Your face is about to become your ticket. Airports in Spain are standardizing facial recognition, a technology that will allow users to speed up their passage through security controls without having to take out their documents or boarding pass. However, adopting this measure raises concerns about their security and privacy.
Vueling was the first airline in the country to implement this controversial identification method. In 2021, he launched the pilot program developed by AENA in Barcelona and, after deeming it a success, decided to install it at the airport of the Catalan capital and the airports of Madrid, Menorca, Palma de Mallorca and Ibiza. He announced on Wednesday that he would “soon” expand his scope to include the northern regions of Gran Canaria and Tenerife. Other airlines, such as Air Europa, Inter and Iberia, are also participating in this initiative.
Recognition systems using artificial intelligence (AI) extend to more and more aspects. They are used to unlock the mobile phone screen and to prove to your bank that you are the account holder. To do this, they analyze biometric data, which is extracted from each person's unique characteristics, such as fingerprint, iris, and face. Its uniqueness makes it particularly sensitive, as in the wrong hands it can facilitate forgery and impersonation.
Airports around the world, from London to Frankfurt, have been testing these and other technologies for years. In the United States, for example, it wants to extend to 430 points in the country. “We are convinced that the journeys of the future will pass through biometrics,” explains Javier Alvarez, CTO of Vueling.
But other voices doubt this trend. “Unfortunately, since 9/11, airports have become a test bed for the surveillance community,” warns Gemma Galdon, director of technology consultancy Eticas. Digital rights organizations, such as the Electronic Frontier Foundation, also view biometric standardization with concern.
European law prohibits the use of such AI systems in the vast majority of cases, but grants exceptions for those deemed to be of public safety importance. “Airports are important infrastructures for national security, so facial recognition is justified there,” says Borja Asoara, a lawyer expert in digital law and data protection.
Impact on privacy
The Vueling procedure is voluntary and requires explicit consent from clients. The IAG-owned low-cost airline has described this as an “experience enhancement” to make the sometimes stressful journey of boarding “as easy and comfortable as possible”. However, AENA explains on its website that the justification for choosing this technology is also based on the mission of “improving levels of safety, efficiency and effectiveness.”
Some experts are concerned about the impact this could have on user privacy. “What would happen if a cyberattack leaked your biometric data? It's a possible scenario,” warns Silva Oregon, a cybersecurity forensics expert.
Airlines and airports are one of the main targets of cybercrime. At the end of last year, Air Europe – part of AENA's facial recognition program – was the victim of a hack that resulted in a leak of banking data. The company advised its customers to block their credit cards, but what if the stolen information was your face?
Vueling specifies on its website that users' biometric data collected through its app will be managed by AENA. When asked by this newspaper, the General Director of Spanish Airports limited himself to pointing out that the base where all this sensitive information is stored “is in accordance with the legislation.” It also specifies on its website that data will only be kept “for a maximum of 24 hours after your flight closes.”
However, this does not guarantee that theft will not occur. “There is no security system in the world that is impenetrable,” Oregon says. “It is a matter of time, attention and resources,” he adds.
Biases and errors
Another potential problem with facial recognition is its reliability. In 2022, the European Data Protection Commission noted that these technologies “do not provide a final result, but are based on probabilities.” In other words: they could be wrong. Several studies have also concluded that statistical results run the risk of reproducing biases that often disadvantage racial minorities. “Identification has been shown to fail more with clients of color and middle-aged men,” Galdon warns.
Mistakes made by machines can have a real impact. In 2022, a 61-year-old man was imprisoned in Texas (USA) because the facial recognition system at Macy's falsely accused him of armed robbery. After being assaulted and raped in prison, he filed a lawsuit last week seeking $10 million in damages from the chain.
“Infuriatingly humble social media buff. Twitter advocate. Writer. Internet nerd.”
