Business Travelers Weigh Ease of Biometrics Against Privacy Concerns

The use of biometric information for security is on the rise, but some warn that travelers should be cautious about how their data is used. Pictured here is facial recognition technology used by KLM as part of a test program at Schiphol Airport. (Photo: KLM)
Skift Take: Business travelers are embracing the increasing use of facial-recognition software and fingerprint reading at airports to speed lines, but privacy advocates raise concerns about the security of information and its potential use. — Hannah Sampson
At five airports across the U.S., travelers departing on some international flights are being asked to stick their faces in front of a camera before boarding the plane. The machine takes a photo and compares it with a database of images of people who are supposed to be on the flight. If the software finds a match, the person proceeds to board. If it doesn’t, the traveler gets additional screening from a security officer.
The facial-recognition program run by U.S. Customs and Border Protection, in its pilot stage but likely to expand next year, aims to increase security and keep lines moving. Those are two important goals for harried business travelers.
Corporate travel groups generally have supported the pilot program, while noting that it is in an early stage and that travelers’ personal information has to be tightly guarded. And the U.S. government’s pilot program is just one of an increasing number of efforts around the globe to use biometric information for security screening.
“The truth is, I’d be willing to put a chip in my arm if I never had to wait in line,” said Craig Fichtelberg, co-founder and president of Chicago-area travel management company AmTrav Corporate Travel. “I definitely think business travelers will be the first adopters, in the same way that they were for TSA PreCheck and similar programs.”
For frequent flyers who are more concerned than Fichtelberg about sharing their personally identifying information, such as facial data and fingerprints, CBP offers some reassurances. Where CBP runs the facial-recognition program, according to the agency’s privacy assessment, photos captured as travelers board will be kept for 14 days to improve the matching algorithm, then deleted.
As of Aug. 1, the CBP is operating its pilot program in Hartsfield-Jackson Atlanta International Airport, Washington Dulles International Airport, George Bush Intercontinental Airport in Houston, Chicago O’Hare International Airport and McCarran International Airport near Las Vegas.
In three airports – Hartsfield-Jackson Atlanta International Airport, John F. Kennedy International Airport in New York and Boston Logan International Airport – the U.S. government is letting airlines operate the facial-recognition program. (Atlanta has both versions.) CBP recommends, but does not require, that airlines keep the matching results no longer than 14 days.
“The way the program is described now doesn’t sound too offensive,” said Michelle Richardson, deputy director of the Freedom, Security, and Technology Project at the Center for Democracy & Technology in Washington, D.C. She recently participated in a meeting with CBP and privacy advocates. “But it’s very unlikely that it’s going to stay in this form going forward. For example, as it spreads to other airports, and the collection gets bigger, are you going to see other agencies asking for that information?”
Although flyers may be able to opt out in some cases, CBP advises in the privacy assessment: “The only way for an individual to ensure he or she is not subject to collection of biometric information when traveling internationally is to refrain from traveling.” That means business travelers could have to choose between giving up personal information and forgoing a trip required for their jobs. Biometric data could include measurements of physical characteristics such as fingerprints, facial features, and iris scans.
Further, if flyers who refuse to submit biometric data are someday shunted into long, understaffed screening lines, that doesn’t count as a choice, said Adam Schwartz, senior staff attorney with the civil-liberties team of the Electronic Frontier Foundation, a nonprofit defending digital privacy.
“If one line is whizzed through with facial recognition and the other line has to stand there for two hours to get to one employee, that would not be full consent,” Schwartz said. “Travelers thinking about giving up biometrics for faster access to the plane ought to consider the long-term privacy consequences and what companies are going to do with the data.”
Already, travelers have been giving up more of their personal information in exchange for easier movement through security. TSA PreCheck and Global Entry, which provides expedited clearance upon arrival in the U.S., require fingerprints to enroll. And Clear, a private biometrics security company in expansion mode, needs an iris scan and fingerprint. One airline, Scandinavia’s SAS, has even implanted a chip in one employee’s hand for the purpose of testing easier boarding and lounge entry.
And globally, airlines outside the U.S. have been experimenting with facial-recognition software; KLM, for example, is testing it on flights departing Amsterdam. Starting in 2018, businesses operating in European Union countries will have to follow stricter regulations to protect personally identifying information of EU citizens. The U.S. doesn’t have comparable rules, noted John Michener, chief scientist and principal security consultant for Casaba Security. “In the U.S., we have free internet because we are the product,” he said. “We pay for the internet by our loss of privacy. And we made our bargain before people realized the extent of the damage.”
Among the chief concerns is that U.S. companies could sell information from facial-recognition databases. Facebook, for example, says it won’t directly sell user data, but it uses facial recognition to support its research into artificial intelligence that would improve ad targeting.
Also, databases can be hacked. In 2015, the U.S. Office of Personnel Management acknowledged that 5.6 million people’s fingerprints were compromised in a government data breach. Passwords can be changed if compromised; faces and fingerprints cannot.
Those risks should be weighed against the wear and tear on frequent travelers from current screening systems, said Mike McCormick, executive director and chief operating officer of the Global Business Travel Association.
“We generally are in favor of using biometrics,” he said. “Everything we’ve seen and heard so far has been positive. For business travelers, you really aren’t giving up any information that your company doesn’t already know about you and isn’t readily available.”
McCormick adds that it’s important for companies to communicate with employees about changes to airport security, listen to concerns, and provide opportunities for feedback.
“You hope the government systems are in place to protect that data, because you don’t want that falling into the wrong hands,” said Greeley Koch, executive director of the Association of Corporate Travel Executives. “From the standpoint of the business traveler, we’re looking for anything that makes it easier and faster to get through the horrendous airport experience. As we go toward other methods, the safety and security of this biometric data has to be paramount.”