You step up to a TSA kiosk at the airport. Camera flashes. You tap submit. Twelve seconds. That biometric scan just entered a federal database that may retain it for up to 75 years.[1] You didn't sign anything. You didn't opt in. You just wanted to get home.

The Airport

CBP's biometric program is live at 238 airports. TSA is targeting 400+.[2] Beyond facial scans, the ESTA form — required for travelers from 42 countries — now asks for social media handles. In December 2025, CBP proposed expanding ESTA to require five years of social media history, a decade of email addresses, phone numbers, IP metadata, and your entire immediate family's personal information.[3] All of it cross-referenced against the Automated Targeting System, which assigns invisible risk scores retained for up to 40 years and shared with foreign governments.[4]

In 2019, a CBP subcontractor downloaded 184,000 traveler face photos to its own private servers — without authorization — and lost them to a ransomware attack. They ended up on the dark web.[5] Unlike passwords, you cannot change your face.

In 2018, the Boston Globe revealed that TSA had been secretly assigning air marshals to surveil ordinary domestic passengers — not suspects, not watchlisted individuals — logging whether they had a “cold penetrating stare.” The program ran for six years before anyone outside TSA knew it existed.[6]

Unemployment

To collect benefits you've spent your career paying into, most states now require biometric identity verification. During COVID, 30+ states routed applicants through ID.me — a private company — storing facial scans on private servers indefinitely. That data flows onward to the IRS, SSA, child support agencies, and the National Directory of New Hires: a federal database tracking virtually every job and every paycheck in the country.[7]

When that aggregated data became an attack surface, the results were catastrophic. The DOL Inspector General estimates at least $163 billion in fraudulent pandemic UI payments — most of it enabled by identity theft using data stolen in prior breaches. Less than $1 billion has been recovered.[8]

The Consent Illusion

You don't have to travel internationally. You don't have to claim unemployment. The forms are technically optional — in the same way eating is optional. The Privacy Act of 1974 says data collected for one purpose can only be used for a “compatible” purpose, defined as a “routine use.” Agencies define their own routine uses. The lists expand over time. Academics call this function creep; bureaucrats call it program evolution.[9]

In May 2025, the Privacy and Civil Liberties Oversight Board released a 125-page review of TSA's facial recognition program. It found the DHS Chief Privacy Officer had failed to conduct required privacy compliance reviews — and recommended the program remain genuinely voluntary.[10] A 2019 NIST study found the same algorithms misidentified Asian and Black faces up to 100 times more often than white male faces.

The form asks for your name. It always has. But it used to forget.

Sources

  1. DHS, 2024 Update on DHS's Use of Face Recognition Technologies (Jan. 2025). dhs.gov
  2. Biometric Update, TSA targets 400 US airports for biometrics rollout (Dec. 2024). biometricupdate.com
  3. Federal Register, Revision to I-94 and ESTA (Dec. 2025). federalregister.gov
  4. EPIC, Automated Targeting System. epic.org
  5. Zack Whittaker, CBP says traveler photos stolen in data breach, TechCrunch (June 2019). techcrunch.com
  6. Jana Winter, Inside TSA's Quiet Skies, Boston Globe (July 2018). bostonglobe.com
  7. ACFE, National Directory of New Hires, HHS. acf.hhs.gov
  8. Jeff Stein, An estimated $163 billion from pandemic unemployment benefits were misspent or stolen, Washington Post (May 2022). washingtonpost.com
  9. Finn et al., “The Concept of Function Creep,” Law, Innovation and Technology (2021). tandfonline.com
  10. Privacy and Civil Liberties Oversight Board, Use of FRT by TSA (May 2025). PCLOB Report (PDF)
