TSA Face Scans: What Airports Get Wrong on Consent

Stand in a TSA line right now — any airport, 80-plus of them nationwide — and there's a decent chance a camera is comparing your face to your ID before you even register that you had a choice. Technically, you could say no. In practice? Good luck figuring that out from the signage.

The TSA will tell you its credential authentication technology — the CAT-2 scanners now operating at airports across the country — is a voluntary program. Travelers can opt out. Photos are deleted after the comparison, except in limited cases. The agency frames this as both a security enhancement and a passenger convenience. That framing is doing a lot of heavy lifting.

Because here's the thing: a right that nobody knows they have isn't really a right. It's a liability disclaimer.

The Consent Problem Has a Name — and It's Structural

McKenly Redmon of Southern Methodist University Dedman School of Law has been digging into exactly this tension, and the findings are uncomfortable for TSA's public position. According to The Regulatory Review, Redmon argues that passengers' ability to decline these scans "often exists only in theory" — that travelers are likely unaware of the opt-out option, and that airport signage frequently uses vague language that obscures what's actually happening.

"Travelers are likely unaware that they can opt out, and signage at airports frequently uses vague terms." — McKenly Redmon, The Regulatory Review, summarizing Redmon's law review research on TSA biometric screening

Think about the environment for a second. You're in an airport. You have a flight to catch. There's a line behind you. A uniformed federal agent is gesturing toward a camera. At no point has anyone handed you a pamphlet explaining that you can politely decline and request a manual document check instead. This isn't informed consent — it's ambient compliance. And there's a legal concept that describes exactly this kind of setup: contextual coercion. The context does the coercing so the institution doesn't have to. This article is part of a series — start with Facial Recognition Checkpoint Convergence Investig.

Redmon specifically flags that the program has expanded to many airports nationwide — the program has reportedly grown to over 80 locations — without the kind of formal Congressional authorization you'd expect for mass biometric collection at this scale. That jurisdictional gap isn't a footnote. It's the whole story.

Accuracy Benchmarks: The Numbers You're Not Being Told

DHS has reported internal accuracy figures above 96% in controlled conditions. Sounds reassuring. But that top-line number is doing exactly what top-line numbers are designed to do: hide the variance underneath.

The National Institute of Standards and Technology's ongoing Face Recognition Vendor Testing program has consistently shown that accuracy figures vary significantly across demographic groups — age, skin tone, image quality all introduce meaningful performance gaps that don't show up in the headline percentage. MIT Media Lab research has documented the same pattern. A 96% average means nothing if the error rate for a specific demographic is two or three times higher. The average smooths over the populations who bear the actual cost of the mistakes.

And then there's the ICE and CBP situation, which is even more blunt about the reliability problem. WIRED's reporting on Mobile Fortify — the face-recognition app now used by immigration agents in towns and cities across the country — found that the tool "is not designed to reliably identify people in the streets" and was deployed without the scrutiny that has historically governed rollouts of privacy-impacting technologies.

"Every manufacturer of this technology, every police department with a policy makes very clear that face recognition technology is not capable of providing a positive [identification]." — WIRED, reporting on DHS Mobile Fortify deployment and the known limitations of facial recognition as an identification tool

Let that sit for a moment. The manufacturers of these systems are saying this. Police departments with established policies are saying this. And yet government agencies are deploying these tools in high-stakes contexts — immigration enforcement, security screening — in ways that suggest positive identification is exactly what's happening. That gap between what the technology can do and how it's being presented to the public is not a minor communications issue. It's the whole accountability failure in one sentence. To understand how TSA's biometric technology works, explore our facial recognition technology guide.

What "Good Practice" Actually Looks Like — And Why the Bar Is Higher Than the Checkpoint

Here's the counterargument worth taking seriously: TSA operates at impossible scale. Millions of travelers, seconds per interaction, federal security mandates that don't pause for paperwork. The documentation and consent infrastructure that investigators can apply to a single case simply doesn't translate to a checkpoint processing 3,000 people before 8 a.m. That's a fair point. Previously in this series: Face Scan 269 Hidden Checks Watchlist Screening.

But — and this is the part that matters — scale constraints are TSA's problem to solve, not a reason for everyone else to lower the bar. The fact that mass deployment forces certain compromises is precisely why case-specific facial comparison should be held to a higher standard than the checkpoint, not treated as roughly equivalent. When you're working a single investigation, you have the time, the methodology, and the professional obligation to do this right. The airport doesn't get to set the floor.

Good facial comparison practice in investigative work looks specific: a defined scope (what images, what question you're asking), explicit documented consent where applicable, disclosed error rates from the tool being used, clear notation of what the comparison can and cannot conclude, and output formatted for potential court or client review. That's not an abstract ideal — it's the standard that separates credible findings from guesswork with a confidence score attached.

At CaraComp, the approach we see working in practice centers on exactly that gap — the difference between a tool that produces a result and a workflow that produces a defensible result. If you want to understand why that distinction matters technically, the breakdown of face comparison methodology is worth the read.

The "comparison vs. recognition" distinction deserves more attention than it usually gets. Running two known images — a photo from a case file and a photo from a verified source — against each other is a bounded, documented act. Scanning an unknown face against a database of millions is a different category of technology and a different category of legal exposure. NIST treats them differently. Courts increasingly treat them differently. Investigators who conflate them are carrying a credibility risk they probably haven't fully priced in.

The Question Nobody in the Industry Wants to Answer Out Loud

Redmon's legal analysis frames this as a civil liberties problem — which it is. But there's a parallel professional problem that the investigative community hasn't fully reckoned with yet.

When TSA says face scans are optional and then builds an environment where opting out requires knowledge, confidence, and willingness to slow down a federal checkpoint line, they've created a system optimized for compliance rather than consent. That's the thing most professionals instinctively recognize as wrong when they read about it. It feels obviously problematic from the outside.

The harder question is whether anyone's practice looks different from the inside. If you're using facial comparison in casework right now — are your consent procedures documented in writing, or is "they agreed to the investigation" doing too much work? Do you know your tool's false positive rate across different demographic groups, or are you citing an overall accuracy figure the way TSA cites 96%? Could you produce a chain-of-custody document for how that comparison was run and what it concluded, or would that request catch you off guard?

Nobody's going to audit your answer. But a court might.

TSA built a system where "optional" became theoretical because no one was accountable for making it real. That's not a government problem — that's a deployment problem that shows up anywhere someone chooses speed and convenience over documentation and clarity. The airports just happen to have cameras big enough for everyone to notice.