the government does, and what they do with it is harshly regulated.

the TSA is part of DHS but operates outside of DHS and can do whatever it wants with your information if you give it freely. it’s one of the reasons how that facial recognition apparatus works. it was developed by a contractor to USDOD and delivered to DHS for the TSA to use on the public.

DHS cannot investigate the general public without probable cause, TSA can. so what information they gleam from the general public is then shared with DHS, DOD, and sold back to the contractor as a part of the delivered contract. what they do with it afterwards is entirely up to them.

both accepting and rejecting the scan is harmful to your privacy. by accepting you are now indexed in a database and that information can be used in multiple government sanctioned investigations. by rejecting it, you are flagged as a concern and your profile is then processed through and algorithm to identify your threat level.

the TSA are doing more than just looking at your passport when you reject. they’re waiting on that threat level response to identify if you should be taken for further questioning.

conservative Americans be like

it’s a data collection point.

can’t scan AI recognition on your passport, so they get your consent this way and with an updated photo.

it’s the only thing that makes sense if they’re taking photos and checking passports.

I would recommend it. Speaking from personal experience, I trusted my VPN connection to remain on and self-heal. Thinking that cost me a strike against my ISP.

Now I know for a fact that if anything goes wrong with the VPN connection, all the containers that need it will need to restart before they have connectivity again and that can only happen after the VPN container restarts and passes healthcheck.

IMO this is the best OS way, but without nix it’s a pita to maintain through restores/rebuilds. personally I never fully comprehended how to properly configure iptables/routes (I did try though, so nobody can blame me lol).

however, a major benefit to using a contained VPN or gluetun is that you can be selective on what apps use the VPN.

I host 12 other containers (with nas mounts) on the same host outside of the three that need to use a VPN, so this is why the solution I described works for me. and should I ever need to use routes for more advanced network filtering I still have it available without adding the complexity of splitting normal traffic vs VPN traffic.

I’ll ask this question because it might be something you didn’t think of.

What happens to your network connection if the VPN fails? will it continue to connect without a VPN?

I had a similar case of that happening, and ended up causing me to get some shame mail from my ISP.

now I run my VPN inside docker, and any containers that need access to it are configured as network slaves to it. VPN goes down? container reboots, all the others reboot after connection is restored, but will have no connection while it’s down.

it’s all in a well designed system of healthchecks and container configuration.