Comment by Hnrobert42
2 days ago
No. TSA deletes the information it captures after 24 hours.
https://www.tsa.gov/travel/frequently-asked-questions/does-t...
2 days ago
No. TSA deletes the information it captures after 24 hours.
https://www.tsa.gov/travel/frequently-asked-questions/does-t...
Regardless of the fact that they can simply lie to you, it doesn't say that. The question is "Does TSA protect all data (e.g., photos)...?" What does protect mean? The stated common case is that a photo is ephemeral and is removed (from where?) after it is used. Now, they're using it for facial recognition. They didn't get a facial recognition system by deleting photos, so we know based on the premise that some representation of the data in the photo (your likeness) exists in persistent form.
But that's just generous reading, anyway. There are so many ambiguities that it's not really worth the trouble to attempt any rigorous analysis of it.
"In rare instances TSA will collect and temporarily retain photos and data..." How rare? Doesn't matter: then what happens?
"...data collection mode events are limited in time and place..." Damn unrelenting spacetime.
"TSA’s facial comparison technologies adhere to DHS and TSA cybersecurity requirements." Restatement of the problem.
To get actual answers (at least during sane political administrations), the System of Records Notice (“SORN”) is what you want. Whereas the info sites for these programs are typically useless, SORNs are the authoritative document that the federal government issues to identify and characterize systems that store records about data subjects, and include information about retention polices, exceptions, etc.
The last I read the SORN for TSA’s facial recognition, they did commit to deleting identifiable data within 24 hours.
CBP operates their facial recognition under a different SORN, and there are many more caveats, although they also commit to deleting identifiable data within 24 hours for US citizens (only).
That was in late 2024 anyway.
> Now, they're using it for facial recognition. They didn't get a facial recognition system by deleting photos, so we know based on the premise that some representation of the data in the photo (your likeness) exists in persistent form.
If we want to be truly generous in interpreting it, the new sample would be deleted and the comparison is done against the photos they have on file from your ID/passport (although, since a foreigner can do it on their first visit to the US, it might just be based on scanning the document you provide). Of course, single-sample-per-person facial recognition is pretty limited, but it's security theater anyways.
I think the mistake is assuming they're purely doing a 2d pixel array photo comparison and not a 3d scan. This would also satisfy their statement that they delete the photos, while still being able to store data that could be used to reproduce the photos.
That's too generous because even that document says that there that data is used for other purposes without detailing any of that. There are no timelines. Even when they say "temporary," when is that? Until 2300? Temporarily stored on the device until it's been stored remotely? Temporary until the NN is trained?
The cat's out of the bag, anyway. They already have a perfect dataset and surveillance mechanism. But it'd be nice to stop continuing to perfect it.
I just flew from the US to Europe; at each point where I had to get my picture taken, the machine had a label on it that clearly said they would delete my data after 24 hours. (Or after use, I don't remember the precise time frame.)
Were they lying? Possibly. But this is not a matter of them trying to use weasel wording to trick you into thinking they're claiming something they're not.
You think they could be lying, but your argument is that they're being candid? Then we simply see it differently. I just read the primary source, so I know without a doubt that it's weasely.
Moreover, it was put forward as proof that they don't keep the data, but the source is actually called "Does TSA protect all data (e.g., photos) collected." What are they protecting if they don't have it? What would be the point of even doing this if they don't collect it?
But leave that aside and let's talk about your experience. Did it say the data would be deleted after 24 hours or did it say it would be deleted after use? What is use? Use could be we're operating a giant biometric database and we intend to keep doing it until the asteroid, and why wouldn't it be that?
1 reply →
It says, "If you use TSA PreCheck Touchless ID, your information is deleted within 24 hours of your scheduled departure time."
Yes, they could be lying. That would be illegal.
What does the very next sentence say?
1 reply →
Agreed. Provides no obvious benefit to either me or society at large. Normalizes collection of biometrics. Implementation details not easy to verify - they could be lying or could silently change things later.
The entire scheme has a very high abuse potential. Equipment and personnel set up at major ports and their presence normalized. Turnkey authoritarianism at its finest.