If biometric data is stolen or misused, travelers don’t have much recourse, said Alex Alben, who teaches privacy, data and cybersecurity at the University of California Los Angeles and University of Washington law schools. There are no federal laws regarding the use of biometric data, he said, although a few states are beginning to create a patchwork of legal protections, and in the European Union and Britain, companies must get permission from consumers to collect their data and must tell them what it will be used for.
Private companies’ management of facial recognition data worries Jeramie D. Scott, director of the Project on Surveillance Oversight at the Electronic Privacy Information Center. Companies, he said, could be hacked or could turn the data over to government entities, who might use it for surveillance. Some might even sell customers’ biometric information or find other ways to profit off it and bury those intentions in the fine print, Mr. Scott said — a scenario that could echo the “Black Mirror” episode “Joan Is Awful,” in which a fictional streaming service uses its terms-and-conditions agreement to hijack the main character’s life for a TV series.
One company has already used facial recognition technology to exclude people from its premises. Last year, MSG Entertainment, which owns Radio City Music Hall in New York, barred a lawyer from seeing the Rockettes with her daughter’s scout troop, because she worked for a firm the company viewed as adversarial.
Facial recognition software has also been shown to be less accurate for certain demographic groups, said Mr. Scott, and even with improvements, the algorithms are typically not shared or tested publicly “so we need to take the company’s word about their accuracy,” he said.
On a recent Virgin Voyages cruise through the Greek Islands, one passenger, Divya McDuffie, a media executive from New York, was asked to upload a selfie as part of the check-in process to help identify her when she got on and off the ship. Ms. McDuffie said she was fine with facial recognition as a security measure, but if hospitality companies started using it to, say, assess her mood, target her with offers or steer her toward some kind of action, “absolutely ‘no’ to that,” she said, and stressed the need for transparency. “If there isn’t a disclaimer where I can make an informed decision, that would be disturbing. Where would it end?”