Face Scans Everywhere. But Can They Prove Identity?

The TSA wants your face at the checkpoint. So does Customs. So does JR East's bullet train network in Japan. So does a Las Vegas casino hotel, probably. Facial scanning at scale is no longer a pilot program — it's becoming the default assumption of how modern identity infrastructure works. And in the same week that headlines celebrated that expansion, security researchers quietly documented nearly 2,500 identity verification files sitting completely exposed on a U.S. government-authorized Google Cloud endpoint. No exploit required. No breach. Just… there.

That contrast — massive institutional expansion on one side, embarrassing operational failure on the other — is exactly the kind of signal that gets lost in the noise of breathless tech coverage. Everyone's reporting on the rollout. Not enough people are asking whether any of this actually works the way it's supposed to.

The Expansion Is Real, and It's Moving Fast

Let's start with what's actually happening, because the scale is genuinely significant. According to TSA's own factsheet, the agency has deployed facial comparison technology across select airports nationwide, positioning it as both a security enhancement and a passenger convenience feature. The system captures a real-time image at the checkpoint and compares it against the photo on your government-issued ID. TSA frames this as "optional." More on that word shortly.

Meanwhile, TSA has already run biometric trials at both LAX and McCarran International in Las Vegas — the Vegas proof-of-concept collecting a fairly detailed dossier on participating travelers: real-time facial images, ID document photos, issuance and expiration dates, travel dates, ID type, issuing organization, and birth year. That's not a light-touch pilot. That's a data collection architecture.

Internationally, Panasonic Connect and JR East are trialing facial recognition ticket gates at Nagaoka Station on the Joetsu Shinkansen line — biometric boarding for the bullet train, essentially. The normalization is happening across continents simultaneously. By the time most people notice, the infrastructure will already be baked in. This article is part of a series — start with Facial Recognition Checkpoint Convergence Investig.

Now Here's Where the Story Gets Uncomfortable

While agencies were busy expanding their biometric footprints, Fortune reported that Persona Identities — the Peter Thiel-backed verification software used by Discord, OpenAI, Roblox, Lime, and others — had its front-end code fully accessible on a government-authorized endpoint. Researchers found it without writing a single line of exploit code. They just… looked.

What was exposed wasn't trivial. Persona, it turns out, performs 269 distinct verification checks on users. That includes facial recognition comparisons against watchlists, screening against lists of politically exposed persons, and adverse media checks across 14 categories — terrorism, espionage, and more. The system assigns risk and similarity scores to individual users. And according to researchers, that entire verification architecture was visible to anyone who knew where to point a browser.

"We didn’t even have to write or perform a single exploit, the entire verification system was exposed to the open internet." — Researchers, as quoted by Fortune

Discord has since distanced itself from Persona. That's the corporate equivalent of quietly leaving a dinner party after knocking over the host's best wine. The damage, in terms of what this reveals about how identity verification infrastructure is actually managed at scale, doesn't go away when you update your vendor list.

This isn't a one-off. Security researchers have documented this pattern repeatedly across large-scale biometric deployments: speed-to-deployment consistently outpaces security hardening. When you're racing to process millions of identity checks, someone almost always leaves a door open somewhere.

"Optional" Is Doing a Lot of Heavy Lifting Here

Back to that word. TSA calls its facial scans voluntary. McKenly Redmon of Southern Methodist University's Dedman School of Law has a fairly pointed response to that framing.

"Travelers are likely unaware that they can opt out, and signage at airports frequently uses vague terms." — McKenly Redmon, SMU Dedman School of Law, as cited by The Regulatory Review

Redmon's argument is structurally sound. When the alternative to consenting to a biometric scan is missing your flight, you don't really have a choice — you have a coerced compliance event dressed up in opt-out language. The consent exists in theory. In practice, at 6 AM in a TSA line with a rolling bag and a boarding pass that closes in 40 minutes, it doesn't. Previously in this series: Governments Deploying Facial Tech Faster Than It W.

TSA's credential authentication technology-2 scanners — the CAT-2 units now deployed at airports nationwide — capture real-time images and compare them against government-issued IDs automatically. The agency maintains it deletes the photos (except in limited cases). Constitutional law scholars aren't fully convinced that passive enrollment in this kind of system clears Fourth Amendment thresholds. That legal question hasn't been settled. And it probably won't be settled quietly.

The Border App Problem Nobody Wants to Talk About

Then there's the issue that should be most alarming for anyone who uses institutional biometric outputs as part of professional identity work. Wired has reported that the face-recognition app used by ICE and CBP can't actually verify who people are. Not "struggles to verify" or "has accuracy limitations." Can't actually do the core thing it's supposed to do.

That's a devastating finding, and it barely registered in mainstream coverage. The app is deployed by federal immigration enforcement. It's backed by the full institutional authority of two major federal agencies. And independent assessment found it cannot reliably distinguish a live enrollment from a presented document — which means the foundational premise of what "verified" means in that context is broken.

Here's the thing about authority bias that makes this so professionally dangerous: we are wired to assume that bigger, more official systems are more accurate. A federal agency using facial recognition sounds more rigorous than an individual investigator doing a controlled comparison on a single case file. That assumption is backwards. And it's going to get people hurt — professionally, legally, and in some cases physically — if investigators don't actively resist it.

For anyone doing professional facial comparison work, the distinction between mass identity systems and case-level analysis isn't semantic. It's the entire methodological foundation of defensible work. Mass systems optimize for throughput at acceptable aggregate error rates. Case-level comparison optimizes for documented, controlled methodology on a defined image set — with a chain of reasoning that can be explained, challenged, and defended in front of a judge.

What "Professional-Grade" Actually Means

The strongest counterargument to everything above is worth taking seriously: government biometric systems do have regulatory oversight, institutional audits, and accountability structures that individual tools don't. A solo investigator's methodology can face more courtroom scrutiny precisely because it lacks the institutional backing of a federal program. That's real. That's not nothing. Up next: Face As Boarding Pass Facial Comparison Evidence S.

But the answer isn't to defer to institutional systems whose own auditors have documented foundational accuracy problems. The answer is to document your own methodology so thoroughly — image source, comparison parameters, similarity scoring rationale, analyst reasoning — that the analysis stands on its own regardless of what any sprawling government deployment does or doesn't do correctly.

The New York Times headline says it plainly: "At Check-In, Your Face Is Increasingly Your ID." That's true. But your face being scanned at scale is not the same as your identity being verified with precision. Those two things sound similar. They are not the same thing at all.

So here's the question worth sitting with this week — not rhetorically, but as an actual professional challenge: when a client or opposing counsel asks you to explain the difference between what TSA does at an airport checkpoint and what you did with a set of case images, what exactly do you say? Because that answer is your entire credibility as an identity professional. And right now, the news is handing you the best possible argument for why that distinction matters — if you know how to use it.

The 2,500 exposed files probably didn't contain your client's face. Probably. But if they did, would you even know?