The Only Thing That Can Fix Air Travel Is Your Body
But what happens when a corporation has access to your biometric data? Clear wants to find out.The Only Thing That Can Fix Air Travel Is Your Body
But what happens when a corporation has access to your biometric data? Clear wants to find out.
What are you willing to give up to skip the line? What line? Well, it could be any line, but for this thought experiment, let’s say it’s the line at the airport. The line to get your boarding pass from the limited number of machines, or the godforsaken bag-check line. That’s followed by the security line, which, bag or no bag, one must shuffle through. Perhaps you have TSA Precheck. But if your airport is a commuter hub, there will likely be a line for that, too. And then there’s the line to hand over your boarding pass. And if you clear all of that, you can finally — finally — sit down on an airplane.
Now there’s another option. All you need to do is turn over all of your biological data. A growing contingent of companies is using biometrics to disrupt the line, and they’re doing so by identifying you more quickly than ever. But that could mean more than just a faster trip through the airport.
One of these companies is Clear. You may have already seen its stations while checking in for a flight; they’re nondescript kiosks that look an awful lot like a typical digital check-in station. But instead of swiping your credit card and pulling up your ticket, the company needs a few other details. First, Clear uses a knowledge-based assessment test; the system asks a series of personal questions based on commercially available data. Questions like, “Out of these five addresses, which one were you living at in 1992?”
“Based on this, we’re able to determine statistically that you are who you say you are,” says Clear chief administrative officer David Cohen. The machine then captures your fingerprints, performs an iris scan, and snaps a photo of your face. “We have a tokenized version of you now,” he says.
After the enrollment process, you can go directly to the airport’s security checkpoint, where there’s a dedicated lane for Clear users. There you’ll find another Clear pod, where your fingerprints, eyes, or face are scanned, and then you move to the physical bag check. (Clear is also testing a system at some airports that will let you use its kiosks for biometric bag check, lounge access, and plane boarding.) Clear’s thinking is simple: At the airport, keep your license and boarding pass in your pocket; your biometrics will do all the work.
“It’s like replacing the bank teller with the ATM,” says Cohen. Clear, a for-profit business, charges $15 a month for its service, or $179 a year. And for that, one of the most frustrating experiences in a traveler’s life can be mollified.
While Clear is primarily focused on convenience, the other half of any company in the business of identity verification is security. Evolv Technology is a sort of inversion of Clear: Its foremost focus is venue security, and it accomplishes this with an identity verification system that comes housed in portable pod-kiosks that look similar (though they aren’t functionally identical) to Clear’s. Evolv launched about four years ago to focus on protecting what CEO Michael Ellenbogen calls “soft targets” — an unprotected area through which people, goods, or vehicles are frequently moving. Think a mall or an airport. “Most of those places don’t have any screenings, and what we’ve seen is these days, virtually anything can be a target.” Evolv is already in airports, stadiums, train stations, and other locations around the country, and it can be had for about one-third the cost of a traditional body scanner.
Evolv has developed a new kind of body scanner called the Edge, which is far faster than what we’re used to going through at the airport. Current body scanners require about two seconds to process; Evolv’s takes about one one-hundredth of a second. Evolv gathers information, reconstructs it into a 3-D image, and analyzes it via software to see if there are “materials of interest.” This AI system makes the decisions, and if it finds something of note, it will highlight that data point for the operator, who can take it from there.
“It doesn’t require you to empty your pockets out, to take your phone out,” says Ellenbogen. “It speeds everything up. Right now, we do about 600 people an hour, which is two to three times the typical [speed] of a checkpoint.”
Evolv’s Edge isn’t replacing the security line process at the airport, though it is in airports. This is more of a front-door solution, an addition to what’s already in place with scanners, security workers, and systems like Clear and TSA Precheck. The idea is to make a space safer, but also help move things along if potential concerns are found before the security line. In other spaces, like concert venues or stadiums, it can replace the clog of people being manually checked via pat-down or scanning wands.
Your pockets aren’t the only thing that Evolv is scanning. It can also use facial-recognition technology should a client venue want that feature. “One of the things that we set out to do … is connect these different silos of currently disconnected information. After something like 80 percent of attacks, we hear that the attacker was known to the authorities,” says Ellenbogen. “So it’s a little frustrating hearing that, because it’s not helpful after the fact for the person who’s responsible for protecting that stadium.”
What Evolv can do is scan the face of a person going through its machine and check their face against a venue’s database. Regardless of what the venue chooses to do with that information — whether it’s a local drunk causing trouble at a ballgame or someone on TSA’s watch list — Evolv has created an experience that allows these spaces to more easily track their inhabitants. Between Clear and Evolv there is a common thread: We’re being tracked. Is that a bad thing?
Once upon a time, air travel was glamorous. The drudgery of squeezing into a car for hours or hauling one’s self to a train station for an even longer journey paled in comparison to the sophistication of flight. But today, airports are associated with chaos and tedium, and in this century, with seemingly endless lines.
Flying changed after 9/11. More people are flying than ever before, at the same time that federal budget cuts are limiting airport inspector personnel. Beleaguered travelers are demanding a fix, even if it comes at the cost of a fingerprint and an iris scan. At the same time these frustrations are mounting, the technology needed to alleviate them is getting better. Imaging sensors for high-res photos and fingerprints are improving their sensitivity and becoming more affordable; processor power to make these machines work faster and more efficiently (not to mention smaller and more portable) has exponentially improved. Most importantly, perhaps, is our increasing comfort with biometric-scanning technology, like Fitbits, cellphone thumbprint unlock features, and voice-enabled devices like the Echo (not to mention the soon-coming iPhone Face ID system). “Our growth is certainly part and parcel to the growth of biometrics,” says Clear’s Cohen.
The company is not the first to introduce biometric identification to the airport. INSPASS (Immigration and Naturalization Services Passenger Accelerated Service System), which launched in 1993, took international passengers’ handprints to speed up the customs process. INSPASS was phased out in 2003 and replaced with Global Entry, which takes fingerprints and a photo to move international travelers through the airport. It requires an in-person interview as well as a “rigorous” background check, and it costs $100 for a five-year license. TSA Precheck, which launched in 2011 and benefits stateside travelers, requires an interview, background check, and fingerprinting, and costs $85 for a five-year pass.
These, of course, are federal initiatives. Clear, a private company, says it’s not a competitor to these programs, and positions itself as a complementary service. Many of their customers, the company says, already have TSA Precheck. Clear isn’t trying to speed you through the part where you have to take your shoes off and put your laptop through the scanner; it’s just trying to get you to the front of that line more quickly. (Another distinction: Clear is not approved for international use.)
According to spokesperson Michael England, the Transportation Security Administration has regulatory oversight over RTPs, or registered traveler programs, like Clear, and monitors airports to make sure RTPs aren’t violating any TSA rules. “There is no data transfer in either direction between TSA and RTPs,” England wrote in an email. “However, RTPs are required to present their customer data to TSA on demand during inspections.” The people hired by RTPs have to go through TSA-mandated threat-assessment screenings and trainings, and airports are required to ensure their equipment is up to date.
Clear is treated like any other vendor at the airport — the business goes through the same process as Hudson News or Dunkin’ Donuts. Clear pays the airport to be there and then works with the airport to get its equipment installed. How much money Clear makes and how much the airport makes depends on the deal struck with that airport.
While Clear and Evolv don’t meet the same need, they overlap in some respects. “The more information we can provide, then the better the whole process is going to be for everyone,” Evolv’s Ellenbogen says. Increasing security usually means lines get longer. But Evolv says it can make a place more secure and prevent bottlenecks, and Clear can speed passengers through the airport with little more than a swipe of their fingertips. Taken together, theoretically they make the airport a safer, easier experience.
One important distinction between Clear and Evolv is opt-in-ability. When you enter a place like an airport, you know you’ll walk through a body scanner and have your ID checked; if you sign up for Clear, you know you’re getting your fingerprints scanned. But what about if a mall uses Evolv — should there be a big opt-in button outside clarifying that your face is being scanned and checked against a database? Well, no, not really, says Juliette Kayyem, who was President Obama’s assistant secretary for intergovernmental affairs at the Department of Homeland Security. (Kayyem, now a security analyst for CNN, is also an adviser for Evolv.)
“What is your option then? You don’t have a right to fly, you don’t have a right to go to a concert. Those are privileges, and part of the privilege assumes you’ll go through security,” Kayyem says. While Kayyem is a security expert, she is also focused on what she calls “flow,” meaning that despite the dangerous times we live in, consumers and the market demand that things keep moving. “A couple million people go through domestic airports a week, so you just can’t stop the system. I had a friend who was head of security at LAX, and he said if they close one gate, just one gate, because of a security thing, that is felt in Singapore 14 minutes later. The system can’t stop,” says Kayyem. “What we try to do in security is minimize the risk, maximize the defenses — but also remember we have to promote flow.”
Kayyem says that after 9/11, the security focus turned to footprints — people on the ground. More cops, more security workers, more border control agents. Things like that don’t work, she says. “I think we actually need more surveillance drones. I don’t think we need more custom and borders guys.” It’s time to shift thinking to higher-tech systems, she says — which, generally, are housed in flow-friendly pods à la Evolv and Clear — instead of hiring more security workers.
There’s no infrastructure upgrade required of the airport itself, since Clear’s technology comes in its kiosks. “The only thing we need from them is real estate,” says Cohen. But that is oversimplifying the situation — where there is an identification database, there are significant risks, from racial profiling to security breaches.
“Any system can be hacked,” says Thomas Keenan, author of Technocreep: The Surrender of Privacy and the Capitalization of Intimacy. “Equifax is a great example. They’re supposed to be such a paragon of security, so you just have to assume that this can be hacked. And it’s really a question of how much data they’re keeping on you.”
Clear, at least the old Clear, went through a hack of its own once upon a time. The company used to be under a different ownership group, Verified Identity Pass, or VIP. Though it was operated by another umbrella company, Clear offered the same service: using biometric data to get you through the airport more quickly. In 2009, after a data breach and a bankruptcy filing — amid rumors that it was going to sell its consumer data to third parties — the company was bought by Alcear and relaunched under new management in 2010.
Ryan Singel wrote about the incident for Wired at the time. “They said that they lost a laptop that had 33,000 people’s enrollment information and then claimed they found it in the closet,” says Singel. “Somebody had logged into it. But from everything that came out there was never any proof that anyone’s biometric data had been leaked, but they just kind of had shoddy security practices — like the laptop wasn’t encrypted … basic stuff that you would expect any company that was working in that space to do, but they didn’t.”
Clear is under new management, with new plans and strategies, as well as new security practices. Today, Clear is in 24 airports and has more than 1.4 million users. The new company also made explicit in its privacy policy that customer data cannot be rented or sold.
Unlike Social Security numbers or driver’s licenses, it’s much more difficult to steal biometric data. And increasingly, consumers are being asked to trade their data for convenience — your DNA is suddenly up for bartering as well, thanks to technology advances and an uptick in our comfort with basic biometric tools.
Heading to Ronald Reagan Washington National Airport anytime soon? Make sure to visit Monét and take a look at our kiosks featuring artwork from Bill Crandall.
Posted by CLEAR on Monday, November 28, 2016
But Clear isn’t focused only on your biometric data. It’s also a security company. Clear is a qualified anti-terrorism technology, a designation granted by the TSA and the Department of Homeland Security. After Clear’s relaunch, it required some persuading to get port authorities on board. “[Airports] wanted to do it, and they wanted to serve their customers, but they also had legitimate security concerns,” says Cohen. “The questions they had initially were certainly around security, but we were able to overcome those pretty quickly. DHS approval meant a lot.”
Cohen says the relationship with TSA and DHS has been “an evolution,” but that the company is “in a good place now” with the national security departments. “They’re constantly asking us questions and validating our operation.” The government’s faith in the system seems fair: It is difficult to fool a biometric system, especially one that is being used in public and under the scrutinous eyes of TSA agents and Clear personnel alike. But security is the heart of the matter. While it’s hard to fake someone else’s biometrics, it’s also hard — impossible, actually — to change them if they are stolen. So what happens if Clear is hacked and user biometric data is breached? I couldn’t quite get an answer to that question. Cohen assured me that security and privacy are of the utmost importance to Clear and that it is taking every precaution possible and adhering to TSA and DHS standards for protecting consumer data.
Thomas Keenan explains there are several ways that biometric identification can work. “Very often they don’t actually capture your full fingerprint. They turn your fingerprint into a number, and then the next time you walk up to it you hold your finger there and matches part of it up,” he says. But Keenan doesn’t know specifically how Clear’s technology works and, in the interest of security, the company would not detail its methodology.
“If they were storing images of the fingerprint, that could be interesting,” Keenan says, referencing a famous case in which someone took a high-resolution photo of German Defense Minister Ursula von der Leyen and from that was able to create a replica of her finger. “Apparently he was able to log into some secure device using that.” It’s unlikely this is what Clear (or any modern biometrics service) does, instead hashing its data and assigning our fingerprints and irises numerical matches. This is called “modifiable biometrics,” Keenan says, and it means that if there is a breach, you can, in fact, get a different algorithm assigned to your fingerprint or iris.
Aside from security concerns, though, biometric analysis does present a moral quandary. Yes, human biases are expressed in security lines every day, and the idea is that an algorithm can’t have a bias — but as we’ve seen, Silicon Valley’s prejudices are routinely baked into its software. Two Stanford researchers and professors recently created an “A.I. gaydar” to demonstrate the ethical issues associated with the facial-recognition technologies that are being used for identity verification and, in many cases by extension, profiling. There’s been a strong backlash to the system, but one of the creators, Michal Kosinski, says it should act as a warning — this software, he reasons, could be used in a country where it’s illegal to be gay. “The question is, can you live with yourself if you knew it’s possible and you didn’t let anyone know?” he told The New York Times.
Kosinski is far from the first expert to call attention to the potential duplicitous uses of biometric-reading identification systems. The Electronic Frontier Foundation has long discussed the scary side of such services. A representative of the organization pointed me toward a report from Georgetown Law’s Center on Privacy & Technology that found that services using facial recognition do so without regulation and that the results can negatively affect people of color.
New legislation could prevent companies from selling users’ biometric data to the highest bidder, and from obtaining it without users’ consent. “It’s important to get these rules in place before the horse gets out of the barn,” Washington state Representative Jeff Morris said about a bill passed in his chamber in March. (The bill later passed in the state Senate and was signed into law in May.) Opponents of the bill reasoned, in part, that the security benefits that biometric systems yield outweigh some of the potential data violations. So far, there is no federal legislation protecting consumers’ biometric information, though a handful of states have passed bills doing so.
Keenan says there could be reasons the government would want to know your sexual orientation. “Mr. Trump might not let you enlist in the Army,” he half joked. “There are two ends to this argument, and on one side you have the people who are worried about the government using this information; on the other, you have those more worried about ‘surveillance capitalism.’”
“That’s going to argue that private companies, companies like Alphabet, are actually worse than the government because they’re not only mercilessly taking your data, they’ll sell it,” Keenan says. “At least the government, by and large, keeps it to themselves or only shares it with other government agencies. A lot of my privacy friends are more afraid of what the private sector will do with your data.”
Keenan, who lives in Calgary, says he uses Global Entry when he travels between the U.S. and Canada. “I put my passport in, I put my fingerprints down, I look into a camera and I’m reasonably content to do that because it’s the U.S. government and I hope that they are actually protecting the data,” he says. “But also, I don’t want to stand in line for 35 minutes to talk to an immigration person.”
He says Clear “may be worth it. You may want to give up some of your privacy and even risk it being hacked to not have to stand in line at the airport.”
The problem, Keenan explains, is not so much that companies are using biometrics as a means to enable convenience and security — the problem is how they are storing that data and what they are doing with it after the fact. Keenan says National Hockey League arenas are beginning to experiment with facial recognition as a security measure.
“Immediately all my privacy friends, including me, said, ‘Oh my god they can track us!’” he says with a laugh. “But then it becomes more about the important thing: Well, what becomes of that data? I’m actually pretty happy if I go to a Calgary Flames game and I’m safer because they spotted a terrorist in the crowd and then they threw that data away. But I’m not happy if they save that data forever, give it to the police, use it to look at other places I’ve been. So one of the big issues when you create a system like this is data storage.”
Kayyem, the CNN analyst and Evolv adviser, echoes Keenan’s concerns about hacking, and says the market needs to “grow up a little bit” and realize that nothing is unhackable — companies that take this data should be obliged to have layers upon layers of defense. At the same time, she reasons that we’ve been giving up personal information for some time now, and biometrics are just the latest bit we’re being asked for. And at least this time, we’re trading it for more than a Google search or a Facebook profile.
She’s not the only one who thinks we should be getting a fairer trade. Leslie Saxon, who runs the USC Center for Body Computing, believes our biometric data is valuable, and if we’re going to be trading it, we should be getting significantly more than what’s being offered. (Which, unless you think of Facebook as bringing monetary value to your life, is nothing.) Saxon, though, is speaking of health biometrics when she talks about how we should be rewarded for sharing this data. And some platforms do just that: Achievement, for example, is a health app that awards users points (and eventually cash or other prizes) in exchange for your fitness data. It’s an attitude adjustment for sure, given how accustomed consumers are to giving away personal information. Saxon’s point is that perhaps a developing country could subsidize health care by giving it away to people who allow their biometrics to be measured, and sure, there is a risk in health data being breached, but the payment for that risk is immense.
“But this is convenience and security,” she says when we’re talking about Clear. “So by giving your data, it’s also a security play. And I think people would give a lot of their data away to be more secure.” She notes the convenience factor is huge, too — there is a gain there, even though consumers pay for the service. In fact, as she clicked around the site while we spoke on the phone, she told me she was going to sign up for Clear right then.
Notions of privacy have fallen away recently — we’ve been conditioned to give up more of ourselves, to social media, to corporations, to the internet at large. “Look at what we give away with a Google search, right? People give away enormous amounts of information for the ruthless efficiency of that,” Saxon says. “Many times, they’re not really aware of how deep that goes, and what it’s for, you know? It’s for another company to make money.”
An earlier version of this piece incorrectly stated that Clear pods scan all three of a user’s fingerprints, eyes, and face; the pods scan just one of those three features. Also, an incorrect statement referring to Clear body scanners was corrected to refer to a company pilot program that expands what the kiosks can grant users access to within airports; the company does not produce body scanners. Finally, two erroneous references to “DNA” were changed to “biometrics.”