The TSA has a 鈥淢arket Research Announcement鈥 in which the agency expresses a desire to expand its Pre-Check whitelist program by allowing private companies to carry out risk analysis of Americans that would determine whether they are 鈥渢rusted鈥 enough to participate in the trusted traveler program. This would be a major step toward turning the agency鈥檚 Pre-Check whitelist into the insidious kind of passenger profiling system that was proposed under the Bush Administration in the wake of 9/11, and a confirmation of our longstanding warnings that the logic of the risk-assessment approach to security will drive the government toward the use of more and more data on individuals. It would be the most significant of the the TSA is looking at this year.
Currently, under Pre-Check, travelers who have attained a certain level within the frequent flier programs of six airlines can apply for the program by providing the government with certain information and, if they are accepted, receive access to expedited security lines. Department of Defense personnel and those with certain security clearances may now also join鈥攁nd future expansions are inevitable. Although it is currently limited in scope, we have been warning that this kind of program points us down the road of engaging in background checks and discriminatory profiling of passengers. The concept raises knotty questions about fairness; we don鈥檛 know who is approved for this program and who is rejected, and based on what data, or what criteria for evaluating that data.
Defenders of Pre-Check point out that it is voluntary. However, as the agency explicitly states in this new document, 鈥淭SA desires to maximize appropriate participation in expedited screening initiatives.鈥 In short, it hopes to lighten the screening load as much as possible by enrolling as many people as it can in Pre-Check. That means that ultimately, we face the prospect of a two-class airline security system, or even a system in which simply everyone has a Pre-Check ID, and the hapless group who can鈥檛 get one become a security underclass. Then the Pre-Check is adopted for all kinds of other purposes by piggybacking organizations, and like a 鈥渧oluntary鈥 credit card, it becomes impossible to fully participate in American life without one, and those who are shut out鈥攁nd they won鈥檛 know why鈥攆ace all kinds of obstacles and disadvantages.
As I discussed in this , the Bush program, called CAPPS II, would have tapped into commercial data sources to perform background checks on every air passenger, and crunched that data to produce a profile of each traveler鈥檚 鈥渞isk to aviation.鈥 The initial vision seemed to be to measure individuals鈥 鈥渞ootedness in their community,鈥 measuring such things as how long a person has lived at their current address, held their current job, held a credit rating, etc. Among the numerous problems with this concept, it would have been enormously discriminatory in its impact (African-Americans, for example, tend to move more often than whites), and would have been grossly ineffective in spotting terrorists. (As Bruce Schneier has long , the danger is that to the extent you exempt some groups from security measures, you open up a pathway for terrorists to join or recruit their way into the program.)
We and others fought this terrible idea, and over several years of battles in Congress and the media, it was renamed 鈥淪ecure Flight鈥 and basically reduced to watch list checks. A victory of sorts鈥攁lthough the watch list system underpinning Secure Flight continues to be a mess.
Now it is clear that our concerns about Pre-Check sliding back towards some kind of CAPPS II-like profiling system have been warranted. In particular, the agency appears never to have lost its fixation with partnering with private-sector data aggregators to evaluate American citizens. The TSA writes:
TSA is particularly interested in techniques that 鈥 use non-governmental data elements to generate an assessment of the risk to the aviation transportation system that may be posed by a specific individual, and to communicate the identity of persons who have successfully passed this risk based assessment to TSA鈥檚 Secure Flight.
As I understand it, the concept here is that a company such as a data broker would sift through the enormous volumes of data they store on Americans and come up with a proposed algorithm for judging 鈥渢he risk to the aviation transportation system鈥 of any given individual. TSA would examine that algorithm, and upon the agency鈥檚 approval, the company would be authorized to sell Pre-Check memberships using that algorithm applied to its own data.
For now, the TSA says it 鈥渋s seeking white papers that successfully demonstrate sound, well-reasoned concepts 鈥 to identify 鈥榢nown travelers鈥 pre-screened to a high degree of confidence.鈥 The agency says it wants to allow 鈥渆ntities latitude to do what makes the most sense for them鈥:
TSA will specify a few common core requirements for process and algorithm content, while encouraging innovation by allowing participating entities to include additional elements in their algorithms as they see fit (as long as they are legal). These hybrid algorithms would have to meet certain performance criteria, described below.
Those criteria include:
- An enrollment process that is convenient and user friendly
- A proposal that 鈥減resents an effective process for gathering required personal information from potentially large numbers of prospective enrollees鈥
- Handling travelers鈥 personal information with various security and privacy safeguards
- 鈥淗as identified and obtained access to specific sources of current, accurate, and complete non-Governmental data that can be used to support effective screening of prospective travelers鈥
- An algorithm 鈥渢hat produces dependable results鈥
The agency outlines a three-phase process for turning these white papers into functioning part of our security system. Phase 1 (30 days) is selection of promising submissions, phase 2 (45-60 days) is prototype implementation, and phase 3 (4-6 months) will be live prototyping on actual passengers at an actual airport.
Major problems
Aside from the fundamental effectiveness questions of this concept, there are a number of major problems with it from a civil-liberties point of view:
- Unfair effects. It is likely to have an unfair impact on the American public. As I mentioned above it could easily be discriminatory in its application, or otherwise unfair depending on the data sources used. For example, see this about a man having problems with his credit score precisely because he had always been careful not to go into debt. The data aggregators are subject to no rules regarding data quality, and their databases are rife with errors, as are the credit ratings agencies鈥 (despite their being subject to some regulations).
- Secrecy. We probably won鈥檛 even know about such unfair effects because the system will be wrapped in secrecy. The TSA鈥檚 document specifies that 鈥淭he specific sources and types of information employed for pre-screening purposes under this initiative may not be publicly disclosed.鈥 It also contains a long section specifying that any private partners of the TSA will be subject to the agency鈥檚 Sensitive Security Information (SSI) rules.
- Private-sector delegation. Delegating security assessments to a private company raises significant issues. We have always believed that it鈥檚 a foolish idea to start building an algorithm-based system for 鈥渞ating鈥 Americans on their security 鈥渢rustworthiness,鈥 which is then used to curb people鈥檚 rights (such as the right to travel). If we must have such ratings performed, that would at least be an inherent law enforcement function. We shouldn鈥檛 have private, profit-oriented companies making those designations, any more than such companies should be deciding who to prosecute. Having private companies make the ratings, and the government acting upon them, may be pretty close to the worst of all worlds. In addition, much of the corporate world operates on relationships and favors鈥攏ot to mention money; it鈥檚 not clear how the TSA would regulate these companies to ensure they won鈥檛 engage in corruption or abuse or systematic bias when deciding who can get a Pre-Check pass. Especially given that the TSA won鈥檛 routinely have access to the underlying data.
- Access to data. However, the agency does state that while it won鈥檛 鈥済enerally鈥 access the personal information about an individual used by a company, it may do so during audits. Also, the 鈥渞esults of the pre-screening process鈥 will be shared with the TSA 鈥渦pon request鈥; it鈥檚 not clear to me what the agency means by 鈥渞esults鈥 here.
Ultimately, the core problem with Pre-Check remains: it is (as I said ) caught between two possibilities: collecting so little information that it鈥檚 useless as a security measure, or so much that it is scarily intrusive. The TSA wants to take a long stride toward the latter. True, by outsourcing the data-crunching function to a private company, the agency won鈥檛 be collecting the information itself. That certainly ameliorates some of the privacy problems with the concept鈥攂ut if anything worsens the other concerns, such as fairness, accuracy, due process, and the role of for-profit companies in providing what are essential government functions. Thwarted in its efforts to tap private databases a decade ago, the agency seems to be edging back toward that concept via a classic Surveillance-Industrial Complex strategy.