A “custodial" cellphone-based facial scanning app would give users control over their biometric data

A “custodial" cellphone-based facial scanning app would give users control over their biometric data

Behind the camera: how biometric boarding is used in airports

Airlines are introducing biometric technology at gates to make traveling more seamless for customers deterred by onerous Covid requirements. Nevertheless, some concerns over privacy and the tech’s reliability still need to be addressed

The pandemic has made traveling considerably less appetizing and much more annoying, vastly increasing the amount of documentation necessary to enter a foreign country, bloating congestion in airports and complicating the process of planning a trip. 

Before Covid there were already boarding passes, passports, limits on fluids, onerous security measures, interminable queues at check-in; now there are passenger locator forms, vaccination certificates, pre-flight tests, post-flight tests, red zones, green passes, often obtained through different services and presented in different forms: in print, via a QR code, through an app, or a clumsy screenshot.

Seizing the moment, many airports are beginning to make use of biometric data — that is, things like fingerprints and facial scans — to safeguard and verify a sort of single, one-size-fits-all repository of a traveler’s documents. According to data from SITA, a company specialized in air communication and information technology and also focused on biometrics, some 67 percent of airports are already looking into this technology, which is supposed to be cheaper and provide a more seamless experience. The effort is being led by a range of private and public actors, often working in conjunction and including tech startups, government biometric programs, airline operators and subscription services.

SITA, which works with both private airlines and governments interested in the technology, is at the forefront of this tech. Sherry Stein, the head of technology strategy at the company, helped develop a biometric boarding system at San Francisco International with United Airlines, the major American carrier. SITA’s “Smart Path” technology made use of the airport’s existing infrastructure of kiosks and gates, building atop it a network of face-scanning cameras. The company has said half of all international flights at the airport were boarded through the new system in 2021. 

In an interview with Infra Journal, Stein explained how the tech works. A sophisticated camera, she said, is affixed to the check-in kiosk in the airport’s lobby, where, in an analogue context, the traveler would supply their passport details. With the Smart Path, the passport is scanned and cross-referenced with a photograph taken in real-time of the traveler’s face. Next, “high-quality facial-recognition algorithms create a ‘digital map’ of the facial characteristics from the collected images” — measuring variables like the distance between features — “which are then compared to determine the percentage likelihood that the two images are of the same person.”

Once complete, the traveler’s various credentials — boarding pass, Covid certificate, etc. — are all compiled into a single identity represented by the map of their face. From that point, they can access each new section of the airport by simply scanning their face again; a new photo is taken each time and compared with the first image. 

Stein said the use of facial-recognition algorithms reduces human fallibility; it is better, for instance, at discerning similarities in faces changed by the aging process. “Identity verification in travel has always relied on a manual process,” she said. “An airline or border agent looks at a photograph on a traveler’s passport and makes a judgment call to determine this is the same person as in the photograph. Passports are generally valid for 10-years from issuance, so over time, physical changes - facial hair, aging, glasses, etc - can have an impact on the accuracy of performing this task. While some agents may be able to reliably identify individuals every time, many are not, and therefore this process is prone to human error.” 

While biometric algorithms do falter when confronted with a longer period of aging — error rates reportedly increased by almost a factor of ten with subjects who had aged 18 years since their photos were taken — Stein said this figure pertained to algorithms that were out of the proverbial box and hadn’t been optimized. She added that the ten-year limit on adult passports, and five year limit on children’s passports, made unrecognizable changes to faces less likely. 

As such, Stein confidently credited airport biometrics with a thirty-percent increase in boarding efficiency, with scans taking under a second. One critical factor in speed and accuracy, she added, is customer familiarity with the technology; where biometric tech is only being rolled out minimally in small trials, it is harder to gauge the efficacy. One thing SITA tries hard to avoid is the inconvenience of the “rescan” in which travelers, failed by the biometric scanners, have to present to a border control official. This happens a lot: on a recent sojourn at Gatwick, a major London airport, this reporter watched the biometric border gates flash ominously red as travelers attempted to scan their faces. Time after time, they would give up and be referred back to the in-person desk—right where their troubles began. 

And yet, so far, people seem to have embraced the technology. Stein said that over the past few years there has been something like a 90 percent uptake among passengers; 73 percent of respondents to a survey, meanwhile, said they would be happy forking over their biometric data for greater convenience, even if that comes at the expense of privacy—a result of the pandemic, Stein said. 

“This new market has arrived on the back of Covid,” she added. “The question was: How do we create a touchless safe experience for domestic travelers?”

It may seem like putting all this significant data behind highly visible keys that can’t be changed (like a password can) would create a treasure trove for hackers. But Stein noted that biometric entry points are always supervised by humans who can easily detect an attempt at a fake—for instance, ‘Mission Impossible’ masks,” or “somebody trying to hold up a piece of paper with another person’s face.” She added that, at least with SITA’s tech, there is a stringent adherence to the European Union’s GDPR regulations, which requires that personal data can be removed at a customer’s behest. SITA also defers to the ethical best practices guide laid out by the National Institute of Standards and Technology, an agency that offers universal standards for biometrics, and ensures that “no data is held for any longer than required to complete the transaction it is directly required for.”

Nevertheless, the activist group Electronic Frontier Foundation, which advocates for a free and open internet, worries that governments could exploit newly created pools of biometric data. For instance Brazil, whose airports are regionally run and provide easy targets for identity frauds, has signaled its intention to cross-reference biometric data with large, internal databases holding similar information. In the case of, say, screening a potential airplane passenger for criminal records, this can go badly. “Arrest warrant databases, for example, are riddled with error, and include many people accused of minor offenses,” the EFF wrote in one article decrying the technology. The foundation also noted that biometric scanners often discriminate against non-white people. 

One possible solution has been to offer “opt-in” biometric screening that gives passengers a choice, such as that trialed at Hartsfield-Jackson Airport in Atlanta, in the US, by Delta Airlines. SITA, meanwhile, is trialing the use of a cellphone-based facial scanning app that would be “custodial”—that is, it gives users control over their biometric data and allows them to use it (or choose not to) at a variety of airports. Stein says that SITA is debuting that kind of cellphone technology at Ciampino Airport, on the outskirts of Rome (she also argues that the fears are unfounded, given that governments already have exhaustive databases of citizens’ passport photos.)

The scope of this kind of custodial tech has broad potential, and Stein imagines information about hotel bookings, car rentals, or even, in the future, medical data, being stored custodially in this way. SITA has already tried a comprehensive, phone-based identity management system with MasterCard at Dallas Fort Worth International Airport, and is working on open-source — that is, freely available for others to iterate on — digital health credentials with the government of Aruba, in the Caribbean, along with tech startup Indicio. In the blockchain world, meanwhile, developers are already working on ways to cryptographically secure these personal data troves. Soon enough, your face will be your all-in-one password for everything -- whether you like it or not.


Ben Munster - Freelance journalist covering Italy and tech. He has written for The New Yorker, Esquire and Private Eye, and is the semi-regular author of the Zero Knowledge column at Decrypt, a crypto news site, as well as the Rome correspondent for European tech news site Sifted. He lives in Rome.

More like this