Closing The Loop

In the not too distant future, airports could operate without boarding passes or even ID cards, whisking you away to your destination after a single biometric reading. That is, if a pilot program by the Transportation Safety Administration works out. The TSA is currently testing a new biometric identification system that could allow certain passengers to get through airport screening with a simple scan of the finger. If you’re tired of fumbling for your boarding pass while carrying your shoes, ripping off your belt, and chugging your last bit of water, giving the federal government your fingerprints might be the solution.

But some worry that the government’s use of biometric data raise pose significant questions, not only around civil liberties, but also cybersecurity. And as biometric use expands, those security concerns aren’t just confined to our government or our airports.

 

Pre-checked, Pre-fingerprinted, Pre-approved

The TSA is instituting a pilot screening program that uses the biometric information of passengers enrolled in TSA Precheck (technically, "Pre✓®") to make screening even faster. Precheck travellers already undergo pre-screening and a background check in order to pass through airport security quickly—with their water bottles full and shoes on. As part of the application process, some Precheck passengers submit their fingerprints to the TSA. It’s those fingerprints that are being used in airports as part of the new program.

 

We hope you’re as excited as #ThisGuy about innovative screening technology!  He’s one of the technicians setting up the biometric authentication technology (BAT). Besides having a super cool acronym, the technology matches passenger fingerprints to those that have previously been provided when travelers enrolled in #TSAPrecheck. This pilot program is voluntary and all participating passengers will also be subject to the standard ticket document checking process of showing their boarding pass and ID. Bummer, we know… But in the long term, this technology has the potential to eliminate the need for a boarding pass and ID altogether. The pilot starts this week and will take place at one TSA Pre✓® lane at the Hartsfield–Jackson Atlanta International Airport #ATL and another at the Denver International Airport #DEN starting this week. TSA will analyze the data collected during the pilot for potential implementation at other U.S. airports in the future.

A post shared by TSA (@tsa) on

The program launched in Denver International Airport and Hartsfield-Jackson Atlanta International Airport in mid-June.  The goal is to eventually eliminate the need for boarding passes and IDs in screening altogether—though for now those documents are still required.

In addition to the screening program, the TSA is also seeking to expand its collection of biometric data, allowing greater retention and use of not just fingerprints, but also iris scans and photo information.

Alongside the feds, more airlines are also instituting biometric identification systems. Last month, both Delta and JetBlue announced plans to begin using biometric data at certain airports. In Washington’s Reagan airport, Delta plans to scan fingerprints instead of boarding passes, while JetBlue wants to match flyers’ facial data in Boston and Aruba against U.S. Custom and Border Protection’s passport database.

Is it all a secret plan to establish a New World Older lead by secretive lizard people? If so, the Denver airport is a fitting place to start. It is not only controlled by the Freemasons, it’s a central part of the plan to institute a one-world government. And the airport’s underground bunkers are home to Reptoids, billionaires, and non-reptoid aliens.  

 

Biometrics, Privacy, Cybersecurity, and You

We’re kidding, of course, but you don’t have to be a conspiracy theorist or a “Gattaca” fan to be worried about the proliferation of biometric data in government hands. After all, there are no laws restricting how the government may use biometric data from such programs, Jeramie Scott, national security counsel for the Electronic Privacy Information Center, warned last month.

Now, EPIC has urged the agency to consider alternatives, citing the privacy and security risks associated with such collection. On the privacy front, EPIC notes that TSA biometric data goes to both the FBI’s Next Generation Identification database and the DHS’s Automated Biometrics Identification System. That means that such data “will be kept for decades beyond what is necessary for the stated purpose of collection,” according to the public interest group. Information in the FBI’s database, for example, is kept for 110 years or until 7 years after an individual's death. Information in the DHS’s database is stored for 75 years. Data stored by both the FBI and DHS can be shared with a wide variety of organizations, both domestic and international.

What’s more, that long-stored, sensitive information could be subject to a damaging data breach. In their comments to the TSA’s biometric-collection-expanding rulemaking, EPIC rattles off a host of recent DHS data breaches, such as:

  • The 2014 breach, involving a third-party contractor, that exposed the records of 25,000 employees, including undercover investigators.
  • The 2015 breach, again involving a contractor, that affected 39,000 people, including job applicants.
  • The 2015 hack, by a 16-year-old boy, that revealed information on nearly 30,000 FBI and DHS employees and compromised CIA Director John Brennan’s personal AOL email account.

A breach involving biometric data could result in significant harm, EPIC argues:

Several Internet of Things and mobile computing devices use biometrics for secure access and operation. As these devices become ever more integrated into people’s daily lives the security of biometric information will become increasingly important. If a database storing the biometric information of millions of individuals is compromised, individuals will be placed at substantial risk. Biometrics are unique to each individual person, if they are compromised then individuals’ privacy and security will be forever at risk.

 

Not Just Airports

These data breach concerns aren’t unique to data controlled by the government. In fact, many of us have been giving our biometric data to private actors for years. April Glaser’s 2016 survey of biometrics and security concerns for Wired highlights just how quickly companies have embraced consumer-level biometrics:

Since Apple introduced its incredibly usable biometric identification with Apple’s home button fingerprint sensor in 2013, the appetite for biometrics has expanded rapidly. Now MasterCard wants to use your heartbeat data to verify purchases. Google’s new Abicus Project plans to monitor your speech patterns, as well as how you walk and type, to confirm that it’s really you on the other end of the smartphone. Other apps are looking at the uniqueness of vascular patterns in the eyes or even a person’s specific gait to verify identities.

Such biometric data collection is bound to continue to spread in the future. On June 22nd, for example, the National Institute of Standards and Technology finalized its new digital identity guidelines. Those guidelines recommend the use of biometrics as one factor in a multi-factor identification system. The guidelines apply to the federal government, but they are often adopted by private parties as well.  

Such use of biometric data can enable greater convenience. Who doesn’t prefer unlocking their phone with a single tap of a finger rather than typing in a security code? But that data comes with risks. Risks not only as to how the government or other organizations will use such information, but how strongly it will be protected from breach or compromise.

Those risks aren’t just to the traveler or consumer, either—they extend to the organizations collecting biometric data as well. The lack of federal regulation around such data means that some states are moving to regulate the information themselves. Illinois’ Biometric Information Privacy Act, for example, has been cited in a host of lawsuits against tech companies who allegedly collect biometric data without authorization. Misuse of biometric information could give rise to civil liability, while a breach of biometric data could trigger state data breach notice requirements. All in all, the convenience of biometrics doesn't come without some significant tradeoffs.

But hey, who wouldn’t want to speed through TSA with a quick fingerprint scan?

This post was authored by Casey C. Sullivan, Esq., who leads education and awareness efforts at Logikcull. You can reach him at casey.sullivan@logikcull.com or on Twitter at @caseycsull.

Webinar: Protecting against Petya: Ransomware and the Future of Law Firm Cybersecurity 7/27/17

Subscribe To Our Blog

Webinar: Protecting against Petya: Ransomware and the Future of Law Firm Cybersecurity 7/27/17

Posts by Topic

Additional Topics >>>

Let us know what you thought about this post.

Put your comment below.