Legal Brief: Airport Facial Recognition and Privacy

As I write this, I am traveling on a “red eye” (overnight) flight from Los Angeles to New York after a long week of meetings and depositions. I have traveled a lot lately, which means crowded security lines at the airport. They are not fun, but I know airport security is critical to our safety.

In the old days, airport security was provided by private companies. The 9/11 tragedy changed all of that, and Congress soon passed the Aviation and Transportation Security Act, creating the Transportation Security Administration (TSA) – resulting in much stricter security measures.

Over the years, the TSA has evolved to adopt various technologies to strengthen security and expedite passenger processing. One of its newest developments is its facial recognition scanning system. In use at nearly 250 airports across the United States, it replaces traditional methods like showing an ID and a boarding pass.

Called Credential Authentication Technology (CAT-2), TSA’s facial recognition technology reduces wait times, speeds up boarding, and improves the accuracy of identity verification security checks by comparing passengers’ faces to the photo on their passport or Real ID. Before a flight, the passenger presents a boarding pass and ID at the security checkpoint. Their face is scanned by the CAT-2 system, compared to the ID photo, and if identity is confirmed, the passenger is cleared.

Having traveled a lot lately, I can validate that the technology works for its intended goal: to spped up the security line. And I like it.  

Privacy Implications

The process is fast and easy; however, some have privacy fears and concerns – claiming the system is too invasive, potentially inaccurate, and violates core privacy principles. They think personal data could be misused or stored without consent, and being falsely flagged as a security threat is a quick way to ruin a trip, or at least cause delays due to misidentification. 

TSA claims travelers can opt out of facial recognition without penalty; however, some fear opting out results in suspicion and leads to delays getting through security or even possible detention.

Anecdotally, the method of opting out was not apparent to me in my travels. While the option may exist and may be posted, it is not posted prominently, and I have yet to see a passenger exercise that option.

Passengers need clear information about their options to opt out without meaningful repercussions. According to TSA, photos taken by the system are discarded shortly after use. To comply with core data privacy principles, it is important that TSA not store biometric information (including images) for the long-term or share that information with other parties, including other government agencies (except for legitimate and contemporaneous law enforcement purposes).

For the system to gain widespread acceptance, TSA must focus on improving accuracy, transparency, and making it easy for passengers to understand. If safeguards exist, they should be published prominently at the actual checkpoints – not in some random regulation somewhere that nobody (except law nerds like me) will read.

Success will depend on how TSA manages to balance efficiency with transparency, and whether the public embraces a balance between security and privacy. By improving communication, offering better options for opting out, and addressing privacy concerns head-on, TSA can increase the likelihood that travelers will embrace this new technology.