Amid security and privacy concerns, the Transportation Security Administration is reassessing an expansion of its PreCheck program that would mine commercial data to analyze travelers.
TSA on Feb. 7 rescinded a December 2014 request for proposals asking vendors for solutions that would expand the PreCheck passenger screening program to collect publicly available and commercial data on potential participants.
The RFP followed a January 2013 request for information that sought vendors whose services would "include the use of commercial, publicly available, and public records data…and algorithms to validate identity and perform low-risk determinations at an acceptable standard of performance at the selected risk threshold," according to the now-removed RFP.
But critics say the new process would do more than just expand PreCheck, and that it would put private companies, not the government, in charge of determining who poses security threats to the traveling public.
"What's being proposed is not just an expansion of the enrollment process. It's also asking private companies to go out and use their big-data relationships to mine commercial data to not only verify identity – as opposed to the current fingerprint check – but [provide] a biographic approach to identify your identity, which is wrought with accuracy problems," said Tom Bossert, former deputy assistant to the President for homeland security and now president of CDS Consulting. "But it's also an attempt to outsource the determination to these companies. They would collect all the commercial data, look at social media, look at things that may or may not be indicative of a threat, and then make a determination at the private company."
Currently, the PreCheck program largely works by vetting travelers who voluntarily provide TSA with background information to verify that they are not security risks. But TSA is looking to broaden enrollment and fold in technologies that would cast a wider net of biographical data to identify potential threats.
However, it's not so simple in practice, some say.
"The science doesn't prove it's possible…to data-mine to pick out terrorists, and that's kind of what we're talking about here. We're data-mining to categorize people," said Chris Calabrese, senior policy director at the Center for Democracy and Technology. "We're talking about teaching machines how to spot dangerous behavior. It's easy to do when you're talking about credit card fraud; there's billions of transactions and lots of fraud and you can teach the machine exactly what to look for. It's very hard to do when it comes to terrorism, for which there are very few examples and which are very diverse."
Proponents of the program say this kind of technological evolution of security screening is necessary to counter the threats to air travel evidenced in recent years, such as the Richard Reid shoe-bomber incident and incidents involving the use of liquids and undergarments in failed bombing schemes.
"Throwing technology and being reactive to those scenarios is unsustainable," TSA's Jerry Booker said from the audience of a recent forum on the topic at George Washington University. "So the idea was, is there an opportunity for us to provide expedited screening to passengers that we know more about and can make a risk judgment?"
TSA officials maintain their interest in "exploring ways to work with the private sector to expand and strengthen TSA PreCheck."
"As always, TSA continues to enhance its layered security approach through state-of-the-art technologies, improved passenger identification techniques and trusted traveler programs, and best practices to strengthen transportation security across all modes of transportation," said a TSA spokesman. "As it does with all of its existing aviation security initiatives, TSA is actively reviewing the recently issued [RFP] to ensure that proposals it may elicit are designed to protect the privacy, confidentiality, civil rights and civil liberties of passengers."