TSA uses ‘minimum’ data to fine-tune its facial recognition, but some experts still worry
The Transportation Security Administration is planning to expand its facial recognition scanners to more than 400 airports, an agency official said.
The Transportation Security Administration is moving forward with plans to implement facial recognition technology at U.S. airports and is working with the Department of Homeland Security’s research and development component to analyze data to ensure that the new units are working correctly, agency officials told Nextgov/FCW.
A TSA official said the agency “is currently in the beginning stages of integrating automated facial recognition capability as an enhancement to the Credential Authentication Technology devices that had been deployed several years ago.”
The latest CAT scanners — known as CAT-2 units — incorporate facial recognition technology by taking real-time pictures of travelers and then comparing those images against their photo IDs. TSA first demonstrated the CAT-2 units in 2020 and began deploying the new screeners at airports in 2022. A Jan. 12 press release from the agency said it added “457 CAT-2 upgrade kits utilizing the facial recognition technology” in 2023.
“The CAT-2 units are currently deployed at nearly 30 airports nationwide, and will expand to more than 400 federalized airports over the coming years,” the TSA official said, noting that it is currently optional for travelers to participate in facial recognition screenings. Those that decline to do so can notify a TSA agent and go through the standard ID verification process instead.
The official added that the agency has “visible signs at all airports that have CAT devices with automated facial recognition technology” and has “updated all CAT device screens with clear language that notifies travelers they may decline having their photo taken.”
"Limited testing” to ensure accuracy
The agency’s CAT-2 units employ so-called one-to-one verification, where photos are generally compared against a government-issued identification, such as a driver’s license or passport, and then deleted from the scanner. This is often considered less privacy-invasive than so-called one-to-many matching, where a photo is compared against a larger database compiled of known individuals’ images to determine if there is a match.
A TSA factsheet on the agency’s use of facial recognition says photos “are not stored or saved after a positive ID match has been made, except in a limited testing environment for evaluation of the effectiveness of the technology.”
The TSA official said this limited testing environment “refers to a block of two to four weeks at a few, specific locations when TSA collects data to submit to DHS Science and Technology Directorate for independent analysis of match performance as a part of its continuous quality control process for the deployed technology in the operations and maintenance phase of its lifecycle.”
Arun Vemury — senior engineering advisor for identity technologies at DHS S&T — said “by default, the CAT systems do not record any information,” but added that TSA has “the ability in the field to change the system so that it actually can log data” when it wants to conduct a limited evaluation of the technology’s effectiveness.
“That data is actually just this minimum set of data,” he said. “We'll get the photo of the traveler, we'll get their photo from their travel ID document. It might be their driver's license, or their passport or whatever other identity document they may be able to use.”
Vemury stressed that “we don’t get the full set of data,” but said DHS S&T asks for travelers’ year of birth “because we want to have an approximate age of how old the person is” for testing purposes.
And even with the limited testing data that DHS S&T collects, Vemury said “we have agreements in place to kind of define what data can be shared and how it's going to be obfuscated or omitted.” These agreements, he noted, explicitly state that traveler names cannot be shared with DHS S&T.
“We talk about how we're going to securely transfer the data to S&T, we have limitations on who can access the data and what can be done with the data,” he added. “And then we have a retention period at which point — like after the study has been concluded or whenever TSA tells us to — we will wipe the data and will provide a certificate of destruction back to TSA so they can confirm that the data has been deleted.”
As of Jan. 23, Vemury said DHS S&T was not in possession of any facial recognition data from TSA.
When TSA collects data at specific screening locations to test the facial recognition technology, the agency official said it “will post signage at the airport in close proximity to the dedicated test lanes to provide immediate notice to passengers” and also have personnel “make handouts available that provide additional information about TSA’s screening technology and data protection procedures.”
“These signs and handouts will notify the public that participation is completely voluntary,” the TSA official added. “Additionally, in any future biometric technology tests involving the collection, maintenance, use or dissemination of [personal Identifiable Information], TSA will continue to be transparent by notifying the public and explaining the steps the agency is taking to safeguard individuals’ information. TSA will continuously assess and improve its passenger-facing biometric technology test communication materials.”
Privacy concerns
Some lawmakers, privacy advocates and experts have voiced concerns about the continued expansion of facial recognition, either proposing the implementation of new standards and requirements for the technology’s use or calling for a complete halt to the government’s rollout of the tech for security and law enforcement purposes.
A report issued earlier this month by the National Academies of Sciences outlined, in part, the potential benefits of facial recognition at airport security checkpoints, but said the White House, federal agencies and Congress need to develop regulations around its wider use.
The government’s growing embrace of facial recognition technology — for law enforcement purposes and for verifying IDs — has united some Democrats and Republicans in opposition to its expansion.
A bipartisan group of senators — led by Sens. John Kennedy, R-La., and Jeff Merkley, D-Ore. — introduced legislation in November 2023 that would ban TSA from using facial recognition and would repeal its authority to test the technology.
“It’s very troubling how quickly TSA is expanding its use of facial recognition,” Merkley told Nextgov/FCW in a statement. “Anyone worried about sliding toward a surveillance state should be paying attention.”
Kennedy also told Nextgov/FCW that “it’s astonishing that the TSA is expanding its invasive facial recognition program in the face of congressional concern,” adding that the agency “can bury its head in the sand and try to bulldoze our citizens, but their privacy concerns aren’t going away.”
Private advocates have also warned that TSA’s use of facial recognition normalizes the government’s broader use of the technology.
Jeramie Scott — senior counsel and director of the Electronic Privacy Information Center’s Project on Surveillance Oversight — called facial recognition “an invasive and dangerous surveillance technology,” adding that TSA’s use of it “basically endorses the use of facial recognition for identity verification.”
“That will ultimately accelerate the use of our faces as our ID, and that has some very important implications for privacy, civil liberties, civil rights and our democracy,” he said, adding that the lack of federal regulations around facial recognition’s use means that — despite TSA’s current privacy requirements — “what may be the safeguards today does not mean they will be the safeguards tomorrow.”
He also pushed back on TSA’s claim that it conducts “independent analysis” of collected data, since the agency falls under DHS’s authority.
“You can't say just because we handed it to a different part of the agency that that's an independent test in any meaningful way,” Scott said.
A future requirement?
As technology becomes more advanced, however, the head of the TSA and other experts view the wide adoption of facial recognition as inevitable.
During a discussion at the South by Southwest festival in March 2023, TSA Administrator David Pekoske said “eventually we will get to the point where we will require biometrics across the board because it is much more effective and much more efficient.”
Sheldon Jacobson — a professor of computer science at the University of Illinois at Urbana-Champaign who has studied aviation security for more than 25 years — agreed with Pekoske’s statement, saying “when it comes to airport security, facial recognition is the future.”
Since TSA is using one-to-one verification to conduct its facial recognition scans, Jacobson said in an interview that, “99.99% of people who post their own picture on Facebook are violating their own privacy more than that picture that's being taken at an airport security checkpoint.”
But for now, Jacobson — whose research on passenger screenings at airports provided the foundation for risk-based security that ultimately guided the implementation of TSA PreCheck — said “there’s still work to be done” when it comes to refining facial recognition for any type of full-scale rollout.
“As we move forward with airport security — and this is going to take five, ten or even more years — and there is much more of a ramp up with facial recognition and AI in general, what we're going to find is that the more you have the biometrics, the less physical screening you’ll need to have done,” he added.
Vemury also said that both DHS S&T and TSA are continuing to take steps to limit errors with facial recognition matching, including concerns about higher error rates resulting from racial or gender discrepancies with the technology.
“We use complimentary S&T laboratory evaluations, where we have volunteers come through and we'll use the informed and consented volunteers to help make sure that the system also works well, regardless of race and skin tone,” Vemury said.
But he added that TSA “has been very good about picking good technology so far,” noting that “if you look at like the top 10% of the technologies, there's no problem for most use cases” when it comes to matching discrepancies.