Your Face is Your Ticket: Scary Convenience

No one scanned the digital pass on my phone for me to enter this year’s MWC, the annual technology trade show formerly known as Mobile World Congress. Facial recognition software did all the work.

Your face, too, might already be a ticket to a venue near you. Delta Airlines Inc.,

United Airlines Holdings Inc.

and JetBlue Airways Corp.

have installed face-scan ticketless boarding systems at several airports. This season, all Mets fans can use the facial-recognition express lanes previously reserved for season ticket holders. Frightening? Cool? From my recent brush with technology, it’s both.

As facial recognition access points appear in more and more public places, including airports and concert halls, you might be wondering how you’re supposed to feel about it.

Companies implementing facial recognition software tout the speed, convenience, security, and contactless benefits for customers. Most also point out that this is only an option. Meanwhile, lawmakers in several US states are seeking to tighten regulations around the use of this type of technology, citing privacy concerns as well as allegations of bias. Research found that the technology isn’t as accurate for people of color and women in general.

Although the answer depends on the individual, it is useful to know the company providing the service and the expected benefits: do you want this company to store your biometric information? Do you get anything useful in return? It also depends on where you are, as local laws affect the extent to which facial recognition can be used and data can be collected.

Capture your facial print

Facial recognition works by creating a map of your face. The card contains your unique measurements: the distance between your forehead and your chin, or between your eyes. These statistics are then converted into code called a biometric token or face print.

It’s how your iPhone’s Face ID identifies you, how Google Photos can group photos of your kids, or how Amazon.com Inc.

The Astro robot can distinguish family members from burglars. Tokens are not shared between separate services: each uses its own unique, non-transferable token for you.

GSMA, the industry group that organizes the MWC and represents mobile network operators worldwide, used a facial recognition service called Breez, developed with ScanVis Ltd., a Hong Kong-based company. The service cross-matches participants’ faces with previously submitted photos from government-issued IDs.

Breez entry is optional, but I chose it for speed. Prior to the event, non-breez attendees could wait several days to confirm their registration. Signing up for the MWC app, which used my phone’s camera to match my face with the image on my passport, took less than a minute.

How safe is my data?

While the conference face-scan lanes were certainly handy, every time I looked at the camera, I wondered who was looking at me. Where is my image going and what can be done with it?

A company that stores your facial data could keep it and pass from site admission to, say, law enforcement, or be acquired by a company that has an entirely different purpose than you agreed to. This type of abuse is largely hypothetical. However, you can’t always know where your face is: A company has sold facial recognition technology based on billions of images scraped from Facebook, LinkedIn and other sources.

Before consenting to the use of biometric data, Josef Kittler, professor of artificial intelligence at the University of Surrey in the United Kingdom, recommends finding out about three things: the purpose of collecting your data, what it happens to your face image once you no longer need it. service and how the data is deleted.

Conference organizers said attendees’ biometric tokens are encrypted and stored in Europe, though the data can be accessed from Hong Kong. The event’s privacy policy states that data is “securely destroyed” within 28 days of the event, in accordance with European Union data privacy laws. A GSMA spokesperson told me the data would likely be deleted within three days of the event closing. ScanVis, the GSMA’s technology partner, did not respond to my request for comment.

Protect your biometric data

While you almost always have the option to turn off facial recognition, it could eventually come at a cost, said Jennifer King, privacy and data policy officer at the Institute for Human-Centered Artificial Intelligence. from Stanford. Think about how the payment lane at a toll stop is almost always much slower than the E-ZPass lanes.

Another problem, she said, is that the United States does not have a federal law governing opt-out and non-discrimination rights, unlike the EU. Not only are there laws in Europe, but there are also regulators empowered to enforce them, Dr King said. Currently, only a few states, including Illinois, Texas, and California, have biometric privacy policies.

In January, the New York Attorney General launched an investigation into Madison Square Garden Entertainment Corp.

, after the New York site used facial recognition to block corporate attorneys suing the company from attending concerts or sporting events. In late February, a pair of court rulings expanded the scope of an Illinois law governing companies’ use of biometric data, which includes facial and retinal scans.

Face scanning will become increasingly prevalent in our travel and entertainment, as well as in other areas such as education, banking, and law enforcement. We have just started to understand the pros and cons.

For more analysis, reviews, tips and headlines from WSJ Technology, Subscribe to our weekly newsletter.

Write to Nicole Nguyen at nicole.nguyen@wsj.com