TSA unveils its ‘biometrics roadmap’ in wake of legislation requiring more scrutiny
Coming on the heels of the Transportation Security Administration [TSA] Modernization Act (the first ever reauthorization of TSA since the agency’s founding in 2001), which requires evaluation of the efficacy, privacy issues, and expanded use of biometrics by TSA, the agency released its Biometrics Roadmap for Aviation Security & the Passenger Experience. TSA Administrator David P. Pekoske said the roadmap “will guide our efforts to modernize aviation passenger identity verification over the coming years,” and “aligns with and supports the 2018-2026 TSA Strategy I announced earlier this year in several ways. It defines clear pathways to improve security, safeguard the Nation’s transportation system, and accelerate the speed of action through smart investments and collaborative partnerships.”
Pekoske said, “To achieve the vision, goals, and objectives outlined in the Biometrics Roadmap, TSA will leverage innovative biometric concepts and solutions that will enhance security effectiveness, improve operational efficiency, and yield a consistent, streamlined passenger experience in coordination with our aviation security partners,” and that, “In addition to addressing key operational needs, implementing the Biometrics Roadmap will secure TSA’s position as a global leader in aviation security and advance global transportation security standards.”
However, while the TSA Modernization Act authorizes TSA to “continue as an agile and modern national security organization capable of dealing with ever-evolving threats to our transportation system,” it also puts a great deal more scrutiny and analysis on expansion of biometrics.
For example, while the law empowers TSA to expand field operations testing of advanced screening technologies, especially biometrics, it also puts some new reins on biometric usage.
Following passage of the legislation, TSA assured it “will strengthen the agency and result in a more comprehensive security system to outmatch today’s dynamic threat environment.”
Pursuant to the new law, under “Biometric Expansion,” the TSA Administrator and the Commissioner of Customs and Border Protection (CBP) “shall consult with each other on the deployment of biometric technologies,” and under a new “Rule of Construction,” the CBP Commissioner “shall” not “facilitate or expand the deployment of biometric technologies, or otherwise collect, use, or retain biometrics, not authorized by any provision of or amendment made by the Intelligence Reform and Terrorism Prevention Act of 2004 (Public Law 108–458; 118 Stat. 3638) or the Implementing Recommendations of the 9/11 Commission Act of 2007 (Public Law 110–53; 121 Stat. 266).”
And, not later than 270 days after enactment of the Act, the Department of Homeland Security (DHS) Secretary “shall submit to the appropriate committees of Congress, and to any member of Congress upon the request of that member, a report that includes specific assessments from the [TSA] Administrator and the Commissioner of US Customs and Border Protection with respect to the following:”
• The operational and security impact of using biometric technology to identify travelers;
• The potential effects on privacy of the expansion of the use of biometric technology, including methods proposed or implemented to mitigate any risks to privacy identified by the TSA Administrator or CBP Commissioner related to the active or passive collection of biometric data; and,
• Methods to analyze and address any matching performance errors related to race, gender, or age identified by the TSA Administrator with respect to the use of biometric technology, including the deployment of facial recognition technology.
In response to the legislation, TSA said in implementing its “biometrics strategy, TSA will comply with the requirements of the [law], including consultation with the Commissioner of US Customs and Border Protection and preparation of a report to the appropriate committees of Congress. As mandated in the Act, this report will [also] address privacy issues as well as methods used to analyze and address errors related to race, gender or age.”
TSA further elaborated that it “and CBP will continue piloting efforts currently underway to implement facial recognition for identity verification of international travelers transiting TSA checkpoints. TSA and CBP, in coordination with [DHS’s] Office of Biometrics and Identity Management (OBIM), will continue to build on recent efforts to develop, design, and execute pilot projects at checkpoints that automate the Travel Document Checker (TDC) process and assist CBP in meeting Biometric Air Exit requirements. CBP and TSA will focus on maturing current pilot projects and conducting additional biometric technology pilots at locations where airport and airline stakeholders have committed to making their own investments to streamline the passenger experience using facial recognition technology. Travelers will be notified of pilot project activities and have the ability to opt-in to various biometric procedures. TSA and CBP will analyze biometric technology pilot results and refine approaches for future efforts.”
In addition, “Alongside the phased pilot projects, TSA and CBP will develop joint policies and standard operating procedures for biometric screening of international passengers transiting through TSA checkpoints. CBP and TSA will work together to develop plans to perform biometric exit exception processing, as appropriate under CBP and TSA authorities. As TSA checkpoints are upgraded to accommodate biometric technology, TSA and CBP will work to limit any impact to passenger wait times and TSA operations. TSA and CBP will develop concepts of operation, standard operating procedures, and policies related to these efforts for review by counsel, privacy officials, and senior leaders of both agencies.”
Finally, “TSA and CBP will work to integrate similar functions and capabilities to enable scaled, automated, and streamlined operations in the future [and] will collaborate with DHS Science & Technology and OBIM to ensure facial matching capabilities are optimized for the larger gallery sets needed for checkpoint processing. Together, as biometric matching continues to mature, TSA and CBP will work with OBIM to create an integration roadmap to the Homeland Advanced Recognition Technology (HART) in accordance with DHS guidance and policy. As the congressionally-designated lead provider of biometric identity services for DHS, OBIM serves a critical function by enabling CBP and TSA missions through biometric matching, storing, sharing, and analysis. DHS achieves both mission benefit and efficiencies through a centralized biometric service provider and data store.”
Alongside the phased biometric pilot projects (like the “feasibility of expanding the Pilot Program for Automated Exit Lane Technology to additional airports, including to medium and large hub airports”), TSA and CBP will also “develop joint policies and standard operating procedures for biometric screening of international passengers transiting through TSA checkpoints. CBP and TSA will work together to develop plans to perform biometric exit exception processing, as appropriate under CBP and TSA authorities. As TSA checkpoints are upgraded to accommodate biometric technology, TSA and CBP will work to limit any impact to passenger wait times and TSA operations. TSA and CBP will develop concepts of operation, standard operating procedures, and policies related to these efforts for review by counsel, privacy officials, and senior leaders of both agencies.”
However, as Biometric Update earlier reported, the expansion of the Pilot Program for Automated Exit Lane Technology to additional airports, for example, won’t be determined by the Comptroller General of the United States, pursuant to the legislation, until two years after the pilot program is implemented. The Comptroller General will then submit his findings to the appropriate congressional committees on the extent of airport participation in the pilot; how the program was implemented; and the results of the pilot program and any reported benefits, including the impact on security and any cost-related efficiencies realized by TSA or at the participating airports.
TSA added that it “will develop implementation plans to actualize each of the goals and objectives in a practical, time-bound manner. Implementation plans will capture dependencies, owners, stakeholders, and detailed plans of action. Recognizing there is no turn-key biometric solution for all travelers today, TSA and its security partners will take a phased approach to implementation that incrementally builds upon credential authentication, connectivity, and checkpoint technology deployments to incorporate biometric identity verification.”
TSA said this approach will enable it and its partners to “iteratively build capability and reduce operational overhead in phases by automating manual processes, preserving resilient fail-over systems, and introducing biometric matching services across populations in phases” that are in compliance and accordance with “applicable laws, authorities, and privacy considerations.”
With respect to the biometric entry-exit program, for example, the following is required under the new TSA “modernization” legislation, as Biometric Update reported:
• Assessments of the error rates, including the rates of false positives and false negatives, and accuracy of biometric technologies;
• The effects of biometric technologies, to ensure that such technologies do not unduly burden categories of travelers, such as a certain race, gender, or nationality;
• The extent to which and how biometric technologies could address instances of travelers to the United States over-staying their visas, including an estimate of how often biometric matches are contained in an existing database;
• An estimate of the rate at which travelers using fraudulent credentials identifications are accurately rejected – and an assessment of what percentage of the detection of fraudulent identifications could have been accomplished using conventional methods;
• The effects on privacy of the use of biometric technologies, including methods to mitigate any risks to privacy identified by the TSA Administrator or CBP Commissioner related to the active or passive collection of biometric data; and the number of individuals who stay in the United States after the expiration of their visas each year;
• A description of all audits performed to assess error rates in the use of biometric technologies; or whether the use of biometric technologies and error rates in the use of such technologies disproportionately affect a certain race, gender, or nationality;
• A description of the process by which domestic travelers are able to opt-out of scanning using biometric technologies;
• A description of what traveler data is collected through scanning using biometric technologies, what agencies have access to such data, and how long the agencies possess such data; and
• Specific actions DHS and other relevant federal departments and agencies take to safeguard such data; and a short-term goal for the prompt deletion of the data of individual United States citizens after such data is used to verify traveler identities.
Regarding TSA’s PreCheck program, the new legislation requires the TSA Administrator to continue to administer the Program in accordance with the Aviation and Transportation Security Act, but that no “later than 180 days after the date of enactment of the TSA Modernization Act, the administrator shall enter into an agreement, using other transaction authority … with at least 2 private sector entities to increase the methods and capabilities available for the public to enroll in the PreCheck program.”
Minimum capabilities are required. At least 1 agreement shall include the following capabilities:
• Start-to-finish secure online or mobile enrollment capability;
• Vetting of an applicant by means other than biometrics, such as a risk assessment, if such means are evaluated and certified by the Secretary of Homeland Security;
• Meet the definition of a qualified anti-terrorism technology under section 865 of the Homeland Security Act of 2002 (6 U.S.C. 444); and are determined by the TSA Administrator to provide a risk assessment that is as effective as a fingerprint-based criminal history records check conducted through the FBI with respect to identifying individuals who are not qualified to participate in the PreCheck Program due to disqualifying criminal history; and with regard to private sector risk assessments, the Secretary has certified that reasonable procedures are in place with regard to the accuracy, relevancy, and proper utilization of information employed in such risk assessments.
“Additional capability requirements” for the PreCheck program are also compulsory, and include at least one more agreement that “shall include” a start-to-finish secure online or mobile enrollment capability; vetting of an applicant by means of biometrics if the collection is comparable with the appropriate and applicable standards developed by the National Institute of Standards and Technology; protects privacy and data security, including that any personally identifiable information is collected, retained, used, and shared in a manner consistent with what’s commonly known as the Privacy Act of 1974, and with agency regulations.
This all must be evaluated and certified by the DHS secretary; and determined by the TSA Administrator to provide a risk assessment that is as effective as a fingerprint-based criminal history records check conducted through the FBI with respect to identifying individuals who are not qualified to participate in the PreCheck Program due to disqualifying criminal history.
Regarding identity verification enhancement, the TSA Administrator shall “coordinate with the heads of appropriate components of DHS to leverage DHS-held data and technologies to verify the identity and citizenship of individuals enrolling in the PreCheck Program; partner with the private sector to use biometrics and authentication standards, such as relevant standards developed by NIST to facilitate enrollment in the program; and consider leveraging the existing resources and abilities of airports to collect fingerprints for use in background checks to expedite identity verification.”
The TSA Administrator “shall” also initiate an assessment to identify any security vulnerabilities in the vetting process for the PreCheck Program, including determining whether subjecting PreCheck Program participants to recurrent fingerprint-based criminal history records checks, in addition to recurrent checks against the terrorist watchlist, could be done in a cost-effective manner to strengthen the security of the PreCheck Program.
Lastly, looking at the long term, the law requires “Providing PreCheck Program enrollment flexibility by offering secure mobile enrollment platforms that facilitate in-person identity verification and application data collection, such as through biometrics.”
TSA responded in its roadmap, stating that “the TSA Pre✓ Application Program collects fingerprints from applicants to conduct criminal history checks as part of its enrollment and security threat assessment process. Through this process, TSA can be confident in issuing a known traveler number (KTN) to vetted applicants which they can then provide to an airline during the reservation process, receive a boarding pass, and enter the TSA Pre✓ screening lane at the airport. Moving forward, TSA Pre✓ will increase its access to and utilization of voluntarily-provided biometric data, including facial images, to modernize the trusted traveler experience for TSA Pre✓ travelers.”
TSA’s objective is to update TSA Pre✓ data holdings and to modernize the TSA Pre✓ Passenger experience,
According to TSA’s biometric strategy, “Identity verification is a cornerstone of TSA’s operational landscape in the commercial aviation sector. In order to meet the challenges of evolving security threats, rising air travel volumes, resource constraints, and limits on operational footprint, TSA and aviation security regulators around the globe must look to automate manual and paper-based identity verification processes through smart technology investments. The TSA Biometrics Roadmap lays out a practical approach to leverage biometric technologies to improve security effectiveness and operational efficiency while also enhancing the passenger experience.”
TSA said it “is stepping into the biometric solution space at an ideal time to capitalize on technological advancements in biometric system accuracy, speed, and ability to automate high-throughput operations. Additionally, traveler sentiment toward biometric technologies, when coupled with the appropriate privacy safeguards, has evolved toward appreciation for the enhanced security and efficiency they can provide.”
The roadmap “incorporates feedback gathered during more than forty targeted engagements with aviation security leaders from airlines, airports, and solution providers. Feedback was also gathered from key government stakeholders, including TSA internal offices, DHS headquarters, and operational components,” and “articulates a collaborative biometric vision for TSA and its aviation security partners in the context of an overall identity verification and management approach.”
TSA said this “vision is achievable through the alignment and parallel advancement of four goals and associated objectives. The TSA Biometrics Roadmap describes the ‘what’ and the ‘why’ of TSA’s biometric approach,” and that “implementation plans will be developed to describe the ‘who, when, and how.’”
Continuing, TSA’s roadmap stated that, “TSA will continue to use facial images as the primary means of identity verification for aviation security screening,” explaining that “facial recognition capabilities will be automated to improve the performance and security of TSA operations by increasing assurance of traveler identity beyond what travel documents alone can provide.”
“Meanwhile,” TSA stated, “fingerprints will continue to serve as the primary biometric modality for trusted traveler and other credentialed enrollments and security threat assessments. Over time, multi-modal approaches may help further increase the accuracy, security, and scalability of TSA operations.”
TSA said in its roadmap that, “Today, facial recognition provides TSA with several key benefits. Facial recognition systems can be self-service, facilitative and incorporate anti-tampering countermeasures, enabling TSA and aviation security partners to reduce reliance on physical travel documents and manual inspection. Facial recognition benefits from the wide availability of high-performance, low-cost, and commercially available camera systems that could be extended, in collaboration with aviation security partners, across the entire passenger experience from reservation to boarding.”
“Additionally,” TSA’s roadmap put forth, “Federal and state identity document issuance organizations already collect facial images which may be generally suitable for facial recognition capabilities. Biometric data for fingerprint or iris recognition are generally not available for the majority of travelers. Facial image standards continue to mature and facial data exchange formats are widely adopted and used throughout civil aviation for identity verification per International Civil Aviation Organization Doc 9303.”
Moving forward, TSA’s execution of its Biometrics Roadmap will begin by identifying “sponsors for the overarching goals and corresponding objectives,” and “ongoing efforts and biometric technology pilots will be aligned and continue while implementation plans are developed in consultation with TSA, DHS, federal, and aviation industry stakeholders” in accordance with the legislation Congress just passed, effectively slowing things down.
“This will require the collective support and dedication of all parties to make the TSA Biometrics Vision a reality,” TSA said.
In order to make its biometric vision a reality, TSA is adopting the following “overarching core principles, informed by stakeholder feedback. These principles will guide the implementation of the goals and objectives:”
• Security effectiveness & operational efficiency;
• DHS unity of effort;
• Public-private partnership;
• Passenger experience;
• Interoperability; and