In June 2017, JetBlue Airways collaborated with U.S. Customs and Border Protection (CBP) and Société Internationale de Télécommunications Aéronautiques (SITA), a multinational IT company, to trial the world’s first biometric boarding system using facial scanning.1 The test took place at Boston Logan Airport and allowed passengers to board without a paper ticket.2 Rather than handing their ticket to a gate agent, a special camera took the passenger’s photo and sent it to U.S. authorities where it was compared against passport and visa photos for verification.3
JetBlue is not the first company to implement biometric scanning into its boarding processes. In fact, the technology has been widely adopted amidst claims that it will help identify visa overstays, improve efficiency, and improve the passenger experience in airlines around the world.4 In the U.S., over fifteen airports have implemented biometric scanning5 and a report published by SITA in March 2018 indicates that “63% of airports and 43% of airlines plan to invest in biometric ID management solutions” by March 2021.6
Since the implementation of biometric scanners in U.S. airports, DHS has amassed a database of over ten billion biographic records, with over ten million more added each week; one of the largest databases of personal, biographic, and biometric data in the world.7 The database “contains more than 200 million unique biometric identifiers and accesses more than 100 million biometric transactions every year.”8 Recent support from Congress, including, in 2016, the authorization of one billion dollars to fund implementation of biometric scanning in U.S. airports,9 means that widespread biometric scanning across U.S. airports, and the continued collection of citizens’ biometric data, is a basic inevitability. Yet, implementation has occurred prematurely and at the cost of American civil liberties.
The U.S. Constitution contains no express right to privacy but the Bill of Rights reflects the concerns of James Madison and other framers for protecting specific aspects of privacy including privacy of beliefs, privacy of the home, privacy against unreasonable searches, and privacy of personal information. In addition, the Ninth Amendment states that the “enumeration of certain rights” in the Bill of Rights “shall not be construed to deny or disparage other rights retained by the people.10 In J. Goldberg’s Griswold concurrence, this amendment was broadly read as protecting privacy in ways not specifically provided by the first eight amendments.11 Further, since 1923 onwards, the Supreme Court has broadly read the Fourteenth Amendment to guarantee a fairly broad right of privacy, including child-rearing decisions, the possession and viewing of pornography, and termination of medical treatment.12 These holdings seem to reflect the idea that certain types of privacy are an “intrinsic value,”13 one which, though not explicitly written into the Constitution, should nonetheless be protected.
However, specifically within the context of national security, privacy rights have arguably contracted. For example, post 9/11 changes to the law such as the USA Patriot Act have eroded many privacy rights while allowing for invasions such as wiretaps, internet monitoring, and other forms of domestic intelligence gathering (so long as the person being surveilled did not honestly and genuinely believe that the location under surveillance was private).14 These developments suggest that perhaps biometric scanning of American citizens in the public sphere is merely an inevitable part of this progression.
Amidst ambiguity regarding the scope of American privacy rights, The Privacy Act of 1974 (hereinafter “Privacy Act” or “the Act”) provides one of the only meaningful restraints on the government’s use of personal data.15 The Act articulates important limitations on how the Federal Government should treat individuals’ information and imposes duties upon federal agencies regarding the collection, use, dissemination, and maintenance of personally identifiable information.16 Until 2018, the Act represented one of the only legal limitations on DHS’s collection and use of biometric and other personal data.
On July 31st, 2018, however, DHS revealed that it sought to be exempted from the Privacy Act.17 Through a Privacy Act Notice of Public Rulemaking (NPRM), DHS proposed to change the way in which biometric data was stored.18 More specifically, the department proposed to exempt its IBBC database, which stores “a wide range of sensitive information,” including biometric data on “individuals who are merely affiliated/associated with or represent an individual filing for immigration benefits” (i.e., not just the data of non-citizens), from several significant provisions of the Privacy Act.19 Pursuant to this notice, numerous organizations, including the Electronic Privacy Information Center (EPIC), published comments scathing the change and recommending that the exception be narrowed, noting that the scope of information which could be collected is “broad and ambiguous.”20 Then, in June 2019, DHS issued a second NPRM, this time seeking to expand the “applicability of the previously issued exemptions from the Privacy Act of 1974 to account for modified routine uses.”21 If passed in its current form, the IBBC will essentially grant DHS a license to use personal data in a nearly unrestrained manner, for anything DHS considers “routine,” and without regard to the Privacy Act.
The only clear solution is increased transparency and federal legislation. Without explicit federal legislation, DHS can essentially “change their minds on how they use the data at any time.”22 To the average consumer, biometric scanning represents an exciting new era of technology. However, the scanning of U.S. citizens is legally infirm and implicates serious constitutional concerns. In order for biometric scanning to continue, DHS should be transparent regarding its storage, use, and sharing of biometric data.