
JetBlue explains to a passenger how it got a photo of her face - wizeman
https://boingboing.net/2019/04/23/in-this-twitter-exchange-jetb.html
======
tehjoker
This essentially gives the government much tighter control of a process that,
while decent, has some loose ends in it. For instance, document forging is
something that is less effective than it used to be given digital chips and
facial recognition.

It is of course legitimate for a democracy to check things like which plants
are coming across the border and to deny access or apprehend war criminals and
the like. However, the USG does not have a current record of using its powers
for good recently. Example: the muslim ban. Anyone who managed to get around
that is a hero even if it was illegal because it's an immoral policy.

Tighter control means tighter control of dissent. Want to find that soldier
with those leaked documents? Want to locate that journalist with news of
unseemly interventions in central America? Want to find those people of the
wrong race or religion that are the convenient scapegoat of the moment? Sure,
let's make border control more precise. Most people are actually decent and
should have default global freedom to move and work by birthright. US border
control is about denying people entry, but the main effect is denying ordinary
people with a minor effect of deterring crime.

~~~
Lost_BiomedE
We have yet to see another Stalin with all this new tech. Something I hope we
never see. I wish Gulag Archipelago was history 101 at university.

~~~
skrebbel
Xi Jinping is trying pretty hard.

~~~
_Codemonkeyism
Stalin is 10M deads in the lead.

~~~
ben_w
I thought most of those deaths were indirectly, resulting from agricultural
and economic policies and forced relocations and only a relatively (10%) small
number of executions?

If you include economic causes, you might need to include the excess mortality
of systematically impoverished communities in western nations — and I don’t
just mean “PoC in the USA”, as I can point to a UK study claiming the
government’s austerity policies since 2010 have caused 120,000 excess deaths:
[https://www.bmj.com/company/newsroom/health-and-social-
care-...](https://www.bmj.com/company/newsroom/health-and-social-care-
spending-cuts-linked-to-120000-excess-deaths-in-england/)

Also, if those deaths were related to economic policies, you probably have to
weigh them by population size.

Obviously that’s still a million executions more than most; I am not defending
him, this is just about making it an apples-to-apples comparison.

~~~
_Codemonkeyism
It looks like something of ~7M from the famines, ~2M from Gulags, ~1M from
executions, uncertain number from torture.

Numbers from

[https://en.wikipedia.org/wiki/Excess_mortality_in_the_Soviet...](https://en.wikipedia.org/wiki/Excess_mortality_in_the_Soviet_Union_under_Joseph_Stalin)

I'd say if famines are the cheapest way, many dictators with a genocide mind
set would do that if possible.

------
crazygringo
Most relevant details, from the last link [1]:

> _It took her photo, comparing her picture to a preloaded photo databased of
> all the passengers with tickets on this flight, and then she got a check
> mark, indicating she was cleared to board. The whole process took about five
> to six seconds._

> _The Aruba experiment is expected to last somewhere between 45 and 90 days._

> _" We're basically capturing that picture at the boarding gate, providing it
> to U.S. Customs and Border Protection. They're identifying the traveler,"
> Farrell said. "It's actually the U.S. government that's implementing the
> biometric matching system that does all the hard analysis and crunching of
> the data."_

> _A biometric exit system to track non-U.S. citizens using their faces or
> fingerprints has long been a congressional mandate, particularly after 9
> /11, to improve border security and identify people who've overstayed their
> visas._

> _Crockford says people don 't know how CBP might share that data with local
> police. CBP insists it'll discard photos taken of citizens, and only keep a
> database of non-citizens._

> _Customs and Border Protection has been piloting similar biometric tests at
> airports in Atlanta, New York and the D.C. area. And, according to a customs
> official, the goal is to deploy facial recognition tech widely by early next
> year._

I guess it must be comparing with their passport photo? (Or visa photo, for
foreigners?) It doesn't seem much different from the way you're already
required to show your physical passport and they check your photo manually.
It's also always been pretty normal to have your photo taken by countries when
passing through passport control. So I don't really see what the problem would
be here?

[1] [https://www.wbur.org/bostonomix/2017/06/21/jetblue-facial-
re...](https://www.wbur.org/bostonomix/2017/06/21/jetblue-facial-recognition-
pilot)

~~~
chatmasta
Is it really that useful to identify someone who has overstayed their visa
_when they are leaving the country_? Sure, you then know not to let them in
next time. But it seems like a lot of effort when there are so many people
overstaying their visa and _not_ leaving out of the airports.

That said, even as a libertarian, privacy-conscious person, I'm not sure I
have a problem with exit controls like this. It's important to know who is
crossing the border, in both directions.

But why do they even need the photo? Presumably the name is already on the
ticket... surely they can detect overstays from names + address alone, not
just photos?

~~~
gumby
> It's important to know who is crossing the border, in both directions.

Why?

And if there exists an important reason to know that someone is exiting the
country does that same criterion not also apply to exiting a state or city or
neighborhood?

I am not being sarcastic; I am genuinely unable to come up with a reason it's
important to track _who_ leaves almost any place, except in highly unusual
cases (e.g. "OK guys, chatmasta has gone; let's get to work planning the
surprise party for when he gets back")

~~~
URSpider94
Its worth pointing out that the US is literally the only country in the world
that I have visited, in my recollection, that does not have passport control
upon exiting the country.

~~~
biztos
I know it's not quite the same thing, but most countries in the EU have no
passport control upon exiting _or entering_ the country as long as it's within
the Schengen zone.

So France has basically no idea who shows up from Germany or leaves via
Belgium. The countries on the external borders are supposed to handle all
that.

Now I suppose it's possible there is a lot of data exchanged in real time and
so on, but it's also possible that is a complete mess and nobody really knows
anything, especially about citizens (GDPR).

~~~
lazerwalker
To the parent's point, though, passports ARE checked at the point you exit the
Schengen area, whereas they're generally not when you leave the US.

~~~
seszett
They are checked by the foreign country though, not by the country you're
leaving.

I have not crossed that many non-Schengen land borders, but as far as I
remember it was the same every time, when going from France to England through
the channel, Belgium to England by train, France to Switzerland (before
Switzerland joined Schengen) and Canada to the US.

~~~
lazerwalker
When flying from a Schengen area country to the US, border patrol on the
departing side is entirely managed by that country. Often e.g. United-operated
flights from larger European airports will have their own passport check, but
that always happens after you pass through the departing country's passport
control. At least, this is my personal experience flying between Germany and
the US ~once a month.

I have been to a few airports where you explicitly clear US customs at the
departing airport before leaving for the US — Vancouver, BC and Dublin Shannon
come to mind.

If you've overstayed your automatic 90-day Schengen area travel visa, a common
hack for backpackers and such is to intentionally leave the Schengen area from
someplace like France that's generally less strict about counting exact days
than many other EU countries.

To be fair, I don't have much experience flying from the Schengen area to non-
Schengen area non-US countries. It's totally possible this is all rigamarole
that the US government pressures other countries to do.

------
lucisferre
What is tiring me out about all this "technology improvement" in airport
check-in is how confusing it is and how often it changes.

There is no one clear process anymore.

Last week I went to board a flight and checked in using the phone app. At the
airport I needed to get a baggage ticket so I used the machine there for that,
but it basically had me go through the whole check-in all over again. On top
of that the first machine errored during the step to pay the baggage fee so I
ended up doing that again with another machine.

Afterwards I went to drop off my bag and was told the tag was not "active" and
I'd have to go to the desk.

What the hell is the point of any of these electronic options if at the end of
it all I still have to wait in line for an agent, stand there while they "mmm-
hmmm" at their computer and avoid eye-contact with me for 5 minutes just to
finally scan the tag I had printed and attached myself?

~~~
throwawayjava
Automation and self-serve makes sense even if N% of people fall through the
cracks. As long as N is small enough that you can comfortably reduce headcount
while not degrading customer experience.

~~~
lucisferre
In my case I'm pretty sure N is 100%

------
apcragg
Privacy concerns aside, I can't wait to read the "Facial Recognition let me on
the wrong flight when I got in the wrong line by accident" articles that are
going to come out of this. Unless these systems have some fantastic (1e-6)
P_{false alarm} rate or better, people are going to be mistaken for other
people and let on the wrong flight sooner or later.

~~~
dzhiurgis
You need at least 2 people for this mixup to happen...

~~~
fcarraldo
You don’t, really. Whoever is checked in first gets the seat. The second
person will be questioned, and hopefully it will be cleared up. With the
number of flights in and out of the US each day, it’s bound to happen unless
the false positive rate is extremely low, which would only be possible through
an extremely invasive cataloguing of photographs beyond those taken for DMV
and Passport photos.

------
jacklewis
Here in Australia we have automated passport control gates that scan a chip in
our passport then takes a photo of our face (and I assume does some matching
with our passport photo) before allowing reentry. It's quite quick and very
convenient. Although I'm not aware of any airlines being able to use the
system for boarding.

~~~
daurnimator
Note that is only for international travel.

In Australia, you don't need an ID for a domestic flight; and non-flyers are
permitted to walk to the gate, no boarding pass is required to go through
security.

~~~
6nf
There's some talk about changing this but I hope they don't. It's really
convenient to just walk on and fly - you can do Sydney to Melbourne door to
door in 2 hours.

------
joezydeco
I guess now we all know what the REAL ID act was about.

[https://www.dhs.gov/real-id](https://www.dhs.gov/real-id)

~~~
amichal
This was somewhat explicitly what REAL ID was about. Provide name age, address
and photo to the feds along with any related state ID info (which often
correlates easily with fed info). I would not be surprised if airport cameras
already put "citizen ids" on photos for the right folks...

~~~
Gaelan
IDK enough about this to know who's right, but the DHS denies this:

> Is DHS trying to build a national database with all of our information?

> No. REAL ID is a national set of standards, not a national identification
> card. REAL ID does not create a federal database of driver license
> information. Each jurisdiction continues to issue its own unique license,
> maintains its own records, and controls who gets access to those records and
> under what circumstances. The purpose of REAL ID is to make our identity
> documents more consistent and secure.

------
kruegel
> Was my image, in the space of those seconds, sent to CBP, run through a
> database, matched to a name, and then sent back to @JetBlue?

Actually, it was probably done in a fraction of a second.

~~~
unreal37
Yes, that was a funny thing she tweeted. So surprised that a few KB of data
was transmitted on a high speed network in under a second. :)

------
spullara
It is annoying that the title of the article is inaccurate. They use an API
that calls external government servers to compare the photos.

~~~
ShakataGaNai
To be fair, it's not clear how these devices work. It _sounds_ like they are
taking a photo, submittiting it to an API and waiting for a result. However
FTA linked in the Twitter exchange "preloaded photo databased of all the
passengers".

It implies that the devices that JetBlue are using for boarding, already have
all the photos in them. If this hardware belongs to JetBlue (rather than
CBP/DHS/etc), then one would be correct in saying that JetBlue has the
passengers photos. So we really don't know either way how this works.

I'll also add my personal anecdote: Recently I flew internationally out of SFO
(I live in the Bay Area) and CBP was there to take "exit photos" of everyone
with similar style devices. This was not part of the boarding pass process as
we still had to do scan tickets afterwards.

~~~
aepiepaey
The same article later states

> "We're basically capturing that picture at the boarding gate, providing it
> to U.S. Customs and Border Protection. They're identifying the traveler,"
> Farrell said. "It's actually the U.S. government that's implementing the
> biometric matching system that does all the hard analysis and crunching of
> the data."

So I'd say it's more likely that it is CBP who has the database (and not
JetBlue).

------
AnnoyingSwede
I am curious to how this would work if 2 twins travel together. If it would
mismatch or demand both to verify with a manual check?

------
tracker1
Given the new Travel ID requirements coming up, I'm not surprised in the
slightest by this.

------
tootie
Can biometric data be hashed like a password would be? Or is the signal too
noisy?

~~~
Rapzid
I would guess they encrypt whatever they send to DHS. Hashing would destroy
all the information required to make a match.

~~~
shoo
not necessarily, consider e.g. [https://medium.com/value-stream-
design/introducing-one-of-th...](https://medium.com/value-stream-
design/introducing-one-of-the-best-hacks-in-machine-learning-the-hashing-
trick-bf6a9c8af18f)

------
dbrgn
I sense there's a business opportunity for "finding another person's data that
looks very similar to you according to facial recognition models"...

If there is such a person, you could sign up with their name / birthdate and
walk through the control points without having to show your ID (which you
didn't bring "because you thought the face ID was sufficient").

------
Causality1
Yet another example that if something profitable is both technically possible
and legal, it IS being done whether you know about it or not.

------
rneiss
Delta too -- though they've been less responsive:

[https://twitter.com/RealPressSecBot/status/11232845870635130...](https://twitter.com/RealPressSecBot/status/1123284587063513088)

------
yalogin
I can bet that they have a copy of all photos on their servers. No company
will be foolish enough to build a business/service that relies on another
entity, much so a government organization that is not known for building
highly scalable services. This is a crucial part of their process and any
delays will impact their bottom line. So they have all faces with them and so
does every other company. Also, just the face is not enough, they need all the
other identifying info associated with it. So they got everything.

Also, the government organization is not foolish enough to build such a
service they get to be blamed for. They gave/sold that data away.

Just the face is of no use, the identifying information that goes along with
it is also given. So at this point any company in the US can just query your
entire info from your photo. Privacy is dead and it is provided as a service
by the government. Wonderful.

Question is can anyone get this data?

~~~
mienski
While I’m totally onboard with the privacy concerns, this is ridiculous FUD to
just assume that every company just took on the security and storage risk of
holding that data. Find me an enterprise department/exec that would willingly
take that on to support a trial.

The corporate bogeyman is a great story but I think you’re being a little
unrealistic here. These systems typically allow the picture to be sent in with
a name, and the system returns a success or fail response.

~~~
yalogin
I don’t think so. I am being completely reasonable and rational here. Let me
ask this, what is special about JetBlue? If JetBlue doesn’t host the service
on their data centers would they be willing to offer such a service? If a
government agency can reasonably be expected to not play favorites and offer
the service to anyone within reason, do you think they will be able to scale
it up and offer the kind of SLAa expected by money making businesses? Why
would an agency want to get in to that endeavor?

Please, offer me alternative view points rather than calling my theory FUD.

~~~
seandougall
Presumably the airline could always fall back on traditional paper/mobile
boarding passes if the system goes down. It’d mean a bit of a delay, but it’s
not like the whole operation would grind to a halt.

It’s true that we have no guarantee that the airlines won’t save our photos
along with our ID information, but they _could_ already have been doing that
for years. There just doesn’t seem to be that much reason why they would.

------
teekert
I work for a large company that uses genomics data for health care related
research. The GDPR is a huge pain in our butts. But man do I love the "people
over companies" attitude of this law as a citizen.

------
willart4food
It's kind of surprising that we're still surprised by this.

~~~
kzrdude
It's good that we are surprised. The total surveillance system is being
normalized far too quickly.

At this rate, in 10 years we will see even more "conveniences" like for
example automatic face id in shops and on websites that pull your payment
information and can authorize payments from your card/account - with no setup.

People will say "Kinda spooky how they can just take my money automatically
but it's convenient" and you'll be there to say "It's kind of surprising that
we're still surprised by this." ;-) I hope!

That will be underpinned by even larger surveillance and data collections on
people, that can do a lot of harm when/if data is leaked or the systems are
breached.

~~~
Ace_Archer
This is already closer than you think, Amazon actually has a physical store
exactly like this:
[https://www.amazon.com/b?ie=UTF8&node=16008589011](https://www.amazon.com/b?ie=UTF8&node=16008589011)

------
modzu
see also how Runa Sandvik got a copy of all her photos from the DHS:

[https://medium.com/matter/how-i-requested-my-photographs-
fro...](https://medium.com/matter/how-i-requested-my-photographs-from-the-
department-of-homeland-security-97ec2d51f7a0)

------
scarejunba
Honestly, if implanting a chip in my arm meant I could just walk through
immigration/customs/check-in without carrying anything I'd do it. I have
Global Entry so things are already pretty good but I'd give them anything to
ease the process. And it's not like I'm going to lose my arm in the normal run
of play so that's even better than my passport.

------
unit_circle
This is dope

------
breakingcups
That's just bizarre. This would never, ever, fly under the GDPR.

~~~
resoluteteeth
Are you sure? According to what the airline said, the airline doesn't have the
facial recognition data; rather they are just taking photos from passengers
who opt in to board via this method, and the photos only need to be stored for
a few seconds so they can be sent to DHS for verification.

The airline isn't taking or storing photos of passengers who don't opt into
this process, but it is presumably sending the government a list of all
passengers prior to boarding so that photos of passengers who opt in can be
verified. Would this violate the GDPR?

~~~
ProAm
> According to what the airline said, the airline doesn't have the facial
> recognition data

I absolutely do not believe the tweets from a company PR representative as to
how their technology actually works.

~~~
kruegel
Regardless of whether this PR person knows anything or not, I think the much
more likely scenario is that they are sending facial recognition requests to a
CBP API vs. building their own facial recognition database with 100s of
millions of identities out of thin air.

~~~
craftinator
But they have your photo after they take it, and the CBP verifies for them who
you are. From this information transfer, the airline can replicate the CBP
database entry for each person that it takes a picture of... In the long run,
they can build a facial recognition database of everyone who flies. Am I wrong
about this?

~~~
oh_sigh
No, but whether they actually are or not is another question.

They could also build the same database 10 years ago by taking your picture as
you scanned your boarding pass.

~~~
craftinator
I haven't done international travel (by normal means), have they always taken
your picture for that? Thanks for the info!

~~~
oh_sigh
No, but they could surreptitiously take your photo if they wanted to. I doubt
there is much expectation of privacy at an airport gate

