Watchdog says face scanning at US airports is plagued with technical problems

A watchdog report has warned that Homeland Security’s face scanning program, designed to track all departing travelers from the US, is facing “technical and operational challenges” that may not see the system fully working by the time of its estimated completion in 2021.

The report by Homeland Security’s inspector general said that although Customs and Border Protection (CBP) was making “considerable progress” in rolling out the facial scanning technology, the program is dogged with problems.

CBP has been on a years-long effort to roll out facial recognition at US airports, trialing one airport after the other with the help of airlines, in an effort to track passengers as they leave the US. Although citizens can opt out, the biometric scanning is mandatory for all foreign nationals and visitors. CBP is using the system to crack down on those who overstay their visas, but critics say the system violates privacy rights.

Currently in nine airports, the facial recognition program is set to be operational in the top 20 airports by 2021. But the inspector general report out Tuesday said that the government may miss that target.

“During the pilot, CBP encountered various technical and operational challenges that limited biometric confirmation to only 85 percent of all passengers processed,” the report said. “These challenges included poor network availability, a lack of dedicated staff, and compressed boarding times due to flight delays.”

The report said that the scanners failed to “consistently match individuals of certain age groups or nationalities.”

Although the system detected 1,300 visitors overstaying their allowed time in the US, the watchdog seemed to suggest that more overstays would have been found if the system wasn’t running under capacity at an 85 percent success rate.

As a result, CBP “may be unable to meet expectations for achieving full operational capability, including biometrically processing 100 percent of all international passengers at the 20 busiest airports,” the report said.

Staffing issues and a lack of certainty around airline assistance are also throwing the program into question. After all, CBP said that it will rely on the airlines to take the facial scans, while CBP does the background checks behind the scenes. But CBP’s “plans to rely upon airport stakeholders” for equipment purchases, like digital cameras needed for taking passenger photos at boarding gates “pose a significant point of failure” for the program, the report read.

“Until CBP resolves the longstanding questions regarding stakeholder commitment to its biometric program, it may not be able to scale up to reach full operating capability by 2021 as planned,” the report said.

Although the CBP disagreed, the agency said it would “develop an internal contingency plan” in case airlines and airports decline to help.

A CBP spokesperson did not return a request for comment.

France records big jump in privacy complaints since GDPR

Another European data protection agency has reported a sharp rise in the numbers of complaints since the EU updated its privacy framework four months ago, when GDPR came into force, updating regional data protection rules and introducing much higher penalties for privacy violations.

France’s CNIL agency said today that it’s received 3,767 complaints since May 25, when GDPR came into force, up from 2,294 complaints over the same period last year — which it notes was already a record year.

CNIL says this represents a 64% increase in complaints, which it suggests shows that EU citizens have “seized the GDPR strongly” — attributing public engagement on the issue to media attention on the new regulation and on data protection stories such as the Facebook-Cambridge Analytica data misuse scandal.

It also reports receiving more than 600 data breach notifications, affecting a total of around 15 million people, since GDPR D-Day.

Last month data from the UK’s Information Commissioner’s Office also showed a big rise in privacy complaints since the new regulation came into force, with 6,281 filed between May 25 and July 3 — more than double the 2,417 complaints lodged during the same period a year earlier.

A report in The Irish Times at the end of July also indicated similar increases in Ireland. The Irish Data Protection Commission was reported to have received 1,184 data breach reports two months after GDPR — up significantly on the average of 230 reported each month in 2017. The DPC also logged 743 complaints in the first two months of GDPR, with the regulation reportedly applying in 267 cases.

As well as receiving record numbers of privacy complaints from individuals, CNIL notes that two organizations have filed complaints on behalf of consumers (a ‘collective redress’ capacity introduced by GDPR, at least in EU countries where the national government chose to adopt it).

The two organizations filing complaints on consumers’ behalf in France are Max Schrems’ privacy NGO, noyb (which was one of the first out of the gate to file GDPR complaints over ‘forced consent’, including in France against Google); and the French digital rights group, La Quadrature du Net, which CNIL says has lodged complaints with it against Google, Amazon, Facebook, LinkedIn and Apple.

In its four month update since GDPR the regulator also notes that European data protection authorities are currently handling and co-operating to investigate more than 200 cross-border complaints.

“These complaints raise questions about consent in general, and in particular that of minors,” it notes.

It also says 24,500 organizations have appointed a data protection officer, since GDPR came into force and ushered in a general requirement for a DPO (at least in most cases).

More privacy-related developments look to be in the pipe too, as CNIL says it will be proposing some new regulatory tools — including a biometrics standard regulation, which it says has been in consultation since September 3. “It will set a demanding and protective environment,” it writes of that.

Standards for a certification for DPOs are also slated to be finalized during September.

And the regulator says it’s working on a number of codes of conduct — to cover specific tech areas, such as medical research and cloud infrastructure.

Delta to start scanning faces at airport check-in

Delta will later this year roll out facial recognition at its terminal at Atlanta International Airport for anyone traveling on an international flight.

The airline said the biometric facial scanning is optional — a move that will shave a few minutes off each flight — but will help border and pre-flight security authorities before jetting out of the US. It’s the latest roll-out of facial recognition trials at Detroit Metropolitan and New York John F. Kennedy airports.

What might be convenient to some is, to others, a privacy violation — and some argue that without approval from Congress, it could be illegal.

Facial recognition at airports is a controversial move, one that’s been decried over the past year since it first rolled out last year. Six major US airports completed trials as part of a wider rollout — aimed to be completed by today. CBP relies on airlines to collect facial recognition data, something Delta doesn’t shy away from. The airline said facial recognition “is a natural next step following CBP and Delta’s optional facial recognition boarding tests” at Atlanta.

Customs and Border Protection has previously said that the move was to crack down on those who overstay their visas, but privacy advocates said that it steps on privacy rights.

Travelers who don’t want their faces scanned will be given several opportunities to opt out, Delta spokesperson Kathryn Steele told TechCrunch, and can continue to “proceed normally” through security.

CBP spokesperson Jennifer Gabris said that only US citizens can opt out, and will have their documents checked manually.

Homeland Security, which oversees border security, struck a different tone when last year it said that anyone who wanted to opt out of having their faces scanned should “refrain from traveling.”

Biometric data collected by Delta is stored by the government for two weeks, but exit records on citizens and green card holders are held for 15 years, and 75 years for non-immigrant visitors.

If that makes you uneasy, don’t expect the rollout to slow any time soon. Homeland Security continues to expand the program and is expected to roll out to land borders. Airport biometric scanners last month caught a traveler with a fake passport after using the facial scanners at Washington Dulles airport.

Even with one success story in the bag, it’s a tough sell to convince the government to pull back now.

So long then, iPhone home button…

… it was nice pressing you. Well, at least some of the thousands and thousands of times. Apple has finally abandoned a feature that’s been a staple of its smartphones since the very start, over a decade ago: A physical home button.

The trio of almost-all-screen iPhones unboxed today at its Cupertino HQ go all in on looks and swipes, with nothing but a sensor-housing notch up top to detract from their smoothly shining faces. 

Last year Apple only ditched the button on its premium iPhone X handset, retaining physical home buttons on cheaper iPhones. But this year it’s a clean sweep, with buttons dropped across the board.

If you want to go home on the new iPhone XS, iPhone XS Max or iPhone XR (as the trio of new iPhones are confusingly named) well, there’s a gesture for that: An up swipe from the bottom edge of the screen, specifically. Or a look and that gesture if your phone is locked.

This is because Apple has also gone all in on its facial biometric authentication system, Face ID, for its next crop of iPhones — throwing out the predecessor Touch ID biometric in the process.

“Customers love it!” enthused Apple’s marketing chief, Phil Schiller, talking up Face ID from the stage, after CEO Tim Cook had reintroduced the tech by collapsing it all to: “Your phone knows what you look like and your face becomes your password.”

“There’s no home button,” confirmed Schiller, going over the details of the last of the three new iPhones to be announced — and also confirming Face ID is indeed on board the least pricey iPhone Xr. “You look at it to unlock it… you look at it to pay with Apple Pay,” he noted.

So hey there Face ID, goodbye Touch ID.

Like any fingerprint biometric Touch ID is fallible. Having been doing a lot of DIY lately it simply hasn’t worked at all for my battered fingertips for more than a month now. Nor does it work well if you have dry skin or wet hands and so on. It can also be hacked with a bit of effort, such as via silicone spoofs.

Still, Touch ID does have its fans — given its relative simplicity. And also because you can register multiple digits to share biometric access to a single iPhone with a S.O. (Or, well, your cat.)

Apple has mitigated the device sharing issue by adding support for two faces per device being registered with Face ID in iOS 12. (We haven’t tested if it’ll register a cat yet.)

However, the more major complaint from privacy advocates is that turning a person’s facial features into their security and authentication key normalizes surveillance. That’s certainly harder to work around or argue against.

Apple will be hoping its general pro-privacy stance helps mitigate concerns on that front. But exactly how the millions of third party apps running on its platform make use of the facial biometric feature is a whole other issue.

Elsewhere, debate has focused on whether Face ID makes an iPhone more vulnerable to being force unlocked against its owner’s will. The technology does require active interaction from the registered face in question for it to function, though — a sort of ‘eyes-on’ check and balance.

It’s probably not perfect but neither was a fingerprint biometric — which could arguably be more easily forcibly taken from someone in custody or asleep.

But it’s irrefutable that biometrics come with trade-offs. None of these technologies is perfect in security terms. Arguably the biggest problem is there’s no way to change your biometric ‘password’ if your data leaks — having your fingerprints or face surgically swapped is hardly a viable option.

Yet despite such concerns the march towards consumer authentication systems that are robust without being hopelessly inconvenient has continued to give biometrics uplift.

And fingerprint readers, especially, are now pretty much standard issue across much of the Android device ecosystem (which may also be encouraging Apple to step up and away now, as it seeks to widen the gap with the less pricey competition).

In the first year of operation its Face ID system does appear to have been impressively resilient, too — barring a few cases of highly similar looking family members/identical twins. Apple is certainly projecting confidence, now, going all in on the tech across all its iPhones.

If you’re inconsolable about the loss of the home button it’s not entirely extinct on Apple hardware yet: The iPad retains it, at least for now.

And if it’s Touch ID you’re hankering for, Apple added the technology to the MacBook Pro’s Touch Bar (on 2016 models and later).

Yet the days of poking at a physical button as a key crux of mobile computing do now look numbered.

Contextual computing — and all it implies — is the name of the game from here on in. Which is going to raise increasingly nuanced questions about the erosion of user agency and control, alongside major privacy considerations and related data ethics issues, at the same time as ramping up technological complexity in the background. So no pressure then!

At the end of the day there was something wonderfully simple about having a home button always sitting there — quietly working to take people back to a place they felt comfortable.

It was inclusive. Accessible. Reassuring. For some an unnecessary blemish on their rectangle of glass, for sure, but for others an important touchstone to get them where they needed to go.

Hopefully Apple won’t forget everything that was wrapped around the home button.

It would certainly be a shame if its spirit of inclusiveness also fell by the wayside.

Fido Alliance adds a biometrics certification program to help fight spoofing

In a move aimed at upping standards across biometric user verification systems, the industry consortium, Fido Alliance, has launched a certification program for biometrics systems.

“The goal of the Biometric Certification Component Program is to provide a framework for the certification of biometric subsystems that can in turn be integrated into FIDO Certified authenticators,” it writes on its website.

While biometric verification systems such as fingerprint readers have been pretty widely adopted in the mobile space already — with Apple introducing its fingerprint biometric, Touch ID, to the iPhone a full five years ago; followed, last fall, by the introduction of a facial recognition biometric (Face ID) for its high end iPhone X — the Alliance says that, up to now, there hasn’t been a standardized way to validate the accuracy and reliability of biometric recognition systems in the commercial marketplace. Which is where it’s intending the new certification program to come in.

While few would doubt the robustness of Apple’s biometrics components (and testing regime), the sprawlingly diverse Android marketplace hosts all sorts of OEM players — which inevitably raises the risk of some lesser quality components (and/or processes) slipping in.

And in recent years there have been plenty of examples of poorly implemented biometrics, especially in the mobile space — with hackers easily able to crack into various Android devices that were using facial or iris recognition technology in trivially bypassable ways.

In 2017, for example, Chaos Computer Club members used a print out of an eye combined with a contact lens to fox iris scanners on the Samsung Galaxy S8. And that was one of the most sophisticated biometric hacks. Others have just required a selfie of the person to be held up in front of a ‘face unlock’ system to get an easy open sesame.

Where the not-for-profit Alliance comes in — an industry group whose board includes security exec reps from the likes of Amazon, Google and Microsoft, among others — is that it’s on a mission to reduce reliance on passwords for digital security because they inject friction into the online experience.

And biometrics do tend to be convenient, given they are attached to each person. Which is why they have been increasingly finding their way into smartphones and all sorts of other consumer electronics — from wearables to car tech, helped by component costs shrinking as biometrics adoption grows.

But it’s no good trying to speed up ID verification if the alternatives being reached for are badly implemented — and end up actively damaging security.

It certainly doesn’t have to be that way.

Apple’s biometrics are not so easily mocked. And while Touch ID is vulnerable to spoofing, like pretty much any fingerprint reader, its depth-mapping Face ID tech is by far the most sophisticated biometric implementation in the consumer electronics space to date. And hasn’t been meaningfully hacked (well, barring attacks by identical twins/strikingly similar looking family members).

So there’s clearly a world of difference (and, well, cost) between a well architected biometric recognition system which puts security considerations front and center, vs the awful sloppy stuff we’ve seen in recent years — where OEMs were just rushing to compete.

Biometrics has certainly often been treated more as a convenience gimmick for device marketing purposes, rather than viewed as a route to evolve (and even potentially enhance) device security.

The Alliance’s certification program is using accredited independent labs to test that biometric subcomponents meet what it dubs “globally recognized performance standards for biometric recognition performance and Presentation Attack Detection (PAD)” — and thus that they are “fit for commercial use”.

PAD refers to detecting the various methods that can be used to try to attack and circumvent biometric systems, such as using silicone or gelatine fingerprints, or deploying harvested facial or video imagery of the device owner.

So it looks like the Alliance’s hope for the program is to ‘upskill’ biometric implementations — or at least weed out the really stupid stuff.

“For customers, such as regulated online service providers, OEMs and enterprises, it provides a standardized way to trust that the biometric systems they are relying upon for fingerprint, iris, face and/or voice recognition can reliably identify users and detect presentation attacks,” it writes.

Speed is another goal too, as it says prior to this certification program due diligence was carried out by enterprise customers (or at least by those “who had the capacity to conduct such reviews”) — which required biometric vendors to repeatedly prove performance for each customer.

Whereas going forward vendors can use the program to test and certify just once to validate their system’s performance and re-use that third-party validation across the market — gaining what the Alliance bills as “substantial time and cost savings”.

Commenting in a statement, Brett McDowell, executive director of the Alliance, said: “While border control and law enforcement markets have mature assessment programs for their biometric systems, we were surprised that no such program existed for this rapidly growing consumer market.”

“With biometrics being a popular option for mobile and web applications implementing Fido Authentication, there is a growing need for those service providers to appropriately assess the risk of fraud from lost or stolen devices,” he added.

Currently only one lab has been accredited to perform components testing for the program.

The lab, iBeta, is located in the U.S. but a spokeswoman for the Fido Alliance told us: “The Alliance is actively working to bring in additional labs.”

She added that the Alliance will update this list as more are added.

Clear for beer: Biometrics provider now enables alcohol purchases at Seahawks and Mariners games

Clear, the biometrics company you’ve probably seen at airports and at a few other prominent queues, is rolling out the capability to simultaneously verify your ID and pay for an alcoholic drink with your fingerprint. It’s only at Seattle’s CenturyLink and Safeco Fields (and only a handful of concessions stands at those) but if it’s successful you can bet we’ll be seeing more of it.

That makes it the first time in the U.S. that biometrics are used for both age check and payment, but this exception will almost certainly become less uncommon in time: Clear announced its intention to pursue the payments side of biometrics when it raised $15 million last year.

This also marks the first NFL team to partner with Clear; Seahawks fans going to home games this season will be able to use a separate Clear lane at the northwest and southwest gates. It can be quite a melee or a considerable wait getting into both venues (I’m a local) so this will almost certainly be embraced by the Clear-privileged among Seattle sports fans. Sounders games at CenturyLink, by the way, will have the same perks, as will any concerts at either venue.

After you get inside the field, you’ll have to hoof it a bit to find one of the concession stands that Clear serves from. At Safeco it’s Double Play in section 136 and Shortstop Beer in 185. At CenturyLink it’s at the Delta Sky360 Club, by sections 210 and 234.

So, it’s not exactly everywhere. But during the beer rush of halftime or the seventh inning stretch at a good ballgame, it might be worth it to traverse a few sections and skip the line. Unfortunately, Clear doesn’t get you a discount on the outrageously priced drinks, so savor those $10 tallboys. Your wallet may stay in your pocket, but the money flies out of it just the same.

It’s a bit remarkable to me that alcohol merchants are allowed to take anything but a state-issued ID or passport — but as at the airport, Clear has been given authority to track those IDs internally and verify their authenticity and the identity of the person. Obviously the company’s success there warmed the frozen hearts of our state’s Liquor Control Board and allowed this small divergence from the status quo.

There are still plenty of Mariners games at which to test this out, and the Seahawks preseason starts Thursday, at which time the Clear lane for entry and fingerprint-powered concessions will be available to all 12s. Assuming it goes well we can expect it to show up at other major sports venues soon.