Privacy alert: US airport gets self-serve biometric screeners

Published: 9 May 2023
US airport general boarding
Image by Bandersnatch | Shutterstock

The US Transportation and Safety Administration (TSA) installs its first automated biometric screeners at the busy Baltimore Washington International Airport (BWI), raising privacy concerns among advocates and US lawmakers.

Three dozen of the credential authentication technology (CAT) units – each featuring a camera to match the photo on a person’s ID, with the person presenting the ID were installed at BWI security checkpoints last week.

TSA spokesperson for the Northeast, Lisa Farstein, said the self-serve units will "reduce touchpoints" by eliminating the need for TSA officers to handle passenger boarding passes or photo IDs.

ADVERTISEMENT

“The benefits: improved efficiency, convenient for travelers and enhanced security,” Farstein tweeted about the cutting edge technology.

The devices will also allow one TSA officer to staff multiple security gates simultaneously, streamlining the checkpoint process.

Christopher Murgia, TSA’s Federal Security Director for Maryland, said the second generation CAT-2 biometric screeners help to ensure the TSA knows exactly who is boarding flights.

“The system also confirms the passenger’s flight status by verifying that the individual is ticketed to fly out of that airport on that day,” said Murgia.

The facial recognition technology is said to enhance detection capabilities for identifying fraudulent documents at the security checkpoint, according to the TSA.

But not everyone is happy with the idea of their biometric data being held in storage servers being controlled by a government agency.

According to a January 2022 TSA privacy impact report on the automated technology, during routine screening operations, TSA will delete the Secure Flight passenger data stored on CAT-2 within 24 hours of the original flight departure time.

ADVERTISEMENT
TSA Cat biometic screener
Transportation Security Administration (TSA)

The report also states once a CAT-2 device matches the photo ID to the face of the person standing in front of it, the CAT-2 device immediately overwrites the live image when the next passenger scan begins, or if an agent logs out of the machine.

But in other instances, exactly how long a person’s image and information will be stored is murky at best.

For example, when a passenger presets their photo ID to a booking or airline agent, that photo is then held in the TSA’s Secure Flight system, the report states.

The Secure Flight system sends that photo to the CAT-2 screener in preparation for the passenger’s arrival, where they will go through the same authentication process, this time at the destination's security checkpoint.

An agent will compare the stored TSA photo to the photo ID manually presented by the passenger, or if the airport is equipped with facial recognition software, require the person to take another live photo for comparison on the spot.

How long those passenger photos are being saved for each leg of their trip is certainly not clear.

The report claims the TSA will collect "only the personally identifiable information directly relevant and necessary to perform identity verification and to assess critical operational and technological components of CAT-2."

Yet, the report also states the data from the CAT-2 device will be provided to the Department of Homeland Security’s Science & Technology Directorate (S&T) “pursuant to a Memorandum of Understanding“ – whatever that means.

It goes on: “The S&T will delete the data no later than 24 months following receipt in accordance with the approved TSA record retention schedule for security technology.”

ADVERTISEMENT

Definitely more than the 24 hours they have announced to the public.

Heathrow biometric scanners
Facial recognition scanners at Heathrow Airport, London

Another bone of contention for privacy advocates is the ability for individuals to opt out of the biometric facial recognition program all together.

The TSA states the agency “will only collect facial images and biographic information from passengers who opt to participate.”

But so far, the TSA has not provided a way for the public to choose either option.

In fact, in February, a half dozen US senators penned a letter to the TSA calling the use of facial recognition technology at domestic airports “alarming” and “a risk to civil liberties and privacy rights.”

“While TSA claims that facial identification scans are not mandatory, it is unclear how travelers will know that they can “opt-out,” and what the consequences for travelers are if they choose to opt-out, “ the senators wrote.

The senators also argue that the CAT-2 devices will most likely "exacerbate racial discrimination."

Citing a 2019 study by the National Institute of Standards and Technology, the senators pointed out that "Asian and African American people were up to 100 times more likely to be misidentified" by the technology than white people.

Besides government misuse of the sensitive data collected, the six senators also expressed concerns about threat actors hacking into TSA systems and stealing passengers' personal information.

ADVERTISEMENT

Meanwhile, Thursday, the TSA awarded the biometrics company Idemia Identity and Security of North America a federal contract worth $128 million to produce the new CAT-2, proving the TSA is full steam ahead with plans to roll out the devices to more airports this summer.

Idemia has already delivered over 2000 first generation CAT units to the TSA from a previous deal.

Those original CAT devices, which are not automated, are currently installed and being tested at 16 major airports around the nation, including Atlanta, Denver, Los Angeles, and Miami.

TWEET

Biometrics and facial scanning are already being used or planned to be used in several major airports in large cities and by at least two airline carriers around the world, including London’s Heathrow Airport, Frankfurt, Sydney, and the Dubai-based Emirates Airlines.

Italian’s privacy watchdog – known for its recent ban on ChatGPT over data privacy concerns (now lifted) – is currently suing low-cost Ryanair over the use of the technology in Italy.

The TSA said the CAT units contain a “library” of IDs allowing the unit to authenticate more than 2,500 different types of identification photo documents, including passports, military IDs, US Visas, and state driver’s licenses.

The agency also put out an RFI bid for biometric security firms to pursue compatible recognition technology that would allow passengers to be screened without having them stop walking, pose, or remove articles of clothing.

With current CAT-2 systems, an automated e-gate opens once the individual is verified, allowing them to proceed.

ADVERTISEMENT
Share
Post
Share
Share
Share
More from Cybernews
By participating in this viral trend, you help train AI where it struggles the most
Windows hibernation may contribute to SSD wear as storage costs rise
UFO skeptic Michael Shermer apologizes to David Grusch
Man tries to make a sale on Facebook Marketplace, gets scammed out of $300 via Zelle
Critical FFmpeg flaw discovered: just watching a video can fully compromise your system
The world's top intelligence alliance: AI could supercharge cyberattacks within months
ADVERTISEMENT