of the Office of Personnel Management and Equifax in the U.S., to the constant hacking of India’s national biometric database, Aadhar—it’s the customers and passengers who will bear the burden when things go wrong, and they will go wrong.”
Businesses follow in the federal government’s footsteps with regard to surveillance technology. The USA PATRIOT Act allowed feds to wiretap Americans’ phones and scan their emails and financial records without a court order, so biometric screening is a natural next step.
The Department of Homeland Security’s Transportation Security Administration (TSA) rolled out a facial recognition software program last year, and senators Ed Market (D- Mass.) and Mike Lee (R-Utah) sent three letters to the DHS asking for more information, citing privacy concerns and subtly warning the DHS to provide an opt-out option for Americans.
Markey and Lee sent a fourth letter to the DHS in March, repeating their concerns and calling for a pause on the program until the DHS addresses their privacy concerns.
“We have repeatedly called on the agency to honor their personal commitment to complete a rule-making to establish privacy and security rules of the road,” said Senators Markey and Lee. “Despite these commitments, DHS has failed to follow through and appears to be expanding the program. Further, DHS has a statutory requirement to submit a report to Congress detailing the viability of biometric technologies, including privacy implications and accuracy. DHS should pause their efforts until American travelers fully understand exactly who has access to their facial recognition data, how long their data will be held, how their information will be safeguarded, and how they can opt out of the program altogether.”
As Kelley wrote in his blog post, the DHS, airlines and retailers haven’t provided a guarantee that their face scanners even have adequate cybersecurity to protect customers’ sensitive biometric data.
“Trading privacy for convenience is a bad bargain, and it can feel like the deal isn’t always one we have a choice in,” he said.