The European Union’s highest court today made clear—once again—that the US government’s mass surveillance programs are incompatible with the privacy rights of EU citizens. The judgment was made in the latest case involving Austrian privacy advocate and EFF Pioneer Award winner Max Schrems. It invalidated the “Privacy Shield,” the data protection deal that secured the transatlantic data flow, and narrowed the ability of companies to transfer data using individual agreements (Standard Contractual Clauses, or SCCs). Despite the many “we are disappointed” statements by the EU Commission, U.S. government officials, and businesses, it should come as no surprise, since it follows the reasoning the court made in Schrems’ previous case, in 2015. Back then, the EU Court of Justice (CJEU) noted that European citizens had no real recourse in US law if their data was swept up in the U.S. governments’ surveillance schemes. Such a violation of their basic privacy rights meant that U.S. companies could not provide an “adequate level of [data] protection,” as required by EU law and promised by the EU/U.S. “Privacy Safe Harbor” self-regulation regime. Accordingly, the Safe Harbor was deemed inadequate, and data transfers by companies between the EU and the U.S. were forbidden. Since that original decision, multinational companies, the U.S. government, and the European Commission sought to paper over the giant gaps between U.S. spying practices and the EU’s fundamental values. The U.S. government made clear that it did not intend to change its surveillance practices, nor push for legislative fixes in Congress. All parties instead agreed to merely fiddle around the edges of transatlantic data practices, reinventing the previous Safe Harbor agreement, which weakly governed corporate handling of EU citizen’s personal data, under a new name: the EU-U.S. Privacy Shield. EFF, along with the rest of civil society on both sides of the Atlantic, pointed out that this was just shuffling chairs on the Titanic. The Court cited government programs like PRISM and Upstream as its primary reason for ending data flows between Europe and the United States, not the (admittedly woeful) privacy practices of the companies themselves. That meant that it was entirely in the government and U.S. Congress’ hands to decide whether U.S. tech companies are allowed to handle European personal data. The message to the U.S. government is simple: Fix U.S. mass surveillance, or undermine one of the United States’ major industries. Five years after the original iceberg of Schrems 1, Schrems 2 has pushed the Titanic fully beneath the waves. The new judgment explicitly calls out the weaknesses of U.S. law in protecting non-U.S. persons from arbitrary surveillance, highlighting that: Section 702 of the FISA does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence or the existence of guarantees for non-US persons potentially targeted by those programmes. and ... neither Section 702 of the FISA, nor E.O. 12333, read in conjunction with PPD‑28, correlates to the minimum safeguards resulting, under EU law, from the principle of proportionality, with the consequence that the surveillance programmes based on those provisions cannot be regarded as limited to what is strictly necessary. The CJEU could not be more blunt in its pronouncements: but it remains unclear how the various actors that could fix this problem will react. Will EU data protection authorities step up their enforcement activities and invalidate SCCs that authorize data flows to the U.S. for failing to protect EU citizens from U.S. mass surveillance programs? And if U.S. corporations cannot confidently rely on either SCCs or the defunct Privacy Shield, will they lobby harder for real U.S. legislative change to protect the privacy rights of Europeans in the U.S.—or just find another temporary stopgap to force yet another CJEU decision? And will the European Commission move from defending the status quo and current corporate practices, to truly acting on behalf of its citizens? Whatever the initial reaction by EU regulators, companies and the Commission, the real solution lies, as it always has, with the United States Congress. Today's decision is yet another significant indicator that the U.S. government's foreign intelligence surveillance practices need a massive overhaul. Congress half-heartedly began the process of improving some parts of FISA earlier this year—a process which now appears to have been abandoned. But this decision shows, yet again, that the U.S. needs much broader, privacy-protective reform, and that Congress’ inaction makes us all less safe, wherever we are.

Government agencies and airlines have ignored years of warnings from privacy groups and Senators that using face recognition technology on travelers would massively violate their privacy. Now, the passengers are in revolt as well, and they’re demanding answers. Last week, a lengthy exchange on Twitter between a traveler who was concerned about her privacy and a spokesperson for the airline JetBlue went viral, and many of the questions asked by the traveler and others were the same ones that we’ve posed to Customs and Border Protection (CBP) officials: Where did you get my data? How is it protected? Which airports will use this? Where in the airports will it be used? Most importantly, how do I opt-out? Right now, the key to opting out of face recognition is to be vigilant. How to Opt Out These questions should be simple to answer, but we haven’t gotten simple answers. When we asked CBP for more information, they told us: “visit our website.” We did, and we still have many of the same questions. Representatives for airlines, which partner directly with the government agencies, also seem unable to answer the concerns, as the JetBlue spokesperson made evident. Both agencies and airlines seemed to expect no pushback from passengers when they implemented this boarding-pass-replacing-panopticon. The convenience would win out, they seemed to assume, not expecting people to mind having their face scanned “the same way you unlock your phone.” But now that “your face is your boarding pass” (as JetBlue awkwardly puts it), at least in some airports, the invasive nature of the system is much more clear, and travelers are understandably upset. It might sound trite, but right now, the key to opting out of face recognition is to be vigilant. There’s no single box you can check, and importantly, it may not be possible for non-U.S. persons to opt out of face recognition entirely. For those who can opt out, you’ll need to spot the surveillance when it’s happening. To start, TSA PreCheck, Clear, and other ways of "skipping the line" often require biometric identification, and are often being used as test cases for these sorts of programs. Once you’re at the airport, be on the lookout for any time a TSA, CBP, or airline employee asks you to look into a device, or when there’s a kiosk or signage like those below. That means your biometric data is probably about to be scanned. At the moment, face recognition is most likely to happen at specific airports, including Atlanta, Chicago, Seattle, San Francisco, Las Vegas, Los Angeles, Washington (Dulles and Reagan), Boston, Fort Lauderdale, Houston Hobby, Dallas/Fort Worth, JFK, Miami, San Jose, Orlando, and Detroit; while flying on Delta, JetBlue, Lufthansa, British Airways and American Airlines; and in particular, on international flights. But, that doesn’t mean that other airlines and airports won’t implement it sooner rather than later. To skip the surveillance, CBP says you “should notify a CBP Officer or an airline or airport representative in order to seek an alternative means of verifying [your] identity and documents.” Do the same when you encounter this with an airline. While there should be signage near the face recognition area, it may not be clear. If you’re concerned about creating a slight delay for yourself or other passengers, take note: though CBP has claimed to have a 98% accuracy rating in their pilot programs, the Office of the Inspector General could not verify those numbers, and even a 2% error rate would cause thousands of people to be misidentified every day. Most face recognition technology has significantly lower accuracy ratings than that, so you might actually be speeding things up by skipping the surveillance. The Long And Winding Biometric Pathway Part of the reason for the confusion about how to opt out is that there are actually (at least) three different face recognition checkpoints looming: Airlines want to use your face as your boarding pass, saying “it's about convenience.” CBP, which is part of the Department of Homeland Security (DHS), wants to use your face to check against DHS and State Department databases when you’re entering or exiting the country; and the TSA wants to compare your face against your photo identification throughout the airport. And if people are upset now, they will be furious to know this is just the beginning of the “biometric pathway” program: CBP and TSA want to use face recognition and other biometric data to track everyone from check-in, through security, into airport lounges, and onto flights (PDF). They’re moving fast, too, despite (or perhaps because of) the fact that there are no regulations on this sort of technology: DHS is hoping to use facial recognition on 97 percent of departing air passengers within the next four years and 100 percent of all international passengers in the top 20 U.S. airports by 2021. It’s the customers and passengers who will bear the burden when things go wrong, If the government agencies get their way, new biometric data could be taken from/used against travelers wherever they are in the airport—and much of that collection will be implemented by private companies (even rental car companies are getting in on the action). CBP will store that facial recognition data for two weeks for U.S. citizens and lawful permanent residents, and for 75+ years for non-U.S. persons. In addition, the biometric data collected by at least some of these systems in the future—which can include your fingerprints, the image of your face, and the scan of your iris—will be stored in FBI and DHS databases and will be searched again and again for immigration, law enforcement, and intelligence checks, including checks against latent prints associated with unsolved crimes. Passengers Will Bear the Burden of Privacy Invasion, Not Airlines or Government Agencies It’s easy for companies and agencies to tout the convenience of this sort of massive data collection and sharing scheme. But as we’ve seen in notable privacy fiascos over the last few years—from Facebook’s Cambridge Analytica scandal, to the breaches of the Office of Personnel Management and Equifax in the U.S., to the constant hacking of India’s national biometric database, Aadhar—it’s the customers and passengers who will bear the burden when things go wrong, and they will go wrong. These vast biometric databases will create huge security and privacy risks, with the additional concern that a company leaking your passwords or credit card numbers is nothing compared to it leaking your biometric data. While you can change a password, you can’t easily change your face. Additionally, these systems are notoriously inaccurate, contain out-of-date information, and due to the fact that immigrants and people of color are disproportionately represented in criminal and immigration databases, and that face recognition systems are less capable of identifying people of color, women, and young people, the weight of these inaccuracies will fall disproportionately on them. It will be the passengers who bear the burden when they are stuck watching the flights they paid for take off without them because there was an error with a database or an algorithm, or because they preferred non-biometric options that weren’t in place. It’s time for the government agencies and the airlines to pause these programs until they can clearly and adequately give: Photographs of the signage in-situ in the airports in question, as well as any additional information about the opt-out process. An explanation of the locations where CBP will be providing meaningful and clear opt out notice to travelers (for example, at entry points, point-of-sale, ticket counters, security checkpoints, and boarding gates) as well as the specific language travelers can use to opt out of the biometric data collection program. An up-to-date list of all the airports and airlines that currently participate in the biometric exit program. Information about the algorithm CBP is using to compare photos (provided by NEC), as well as the accuracy information associated with that algorithm. Technological specifications for transferring data from point of collection to DHS and with vendors and airlines. Additional questions—like how data is safeguarded—are laid out in our letter to CBP. Congress must also demand the answers to these questions. And lawmakers must require agencies and airlines to pause this program until they can not only ensure the biometric privacy of travelers is protected but more importantly justify this huge invasion of privacy. Just last month, three Senators released a joint statement calling on DHS to pause the program until there can be “a rulemaking to establish privacy and security rules of the road,” but so far, they’ve been ignored. Trading privacy for convenience is a bad bargain, and it can feel like the deal isn’t always one we have a choice in. DHS has said that the only way we can ensure that our biometric data isn’t collected when we travel is to “refrain from traveling.” That’s ridiculous. The time to regulate and restrict the use of  facial recognition technology is now, before it becomes embedded in our everyday lives. We must keep fighting to make sure that in the future, it gets easier, and not harder, to defend our privacy—biometric or otherwise.