The cost of privacy: biometrics at London Heathrow T5

| 7 Comments
| More
London Heathrow's new Terminal 5 is back in the news: the Information Commissioner is investigating BAA's use of biometric security controls. But this fight isn't about security, it's about economics.

Last year I had the chance to tour London Heathrow's new Terminal 5. At £4.3bn, it's a remarkable piece of project management, even if it's not the most attractive terminal building I've been to. I wrote about what seemed like reasonable use of biometric security controls (with a big caveat about my fear of function creep and data retention), but the Information Commisisoner's Office sees it differently.

BAA's stated use of biometrics is to enhance security. Specifically, they say that the systems will prevent exchange of travel documents by airside passengers:

"The idea behind the fingerprinting is to make it impossible for a terrorist to arrive at Heathrow on a transit flight, then exchange boarding passes with a colleague in the departure lounge and join a domestic flight to enter the UK without being checked by immigration authorities."

The system works as follows: passengers are photographed and fingerprinted at passport control as they head airside, at which time passports and boarding cards are manually inspected. The process is repeated at the boarding gate, where the fingerprint scanner confirms that the traveller is the same person that went through passport control on that document. Airside document exchange has been effectively eradicated. BAA claim that the biometric data is destroyed after 24 hours, which seems reasonable, since by that time any traveller will have completed their flight - and if there's been a problem in the flight such as hijacking or accident, then the authorities could claim access to the records.

The new scheme is also being rolled out to Terminal 1 as part of the refit as BA moves to Terminal 5.

However, the Information Commissioner's Office sees this as a disproportionate response to a relatively minor problem. In response to a complaint by Privacy International, they believe that mandatory fingerprinting may be illegal, disproportionate to the need, and that the need has not in fact been proven. Furthermore, apparentlyBAA has not consulted the Information Commissioner's Office about the new scheme, which seems bizarre when they have staked so much upon it. The Commissioner is now investigating the scheme, and BAA has stated that whatever the outcome, the system will go live when the terminal commences operations this week.

What's the real issue here?

Our real problem is that BAA has yet to discuss the true motive for the new system. If airside document exchange were such a problem, then we would see biometric scanning planned for every airport in the UK. The Home Office would be making a political issue of it and championing the cause. But they're not, and this tells us that the motivation for the system is not security.

Take a look at the picture below:

200803241043.jpg

(c) Philip Ide/Daily Mail

What you can see here is a row of bag drop counters with the check-in stations in the background. Gone are the traditional check-in desks, which have been replaced with self-service counters. Passengers arrive, check themselves in at an ATM-like machine, then drop their bags. The first time they face a formal check of their passport and ticket is the security desk. What BAA and BA have managed to do here is to effectively remove an entire level of human interaction from the check-in process, and hence dispense with all the associated employees who would be involved in that. The new biometric security controls provide the check that would otherwise be done by the check-in staff.

What next?

So, in my opinion we have a new system that is claimed to enhance security at the cost of privacy, but in fact is there to save cost for the airport operator. And looking at it from that perspective, I'm inclined to agree with Privacy International and the Information Commissioner: this biometric system needs an urgent review. We need a public debate about whether it is acceptable to permit use of biometric checking to save costs for private companies. BAA should provide greater transparency about the system's design and operation, and engage with stakeholders to agree an appropriate governance regime to ensure that function creep and unnecessary retention of biometric data becomes impossible without user consent.BAA claims that the Home Office made them do it. The Home Office claims that it's a design decision for BAA and doesn't involve them.

Privacy International is recommending some pretty draconian countermeasures for travellers:

  • photograph anyone who takes biometrics and report them to the police;
  • prepare a Subject Access Request and submit it as soon as the fingerprinting takes place;
  • cover your fingers with a two-part adhesive so that the fingerprinting fails.

Until this gets sorted out, I think I'll fly from Southampton instead.


7 Comments

  • This is only required because of the common lounge facilities at T5.
    Most other airports have separate lounges for domestic and international passengers - so your entire premise for this article is incorrect.

    Without a common lounge, there is no risk of document exchange between international and domestic passengers.

    Biometrics was agreed with government agencies as being a suitable solution. In fact a photo only solution was deemed unsuitable by these agencies.

    quoting from another article :
    "In a statement, BAA said: “When BAA announced plans for common departure lounges, the Border and Immigration Agency was keen on a reliable biometric element to border control. Fingerprinting was selected as the most robust method by BAA, the BIA and other Government departments."
    "

    And finally - you should try asking BA what the process is. When you drop off your bag, you will have your documents checked if required by the BA staff at those desks.

  • Many thanks for your update. However, far from proving the premise to be incorrect, this reinforces it by demonstrating a second area of cost-savings arising from BAA's approach. They have been able to do away with the separate lounges rather than having to duplicate facilities.

    My description of the service is from the notes I took whist being shown the facilities by a BAA tour guide (who to be fair was no expert on biometrics). I'd be interested to hear if BA have anything to say on the matter.

  • I'm not going to argue that the bottom line is not money ;-)

    A Common Lounge is obviously beneficial in a number of areas; simpler design of building, less duplication of "essential" shops and concessions across two lounges, improved revenue stream from provision of all the high profile establishments to all the passengers etc. etc.

    No arguments there from me.

    However, the reason I questioned the premise of this article is because you seemed to imply that :
    - because no other aiport needed biometrics
    - because the Home Office aren't demanding it across the board (i.e. not necessary)
    - this in some way means that BAA (or BA) have an ulterior motive for fingerprint capture
    - which means a reduced number of staff in the check-in process and a cost saving

    The only reason for the system is due to the risk of document exchange in the common lounge.

    I suspect that if a photo only solution had been allowed by the government agencies, it would have been a lot easier and cheaper to implement.

    Your information on the biometrics system from last year matches my own understanding of how it operates, and I have no reason to believe that has changed.

  • Sorry "anaonymous" but this article is on the nail. The reason that they HAVE to have biometrics in T5 (& in the modified T1 et al) is that they are

    1. - "streamlining" check in, removing one layer of security at the front end and depending more on passport checks at the security barriers and at the gate.

    2. As for "The only reason for the system is due to the risk of document exchange in the common lounge".
    The common lounge is a weak spot, introduced for the sake of "efficiency" which means saving money and nothing else. If you don't want passport exchanges then you don't provide the opportunity to mix, pure and simple. So biometrics etc has been introduced to cover up for a failing in the building design.

  • This process is already in operation in Terminal 1. I recently arrived from Prague, transferring to a flight to Edinburgh. I was suddenly confronted by a desk , the person manning that desk did not have a very clear indication of who they worked for (either BAA or Immigration). I was faced with the decision of refusal and not being allowed to transfer (thus missing my flight) or complying …. At no point during the flight booking process or my check-in process at Prague was I notified that there would be this requirement, in my opinion a massive failure on the part of the airline - it clearly has knowledge of this process.

    2 main points need to be discussed.

    Firstly, as you say the justification. Both in the (extremely limited) information that is provided when you are confronted with this desk and through my own investigation have I been able to establish ANY concrete argument for the introduction of such a process.

    The second is around data security. This is in turn raises two issues.
    The leaflet provided states that the data is NOT linked to the traveller's name. This is certainly not true at time of capture. The finger prints and picture are taken whilst your boarding card is presented to the operative. Therefore at that moment the data IS linked to traveller's name. This can be referenced back (if the data is accessed) by the reference card that the operator prints, views and hands to the passenger …. Extremely easy to get a full list of passenger names and the corresponding data system reference WITHOUT accessing any system whatsoever.
    Then we get onto the data itself. It is said that the data will be destroyed after 24 hours. This may very well be the case according to policy and actually happen in normal operation. However there are 24 hours when the data can be compromised and as soon as it is then the 24 hours no longer has any relevance whatsoever. As is ever the case with such things, the most dangerous aspect is operation and data use as defined by the organisation, it is the misuse.
    On this matter of security, who is policing the Data Processing operations of BAA ? Who sees their Internal IT audit results. What external auditing will be taking place. What threat management operations are in place and above all … Who will POLICE this … This is a Public Limited Company that has introduced Biometric capture without (apparently) any reference to a Government body … That should NEVER be allowed to happen. Biometric capture by ANY organization should only be allowed under licence and should be Regulated by a Governmental Organization.

  • To JimmyD :
    BA will do passport checks at the bag drops and normal check in desks.
    If you require a passport check and have not had one you will be sent back to a BA desk to have it checked before you can pass through security and go airside.
    So - I don't see any streamlining there.
    See link regarding passport and visa checks for passengers with hand luggage only :
    http://www.britishairways.com/travel/terminal5-information/public/en_gb

    As for a design weakness in the building, it was actually designed in to the building from the start. The document exchange risk was a known issue from conception. It was originally planned to have a photo only system, but that was deemed inadequate by the government.
    BAA and BA would have happily implemented a photo only solution.

  • I raised a few questions with BAA (before T5 opened) about the operation of the biometric system. Below is the reply I received.

    Since sending my original email, I have since had the "pleasure" of coming back to the UK through T5. My photo was taken, but not my fingerprints. When we boarded the UK connecting flight, I was unaware of any further photographic check being made. As far as I could tell, boarding passes were simply scanned as normal.

    The BAA reply:

    Thank you for taking the time to contact us regarding your recent visit to Heathrow Airport. I would like to apologise for the delay in replying to your email.

    If I may explain, as part of the process of modernising Heathrow and transforming it into a world class airport, BAA has introduced common departure lounges for both domestic and international passengers travelling through Terminal 1 and Terminal 5.

    Traditionally, domestic passengers and international passengers have been segregated for border control purposes. However, new technology means passengers can enjoy the same facilities whilst still being able to identify the status of individual passengers.

    As international and domestic passengers will mix in the common lounge, we need to capture a photo image of departing domestic passengers. Ideally finger print data will be taken too, this personal data is encrypted immediately and is destroyed within 24 hours of use, the data capture does not include personal details. The photo and fingerprinting is referred to as Biometrics. At the gate, this data is reconciled to confirm the passengers' identity and ensures that UK border control regulations are met. Please be assured if you have been through the biometric process in Terminal 1 your data has been destroyed. Thank you for pointing out the mistake with the incorrect year for the Data Protection Act in the biometric security leaflet. This has been amended.

    As you may have seen in the media, following a meeting with all relevant parties, including the Information Commissioner and the Border and Immigration Agency, the introduction of fingerprinting for domestic passengers and international passengers transferring onto domestic flights at Heathrow has been temporarily delayed. BAA has opened Terminal 5 using a photographic identification process only. We will be working closely with the Information Commissioner and the Home Office over the next few weeks to agree the best approach going forward.

    Thank you again for your feedback and I do hope that any future journeys you may choose to take through Heathrow will prove to be much more enjoyable.

    Yours sincerely,


    Christine Page
    Traveller Communications
    For and On Behalf of BAA Heathrow

  • Leave a comment

    Disclaimer

    The views expressed in this blog are my own, and do not necessarily reflect those of any client or other organisation.

    Subscribe to blog feed

    Archives

    Categories

    Toby on Twitter

      Recent Comments

      Max on The cost of privacy: biom... : I raised a few questions with BAA (before T5 opene...
      Anonymous on The cost of privacy: biom... : To JimmyD : BA will do passport checks at the bag ...
      David Hammet on The cost of privacy: biom... : This process is already in operation in Terminal 1...
      JimmyD on The cost of privacy: biom... : Sorry "anaonymous" but this article is on the nail...
      Anonymous on The cost of privacy: biom... : I'm not going to argue that the bottom line is not...
      Toby Stevens on The cost of privacy: biom... : Many thanks for your update. However, far from pro...
      Anonymous on The cost of privacy: biom... : This is only required because of the common lounge...

       

      -- Advertisement --