The Transportation Security Administration’s (TSA) exclusive use of biographic data solutions “in its prospective attempt to expand the PreCheck travel screening program” is “strongly” being questioned by the International Biometrics & Identification Association (IBIA).
“As TSA works on re-issuing its Request for Proposal (RFP), IBIA believes that biometrics should remain at the core of the PreCheck vetting procedure,” the association said Wednesday.
On December 23, 2014, TSA issued an RFP for PreCheck expansion that seeks third-party vendors to "pre-enroll" passengers into the program. TSA’s proposal would authorize private vendors to use commercial data and proprietary algorithms to create a "risk-score" for passengers to determine eligibility.
“Though the RFP was temporarily withdrawn for a series of technical and policy reasons that are currently being resolved,” IBIA said, it noted that, “TSA has made clear its intention to change the established screening process for PreCheck applicants to rely on information from commercial data brokers and proprietary risk-scoring algorithms. As the RFP language is altered in anticipation of a future re-release, TSA has the opportunity to move in a direction that favors accurate matching against records of material value through biometrics.”
IBIA Managing Director Tovah LaDier, said, “this new practice lacks the necessary accuracy to identify security risks and poses a serious threat to applicant privacy, noting that the current system of biometric-based FBI criminal history records checks (CHRC) has a true match rate on fingerprints of 98.6 percent, whereas the performance of these algorithms varies greatly and remains largely unproven on such a mass scale."
The association said the “FBI biometric-based CHRC is acknowledged as key to background checks worldwide as well as in the US. It has been the cornerstone of TSA’s security threat assessment approach for the program. Now, TSA proposes that vendors perform less-reliable, name-based background checks, as well as amass personal information from social media, location information, retail purchase history, and blog posts.”
Chris Calabrese, senior policy director at the Center for Democracy and Technology, recently was quoted saying, "We’re talking about teaching machines how to spot dangerous behavior. It’s easy to do when you’re talking about credit card fraud; there’s billions of transactions and lots of fraud and you can teach the machine exactly what to look for. It’s very hard to do when it comes to terrorism, for which there are very few examples and which are very diverse."
IBIA said, “Biometrics already lie at the heart of the traveler vetting performed by most Department of Homeland Security (DHS) components, the benefits of which are widely known. TSA’s sole reliance on biographic checks fails to take advantage of the significant record base and experience that DHS already has in identifying security risks.”
“In addition,” the biometrics association said, “TSA’s proposed reliance on commercial data and proprietary risk-scoring algorithms also poses a serious threat to privacy. It is common knowledge that data on the Internet contains many inaccuracies. Personal biographic data, addresses, driver’s license numbers and credit card numbers that would be collected, have real value to cybercriminals and fraudsters and would leave private vendors vulnerable to hacks and incidents of identity theft.”
“This is not the case with biometrics in prescreening applications like PreCheck,” IBIA stated. “A fingerprint or other biometric only describes one thing, a user’s physical identity, and is of little value compared to large amounts of personal biographic, and other commercial data.”
IBIA is urging TSA to “reconsider its plan to rely solely on private company partnerships aiming to use biographic data in the PreCheck application process. Any reasonable and secure prescreening program must include biometrics for background checks and identification reliability to maintain a high-level of accuracy in identifying security risks.”
Earlier this month, Homeland Security Today reported, DHS’s Inspector General (IG) told a congressional committee hearing that nearly 14 years since TSA was established, “we remain deeply concerned about its ability to execute its important mission” – including PreCheck.
"Since 2004, we have published more than 115 audit and inspection reports about TSA’s programs and operations, [and] have issued hundreds of recommendations to attempt to improve TSA’s efficiency and effectiveness,” DHS IG John Roth said at a House Committee on Oversight and Government Reform.
Since July 2013 alone, Roth noted, the IG has issued 13 audit reports exposing TSA’s vulnerabilities and challenges, especially passenger and baggage screening, access controls to secured areas, workforce integrity and TSA’s operations.
While Roth said TSA needs to be applauded for its “efforts to use risk-based passenger screening because it allows TSA to focus on high- or unknown-risk passengers instead of known, vetted passengers who pose less risk to aviation security … we have deep concerns about some of TSA’s decisions about this risk. For example, we recently assessed the PreCheck initiative, which is used at about 125 airports to identify low-risk passengers for expedited airport checkpoint screening.”
“Since 2012,” Roth reported, “TSA has massively increased the use of PreCheck, allowing expedited screening for nearly half of the flying public. TSA did so in four ways:”
- Granted PreCheck eligibility to other federal government-vetted or known flying populations, such as those in the CBP Trusted Traveler Program;
- Established and increased the PreCheck application program, which requires individualized security threat assessment vetting;
- Implemented risk assessment rules; and
- Used “managed inclusion” for the general public, allowing random passengers access to PreCheck lanes without having assessed their risk.
As a result of the IG’s inspection, it “concluded that the first two methods are sound approaches to increasing the PreCheck population, but the latter two create security vulnerabilities. Based on our review, we believe TSA needs to modify the initiative’s vetting and screening processes. We also determined that PreCheck communication and coordination need improvement.”
TSA did not concur with the majority of the IG’s 17 recommendations, which Roth told the committee his office believes “represents TSA’s failure to understand the gravity of the situation.”
“As an example of PreCheck’s vulnerabilities,” Roth explained, “we recently reported that, through risk assessment rules, a felon was granted expedited screening through PreCheck. The traveler was a former member of a domestic terrorist group and, while a member, was involved in numerous felonious criminal activities that led to arrest and conviction. After serving a multiple-year sentence, the traveler was released from prison.”
“The traveler was sufficiently notorious that a Transportation Security Officer (TSO) recognized the traveler, based on media coverage,” Roth explained. “In scanning the traveler’s boarding pass, the TSO received notification that the traveler was PreCheck eligible. The TSO, aware of the traveler’s disqualifying criminal convictions, notified his supervisor who directed him to take no further action and allow the traveler to proceed through the PreCheck lane.”
Continuing, Roth said, “TSA agreed to modify its standard operating procedures to clarify TSOs’ and supervisory TSOs’ authority in referring passengers with PreCheck boarding passes to standard screening lanes when they believe it is warranted.”
“However,” Roth pointed out to the oversight committee, “TSA disagreed with our recommendation regarding the Secure Flight program. The failure to implement this recommendation perpetuates a security vulnerability.”
