U.S. airlines use cameras to capture the faces of fliers and are giving the images to the government.

JetBlue started using customers’ biometric data, unique physical traits, in June to let them get on flights from Boston to Aruba without a boarding pass. At the same time, JetBlue started sending the data to Customs and Border Protection so the government could vet travelers. Delta is currently in discussions with CBP to do the same.

Even Homeland Security concedes airlines may use this for purposes other than ID checks.

“There is a risk that approved partners will use biometric images collected under the [service] for a purpose other than identity verification,” CBP said in a June privacy impact assessment (PDF).

CBP says it keeps all photos for up to 14 days for the time being during the trial, but biographical information associated with the photos, like passport numbers and dates of birth, is retained 15 years for U.S. citizens and 75 years for foreigners. The agency recommends partner airlines and contractors delete pictures within 14 days, but says the companies may choose to keep them longer “for business purposes,” the assessment states.

“Airlines are doing their own independent biometric-type services for checking bags, for boarding the plane, access to their lounges,” John Wagner, CBP deputy executive assistant commissioner of field operations, told privacy activists last week.

“If they are collecting that photo [at the boarding area], then just send it to us, and it’ll take care of our biometric exit requirement in a way that doesn’t require two cameras for you to have your picture taken twice to board the plane.”

Congress passed legislation after the 9/11 attacks that required a biometric identification system at air, land, and sea border entries and exits to make sure foreigners don’t overstay their visas or evade law enforcement. Congress never specified the physical characteristics the government should use for identity verification and did not require U.S. citizens to undergo biometric screening.

Yet Americans are being screened by CBP at airports. It first piloted the technology in June 2016 on departures from Atlanta’s Hartsfield-Jackson airport. The program is now running in five more airports: Dulles in Washington, Houston’s George Bush and William P. Hobby airports, Chicago O’Hare, and McCarren in Las Vegas. The goal is to have the program running in major U.S. airports in 2018.

In each airport, the government captures faces then cross-references them against a gallery of passport and visa photos of the legitimate passengers expected to be on flights. (It’s the same database Delta and JetBlue photos are checked against.) Signs posted near the cameras notify the public that the airlines are passing faces on to CBP, and paper fliers with details on the partnership are available if passengers request more information.

The agency admits there are many privacy issues surrounding this “partner process” that need some resolving (PDF). As CBP’s own June privacy impact assessment states, there remains “a risk that commercial air carriers will use the photographs for purposes beyond departure verification” because “commercial air carriers are not collecting photographs on CBP’s behalf or under CBP authorities.”

Delta and JetBlue said they do not store or directly access passenger biometric data.

Opponents of the airline-government partnership say, at least in present form, there is no way of preventing an airline from also using biometric information to monitor a person’s movements, shopping habits, or more.

CBP officials and DHS privacy officers sat down with some of their harshest critics to get help on this and other facial recognition concerns. About 10 advocates from the American Civil Liberties Union, Electronic Privacy Information Center, Georgetown Law Center on Privacy & Technology, and other public interest groups met at CBP headquarters in D.C. last week.

Privacy advocates at the meeting inside CBP’s headquarters, and in interviews afterward, depicted the the entire facial recognition concept as one national security purpose creeping into other government and consumer activities, without congressional authorization.

“Can you imagine from reservation to destination to back home, your face is truly your passport? From the time you walk in the airport, to you checking your bag, to TSA, to your flight,” CBP Executive Director Colleen Manaher said at the roundtable.

Some chuckled and others cringed.

“I know a lot of you looked at me like, ‘That’s a crazy dream,’” she added.

To Jeramie Scott, national security counsel at the Electronic Privacy Council, her vision of a planet blanketed by interconnected security cameras and computers seemed all too plausible.

“I don’t think that’s a crazy world. It’s just a scary world for us,” Scott said. “The mission creep possibility is a real, real thing.”

ACLU senior policy analyst Jay Stanley said it would be convenient to walk through checkpoints where you have to stop and show papers today, but would you want to take out your passport and show it to authorities every 10 feet?

“If your face is your passport you’re doing the same thing—we end up with a checkpoint society where people are being tracked,” Stanley said.

The critics were quick to call for a nationwide conversation when President Trump first ordered an accelerated rollout of the $1 billion face search technology in his travel ban, and have been growing louder now that the trial program is expanding.

“Be very clear with travelers that when it’s a company, an airline, taking the photograph, that company owns the photo and can determine how they use and store that photo,” because it’s possible the company could use it for marketing, Robyn Greene, government affairs lead for the Open Technology Institute at New America, told CBP officials.

Wagner responded, “We agree. It’s something we’ll work on with the carriers and the airports, figure out a way to do that.”

The agency says it will address outstanding privacy issues with public interest groups and airlines before deploying other possible technologies, such as lounge access or Transportation Security Administration screening.

CBP officials said they’re interested in allowing other agencies, specifically TSA, to use the database and facial data to vet foreign travelers, but that would require different legal authorities.

CBP says Americans on international flights don’t have to submit to airport photographs if they present a passport photo proving U.S. citizenship.

Privacy advocates pointed out there are no signs informing fliers of this right, plus, if customers want to use their face only as a boarding pass, it’s unclear how to opt out of sharing the photograph with CBP.

JetBlue says customers who do not want their photos shared with CBP can decline the whole boarding-pass-less service and show their paper documents to a crew member instead.

Each JetBlue-owned camera that’s part of the partner process is connected to a CBP virtual private cloud via a secure, encrypted connection.

“These photos are not accessible except by [JetBlue IT contractor] SITA and CBP for document verification purposes,” JetBlue spokesman Morgan Johnston said in an email. SITA provides “a pass-through service” and does not retain any data, including photos, Johnston added.

Delta spokeswoman Kate Modolo said in an email, “While Delta and the CBP have explored implementing facial recognition-based boarding that integrates the CBP’s customer screening requirements with Delta’s boarding process, CBP would own and handle all biometric data associated with that process.”