Innovation and convenience might be the aim, but as we know, these elements can often clash with proper security. And there’s more to suggest this might be the case in this instance: A rulemaking process requiring CBP to solicit public feedback before adopting technology such as biometric systems has not been carried out properly in advance of the rollout, the documents suggest.
What is the problem?
Firstly, the technology might not be ready for mass use. Facial recognition is not always accurate: In fact, according to Patrick Hunter, a director at One Identity the technology is notorious for false positives, where the software wrongly “thinks” it has a match. “In this context, someone’s profile stored on an unknown number of systems with unknown data attached to it can lead to some worrying, albeit rare, scenarios where you could be mistakenly identified as a criminal,” he says.
There are also privacy implications when collecting large amounts of data. Last month, it emerged that a company that operates facial recognition systems in China had exposed the personal information of 2.5 million people after leaving a database unprotected. As such, says Hunter, people should be concerned about what is being done with the data collected. “We also have to be concerned about those profiles being kept in databases that are not well secured. Where is the governance on these systems? Who is going to make sure that all those third parties are not breaking international laws? Government agencies may be exempt from GDPR, but third parties may not. These databases will store much more valuable information than simple username and passwords, and people’s biometrics could be used in more sophisticated identity thefts.”
According to Ian Thornton-Trump, security head AMTrust Europe, two rules apply: “If you can’t protect it don’t collect it” and “if you need to collect it, only collect the minimum amount required”.
He says: “It’s possible to reduce the attack surface with NIST security controls of course but the less data you keep, the less that data is worth to an adversary. So building security into the design is the best approach; plus robust encryption at rest and in transit is a great start. Lastly once the biometrics have been verified – and the person is not wanted or on a no fly list – the data can be deleted as it’s no longer needed. Most countries keep a record of arrivals and departures anyway; this is just a way to ensure that information is accurate at a biometric level.”
CBP claims to have issued several Privacy Impact Assessments relating to the program. The organization told Buzzfeed it had employed “strong technical security safeguards” and limited the amount of personally identifiable information used in the transaction.
But the U.S. doesn’t have any laws governing the use of facial recognition, which makes systems such as these far too easy to abuse.
Which airports are included in the facial recognition program?
Airports included are:
Washington (Dulles and Reagan)
Airlines supporting facial recognition include Delta, JetBlue, British Airways, Lufthansa, and American Airlines.
What does it mean for these types of systems in the U.S. and beyond?
In Europe, the EU General Update to Data Protection Regulation (GDPR) stipulates that biometric information is “personal data” and must be protected.
But facial recognition is already in use in the U.K. with the self-service e-passport “fast lane” for passport checks, says Martin Jartelius, CSO at Outpost24. He points out that it is also already deployed at locations such as subway stations in some European countries, “and its use for identification at a point of mandatory identification is not uncommon”.
But of course, these massive projects have widescale implications and should not be rushed. Jartelius says: “What is concerning is the rush for implementation and the risk of poor system design, security, and reliability as a result of the short time frame. It is simply irresponsible to rush past uncertainties related to legislation: rushing projects like these risks damaging the process of proper and secure implementation.”