Legislation puts more scrutiny and analysis on TSA’s expanding use of biometrics
Evaluation of the efficacy, privacy issues, and expanded use of biometrics by the Transportation Security Administration (TSA) comprises a not insignificant chunk of the just-passed TSA Modernization Act – the first-ever reauthorization of TSA since the agency’s founding in 2001 – which Congress passed as part of the FAA Reauthorization Act of 2018. While the bill authorizes TSA to “continue as an agile and modern national security organization capable of dealing with ever-evolving threats to our transportation system,” it also puts a great deal more scrutiny and analysis on expansion of biometrics.
“This legislation emphasizes stability, supports TSA’s outstanding workforce, and modernizes the agency’s structure and operations,” said TSA Administrator David Pekoske. “I thank Congress, especially the Senate Committee on Commerce, Science, and Transportation, and the House Committee on Homeland Security, for their work on this legislation. It will strengthen the agency and result in a more comprehensive security system to outmatch today’s dynamic threat environment.”
The bill incorporates various provisions of S. 1872, TSA Modernization Act of 2018; S. 763, Surface and Maritime Transportation Security Act; H.R. 2825, DHS Authorization Act of 2017, and numerous other House-passed bills.
While the reauthorization act empowers TSA to expand field operations testing of advanced screening technologies, especially biometrics, it also puts some new reins on biometric usage.
For example, the “feasibility of expanding the Pilot Program for Automated Exit Lane Technology to additional airports, including to medium and large hub airports,” won’t be determined pursuant to the legislation by the Comptroller General of the United States until two years after the pilot program is implemented. The Comptroller General will then submit his findings to the appropriate congressional committees on the extent of airport participation in the pilot; how the program was implemented; and the results of the pilot program and any reported benefits, including the impact on security and any cost-related efficiencies realized by TSA or at the participating airports.
Fifteen million – or 85 percent of the total cost of the program – has been authorized to be appropriated to carry out the pilot for each of fiscal years 2019 through 2021. For each of fiscal years 2019 through 2021, $77,000,000 is authorized to be appropriated to carry out exit lane security.
Pursuant to the new law, under “Biometric Expansion,” the TSA Administrator and the Commissioner of Customs and Border Protection (CBP) “shall consult with each other on the deployment of biometric technologies,” and under a new “Rule of Construction,” the CBP Commissioner “shall” not “facilitate or expand the deployment of biometric technologies, or otherwise collect, use, or retain biometrics, not authorized by any provision of or amendment made by the Intelligence Reform and Terrorism Prevention Act of 2004 (Public Law 108–458; 118 Stat. 3638) or the Implementing Recommendations of the 9/11 Commission Act of 2007 (Public Law 110–53; 121 Stat. 266).”
Not later than 270 days after enactment of the Act, the Department of Homeland Security (DHS) Secretary “shall submit to the appropriate committees of Congress, and to any member of Congress upon the request of that member, a report that includes specific assessments from the [TSA] Administrator and the Commissioner of US Customs and Border Protection with respect to the following:”
• The operational and security impact of using biometric technology to identify travelers;
• The potential effects on privacy of the expansion of the use of biometric technology, including methods proposed or implemented to mitigate any risks to privacy identified by the TSA Administrator or CBP Commissioner related to the active or passive collection of biometric data; and,
• Methods to analyze and address any matching performance errors related to race, gender, or age identified by the TSA Administrator with respect to the use of biometric technology, including the deployment of facial recognition technology.
With respect to the biometric entry-exit program, the following is also required under the new TSA “modernization” legislation:
• Assessments of the error rates, including the rates of false positives and false negatives, and accuracy of biometric technologies;
• The effects of biometric technologies, to ensure that such technologies do not unduly burden categories of travelers, such as a certain race, gender, or nationality;
• The extent to which and how biometric technologies could address instances of travelers to the United States over-staying their visas, including an estimate of how often biometric matches are contained in an existing database;
• An estimate of the rate at which travelers using fraudulent credentials identifications are accurately rejected – and an assessment of what percentage of the detection of fraudulent identifications could have been accomplished using conventional methods;
• The effects on privacy of the use of biometric technologies, including methods to mitigate any risks to privacy identified by the TSA Administrator or CBP Commissioner related to the active or passive collection of biometric data; and the number of individuals who stay in the United States after the expiration of their visas each year;
• A description of all audits performed to assess error rates in the use of biometric technologies; or whether the use of biometric technologies and error rates in the use of such technologies disproportionately affect a certain race, gender, or nationality;
• A description of the process by which domestic travelers are able to opt-out of scanning using biometric technologies;
• A description of what traveler data is collected through scanning using biometric technologies, what agencies have access to such data, and how long the agencies possess such data; and
• Specific actions DHS and other relevant Federal departments and agencies take to safeguard such data; and a short-term goal for the prompt deletion of the data of individual United States citizens after such data is used to verify traveler identities.
Following all of the above having been concluded, the DHS Secretary, TSA Administrator, and CBP Commissioner “shall, if practicable, publish a public version of the assessment required.”
Regarding the PreCheck Program, the TSA Administrator “shall continue to administer the PreCheck Program in accordance with the Aviation and Transportation Security Act,” and no “later than 180 days after the date of enactment of the TSA Modernization Act, the Administrator shall enter into an agreement, using other transaction authority … with at least 2 private sector entities to increase the methods and capabilities available for the public to enroll in the PreCheck program.”
Minimum capabilities are required. At least 1 agreement shall include the following capabilities:
• Start-to-finish secure online or mobile enrollment capability;
• Vetting of an applicant by means other than biometrics, such as a risk assessment, if such means are evaluated and certified by the Secretary of Homeland Security;
• Meet the definition of a qualified anti-terrorism technology under section 865 of the Homeland Security Act of 2002 (6 U.S.C. 444); and are determined by the TSA Administrator to provide a risk assessment that is as effective as a fingerprint-based criminal history records check conducted through the FBI with respect to identifying individuals who are not qualified to participate in the PreCheck Program due to disqualifying criminal history; and with regard to private sector risk assessments, the Secretary has certified that reasonable procedures are in place with regard to the accuracy, relevancy, and proper utilization of information employed in such risk assessments.
“Additional capability requirements” for the PreCheck program are also compulsory, and include at least one more agreement that “shall include” a start-to-finish secure online or mobile enrollment capability; vetting of an applicant by means of biometrics if the collection is comparable with the appropriate and applicable standards developed by the National Institute of Standards and Technology; protects privacy and data security, including that any personally identifiable information is collected, retained, used, and shared in a manner consistent with what’s commonly known as the Privacy Act of 1974, and with agency regulations.
This all must be evaluated and certified by the DHS Secretary, and determined by the TSA Administrator to provide a risk assessment that is as effective as a fingerprint-based criminal history records check conducted through the FBI with respect to identifying individuals who are not qualified to participate in the PreCheck Program due to disqualifying criminal history.
Regarding identity verification enhancement, the TSA Administrator shall “coordinate with the heads of appropriate components of DHS to leverage DHS-held data and technologies to verify the identity and citizenship of individuals enrolling in the PreCheck Program; partner with the private sector to use biometrics and authentication standards, such as relevant standards developed by NIST to facilitate enrollment in the program; and consider leveraging the existing resources and abilities of airports to collect fingerprints for use in background checks to expedite identity verification.”
The TSA Administrator “shall” also initiate an assessment to identify any security vulnerabilities in the vetting process for the PreCheck Program, including determining whether subjecting PreCheck Program participants to recurrent fingerprint-based criminal history records checks, in addition to recurrent checks against the terrorist watchlist, could be done in a cost-effective manner to strengthen the security of the PreCheck Program.
Lastly, looking at the long term, the law requires “Providing PreCheck Program enrollment flexibility by offering secure mobile enrollment platforms that facilitate in-person identity verification and application data collection, such as through biometrics.”