Your Biometric Privacy Is Worth 2,500 Miles to United

Written By Andrew Ronchetto

Holiday travel turns airports into pressure cookers. Gates are packed. Lines blur into crowds. Everyone is trying to keep up with boarding groups, overhead announcements, and the quiet urgency of not being the person who slows the whole machine down. Most of all, we are just hoping for the best.

It’s also the season when the airline industry’s favorite promise about biometric boarding gets tested in the one environment where promises tend to break. In the real world. Under stress. At speed.

United Airlines says biometric boarding is optional. It’s framed as a convenience for eligible travelers who want a faster experience.

But in a digital world, “optional” has to mean more than a sentence on a website. It has to mean the system can actually stop when you say no.

Because consent is not a vibe. It’s a control.

If a system cannot reliably enforce refusal in real time, then it doesn’t matter what the policy says. The policy becomes a disclaimer, and the technology becomes the default.

And that’s what happened to me.

I Opted Out. The System Processed Me Anyway.

At a United gate, I clearly and explicitly declined biometric facial scanning and requested to board using my physical boarding pass.

Despite that refusal, the biometric system continued operating and captured my facial data anyway.

I know because when I tried to scan my boarding pass after opting out, the system produced an error stating that I had already boarded the flight.

That outcome matters.

It means the system recorded a biometric boarding event tied to me even after I refused to participate. It also disrupted boarding because I was forced to deal with an error created by a process I explicitly declined.

This wasn’t about discomfort. This wasn’t about preference. This was a consent failure.

If “optional” doesn’t reliably stop collection when a passenger says no, then it’s not optional. It’s default.

And if the default is biometric capture, then the burden is no longer on the system to prove consent. It’s on the passenger to prove refusal.

That’s an inversion of what privacy should look like.

“I Had Nothing to Do With That”

When I raised the issue at the gate, the agent dismissed the concern and told me he “had nothing to do with that.”

That response should make anyone uneasy.

United has deployed biometric boarding into a live operational environment where sensitive biometric identifiers can be captured in seconds, at scale, under pressure. Yet the employee responsible for managing the boarding flow treated it as if it wasn’t his system, his process, or his responsibility.

That’s not just poor customer service. It’s a breakdown in governance.

A passenger cannot meaningfully opt out if the frontline staff managing the moment can’t explain the process, can’t enforce the refusal, and won’t take accountability when the system fails.

In the digital world, that’s how consent gets hollowed out. Not by malicious intent. By operational indifference and poor controls.

United’s First Move: Treat It Like a Seat Complaint

I submitted a formal complaint to the Department of Transportation because biometric identifiers are sensitive personal information. They can’t be reset like a password. They can’t be reissued like a credit card.

That’s precisely why biometric systems require strict consent enforcement and meaningful opt-outs that work in practice, not just in theory.

I also contacted United Customer Care.

Their first response didn’t engage the privacy breach at all. It began with: “I’m sorry to hear you didn’t enjoy your flight,” and it offered 2,500 award miles.

That wasn’t just miscommunication. It was a misclassification.

United treated unauthorized biometric processing like a standard service dissatisfaction issue. Miles. Loyalty. “Better impression next time.”

This is what happens when privacy failures are routed into customer service workflows designed to pacify frustration rather than investigate governance breakdowns. The company can close the case without answering the central question.

How did the system scan me after I opted out?

Then Came the “Wrong Line” Defense

After I pushed back and made it clear this was unauthorized biometric processing, United shifted to a procedural explanation: biometric boarding is optional, but opting out requires staying in the “standard boarding line,” not the “biometric-enabled lane.”

That framing didn’t match the boarding environment I experienced.

There weren’t separate biometric and non-biometric lanes. Boarding was organized by groups, and the biometric system was operating across that flow. In that environment, opt-out cannot be treated as a lane selection issue. It’s an operational control issue.

And when an airline leans on lane selection as the mechanism for consent, it creates a convenient escape hatch. If a passenger is scanned after refusing, the company can imply the passenger must have stood in the wrong place.

This is how responsibility gets quietly shifted away from the entity actually running the boarding operation.

It is also how opt-out becomes performative.

CBP Runs the Camera. United Still Runs the Boarding.

United’s later response leaned on a different defense: U.S. Customs and Border Protection (CBP) operates the biometric system. United said it does not store, retain, or access biometric images, and it cited CBP retention windows. It also stated that images are “not shared with United beyond the boarding status response generated by the CBP system.”

Here’s the problem with that framing.

Even if CBP controls the camera and retains the image, United still controls the passenger-facing collection moment. United still controls the boarding workflow. United’s system still updates the passenger’s boarding status based on the biometric transaction.

That’s not abstract. It’s exactly what happened to me.

The system flagged me as already boarded after I opted out and before I scanned my boarding pass. That means a biometric transaction occurred and it produced an operational outcome inside United’s process.

So “we don’t store the images” isn’t a complete answer.

Because clearing a passenger to board still requires a transaction tied to a specific traveler. The airline receives a “boarding status response” and uses it to update boarding and move the process forward. That response does not materialize out of thin air. It is the output of a biometric event that the airline operationalizes.

And that output creates records. Logs. Metadata. A timestamped boarding decision associated with a traveler record. The functional proof that a biometric process occurred, even if the image itself is deleted elsewhere.

That’s why focusing only on who holds the photo misses the point.

The issue is that biometric capture happened after explicit refusal. Then the system used the resulting response to mark me as boarded.

Consent failed at the exact moment it mattered most. And the airline still benefited from the result.

The Regulatory Lag Is the Real Risk

This is where the broader issue comes into focus.

Biometric programs are being deployed faster than enforceable safeguards, and passengers are left navigating a high-stakes consent environment with little power and even less transparency.

In most parts of the digital world, we’ve already learned the lesson. Companies say data collection is optional, but opt-outs can be buried, friction-filled, or functionally ignored. The difference here is the data.

Biometrics are uniquely permanent. Once captured, you cannot change your face. You cannot reissue your biometric identifiers. And you cannot audit what happened at the point of collection without the cooperation of the system that collected it.

That’s the risk of a regulatory lag. When the rules and enforcement mechanisms aren’t strong enough, the only practical protection becomes the passenger’s ability to push back, document, and escalate.

Most people don’t have time to do that. Especially during the holiday rush.

So the system keeps moving.

The Real Question: Does “Optional” Mean Anything at the Gate?

This isn’t about whether biometrics can make travel easier. It’s about whether consent survives contact with reality.

Holiday travel is the worst environment imaginable for “soft” opt-outs. Crowds move forward. Staff are pressured to keep throughput high. Travelers are rushed, distracted, and trying not to miss their flight.

That is precisely the moment when an opt-out must be a hard control, not a suggestion.

If the system can scan you after refusal, then the system is not respecting consent. It’s collecting first and sorting it out later.

And when the airline’s first response is miles, its second response is “wrong line,” and its third response is “CBP deletes the photos,” you’re left with one uncomfortable conclusion.

The industry is treating biometric privacy as a customer service topic, not a consent requirement.

United valued the violation at 2,500 miles. Is biometric privacy really worth only 2,500 miles? I don’t think so. Do you?

Andrew Ronchetto https://ronchetto.me
Previous

2025 Predictions Review: The Year Work Chose Control Over Trust
Next

It’s Confirmed: The Microsoft Power Platform Is 2025’s 1990s Access Database