Governments Deploy Facial Tech Faster Than It Works

The TSA is scanning faces at airports across the country. Immigration agents are running a mobile face app in cities and towns nationwide. An age verification platform quietly used by Discord was running 269 separate identity checks — including terrorism and espionage screening — without anyone knowing about it until researchers stumbled onto nearly 2,500 exposed files sitting on an open government-authorized endpoint. No exploit required. No hacking. Just open tabs and a browser.

That last detail should bother you more than the rest of it combined.

The Week That Broke the "Government = Credible" Assumption

Let's start with the one that arguably has the highest stakes: ICE and CBP's Mobile Fortify app. WIRED reviewed agency records and found that the app — launched by the Department of Homeland Security in spring 2025 and explicitly tied to a Trump executive order calling for a "total and efficient" immigration crackdown — does not actually verify who people are.

Read that again. An app marketed and deployed as an identity verification tool cannot verify identities.

"Every manufacturer of this technology, every police department with a policy makes very clear that face recognition technology is not capable of providing a positive identification." — Quoted in WIRED, reporting on Mobile Fortify records

That's not a civil liberties talking point. That's the technology's own manufacturers and its most experienced law enforcement users admitting a fundamental ceiling on what the tool can do. Mobile Fortify was deployed anyway — without the scrutiny that has historically governed rollouts of technologies affecting personal privacy — and it's now being used in the streets to make decisions about people's freedom of movement. The gap between what agents are told the tool does and what it actually does is not a minor footnote. It's the whole story. This article is part of a series — start with Facial Recognition Checkpoint Convergence Investig.

At the Airport: "Voluntary" Is Doing a Lot of Heavy Lifting

Meanwhile, at airports across the United States, TSA's credential authentication technology — the face scan terminals that compare your live image against your government-issued ID — continues its steady expansion. The TSA frames this as both efficient and optional. McKenly Redmon of Southern Methodist University's Dedman School of Law, writing in a recent analysis covered by The Regulatory Review, argues that "optional" is mostly theoretical.

The reality on the ground: most travelers don't know they can opt out. Signage uses vague language. Security lines are not exactly environments that encourage you to pause, read the fine print, and assert your rights. Redmon's concern isn't fringe — the Government Accountability Office has raised similar questions about consent language, data retention, and what a "voluntary" biometric capture actually means when a uniformed agent is directing you to look at a camera.

The TSA's position — that except in limited cases it deletes captured photos — is at least a policy. Whether that policy is followed with the rigor that biometric data deserves is a different question, and one that hasn't been answered to anyone's satisfaction. The agency is still expanding this program. The accountability infrastructure hasn't kept pace with the deployment timeline. That's not a guess; that's the GAO's own documented concern.

The Persona Situation Is Its Own Category of Alarming

The Discord-Persona story deserves more attention than it's getting, because it exposes something the TSA and ICE stories don't: the invisible third-party layer inside commercial identity verification.

Persona Identities — partially funded by Peter Thiel's Founders Fund and used by OpenAI, Lime, Roblox, and until recently Discord — was supposed to be an age verification tool. What researchers actually found, according to Fortune, was a platform conducting facial recognition checks against watchlists, screening for politically exposed persons, assigning risk and similarity scores, and running those 269 distinct verification sub-checks — including screening for terrorism and espionage — all without meaningful disclosure to the person being checked. Previously in this series: Facial Comparison Going Mainstream Verification Ga.

Here's where it gets genuinely unsettling: this wasn't discovered through some sophisticated investigation. Researchers found nearly 2,500 accessible files sitting on a U.S. government-authorized endpoint. As one researcher put it, "We didn't even have to write or perform a single exploit." The entire methodology was just sitting there.

Think about what that means for end users of any platform running Persona. You're trying to verify your age to play a game or use a communications app. Behind the scenes, you're being screened against terrorism watchlists and assigned a risk score. Nobody told you. Nobody asked. And the documentation of how that works was available to anyone who knew where to look — which is to say, everyone.

The Practitioner Gap: Where Discipline Becomes a Competitive Advantage

So where does all of this leave the investigator, the forensic analyst, the security professional trying to do rigorous facial comparison work in 2026?

Honestly? In a better position than you might think — if you're operating with documented methodology.

The professionals who will come through this period with unimpeachable credibility are the ones who can walk into any deposition or client presentation and explain exactly how their facial analysis was conducted. What methodology. What the known accuracy parameters are. How the result was documented. The gap between "we ran it through the system" and "here is our documented comparison with supporting imagery, methodology notes, and clearly stated confidence intervals" is the difference between evidence and assertion. Courts are beginning to enforce that distinction, even when government systems don't meet it. Up next: Face Scans Everywhere But Can They Prove Who Someo.

This is exactly the kind of controlled, case-specific approach that disciplined facial comparison methodology is designed to support — working from known case photos, with explicit documentation of process, rather than running queries through systems whose error rates and watchlist criteria aren't disclosed to anyone, including the agents using them.

"Travelers are likely unaware that they can opt out, and signage at airports frequently uses vague terms." — McKenly Redmon, SMU Dedman School of Law, via The Regulatory Review

The strongest counter-argument to this take is real: large-scale government systems train on massive datasets. Scale, in theory, improves accuracy over time. That's legitimate. But scale without transparency is not a defense in a courtroom. A system that can't explain its error rate for your specific case, in your specific conditions, with your specific image quality, is not more reliable for your case. It's just more opaque — and opacity is not a feature your opposing counsel will let slide.

The real edge in 2026 isn't access to the flashiest system. It's being the person in the room who can answer the question a judge is about to ask — and answer it with documentation, not confidence.

So here's the one worth sitting with: when TSA can't clearly explain what "voluntary" means at a checkpoint, and ICE is running an app its own records acknowledge can't verify identities, and a commercial ID vendor is silently running terrorism checks behind an age gate — how are you documenting and defending your own facial comparison methodology when your case ends up in court? Because it will. And "the government does it this way" is not going to hold up the way it used to.