Royal Caribbean’s Enhanced Facial Recognition Roll-Out Raises Serious Privacy Concerns

The Caribbean—and possibly the government—sees all.

Anthem of the Seas - Aerials at sea (Bahamas)
Royal Caribbean

Royal Caribbean Cruise Line has been testing facial recognition software to speed up disembarkation. After successful trial runs at the ports of Cape Liberty, Miami, and New Jersey, Royal Caribbean will deploy the technology across all of its ports, with Florida’s targeted to become the first adopters. However, there are lingering concerns about passenger privacy—and what happens to the facial scans once they're taken.

The “MFace” facial recognition technology is built by the company IDEMIA. Employed whenever a passenger disembarks or returns to the ship, the MFace software compares a 3D rendering taken of the passenger’s face with an already cataloged photo held in the ship’s passenger manifest. It’s also cross-referenced through Customs and Border Protection’s Traveler Verification Service. The point is to simplify and expedite passenger comings and goings onto or off the ship and reduce possible stowaways. But what happens to your rendered face and logged photo I.D. is somewhat murkier.

IDEMIA, Royal Caribbean, and U.S. Customs and Border Protection all state emphatically that they do not store images past the end of the completed trip. Though we cannot confirm whether or not IDEMIA or Royal Caribbean store those images, the U.S. Customs and Border Protection appears to do exactly that. 

In a recent article by the South Florida Sun-Sentinel, the article’s reporter found out that the U.S. CBP stores images of “U.S. citizens and exempt non-citizens” for at least 12 hours once the images have been compared to those on file. “Non-citizens,” however, could have their images stored for up to 14 days. Yet, going through U.S. CBP’s publically available reports on the agency’s use of the Traveler Verification Service, the language used makes it seem as if the agency holds onto the data collected indefinitely as a way to enhance the TVS. 

According to the August 14, 2018-dated “Privacy Impact Assessment Update for the Traveler Verification Service (TVS): CBP-TSA Technical Demonstration Phase II” assessment, “Once the photo is captured and transmitted to the TVS, it is converted into a template and matched against the gallery of preassembled templates of historical images described above.” Preassembled and historical images are likely those gathered from passports and state I.D.s. However, the next portion seems to confirm that these new biometric facial recognition units are used to update those files and store new images. “If the TVS confirms the traveler’s identity, the CBP dashboard application will display the newly-captured image, along with [previously acquired] biographic data (full name and date of birth) of that passenger.”

Further obscuring what the system actually entails, the U.S. CBP assessment states, “In an effort to mitigate the impacts of this expanded collection, CBP seeks to minimize the data it maintains by purging facial images as quickly as possible after use. Each traveler’s biographic and biometric data is deleted from the TSA-issued device, either at the time of the next passenger’s transaction or after two minutes, whichever occurs first. All PII collected for the TVS transaction is stored in a secure database within the CBP network. CBP does not retain images of U.S. Citizens in ATS-UPAX but does retain images of non-U.S. Citizens for up to 14 days for confirmation of the match, as well as evaluation and audit purposes. CBP deletes all photos, regardless of immigration or citizenship status, from the TVS cloud matching service within 12 hours of the match”

The U.S. CBP’s report makes it sound like when your photo is captured by a TVS-enabled system, it is deleted soon after. But the actual wording implies that the data is only deleted from the specific device the passenger uses. The U.S. CBP’s wording also contradicts itself based on previous sections of the assessment. If the photos are deleted soon after being taken at a point of entry, how then does the agency update the “historical images” in a person’s profile within the Traveler Verification Service? 

In the U.S. CBP assessment, the agency states that “CBP deploys auditing tools within its systems to ensure appropriate retention and deletion of data in accordance with the policies and procedures outlined in this PIA,” however, recent breaches, or outright covert usage, of an individual’s personal data show that no system is infallible.  

Royal Caribbean will roll out the larger scale use of IDEMIA’s MFace through the year at the ports mentioned above. However, you may find yourself face-to-face with one of these systems sooner and not at a port. IDEMIA has also been contracted to provide facial recognition systems for the Department of State, a number of U.S.-based airports, and for the government’s Consular Affairs.