Editor’s note: October is National Cybersecurity Awareness Month, and each week Blue Sky will be featuring a story about cybersecurity and related issues to highlight the importance of digital safety in airports and beyond.
Forget fumbling around for your passport or trying to find your crumpled-up boarding pass – those concerns could soon become a thing of the past.
The future of airport security is biometric identification, which uses data like facial scans, retina scans and fingerprints in place of traditional IDs, such as passports and driver licenses. Airlines, private companies and government agencies increasingly rely on biometric screening to improve and expedite security at select airports nationwide.
READ MORE: Nobody Wants To Get Hacked – Here’s How to Avoid It
Delta Air Lines partnered with U.S. Customs and Border Protection (CBP) and the Transportation Administration (TSA) last fall to launch the first “curb-to-gate” biometric terminal in the country for international travelers at Atlanta’s Hartsfield-Jackson International Airport (ATL). Delta has since added some biometric boarding options at airports in Minneapolis/St. Paul, Salt Lake City, Detroit and New York City.
“The expansion of biometrics and facial recognition throughout the airport environment represents the next generation of security identification technology,” said TSA Administrator David Pekoske when the biometric terminal was announced. “TSA is committed to working with great partners like Delta, ATL and CBP on developing and deploying new capabilities like these.”
So how exactly does it work? Prior to departure, Delta sends the flight manifest to CBP, which in turn builds a photo gallery based on passport and other identification photographs. Passengers have their pictures taken at the security checkpoint and the photos are compared with those in the flight manifest. If the match is made, CBP sends back the clearance to proceed, replacing the customary document inspections.
The program is optional, and Delta customers are free to use regular screening techniques if they wish. Delta says it does not save or store any of the data.
“We do feel the biometric terminal was a success,” Delta spokesman Drake Castaneda said. “Delta is fully committed to improving our customers’ travel experiences from start to finish, and these investments are reflective of that commitment.”
Delta has partnered with CLEAR, a private biometric screening company, as part of its development and deployment of the technology. CLEAR, which is certified by the Department of Homeland Security, is also working with United Airlines, and uses fingerprints and iris scans to verify a person’s identity in dedicated lines at select airports.
But CLEAR membership isn’t limited to Delta or United customers. CLEAR currently operates in more than 60 locations nationwide, including sports stadiums and more than 30 airports. Customers can purchase CLEAR for use in those locations for an annual membership of $179.
“We envision a frictionless future where you no longer need to carry cash, credit cards or IDs,” a CLEAR spokesman told Blue Sky. “Our biometric ID instantly connects your life from airports, sports arenas and beyond.”
CBP and the TSA are also key stakeholders in the emerging technology. CBP has been collecting biometric information since 2004, and began using facial recognition technology in 2013 to process international passengers at U.S. ports of entry, including more than 20 airports.
And in August, TSA began testing its own facial recognition system at McCarran International Airport in Las Vegas.
“We have seen airports adopting the technology, but there are a lot of questions about how it’s used and stored,” said Patrick Carreno, vice president of airport operations at Pittsburgh International Airport, which does not utilize biometric screening. “Right now, we are exploring how we want to proceed and monitoring the progress being made in the industry.”
Concerns about data security in biometric screening aren’t uncommon. CBP employs a four-step process, including encryption and secure storage, and deletes all customer data within 12 hours of verification. CLEAR also encrypts customer biometric data into a unique code.
Yet no approach is ever 100 percent secure, according to Derek Scheller Jr., a Pittsburgh-based cybersecurity expert who runs his own firm. CBP itself was breached in June, exposing photographs and license plates of less than 100,000 people.
“How is the data encrypted in transit as it’s going over the wire, and how is it encrypted and stored at rest?” Scheller said. “If it’s not encrypted to the highest extent, then you’re going to have an issue. And the flip side to that is even when it’s in transit, how is it being transmitted? At any time if there is any hole over the web where somebody can gain access to a system remotely, then you’re going to have a whole other can of worms that you’ve gotta watch.
“Without knowing how they’re securing it, it’s difficult to say. But if they’re doing their due diligence to keep it as safe as possible while still allowing work to be conducted, then that’s really all we can ask for.”
Nevertheless, Scheller thinks convenience will eventually win out over privacy concerns.
“It’s a catch-22,” Scheller said. “Am I comfortable with it? No. But does it ease up security and make travel a little bit safer as we are [better] able to catch the bad guy doing something they shouldn’t be doing? Yeah. So you gotta take safety with security and look at all aspects of it.”