By Jay Stanley, Senior Policy Analyst, ACLU Speech, Privacy and Technology Project
The TSA has issued a “Market Research Announcement” in which the agency expresses a desire to expand its Pre-Check whitelist program by allowing private companies to carry out risk analysis of Americans that would determine whether they are “trusted” enough to participate in the trusted traveler program. This would be a major step toward turning the agency’s Pre-Check whitelist into the insidious kind of passenger profiling system that was proposed under the Bush Administration in the wake of 9/11, and a confirmation of our longstanding warnings that the logic of the risk-assessment approach to security will drive the government toward the use of more and more data on individuals. It would be the most significant of the new initiatives the TSA is looking at this year.
Currently, under Pre-Check, travelers who have attained a certain level within the frequent flier programs of six airlines can apply for the program by providing the government with certain information and, if they are accepted, receive access to expedited security lines. Department of Defense personnel and those with certain security clearances may now also join—and future expansions are inevitable. Although it is currently limited in scope, we have been warning that this kind of program points us down the road of engaging in background checks and discriminatory profiling of passengers. The concept raises knotty questions about fairness; we don’t know who is approved for this program and who is rejected, and based on what data, or what criteria for evaluating that data.
Defenders of Pre-Check point out that it is voluntary. However, as the agency explicitly states in this new document, “TSA desires to maximize appropriate participation in expedited screening initiatives.” In short, it hopes to lighten the screening load as much as possible by enrolling as many people as it can in Pre-Check. That means that ultimately, we face the prospect of a two-class airline security system, or even a system in which simply everyone has a Pre-Check ID, and the hapless group who can’t get one become a security underclass. Then the Pre-Check is adopted for all kinds of other purposes by piggybacking organizations, and like a “voluntary” credit card, it becomes impossible to fully participate in American life without one, and those who are shut out—and they won’t know why—face all kinds of obstacles and disadvantages.
As I discussed in this post, the Bush program, called CAPPS II, would have tapped into commercial data sources to perform background checks on every air passenger, and crunched that data to produce a profile of each traveler’s “risk to aviation.” The initial vision seemed to be to measure individuals’ “rootedness in their community,” measuring such things as how long a person has lived at their current address, held their current job, held a credit rating, etc. Among the numerous problems with this concept, it would have been enormously discriminatory in its impact (African-Americans, for example, tend to move more often than whites), and would have been grossly ineffective in spotting terrorists. (As Bruce Schneier has long pointed out, the danger is that to the extent you exempt some groups from security measures, you open up a pathway for terrorists to join or recruit their way into the program.)
We and others fought this terrible idea, and over several years of battles in Congress and the media, it was renamed “Secure Flight” and basically reduced to watch list checks. A victory of sorts—although the watch list system underpinning Secure Flight continues to be a mess.
Now it is clear that our concerns about Pre-Check sliding back towards some kind of CAPPS II-like profiling system have been warranted. In particular, the agency appears never to have lost its fixation with partnering with private-sector data aggregators to evaluate American citizens. The TSA writes:
TSA is particularly interested in techniques that … use non-governmental data elements to generate an assessment of the risk to the aviation transportation system that may be posed by a specific individual, and to communicate the identity of persons who have successfully passed this risk based assessment to TSA’s Secure Flight.
As I understand it, the concept here is that a company such as a data broker would sift through the enormous volumes of data they store on Americans and come up with a proposed algorithm for judging “the risk to the aviation transportation system” of any given individual. TSA would examine that algorithm, and upon the agency’s approval, the company would be authorized to sell Pre-Check memberships using that algorithm applied to its own data.
For now, the TSA says it “is seeking white papers that successfully demonstrate sound, well-reasoned concepts … to identify ‘known travelers’ pre-screened to a high degree of confidence.” The agency says it wants to allow “entities latitude to do what makes the most sense for them”:
TSA will specify a few common core requirements for process and algorithm content, while encouraging innovation by allowing participating entities to include additional elements in their algorithms as they see fit (as long as they are legal). These hybrid algorithms would have to meet certain performance criteria, described below.
Those criteria include:
- An enrollment process that is convenient and user friendly
- A proposal that “presents an effective process for gathering required personal information from potentially large numbers of prospective enrollees”
- Handling travelers’ personal information with various security and privacy safeguards
- “Has identified and obtained access to specific sources of current, accurate, and complete non-Governmental data that can be used to support effective screening of prospective travelers”
- An algorithm “that produces dependable results”
The agency outlines a three-phase process for turning these white papers into functioning part of our security system. Phase 1 (30 days) is selection of promising submissions, phase 2 (45-60 days) is prototype implementation, and phase 3 (4-6 months) will be live prototyping on actual passengers at an actual airport.
Aside from the fundamental effectiveness questions of this concept, there are a number of major problems with it from a civil-liberties point of view:
- Unfair effects. It is likely to have an unfair impact on the American public. As I mentioned above it could easily be discriminatory in its application, or otherwise unfair depending on the data sources used. For example, see this story about a man having problems with his credit score precisely because he had always been careful not to go into debt. The data aggregators are subject to no rules regarding data quality, and their databases are rife with errors, as are the credit ratings agencies’ (despite their being subject to some regulations).
- Secrecy. We probably won’t even know about such unfair effects because the system will be wrapped in secrecy. The TSA’s document specifies that “The specific sources and types of information employed for pre-screening purposes under this initiative may not be publicly disclosed.” It also contains a long section specifying that any private partners of the TSA will be subject to the agency’s Sensitive Security Information (SSI) rules.
- Private-sector delegation. Delegating security assessments to a private company raises significant issues. We have always believed that it’s a foolish idea to start building an algorithm-based system for “rating” Americans on their security “trustworthiness,” which is then used to curb people’s rights (such as the right to travel). If we must have such ratings performed, that would at least be an inherent law enforcement function. We shouldn’t have private, profit-oriented companies making those designations, any more than such companies should be deciding who to prosecute. Having private companies make the ratings, and the government acting upon them, may be pretty close to the worst of all worlds. In addition, much of the corporate world operates on relationships and favors—not to mention money; it’s not clear how the TSA would regulate these companies to ensure they won’t engage in corruption or abuse or systematic bias when deciding who can get a Pre-Check pass. Especially given that the TSA won’t routinely have access to the underlying data.
- Access to data. However, the agency does state that while it won’t “generally” access the personal information about an individual used by a company, it may do so during audits. Also, the “results of the pre-screening process” will be shared with the TSA “upon request”; it’s not clear to me what the agency means by “results” here.
Ultimately, the core problem with Pre-Check remains: it is (as I said here) caught between two possibilities: collecting so little information that it’s useless as a security measure, or so much that it is scarily intrusive. The TSA wants to take a long stride toward the latter. True, by outsourcing the data-crunching function to a private company, the agency won’t be collecting the information itself. That certainly ameliorates some of the privacy problems with the concept—but if anything worsens the other concerns, such as fairness, accuracy, due process, and the role of for-profit companies in providing what are essential government functions. Thwarted in its efforts to tap private databases a decade ago, the agency seems to be edging back toward that concept via a classic Surveillance-Industrial Complex strategy.