Facial Tech Is Everywhere in 2025. Trust Isn't.

Immigration agents are running facial scans on people stopped in the street using an app that—according to records reviewed by WIRED—was never actually designed to reliably verify identities in field conditions. Simultaneously, airports are expanding biometric boarding at major U.S. hubs, Japanese rail is trialing face-based ticket gates on the Joetsu Shinkansen line, and an identity verification provider with ties to Peter Thiel's Founders Fund just had nearly 2,500 sensitive verification files sitting open on a government-authorized endpoint. All of this happened in roughly the same week. Facial comparison isn't coming. It's already the default.

Here's the thing nobody wants to say out loud: the technology itself isn't really what's failing. The underlying math—the kind of facial comparison analysis that measures biometric similarity between two images—is well-understood and, when conditions are controlled, genuinely reliable. What's failing is the human architecture around it. The policies. The operational boundaries. The ability to look a court, a regulator, or a journalist in the eye and explain exactly what the tool was built to do, what it wasn't, and how results were interpreted before someone acted on them.

That gap—between deploying technology and being able to defend how you deployed it—is the story of this entire week.

The ICE App Problem Is Not Really About ICE

The WIRED investigation into Mobile Fortify is worth reading slowly, because the headline obscures the more interesting detail. Yes, the Department of Homeland Security launched this app in spring 2025 to help immigration agents "determine or verify" identities during field stops. Yes, it was deployed explicitly in connection with President Trump's executive order calling for a "total and efficient" crackdown on undocumented immigrants. And yes, DHS repeatedly framed it as a facial recognition identity tool.

But here's the part that should make any serious investigator uncomfortable: the app doesn't actually verify identities. That's not a critic's spin—that's a documented limitation of how the tool is designed and used. This article is part of a series — start with Eu Ai Act Facial Recognition 2026.

"Every manufacturer of this technology, every police department with a policy makes very clear that face recognition technology is not capable of providing a positive identification." — As reported by WIRED, quoting documentation reviewed from DHS records

This is the line that every investigator using facial comparison should have memorized. Not because it makes the technology useless—it absolutely does not—but because the moment you start calling a comparison result an identification rather than a similarity assessment, you've crossed into territory that will collapse under cross-examination. Field agents running Mobile Fortify in variable outdoor lighting, at inconsistent angles, on subjects who aren't cooperating with capture conditions? That's not what the model was validated to handle. That's not a scandal. That's just physics and data science. The scandal is that nobody apparently stopped to document that limitation before deployment went nationwide.

Airports and Rail: Speed Over Accuracy Mandates

Meanwhile, on the infrastructure side of things, facial tech is crossing from pilot program to permanent fixture. The TSA is running its second facial recognition trial at Las Vegas's airport—the program is expanding across major U.S. hubs with biometric check-in becoming a routine part of the boarding process. Across the Pacific, Panasonic Connect just announced a trial of facial recognition ticket gates at JR East's Nagaoka Station on the Joetsu Shinkansen line. These are not experimental deployments. They're efficiency plays—driven by throughput, not by any particular mandate around verification accuracy.

That distinction matters. When an airport processes thousands of passengers an hour through a biometric gate, the operative question isn't "is this a perfect identity verification system?" It's "does this reduce queue time and false rejections at a rate that justifies the infrastructure cost?" The accuracy bar being applied is functional, not forensic. Which is fine, for an airport. It becomes a problem when the framing of those deployments—smooth, authoritative, government-sanctioned—bleeds into how less-scoped users think about what facial comparison can do.

Authority bias is real. When passengers walk through a biometric gate at a major international hub, the implicit message is: this works, this is trusted, this is definitive. The TSA's own page on facial comparison technology frames the program around identity verification—the same language that, in the Mobile Fortify context, turned out to describe something considerably more limited than it sounds. The technology in these two contexts is operating very differently. The marketing language around it sounds almost identical.

The Persona Exposure: Governance Hasn't Caught Up

Then there's the one that should genuinely concern anyone who handles sensitive identity data. Fortune reported this week that Persona Identities—an identity verification platform partially funded by Peter Thiel's Founders Fund, and used by Discord, OpenAI, Lime, and Roblox among others—had front-end code sitting accessible on the open internet via a U.S. government-authorized Google Cloud endpoint. Researchers found nearly 2,500 files, including details on how Persona conducts facial recognition checks against watchlists, screens identities against lists of politically exposed persons, and performs 269 distinct verification checks—including screening for "adverse media" across 14 categories covering terrorism and espionage. Previously in this series: Facial Recognition Default Infrastructure Weekly R.

The researchers' description of the discovery is worth sitting with for a moment: "We didn't even have to write or perform a single exploit." The files were just there. No sophisticated attack. No breach in the traditional sense. Just an organizational failure to secure data that was deeply sensitive by any reasonable definition of that word.

"Nearly 2,500 accessible files were found sitting on a U.S. government-authorized endpoint, researchers said." — Catherina Gioino, Fortune

Discord has since distanced itself from Persona. But Persona continues to provide verification services for OpenAI, Lime, and Roblox. The exposure didn't apparently affect those relationships—which tells you something about how the industry currently weighs operational risk against governance risk. (Spoiler: governance risk loses, until a regulator makes it expensive not to.)

The deeper issue here isn't that a vendor made a mistake. Mistakes happen. It's that the scope of what Persona was quietly doing—269 verification checks, watchlist comparisons, adverse media screening across terrorism and espionage categories, risk and similarity scoring—was apparently invisible to most of the organizations using it, right up until researchers stumbled across the exposed files and posted about it on X. That's not a technology failure. That's what happens when procurement moves faster than governance, every single time.

The Real Professional Edge Isn't the Tech You Have

Look, nobody is arguing that facial comparison technology doesn't work. The Euclidean distance analysis underlying most serious enterprise comparison tools—measuring similarity between biometric feature vectors in controlled input conditions—is solid, well-validated science. The problem isn't the algorithm. It's the chain of custody around it.

Every deployment drawing scrutiny this week failed the same test: operators could not produce a clear accounting of what the tool was designed to do, under what conditions it was validated, and how results were interpreted before action was taken. Mobile Fortify got deployed in street conditions its design parameters didn't cover. Airport biometric programs get framed with identity verification language that overstates what any comparison system can definitively prove. Persona ran 269 distinct checks—some of them touching national security categories—while the organizations licensing its API apparently had no clear picture of what they were actually running on their users. Up next: Face Scanning Mainstream Investigator Methodology .

The investigators and operators who are going to be standing on solid ground in three years aren't the ones with the most sophisticated tools. They're the ones who can open a case file, point to documented input conditions, articulate the difference between a similarity score and a verified identification, and explain why the methodology they used was appropriate for the context in which they used it. That's what defensible process looks like. It's not glamorous. It doesn't make for a good press release. But it's the only thing that survives a deposition, a regulatory audit, or a WIRED investigation.

With immigration agents, airports, Shinkansen gates, and online identity platforms all running facial tech—often with documented questions about reliability and scope—there's one question worth putting to yourself before you add a comparison result to a real case file: if this result ended up in front of a judge tomorrow, could you walk them through exactly how it was produced, what it can and cannot prove, and why you treated it as actionable? If the answer is anything other than an immediate yes, you already know what needs fixing. The tools aren't the problem. The process is.

So: what standard do you personally apply before you're willing to trust a facial comparison result in a real case file? Drop it in the comments—this is genuinely one of those questions where the professional variance in answers is both wide and instructive.