Enhancing Customer Experience through Data without Breaching Privacy

Data is the new currency in our digital global economy, and airlines here in the US as well as abroad constantly collect, store, use, and share their guest and employee personal data to safely and consistently operate their businesses.

As the value of personal information increases, so do the threats to the privacy of that data. Traditional security controls are not sufficient to protect the privacy of personal data. Once this data arrives within your company’s enterprise perimeter, it becomes each of your employees’ responsibility to protect it.

There are so many aspects of standard airline operation where privacy plays a role - whether it is your marketing team contacting guests via emails, your engineering team developing the latest eCommerce tool, your customer service agent providing their best service via SMS, on the phone or at the airport, or a flight attendant greeting guests on their next flight. All of us in the airline industry can make the experience personal without our guests losing trust in each of our brands. 

In addition to handling personal data, each one of us can think about right away, such as names, addresses, phone numbers, and emails, airlines also handle extremely sensitive data about our guests such as their disability information, passport numbers, information about their minor children, their biometric information, etc.

With so many new regulations focusing on protecting personal data, especially sensitive data, the focus is on coming up with a balanced approach to risk management.  There is a big shift in this world of the digital data economy – customers are more likely to trade in some of their data to achieve convenience or a tangible benefit. If done correctly – your privacy function in your company can help you do just that – deliver value to your customer base while growing your fan-base and protecting their data and reducing the risk of breach or data misuse.

Just think about your own day of travel experience.  From the point of arriving at the airport and forgetting your passport, or seeing the very long line to print your boarding pass and your bag tag, to fumbling through your screened luggage to retrieve your boarding pass yet again to board your flight. There are so many mini-stresses that add to your airport commute traffic stress, such as snack-packing-for- kids stress, remembering your headphones, and that extra set of socks. Wouldn’t you want to take the extra stresses away to achieve a better day of travel experience? 

Here is a high-level diagram showing the level of stress during your day of travel, and how biometric authentication can be added to various check-points of the journey to reduce that stress, according to the TSA:

Imagine not having to fumble for your phone to retrieve your boarding pass, not having to worry about leaving your passport at home, or not having to prove you have a membership to enjoy one of the airline lounges. Alaska Airlines is already leveraging biometrics to achieve this vision.  With biometric authentication, your face is your ticket, passport, and boarding pass.

Biometrics have expanded in complexity and usage since 9/11, extending to: “logical and physical access systems; surveillance operations to fight against fraud and organized crime; immigration control and border security systems; national identity programs; identity management systems; and the determination of friend or foe in military installations” [CBP].

So what is biometrics? Biometrics may include appearance, behavior, and cognitive state. Systems achieve automated recognition of individuals based on their biological and behavioral characteristics. 

Why don’t all organizations rely on biometrics? 

Doesn’t it appear to be the Holy Grail of security? Are there any privacy risks?

According to the Electronic Privacy Information Center, “Biometric data is personally identifiable information that cannot be changed when compromised. Improper collection of this information can contribute to identity theft, inaccurate identifications, and infringement of constitutional rights. Facial recognition uses algorithms to match a picture of an unknown individual to a gallery of identified images based on facial features like the distance between a person’s eyes. The proliferation of available digital images created by security cameras added online via social media, or collected by the government for routine purposes (e.g. passport photos) has created a wealth of data to use for face surveillance. And there is a lack of legal protections against the use of images for facial recognition. The result is that the images used to create the underlying algorithms and databases are often collected surreptitiously and without consent.”

Facial recognition makes it easy to identify anyone at any time without their consent and even without their knowledge to track the movements of that person or connect that person to the copious amounts of information collected by the government and private sector. The technology also increases the ability to conduct mass surveillance of large crowds.

Facial recognition can be used in almost every dimension of life, from banking and commerce to transportation and communications. 

Law enforcement's use of facial recognition is dangerous because it exacerbates protest policing and political repression, the over-policing of minority communities, and the risk of wrongful identification and wrongful arrest. Commercial facial recognition products are often used by law enforcement, blurring the line between corporations and the government. Clearview AI, for example, stole billions of images from social media sites and built a powerful facial recognition system off those images it sells law enforcement access to.

You might wonder what airline passengers’ response would be to biometric implementation if not done right. Take a look at the case of JetBlue implementing biometrics in 2019 without providing notice to its passengers or collecting consent. A passenger boarded a flight and was forced to go through biometric authentication without her choice or consent, or without being notified that her photo was about to be taken and compared to the government databases for security purposes. This caused an outcry of support – over 7,000 individuals appear to agree with her on Twitter. This also caused a ton of brand damage to JetBlue, with potential fines for regulatory violations.

How did the JetBlue fiasco happen?

- The Center for Border Patrol already has biometric photos of all US citizens via their passports

- JetBlue took photos of passengers without notice or consent and supplied those photos to CBP from each flight’s manifest

- Airport Station instantly matched the passenger photos to their passport, visa, or immigration document photos.

What went wrong?

- Since guests were not provided any notice, and no consent was collected, JetBlue violated several regulations and laws (see graphic below to get a sense of states regulating biometric data use) – consent always has to be collected in an opt-in format for biometric use

- JetBlue didn’t just suffer regulatory fines but the loss of customer trust and negative PR 

- CBP hasn’t implemented meaningful restrictions on where it will share photos, so your photo may end up anywhere! The best thing to do is not store the photo at all – use it for comparison purposes on the device itself and delete it as soon as the check is performed.

- Congress has not told the agency to collect such data from Americans

- Facial recognition is prone to more errors with African Americans, women, and children based on research.

So, how can you implement biometrics to improve customer experience and enhance security without risking the fiasco that JetBlue had to go through above? How do we mitigate the risks?

“Many state governments and consumers are becoming privacy aware that new laws are popping up left and right. So consumers are now paying attention to how you collect their data and what you do with it”

Firstly, always keep your finger on the pulse of new laws and regulations. Many state governments and consumers are becoming privacy aware that new laws are popping up left and right. So many consumers are now paying attention to how you collect their data and what you do with it.

Secondly, always obtain consent. Biometrics are sensitive data and consent has to be collected in an opt-in format. This doesn’t necessarily mean having checkboxes at the gate – as long as you provide your guests with appropriate notice and a choice (ex: to proceed by going through the biometric authentication queue, or choose to continue in a more traditional queue) would be a sufficient form of collecting consent. Having two queues is important, just like the implementation of full body scanners at airports required having a traditional metal detector and pat[1]down line for passengers who did not feel comfortable going through the body scanner at first.

Thirdly – protect the biometric data when you do get it. What does this mean? Encrypt the data and only store it for the shortest duration of time needed to perform the security check. It is preferable to always store the biometric information on the camera device itself rather than uploading it anywhere else. This practice reduces the risk of the sensitive data being intercepted in transit and prevents the risk of other departments potentially misusing the sensitive data for a secondary use that the customer did not consent to.

Fourth – delete the data as soon as you can. If you don’t have it – you cannot lose it. Besides – since the biometrics are only used for authentication, once the passenger passes the checkpoint, logically there should not be a reason to keep the data any longer.

Where do you end up? You end up improving your customers’ experience on their (stressful) day of travel, reducing the risks of data loss or misuse, protecting the brand, and staying compliant with various security and privacy laws.

Guests stay in control of their biometric information and our industry uses the latest in technology developments to improve security while improving the efficiency of operations (and continue having happy customers flying with you).