JetBlue’s New Face Recognition Boarding Poses Privacy Risks
Program may help the Dept. of Homeland Security implement a biometric surveillance system that detects threats and suspicious activity
In a first-of-its-kind collaboration, JetBlue Airways announced last week that it will begin publicly testing a U.S. government face recognition system that verifies airline passengers’ identities by scanning their faces and checking against identity documents stored in U.S. government databases.
But the new system — which is initially being tested at the gate on flights to Aruba from Boston’s Logan Airport — also appears to be a step towards the government’s plan to roll out a new generation of advanced biometric surveillance technology at large U.S. airports. Based on documents released by the Department of Homeland Security (DHS), such a system could be used to do more than simply compare your face against your passport photo.
JetBlue is pitching its new “self-boarding” system as a way to “reduce friction points in the airport experience” by saving travelers time at the airport gate. According to the company’s press release, the face recognition program will not require customers to enroll their photos with the airline in advance. Instead, a camera at the gate captures each passenger’s face before boarding, and compares that image against photos from identity documents stored in U.S. customs databases, including U.S. passports and visas.
When asked for information about how long and for what purpose it retains photos and biometric data under the program, a U.S. Customs and Border Protection (CPB) spokesperson referred Vocativ to a recently-released Privacy Impact Assessment for CBP’s “Traveler Verification Service.” The JetBlue program represents the first official deployment of this service, which the agency first tested at Atlanta International Airport in July through November of 2016.
According to the Privacy Impact Assessment, photos taken at the gate are compared against “facial templates,” which are compiled from various sources in addition to visas and passport photos. In the 2016 pilot, these templates were assembled by sending face photos and biometric data to a risk analysis system called the “Automated Targeting System,” or “ATS-UPAX,” which according to a January 2017 Privacy Impact Assessment “compares information about travelers … against law enforcement and intelligence databases.” Specifically, the document says the targeting system incorporates data from a variety of opaque threat detection mechanisms, including “trend analysis of suspicious activity, law enforcement cases, and raw intelligence.”
It’s not clear from the document whether the CBP is actually using the Automated Targeting System to detect threats or run criminal checks on passengers who use JetBlue’s face recognition pilot program, and the CBP spokesperson would not elaborate when pressed for further comment. But given that the security agency has sought to roll out the Traveler Verification Service at major U.S. airports, privacy experts say the government has both the ability and the incentive to do so.
“It fits in line with what I think are really meritorious concerns about broader data sharing with these cameras, at the gate and throughout the airport,” Harrison Rudolph, a fellow at Georgetown University’s Center for Privacy and Technology who reviewed the documents, told Vocativ. “It certainly wouldn’t be surprising if when they scan your face, they also check it against a terrorist watch list.”
In response to Vocativ’s inquiries, both JetBlue and SITA — the company responsible for implementing the face recognition system — said they do not retain any traveler photos, and that each terminal at the airport gate transmits them directly to DHS.
A CBP spokesperson told Vocativ that photos of U.S. citizen travelers sent to the agency by the JetBlue program are only kept for a short time, whereas non-citizen data is retained longer under its “biometric exit” process, which is meant to verify when immigrants and U.S. visitors leave the country.
“CBP compares the live photo against the document photo presented to ensure the traveler is the true bearer of the document,” the spokesperson said in a statement emailed to Vocativ. “If the photo captured at boarding is matched to a U.S. Citizen Passport, the traveler is automatically determined to be out of scope for biometric exit purposes and the photo is discarded after a short period of time.”
The spokesperson referred Vocativ to the Traveler Verification Service’s privacy impact assessment, saying that photos of U.S. citizens, lawful permanent residents, and foreign visitors are retained in an “isolated part” of the Automated Targeting System “for no more than two weeks for confirmation of travelers’ identities, evaluation of the technology, assurance of accuracy of the algorithms, and system audits.”
“All newly-captured photos and templates will be deleted from ATS-UPAX within 14 days but will be deleted from the VPC no later than after the conclusion of the flight,” the spokesperson added. (VPC refers to the virtual private cloud used by the agency to store flight data.)
However, the agency made clear that biometric information derived from those photos is utilized to improve the system’s algorithms and augment individuals’ biometric templates. That means each time a person uses the DHS face recognition system before boarding a flight, it could strengthen the government’s ability to recognize that person’s face, both at the airport and in other places and contexts.
Despite JetBlue’s promise of more efficient air travel, it’s also unclear how much time the system will actually save. The process — which involves having each passenger stand in front of a camera for a few seconds before entering the flight deck — seems significantly more complicated than simply scanning each person’s boarding pass. Customers will also still be required to present their boarding pass while entering the security screening area, the airline said.
Whether or not it speeds up the boarding process, the program adds to a growing number of systems capturing biometric information from travelers at U.S. airports — many of which integrate with government databases used for national security purposes. In May, Delta began equipping baggage check areas with self-service kiosks that use face recognition to verify passengers’ identities. Another service called Clear similarly claims to streamline the airport security screening process in exchange for fingerprints and other biometric data.
Rudolph is wary of claims that JetBlue’s system will save travelers time — especially given the comparatively low accuracy rates of DHS’ face recognition system. Rather, he said, the company’s convenience pitch seems to be a red herring for a program that will allow DHS to implement long-discussed plans for implementing new biometric surveillance systems at U.S. airports.
“I think CBP envisions a day when your face is persistently tracked throughout the airport terminal environment, from the security checkpoint to the McDonald’s counter,” said Rudolph. “The really grave concern is when those face recognition systems are also checking against databases that aren’t just determining whether you’re supposed to be on the plane.”