Merkley, Markey, Booker, Warren, Sanders, Call for Immediate Halt of TSA’s Facial Recognition Technology and Practices at U.S. Airports

Washington, D.C. – Oregon’s U.S. Senator Jeff Merkley today was joined by Senators Edward J. Markey (D-MA), Cory Booker (D-NJ), Elizabeth Warren (D-MA), and Bernie Sanders (I-VT) in a letter to David Pekoske, Transportation Security Administration (TSA) Administrator, calling on TSA to immediately halt its deployment of facial recognition technology.

“Increasing biometric surveillance of Americans by the government represents a risk to civil liberties and privacy rights,” wrote the Senators.

Recent reports indicate TSA has been using and testing facial recognition technology for passenger screening at 16 major domestic airports and that TSA hopes to expand its use of facial recognition technology across the entire United States as soon as this year.

“Thousands of people daily are encountering a decision to travel or safeguard their privacy—a decision that threatens our democracy,” the Senators continued. “While TSA claims that facial identification scans are not mandatory, it is unclear how travelers will know that they can ‘opt-out,’ and what the consequences for travelers are if they choose to opt-out.”

The Senators’ letter further spotlights the racial discrimination this technology may exacerbate, referencing a study by the National Institute of Standards and Technology testing 18 million photos of over 8 million people. This study found that Asian and African American people were up to 100 times more likely to be misidentified than white men by facial recognition technology.

In addition to concerns about government misuse, the Senators also raised questions about whether TSA would be able to keep a vast trove of biometric data secure from bad actors, pointing to a 2019 data breach in which hackers stole thousands of photos of travelers from a Department of Homeland Security database.

“We urge the Agency to immediately halt its deployment of facial recognition technology,” they conclude.

The Senators urgently request answers to the following questions from TSA:

1. Please provide data on the accuracy and volume of TSA’s facial recognition technology program from 2020 to 2022 broken down by race, ethnicity, and gender that includes:

    1. the rate of false positives and negatives produced;
    2. the total number of travelers who had their face scanned by TSA;  
    3. the total number of travelers who opted out;
    4. the total number of cases where TSA stored its facial scans, instead of immediately deleting.
  1. How are travelers notified of their right to opt-out of facial recognition? What are the effects on a traveler who chooses to opt-out of facial recognition?
  2. Under TSA’s current system, do travelers who choose to opt-out face any additional consequences or additional screenings, pat-downs, interrogations, or even detention, beyond what they would have encountered at a non-facial recognition airport?
  3. What training measures does TSA currently mandate for staff to regarding travelers who choose to opt-out of facial recognition technology?
  4. Has TSA ever shared biometric data with other government agencies? If so, which agencies and for what purposes?
  5. What measures is TSA taking to protect biometric data from cyberattacks or any other form of unauthorized distribution or release? How does TSA ensure the security of Americans’ data that third-parties have access to? Is TSA aware of any breaches of travelers’ biometric data collected at US airports? If so, please detail all such breaches.

Full text of the letter can be found here and follows below:

Dear Administrator Pekoske,

We write regarding the Transportation and Safety Administration’s (TSA) alarming use of facial recognition technology at domestic airports. Reporting indicates that TSA has been using and testing facial recognition technology for passenger screening at 16 major domestic airports, including some of the busiest U.S. airports, in cities like Atlanta, Dallas, Denver, and Los Angeles, and may expand its use across the entire United States as soon as this year.[1]

Increasing biometric surveillance of Americans by the government represents a risk to civil liberties and privacy rights. Currently if a U.S. traveler shows up to one of the 16 airports testing this technology, they will be met with a facial identification scanner before they can proceed to their flight. Thousands of people daily are encountering a decision to travel or safeguard their privacy- a decision that threatens our democracy.

While TSA claims that facial identification scans are not mandatory, it is unclear how travelers will know that they can “opt-out,” and what the consequences for travelers are if they choose to opt-out. When Senator Merkley flew out of DCA while TSA was piloting its facial recognition program, he witnessed TSA agents directing passengers to look at the facial identification scanner in order to verify their identity. In order for facial recognition identification scans to truly be completely optional, TSA agents must inform passengers of their rights, and there must be clearly visible signage notifying passengers of their ability to proceed without a facial identification scan.

TSA’s facial recognition is also likely to exacerbate racial discrimination. A 2019 study by the National Institute of Standards and Technology tested 18 million photos of over 8 million people and found that Asian and African American people were up to 100 times more likely to be misidentified than White men by facial recognition technology, testing 18 million photos of more than 8 million people.[2] American’s civil rights are under threat when the government deploys this technology on a mass scale, without sufficient evidence that the technology is effective on people of color and does not violate American’s right to privacy. According to a TSA spokesperson statement in July 2022, “TSA has no plans to limit [its] current use of facial recognition.”

In addition to government misuse, we are concerned about the safety and security of Americans’ biometric data in the hands of authorized private corporations or unauthorized bad actors. TSA’s new data could be hacked — we’ve seen it happen before. In 2019, the Department of Homeland Security’s photos of travelers, which are used in the agency’s facial recognition program, were stolen in a data breach.[3] As government agencies grow their database of identifying images, increasingly large databases will prove more and more enticing targets for hackers and cybercriminals.

Notably, in the Agency’s 2018 Biometrics Roadmap, TSA planned to extend biometric solutions to the public on an “opt-in” basis.[4] However, in the Agency’s 2022 document building on the Biometrics Roadmap, TSA states that biometric capture now occurs both when individuals opt-in and “where required”.[5]

We urge the Agency to immediately halt its deployment of facial recognition technology and respond to the following questions:

1. Please provide data on the accuracy and volume of TSA’s facial recognition technology program from 2020 to 2022 broken down by race, ethnicity, and gender that includes:

    1. the rate of false positives and negatives produced;
    2. the total number of travelers who had their face scanned by TSA;  
    3. the total number of travelers who opted out;
    4. the total number of cases where TSA stored its facial scans, instead of immediately deleting.
  1. How are travelers notified of their right to opt-out of facial recognition? What are the effects on a traveler who chooses to opt-out of facial recognition?
  2. Under TSA’s current system, do travelers who choose to opt-out face any additional consequences or additional screenings, pat-downs, interrogations, or even detention, beyond what they would have encountered at a non-facial recognition airport?
  3. What training measures does TSA currently mandate for staff to regarding travelers who choose to opt-out of facial recognition technology?
  4. Has TSA ever shared biometric data with other government agencies? If so, which agencies and for what purposes?
  5. What measures is TSA taking to protect biometric data from cyberattacks or any other form of unauthorized distribution or release? How does TSA ensure the security of Americans’ data that third-parties have access to? Is TSA aware of any breaches of travelers’ biometric data collected at US airports? If so, please detail all such breaches.

Sincerely,

 

###



[1] Fowler, Geoffrey A. “TSA now Wants to Scan Your Face at Security. Here Are Your Rights.” Washington Post, December 2, 2022. https://www.washingtonpost.com/technology/2022/12/02/tsa-security-face-recognition/.

[2] National Institute of Standards and Technology, “NIST Study Evaluates Effects of Race, Age, Sex on Face Recognition Software” (December 19, 2019), https://www.nist.gov/news-events/news/2019/12/nist-study-evaluates-effectsrace-age-sex-face-recognition-software

[3] Fowler, Geoffrey A., and Drew Harwell. “U.S. Customs and Border Protection Says Photos of Travelers Were Taken in a Data Breach.” Washington Post, June 10, 2019. https://www.washingtonpost.com/technology/2019/06/10/us-customs-border-protection-says-photos-travelers-into-out-country-were-recently-taken-data-breach/?itid=lk_inline_manual_15.

[4] “TSA BIOMETRICS STRATEGY.” Transportation and Security Administration. July 2018. https://www.tsa.gov/sites/default/files/tsa_biometrics_roadmap.pdf.

[5] “TSA IDENTITY MANAGEMENT ROADMAP.” Transportation and Security Administration. February 2022. https://www.tsa.gov/sites/default/files/tsa_idm_roadmap_2022-03-01_508c_final.pdf

en_USEnglish