Skip navigation
Sign up to follow your favorites on all your devices.
Sign up
View All Scores

Biometric scanning is coming to the ballpark. It’s a really bad idea.

Cyber Security Concerns In The Global Wake of Hacking Threat

LONDON, ENGLAND - AUGUST 09: In this photo illustration, a hard drive is seen in the light of a projection of a thumbprint on August 09, 2017 in London, England. With so many areas of modern life requiring identity verification, online security remains a constant concern, especially following the recent spate of global hacks. (Photo by Leon Neal/Getty Images)

Getty Images

*This article has been corrected and updated since it was first published. See below for notes on corrections.

It was announced last summer to relatively little fanfare, but after a few years in which only a couple of teams have done this on a small-scale basis, several more teams will be introducing biometric ticketing and concessions purchases in 2019. It’s a pilot program between Major League Baseball and Clear, the company behind fingerprint and facial recognition technology at airports and other places. As described in a typical story about it from last summer:

Clear members can link their profiles with their accounts, entering Comerica Park or Yankee Stadium or AT&T Park with just the tap of a finger—or maybe even facial recognition technology in the near future. The tech is still developing.

With the nod to people who like to say things like “the future is cool,” etc. etc., may I ask why anyone would willingly give their biometric over to get into a ballpark?

At the outset let me say that I am not one of those people who lose sleep at night worrying about data security. It’s a serious matter, yes, but I tend to think that the concerns about it can, at times, be overstated. I know Facebook, Twitter my mobile phone and all manner of other apps and devices are collecting data and are studying my habits. I don’t think it’s a good thing, but I also try to exercise as much common sense, employ enough password and security measures, and share as little truly critical personal information as I can. There is a real danger of data misuse and theft, yes, but at times some of the talk about it can, I think, be a tad overwrought and alarmist.

But biometric data is a bit different than, say, a social media profile or a record of the online retailers I like to browse. I can change my passwords and go incognito online. I can’t change my fingerprints. I can’t change my retinas. Once that data is collected, the collector can, theoretically, hold it forever. Or sell it to anyone. They may say they have no interest in doing that -- and perhaps it’s bad for business to be seen as a company that shares your information with others -- but there is nothing legally stopping them from doing it. There are no federal laws covering this and only three state laws about it at all. Only one of which, in Illinois, has anything approaching teeth.

The bigger question I have: why in the heck does baseball think this is necessary?

A glimpse of it can be seen in the quotes given by an MLB official last summer:

“Developing a partnership that will unify emerging identity technology and ticketing is reflective of our commitments to always improving ballpark accessibility and maintaining critical security standards.”

Like everyone else in post-9/11 society, baseball seems to think that using the word “security” as some sort of magical incantation explains everything that needs to be explained. That’s far from the case, of course.

You can read a good bit of why that is in this article at Vice from 2015, which reported on the first installation of Clear’s biometric technology in baseball, at Yankee Stadium. The upshot: while biometric technology can mostly assure that the person entering a stadium is who they say they are, baseball has never cared, one iota, that the person entering the stadium is who they say they are. You’re not ID-checked at the turnstile and you never have been.

There is, at present, the extraordinarily rare case of keeping out people who have otherwise been banned from the ballpark, but going forward this gives MLB the ability to know who is there and who is not. Is there a compelling security reason for that? Maybe there’s an argument for that, maybe there isn’t, but if MLB simply wanted to know that it could’ve required ID checks for everyone at either point of sale or point of entry a long time ago and it has never done that. I suppose it’s possible they want that but it’s too cumbersome to check IDs and Clear makes it all easier. But it’s not like MLB is mandating the use of Clear, so it’s still an opt-in process. If the need for knowing fan identity were truly compelling, it would not be opt-in, right?

Even with Clear, I’m not sure what kind of security enhancements will be realized. Fine, you know who’s in the ballpark. But there is no screening function achieved simply by giving your fingerprint to get in unless it’s linked to a hotline to the Department of Homeland Security or the FBI or something, and I feel like that would a whole different story. As it stands, a registration with Clear -- which is free of charge for sports purposes -- an ID and a set of fingers can get you into the ballpark, which anyone can get. As for the mechanics: before now there have been various stadium-by-stadium versions of Clear and there is mixed information about what security processes people who use Clear go through. The Vice article from 2015 had the user bypassing the metal detectors completely. I’m told that’s no longer the case, but a Yankees fan I spoke with who has used the service as recently as last year said that you’re still subject to security, but it’s an express line with a more lax wand-wave and bag check.

So if there’s no obvious security enhancement why do this?

A source at Major League Baseball tells me that it’s mostly about streamlining the game-going experience. Specifically upon entering the park. Rather than scan tickets, one’s fingerprint basically takes care of that. It seems like a very, very small amount of streamlining if you ask me. You still have to go through the metal detectors or a wand and bag check, which is the real bottleneck, and the time it takes to get your fingerprint is not that much faster than the time it takes for the old guy with the little scanner to scan the bar code on your ticket. Major League Baseball corrected my earlier assumption that it holds on to the biometric data that is scanned -- it does not keep that information; it merely confirms with Clear that you bought a ticket -- but it has to be getting something out of this deal in order to allow Clear to set up shop at its ballparks and have access to its ticketing database. I speculated to my source that maybe it’s just money -- the Doosans and the Camping Worlds and, perhaps, the Clears of the world make the league go ‘round -- but neither Major League Baseball nor Clear would comment about the specifics their business arrangement. Which, fair enough.

Then I reached out to Clear to ask them why a baseball fan should use the service.

A spokesperson for the company says that Clear wants fans to have access to a “trusted identity platform,” and that it wants fans to have “faster, predictable experiences from the time they arrive at the stadium until the time they leave.” Over time it envisions providing more services, such as “touch points at stadiums, biometric ticketing and concessions that fans can choose to take advantage of.” That’s a seemingly reasonable pitch and your mileage may vary as to whether you think that provides you value as a fan.

But there’s no escaping the fact that the mechanics of its system also provides Clear with a rich source of data. Via registration of its users and via the ability to pair up its users personal and biometric information with its commercial habits -- in this case, going to baseball games, buying concessions or whatever -- Clear is gathering data on its users. What they do with that data may not be anything to be concerned about -- Clear is, well, clear, in stating that it “never rents or sells member data, biometrics or personally identifiable information of members to third parties.” Still, it’s worth noting that Clear for sports is free of charge, and as the old adage goes, if you’re not paying for the product, you ARE the product. There is value in the data you are giving to Clear in order to use it to get into the ballpark. And that’s before one acknowledges that even the best-designed data security operations can fail. There are a lot of people who would love to get into a database of fingerprints and retina scans tied to your address, email address and, possibly, your credit card data. I take the Clear spokesman at his word regarding their desire to safeguard user information -- it’s terrible for business if they don’t -- but no one is perfect and there are a lot of bored, greedy hackers in the world.

MLB’s partnership with Clear will, if you take advantage of it, cause you to turn over your biometric data. Maybe they do nothing with it, but huge swaths of the modern economy are based primarily on data and information and that has a big effect. Sometimes that effect is negative, sometimes it is beneficial, but it’s rarely neutral. Biometric access to the ballpark will change things for baseball fans, sooner or later. How you feel about that is up to you.

For now, I’m sticking with paper tickets and the old guy with the scanner.


*The earlier version of this post cited an article at the SportsTechie website which detailed the state of the law regarding biometric regulation. That article has been removed since this post was published. The information regarding the number of states regulating biometric data and the lack of federal regulation regarding biometric data was and is, however, accurate.

* The earlier version of this post referred to Major League Baseball “holding” your data or otherwise storing it. Major League Baseball stated to me, however, that it does not, in any way, hold or retain customers’ biometric data pursuant to its partnership with Clear. It merely confirms that fans who use Clear are ticketed to ballgames.

* The earlier version of this post did not contain comment from Clear. Comments, specifically regarding its policies regarding the use of customer’s personal and biometric data have been added.

Follow @craigcalcaterra