The Transportation Security Administration has set out an alarming vision of pervasive biometric surveillance at airports, which cuts against the right to privacy, the “right to travel,” and the right to anonymous association with others.

The FAA Reauthorization Act of 2018, which included language that we warned would provide implied Congressional endorsement to biometric screening of domestic travelers and U.S. citizens, became law in early October. The ink wasn’t even dry on that bill when the Transportation Security Administration (TSA) published their Biometrics Roadmap for Aviation Security and the Passenger Experience, detailing TSA’s plans to work with Customs and Border Protection (CBP) to roll out increased biometric collection and screening for all passengers, including Americans traveling domestically.

This roadmap appears to latch on to a perceived acceptance of biometrics as security keys while ignoring the pervasive challenges with accurately identifying individuals and the privacy risks associated with collecting massive amounts of biometric data. Furthermore, it provides no strategy for dealing with passengers who are unfairly misidentified.

Worst of all, while the roadmap explicitly mentions collaborating with airlines and other partners inside and outside the government, it is alarmingly silent on how TSA plans to protect a widely distributed honeypot of sensitive biometric information ripe for misuse by identity thieves, malicious actors, or even legitimate employees abusing their access privileges.

TSA PreCheck is Not a Blank Check

The roadmap proposes significant changes to what the government can do with data collected from more than 5 million people in the TSA PreCheck program. It also proposes new programs to collect and use biometric data from American travelers who haven’t opted into the PreCheck program.

The TSA PreCheck program has long been billed as a convenient way for travelers to cut down on security wait times and speed through airports. All a traveler has to do is to sign up, pay a fee, and allow TSA to collect fingerprints for a background check. However, the roadmap outlines TSA’s plans to expand use of those prints beyond the background check to other uses throughout the airport, such as for security at the bag drop or for identity verification at security check points.

TSA has already rolled this out as a pilot program. In 2017, at Atlanta’s Hartsfield-Jackson Airport and Denver International Airport, TSA used prints from the PreCheck database and a contactless fingerprint reader to verify the identity of PreCheck-approved travelers at security checkpoints at both airports. TSA now proposes to make the pilot program permanent and to widen the biometrics used to include face recognition, iris scans, and others.

Even more concerning, the roadmap outlines a strategy to capture biometrics from American travelers who haven’t enrolled in PreCheck and who never consented to any biometric data collection from TSA. Instead of giving passengers the option to opt in, TSA plans to partner and share information with other federal and state agencies like the FBI and state Departments of Motor Vehicles to get the biometric information they want.

While Congress has authorized a biometric data collection exit program for foreign visitors—supposedly to help monitor visa compliance by using biometrics to track foreigners leaving the country—the roadmap explicitly outlines plans for TSA and CBP to collect any biometrics they want from all travelers—American or foreign, international and domestic—wherever they are in the airport. That data will be stored in a widely shared database could be used to track people outside the airport context. For example, TSA’s Precheck as well as Clear have already begun using their technology at stadiums to “allow” visitors a faster entry.

This is a big, big change. It is unprecedented for the government to collect, store, and share this kind of data, with this level of detail, with this many agencies and private partners. We know that security lines are a huge pain, but we are concerned that travelers getting used to biometric tracking in the airport context will be less concerned about tracking in other contexts and eventually throughout society at large.

Device Security and National Security Are Not the Same

The roadmap also makes the huge assumption that people will not object to this expanded collection. It states that “popular perceptions [of biometrics] have evolved to appreciate the convenience and security biometric solutions can offer in the commercial aviation sector.” In other words, it claims that travelers using biometrics like fingerprints and facial recognition programs to unlock their phones and laptops, will be less concerned about Department of Homeland Security agencies collecting biometrics to store in government databases for unspecified, myriad uses.

The problem with this claim is that those two things are not the same.

Apple software, for one example, allows consumers to use biometrics (currently, fingerprints and faceprints) to unlock their devices. However, Apple has specifically built in privacy and security protections that prevent the biometric data from being stolen. Apple does not enable third party software to access the original biometric data. Plus, unlike federal agencies, Apple stores the original biometric information on your phone, not in a central, searchable database intended for use by multiple government and private partners over many years.

Additionally, TSA seems to be ignoring the risk that relying heavily on biometric data for identification may actually create new national security risks that the federal government is ill-equipped to handle. For example, India’s infamous Aadhaar biometric database, which was built by the Indian government to reduce corruption and expanded for use by other public and private groups, keeps getting hacked. It is not only cheap to buy the information of one of the 1.19 billion people in the database, but the hacks also allow for new information to be entered into the database. Rather than increasing security, India’s biometric database created more problems and opportunities for corruption.

Implementation Issues and Cost Overruns

Finally, this roadmap glosses over the weaknesses of facial recognition technology as a means to identify travelers and ignores the challenges CBP has already faced rolling out their biometric exit program.

We’ve written many times before about the significant accuracy problems with current face recognition software, especially for non-white and female people. For example, earlier this summer the ACLU published a test of Amazon’s facial recognition program, comparing the official photos of 435 Members of Congress with publicly available mugshots. The ACLU found 28 false matches, even in this relatively small data set.

CBP has claimed to have a 98% accuracy rating in their pilot programs, even though the Office of the Inspector General could not verify those numbers. According to the FAA, 2.5 million passengers fly through U.S. airports every day, meaning that even a 2% error rate would cause thousands of people to be misidentified every day.

TSA’s roadmap does not acknowledge these accuracy problems, much less outline an efficient way to allow wrongly identified travelers to complete their trips. Additionally, the roadmap does not acknowledge the need to allow travelers to opt out of the system.

But even if the claims about the advances in biometric software and technology are true, the Office of the Inspector General has also reported that CBP consistently and substantially underestimated the cost of their biometric exit program to the American taxpayer. To close some of the funding gaps, CBP would have to depend on the airports and airlines to purchase the necessary biometric equipment and to provide staff to implement the program. In short, for CBP and TSA to achieve their goals, they must force American travelers to hand over their biometric data to private companies.

What’s Next

TSA should not move forward on this plan without addressing the serious security concerns and without providing a reliable, convenient way for travelers to opt out of the program. Even if biometrics provided a reliable identification system for travelers, the kind of system and database the roadmap outlines could make it more difficult for people to travel, in direct conflict with the agency’s mission “to protect the nation's transportation systems to ensure freedom of movement for people and commerce.”