The Transportation Security Administration released a sweeping plan last week to turn U.S. airports into the first large-scale, comprehensive application of face surveillance technology on the American public. This is not good news for privacy and civil liberties.

Under the TSA plan, which reads like a parody of warnings against “slippery slopes” in the expansion of surveillance technology, the agency would first streamline its partnership with the Customs and Border Protection’s new biometric exit program, which matches certain international travelers with their passport photos at the aircraft gate.

Meanwhile, facial recognition technology will supplant fingerprints as part of the emerging use of biometric check-in within the insidious TSA PreCheck program. The agency will then incorporate facial recognition into technology it’s developing that seeks to use biometrics and computers to replace agents in checking passengers’ IDs at security.

Finally, this would all culminate in the agency seeking to extend “biometric solutions to the general flying public.”

We know that the Department of Homeland Security has a sweeping technocratic vision for an all-biometric airport. In a briefing last year by DHS officials on CBP’s entry-exit facial recognition program, officials talked excitedly of a world where “your face is your passport” and biometrics are used not only for official status and identity checks but for everything in an airport, down to the purchase of goods in the duty-free shop. As The Verge reported last year, officials see current programs expanding into “an airport-wide system Customs officials call ‘The Biometric Pathway.’” One CBP official declared, “We’re going to build this for [Biometric] Exit…. But why not make this available to everyone? Why not look to drive the innovation across the entire airport experience?”

In the past couple of years, I’ve had discussions with and seen the presentations of a number of government officials and airport, airline, and other industry players on the subject of the future of airline security. The airport security community is looking at a wide variety of advanced tracking and surveillance technologies and has definitely embraced biometrics in a big way. One of the ideas floating around is “whole-airport security,” including “curb-to-gate passenger analysis.” That means extending the security architecture beyond the checkpoint, spreading it out across the airport through tracking of various kinds, including such things as video analytics. Face surveillance, of course, is key to that vision.

Some overseas airports have already tried to launch similar efforts. In China, where widespread use of face surveillance is part of an intensive regime of monitoring and control, the Shanghai airport has begun using the technology at check-in, security, and boarding gates. The Caribbean island of Aruba has launched a program with the hilariously Orwellian name “Happy Flow.” It promises “traveler-centric biometric technology, from curb to boarding!” Travelers are told, “Face it! You will love it!”

The TSA promises that its vision will be based on “opt-in” principles. That is certainly good — though it’s not hard to imagine that the ability to opt out will be either retracted by the TSA (as we have seen with body scans) or rendered so inconvenient as to be reduced to a protest for the stubborn. More broadly, the agency’s vision will not be possible without building a comprehensive face surveillance infrastructure that, once in place, will likely be technologically impossible to opt out of without wearing a mask.

In its new roadmap, the agency declares, “TSA will build the strategic, architectural, policy, requirements, and process infrastructure needed to support” its facial recognition systems, as well as “robust requirements and architecture foundation, strategic policy and legal alignment.”

That is a big part of what’s wrong with this approach to airline security. Having developed that infrastructure, the TSA will be creating something that is highly likely to spread beyond airports. The same bureaucratic imperatives for tracking and identification that are driving the TSA’s push for biometrics also fuel many other agencies, from the FBI and the DEA to local police departments to major retailers. And airport use of facial recognition threatens to normalize what is the most dangerous and easily abused biometric.

Having “your face as your passport” might be very convenient when you’re at a government checkpoint. But we don’t want to have to “present our passport” at every turn in American society, including walking down the sidewalk. If we build a system that turns our faces into passports that anyone can scan and store at any time, that’s exactly what’s likely to happen.

The TSA tries to argue that facial recognition has already been normalized thanks to technologies such as the iPhone X. But those who want to deploy controversial and invasive technologies are always quick to declare them “normalized” — and it is far too early to conclude that people will approve of these technologies. As I have argued before, people will always know the difference between facial recognition that is used by them and facial recognition that is used on them.

Doubling down on the wrong path

The TSA’s embrace of facial recognition should be seen as the latest step in the evolution of a security system oriented around identifying people. The government made a decision during the Bush administration to move away from an exclusive focus on improving physical security — making sure that nobody, no matter who they are, can get a weapon onto an aircraft — and to divert resources into identity-based (aka “risk-based”) security.

That decision was a giant mistake.

There are several problems with identity-based security. One is that knowing somebody’s name does not tell you whether they are likely to pose a threat to aviation. You have to know more than just their name (and gender and date of birth — the data currently collected about all travelers). “Identity” is an empty shell unless you flesh it out with information about a person. And just how much information does a government agency need to establish whether a person is a threat? As the ACLU has long argued, there will never be enough to satisfy the government. There is a logic of identity-based security, and it inevitably leads toward a regime of expanding information collection, surveillance, and tracking of individuals.

Even if the government were to collect unconscionable amounts of background information about every traveler, there is still no clear or defined way to use such data to judge the risk that person poses.

The push for more data on domestic American passengers included the ill-fated post-9/11 CAPPS II program, which envisioned doing background checks and generating security ratings on every flier using a wide array of commercial data. Under heavy political opposition, that program was eventually pared back to simple (though still very problematic) watchlist checks. And now we have the TSA PreCheck program, which positions the agency to begin putting more informational meat on the bones of traveler “identity.” The TSA is clearly angling to expand not only the number of people enrolled in PreCheck, but also the data used in its background checks. As one TSA official said in a presentation I attended last year, the use of commercial data by the agency “is back on the table, and we’re looking at ways to do it.”

Even if the government were to collect unconscionable amounts of background information about every traveler — their history, lifestyle, interests, associations, speech — there is still no clear or defined way to use such data to judge the risk that person poses. The current PreCheck program centers on a criminal background check, for example — but is there even any evidence that people with criminal records are more likely to attempt to attack a plane? Fortunately, attacks on aviation are rare. Predicting criminal behavior is always problematic, but there is virtually no data for attacks on aircraft.

And that is another big problem with the identity-based approach to aviation security: It is never subject to feedback or testing. The TSA has invested huge sums in its PreCheck program based on certain assumptions about who is a lesser threat to aviation. Now it proposes to invest significant resources in building a giant airport face-surveillance infrastructure. Yet, we have no idea whether this approach would be effective at actually protecting aviation, because unlike strategies for physical security, there is no real way to test it. Unlike say, systems for reducing common crimes such as credit card fraud, there is no way to get ongoing feedback on whether these systems are moving in promising directions or are utterly useless. More collection of data about travelers won’t change that. And in the absence of feedback, the TSA is able to just go along its merry way pretending it’s a rational system.

In short, the TSA’s desire to go all-in on airport biometrics represents an enormous further investment in a misguided approach to airline security that paves the way for future expansions in the collection and use of personal data on passengers — including insidious new forms of threat scores, security rankings, blacklists, whitelists, etc. — all without necessarily improving security. Instead of devoting its limited resources to such “risk-based security,” the TSA should be focusing more on physical security. There is a lot of new research and thinking underway on, for example, enhanced scanners, improved explosive detection, and more efficient “screening at speed” in which passengers are physically scanned as they walk down a hallway,

Identity-based security will increasingly have negative consequences, and pervasive facial recognition is both one of those consequences and a way of opening the door to others.