Oversight report fuels urgency of Congressional push for TSA biometrics reform

At a time of intensified scrutiny of the Transportation Security Administration’s (TSA) expanding use of facial recognition technology (FRT) at U.S. airports, the U.S. Privacy and Civil Liberties Oversight Board (PCLOB) has released a comprehensive 125-page report which commends certain safeguards while simultaneously warning of transparency failures, unclear consent practices, and the latent risks of mission creep.

“Any further expansion of the scope or application of TSA’s use of FRT should come only after a determination that the benefits of such expansion outweigh the increased risks to privacy and civil liberties, as well as full public disclosure and debate,” states the PCLOB report, which paints a detailed portrait of TSA’s biometric programs PCLOB has been investigating for the last seven years.

The report was prepared by PCLOB’s past and present professional staff and released in lieu of a quorum vote. In January, one of President Trump’s first actions was to fire all three Democratic members of the board, leaving the PCLOB with only one active member, Republican appointee Beth Williams. It was Williams who made the report public. It’s unclear whether top TSA or Department of Homeland Security (DHS) leadership have accepted the PCLOB’s findings, which provide a granular account of TSA’s use of facial recognition since its experimental phase in 2017.

The report comes amidst a renewed bipartisan effort in Congress to constrain TSA’s biometric surveillance practices. Senators Jeff Merkley, a Democrat from Oregon, and John Kennedy, a Republican from Louisiana, this past week announced plans to reintroduce the Traveler Privacy Protection Act, a legislative measure that would sharply restrict TSA in expanding its use of biometrics without specific Congressional authorization.

At the heart of the proposed legislation is a set of principles increasingly echoed by privacy advocates, civil libertarians, and even some in the national security community: the right to anonymity in public spaces, the necessity of informed consent in surveillance technologies, and the constitutional importance of constraining executive branch powers.

The bill would establish human ID checks as the default verification method at TSA checkpoints, relegating facial recognition to an opt-in alternative rather than an expectation, and would further prohibit TSA from storing or repurposing the biometric data it collects, mandating that facial scans be deleted immediately after identity verification is complete.

These legislative concerns are not hypothetical. The PCLOB report affirms many of the senators’ warnings. The report reveals a biometric ecosystem that is expanding in scope but underregulated and inconsistently implemented.

By early 2025, more than 2,100 CAT-2 devices with facial recognition capabilities had been deployed across over 250 federalized airports, the PCLOB report disclosed. These systems use two biometric modalities, “one-to-one” facial matching in which a live image is compared to a government-issued ID, and “one-to-many” facial recognition in which a traveler’s face is checked against a gallery of opt-in participants expected to travel that day.

The one-to-many system, which compares a traveler’s photo against a gallery of enrolled participants, is viewed as more concerning by the PCLOB. While participation is voluntary and opt-in only, the architecture of this system lends itself more easily to surveillance-style applications.

PCLOB warns that if not strictly confined, one-to-many systems could eventually be adapted for broader tracking or identification of individuals beyond airport security. As such, the report underscores the need for formal limits to ensure this mode does not evolve into a general-purpose surveillance tool.

According to the PCLOB report, TSA claims its systems are highly accurate, citing National Institute of Standards and Technology (NIST) testing showing false positive rates below 0.001 percent and face capture success rates exceeding 99 percent across demographic groups. TSA argues that the systems are efficient and superior to human screeners in both speed and precision.

Yet, even with these technical assurances, the report identifies substantial cause for concern. The report emphasizes that even with high accuracy rates, issues of demographic bias persist and must be addressed. Although performance across demographic groups has improved, false negative rates can still lead to disproportionate burdens on marginalized communities, resulting in unnecessary scrutiny or delays, the report points out.

PCLOB concluded that, “because TSA does not have metrics on the number of impostors detected nor estimates of the number of impostors who are currently undetected, we are unable to evaluate the absolute contribution of the [FRT] system to security or the cumulative effect of the entire passenger screening and authentication function.”

PCLOB also criticized TSA’s lack of a comprehensive Privacy Impact Assessment, a significant omission that undermines public understanding and accountability. “As of the publication of this report, TSA has yet to publish a single, comprehensive Privacy Impact Assessment for its use of facial recognition,” PCLOB said, adding that “there has been a lack of clear communication about the nature and maturity of plans for deployment of FRT.”

Moreover, while TSA policy nominally allows travelers to opt out of facial recognition, the report finds that signage and Transportation Security Officer (TSO) instructions often fail to clearly communicate that choice, and that travelers may feel pressure to comply.

The PCLOB highlighted what it said is a troubling pattern of ambiguous language and inconsistent implementation across airport checkpoints. TSA’s use of terms like “pilot,” “proof of concept,” and “operational deployment” has, according to the PCLOB, often obscured the true extent and permanence of its biometric rollout. The result is a public that is frequently unaware of how and where their biometric data is being collected and used.

TSA’s signage and TSO instructions have often failed to clearly communicate that participation in facial recognition is voluntary. “There are undeniable difficulties in establishing a program that is frequently evolving, including logistical challenges related to screening lanes and auditing performance, but travelers must be informed that they can opt out and given a meaningful opportunity to do so,” the report states.

The report notes that even a sitting senator – Jeff Merkley himself – was misinformed by a TSA agent who claimed opting out would cause delays. If such confusion can reach a lawmaker, the report suggests, it is likely to affect ordinary travelers at a much higher rate.

PCLOB’s findings are further reinforced by concerns about how data is stored and shared. While the report praises TSA for deleting live images within 24 hours and avoiding integration with law enforcement databases, it also notes the potential vulnerabilities inherent in expanding biometric infrastructure.

“The more information gathered, the more places it is stored, and the longer it is retained, the higher the chance that the information could be accessed by malicious actors or misused beyond its intended purpose,” the report warns. To mitigate these risks, PCLOB recommends a range of reforms, from restricting data retention to mandating independent audits and establishing clear mechanisms for handling complaints.

One particularly sensitive area is the demographic performance of the facial recognition algorithms. Although recent evaluations show significantly improved accuracy across age, gender, and racial lines, earlier studies – especially those prior to the adoption of newer algorithms – revealed disproportionate error rates for people of color, older adults, and women.

PCLOB urges DHS to develop mandatory standards that minimize demographic disparities and ensure fairness across populations, especially in high-stakes environments like airport security where a misidentification could lead to public embarrassment, missed flights, or worse.

PCLOB also criticizes TSA and DHS for lacking clear procedures to collect and respond to traveler complaints related to facial recognition. Without a formal mechanism to register concerns, travelers have limited recourse if they feel their rights have been violated. Additionally, the report stresses the importance of independent audits and public reporting to ensure compliance with privacy rules and to detect any systemic failures.

Yet, for all its findings, the report stops short of calling for a suspension of TSA’s further deployment of biometrics. Instead, it offers a cautiously pragmatic framework for improvement. The underlying assumption appears to be that facial recognition at TSA checkpoints is here to stay, but that it must be made accountable, transparent, and truly voluntary. That assumption, however, is precisely what Merkley and Kennedy’s legislation challenges.

In that light, their bill and the PCLOB report operate in complementary, if occasionally divergent, spheres. The former attempts to codify legal limits on biometric surveillance before the expansion becomes irreversible. The latter diagnoses the current system’s structural flaws and offers administrative remedies that might, if faithfully implemented, protect civil liberties within existing frameworks. Together, they offer a roadmap – one political, the other technocratic – for how the U.S. might govern its biometric future.

What remains unclear is whether there is sufficient political will to move from recommendations to binding restrictions. Legislative action faces an uphill climb in a divided Congress where surveillance powers are often justified in the name of security, and where technology firms and government contractors have vested interests in the continued proliferation of biometric systems.

That leaves the future of facial recognition governance in a precarious position. As PCLOB warns, the risks of function creep, opacity, and inconsistent implementation are not theoretical, they are already underway. If TSA’s current trajectory continues unchecked, the agency is poised to complete its biometric rollout to all 400-plus U.S. airports by 2049. And if voluntary participation continues to be undermined by unclear signage and misinformed agents, then “opt-in” could become a legal fiction rather than a meaningful right.

Merkley and Kennedy are not content to wait for those predictions to be fulfilled. Their proposed legislation, bolstered by the PCLOB’s empirical findings, seeks to place a democratic perimeter around a rapidly expanding surveillance system. Whether Congress acts, or whether biometric normalization proceeds by bureaucratic inertia, it well define the next chapter in the debate over privacy, technology, and the limits of state power.

Article Topics

airports  |  biometrics  |  data privacy  |  DHS  |  digital ID  |  face biometrics  |  facial recognition  |  identity verification  |  Privacy and Civil Liberties Oversight Board (PCLOB)  |  TSA