TSA’s ‘Biometric Roadmap’ may need more funding under new law, former deputy administrator says
While the Transportation Security Administration [TSA] Modernization Act “will guide our efforts to modernize aviation passenger identity verification over the coming years,” and “aligns with and supports the 2018-2026 TSA Strategy [that] defines clear pathways to improve security, safeguard the nation’s transportation system, and accelerate the speed of action through smart investments and collaborative partnerships,” TSA Administrator David P. Pekoske said in response to the new law, former TSA Deputy Administrator John Halinski told Biometric Update that, “The compliance/reporting piece mandated by Congress will be a work in progress for TSA and Customs and Border Protection [CBP].”
Halinski, who served as TSA’s Deputy Administrator responsible for growing TSA into a high-performance counterterrorism agency, explained that TSA’s Biometrics Roadmap for Aviation Security & the Passenger Experience –which was issued soon after the legislation became law — “The roadmap doesn’t address how TSA and CBP will evaluate and report [the law’s mandated reporting and compliance] findings to Congress. The reality is, it might entail additional funding or assets to monitor, especially in the early stages of the roadmap. Where that money comes from in today’s budget environment will be a challenge.”
While the TSA Modernization Act authorizes TSA to “continue as an agile and modern national security organization capable of dealing with ever-evolving threats to our transportation system,” it also puts a great deal more scrutiny and analysis on its expansion of biometrics, as Biometric Update has reported. For example, while the law empowers TSA to expand field operations testing of advanced screening technologies, especially biometrics, it also puts new reigns on deploying biometric technologies.
Indeed. Congress enacted requirements that must be fulfilled, and leaves compliance and reporting to TSA and CBP. Unfortunately, these unfunded mandates can become a problem for any agency that incurs such new reporting and compliance requirements. And under the new TSA Modernization Act, there are numerous mandated requirements to report to Congress like metrics, outcomes, etc., regarding its Biometrics Roadmap, which means TSA — and CBP — have new costs imposed on them, and may have to contract out — or restructure their organizations — to meet Congress’ new reporting and compliance mandates. And this can be a bit of a double-edged sword unless they’re funded properly.
Called “a slowdown on the rollout of biometrics” by some on the Hill, the new law requires considerable evaluation of the efficacy, privacy issues, and expanded use of biometrics by TSA which must first be detailed in reports to Congress – meaning Congress will be the final arbiter of TSA’s biometric deployment plans, and what gets fully funded or doesn’t.
TSA said execution of its Biometrics Roadmap will begin by identifying “sponsors for the overarching goals and corresponding objectives,” and “ongoing efforts and biometric technology pilots will be aligned and continue while implementation plans are developed in consultation with TSA, DHS, federal, and aviation industry stakeholders” in accordance with the legislation Congress just past effectively slowing things down.
In 2004, the Government Accountability Office similarly stated it found “three key considerations” that needed to be addressed before a decision is made to design, develop, and implement biometrics into a security system: decisions must be made on how the technology will be used; a detailed cost-benefit analysis must be conducted to determine that the benefits gained from a system outweigh the costs; and, a trade-off analysis must be conducted between the increased security, which the use of biometrics would provide, and the effect on areas such as privacy and convenience. Security concerns need to be balanced with practical cost and operational considerations as well as political and economic interests.”
Pursuant to the new law, the TSA Administrator and the Commissioner of Customs and Border Protection (CBP) “shall consult with each other on the deployment of biometric technologies,” and, the CBP Commissioner “shall” not “facilitate or expand the deployment of biometric technologies, or otherwise collect, use, or retain biometrics, not authorized by any provision of or amendment made by the Intelligence Reform and Terrorism Prevention Act of 2004 (Public Law 108–458; 10 118 Stat. 3638) or the Implementing Recommendations of the 9/11 Commission Act of 2007 (Public Law 110–12 53; 121 Stat. 266).”
And, not later than 270 days after enactment of the law, the Department of Homeland Security (DHS) Secretary “shall submit to the appropriate committees of Congress, and to any member of Congress upon the request of that member, a report that includes specific assessments from the [TSA] Administrator and the Commissioner of [CBP] with respect to the following:”
• The operational and security impact of using biometric technology to identify travelers;
• The potential effects on privacy of the expansion of the use of biometric technology, including methods proposed or implemented to mitigate any risks to privacy identified by the TSA Administrator or CBP Commissioner related to the active or passive collection of biometric data; and,
• Methods to analyze and address any matching performance errors related to race, gender, or age identified by the TSA Administrator with respect to the use of biometric technology, including the deployment of facial recognition technology.
In response to the legislation, TSA said in implementing its “biometrics strategy, TSA will comply with the requirements of the [law], including consultation with the Commissioner of US Customs and Border Protection and preparation of a report to the appropriate committees of Congress. As mandated in the Act, this report will [also] address privacy issues as well as methods used to analyze and address errors related to race, gender or age.”
TSA further elaborated that it “and CBP will continue piloting efforts currently underway to implement facial recognition for identity verification of international travelers transiting TSA checkpoints. TSA and CBP, in coordination with [DHS’s] Office of Biometrics and Identity Management (OBIM), will continue to build on recent efforts to develop, design, and execute pilot projects at checkpoints that automate the Travel Document Checker (TDC) process and assist CBP in meeting Biometric Air Exit requirements. CBP and TSA will focus on maturing current pilot projects and conducting additional biometric technology pilots at locations where airport and airline stakeholders have committed to making their own investments to streamline the passenger experience using facial recognition technology. Travelers will be notified of pilot project activities and have the ability to opt-in to various biometric procedures. TSA and CBP will analyze biometric technology pilot results and refine approaches for future efforts.”
In addition, “Alongside the phased pilot projects, TSA and CBP will develop joint policies and standard operating procedures for biometric screening of international passengers transiting through TSA checkpoints. CBP and TSA will work together to develop plans to perform biometric exit exception processing, as appropriate under CBP and TSA authorities. As TSA checkpoints are upgraded to accommodate biometric technology, TSA and CBP will work to limit any impact to passenger wait times and TSA operations. TSA and CBP will develop concepts of operation, standard operating procedures, and policies related to these efforts for review by counsel, privacy officials, and senior leaders of both agencies.”
Finally, “TSA and CBP will work to integrate similar functions and capabilities to enable scaled, automated, and streamlined operations in the future [and] will collaborate with DHS Science & Technology and OBIM to ensure facial matching capabilities are optimized for the larger gallery sets needed for checkpoint processing. Together, as biometric matching continues to mature, TSA and CBP will work with OBIM to create an integration roadmap to the Homeland Advanced Recognition Technology (HART) in accordance with DHS guidance and policy. As the congressionally-designated lead provider of biometric identity services for DHS, OBIM serves a critical function by enabling CBP and TSA missions through biometric matching, storing, sharing, and analysis. DHS achieves both mission benefit and efficiencies through a centralize biometric service provider and data store.”
Alongside the phased biometric pilot projects – like the “feasibility of expanding the Pilot Program for Automated Exit Lane Technology to additional airports, including to medium and large hub airports” — TSA and CBP will also “develop joint policies and standard operating procedures for biometric screening of international passengers transiting through TSA checkpoints. CBP and TSA will work together to develop plans to perform biometric exit exception processing, as appropriate under CBP and TSA authorities. As TSA checkpoints are upgraded to accommodate biometric technology, TSA and CBP will work to limit any impact to passenger wait times and TSA operations. TSA and CBP will develop concepts of operation, standard operating procedures, and policies related to these efforts for review by counsel, privacy officials, and senior leaders of both agencies.”
However, as Biometric Update earlier reported, the Pilot Program for Automated Exit Lane Technology to additional airports, for example, won’t be determined pursuant to the legislation by the Comptroller General of the United States until two years after the pilot program is implemented. The Comptroller General will then submit his findings to the appropriate congressional committees on the extent of airport participation in the pilot; how the program was implemented; and the results of the pilot program and any reported benefits, including the impact on security and any cost-related efficiencies realized by TSA or at the participating airports.
TSA added that it “will develop implementation plans to actualize each of the goals and objectives in a practical, time-bound manner. Implementation plans will capture dependencies, owners, stakeholders, and detailed plans of action. Recognizing there is no turn-key biometric solution for all travelers today, TSA and its security partners will take a phased approach to implementation that incrementally builds upon credential authentication, connectivity, and checkpoint technology deployments to incorporate biometric identity verification.”
TSA said this approach will enable it and its partners to “iteratively build capability and reduce operational overhead in phases by automating manual processes, preserving resilient fail-over systems, and introducing biometric matching services across populations in phases” that are in compliance and accordance with “applicable laws, authorities, and privacy considerations.”
With respect to the biometric entry-exit program, the following is also now required under the new TSA “modernization” legislation:
• Assessments of the error rates, including the rates of false positives and false negatives, and accuracy of biometric technologies;
• The effects of biometric technologies, to ensure that such technologies do not unduly burden categories of travelers, such as a certain race, gender, or nationality;
• The extent to which and how biometric technologies could address instances of travelers to the United States over-staying their visas, including an estimate of how often biometric matches are contained in an existing database;
• An estimate of the rate at which travelers using fraudulent credentials identifications are accurately rejected – and an assessment of what percentage of the detection of fraudulent identifications could have been accomplished using conventional methods;
• The effects on privacy of the use of biometric technologies, including methods to mitigate any risks to privacy identified by the TSA Administrator or CBP Commissioner related to the active or passive collection of biometric data; and the number of individuals who stay in the United States after the expiration of their visas each year;
• A description of all audits performed to assess error rates in the use of biometric technologies; or whether the use of biometric technologies and error rates in the use of such technologies disproportionately affect a certain race, gender, or nationality;
• A description of the process by which domestic travelers are able to opt-out of scanning using biometric technologies;
• A description of what traveler data is collected through scanning using biometric technologies, what agencies have access to such data, and how long the agencies possess such data; and
• Specific actions DHS and other relevant federal departments and agencies take to safeguard such data; and a short-term goal for the prompt deletion of the data of individual United States citizens after such data is used to verify traveler identities.
The new legislation also requires the TSA Administrator to continue to administer the PreCheck program in accordance with the Aviation and Transportation Security Act, but that no “later than 180 days after the date of enactment of the TSA Modernization Act, the administrator shall enter into an agreement, using other transaction authority … with at least 2 private sector entities to increase the methods and capabilities available for the public to enroll in the PreCheck program.”
Minimum capabilities are required. At least one agreement shall include the following capabilities:
• Start-to-finish secure online or mobile enrollment capability;
• Vetting of an applicant by means other than biometrics, such as a risk assessment, if such means are evaluated and certified by the Secretary of Homeland Security;
• Meet the definition of a qualified anti-terrorism technology under section 865 of the Homeland Security Act of 2002 (6 U.S.C. 444); and are determined by the TSA Administrator to provide a risk assessment that is as effective as a fingerprint-based criminal history records check conducted through the FBI with respect to identifying individuals who are not qualified to participate in the PreCheck Program due to disqualifying criminal history; and with regard to private sector risk assessments, the Secretary has certified that reasonable procedures are in place with regard to the accuracy, relevancy, and proper utilization of information employed in such risk assessments.
“Additional capability requirements” for the PreCheck program are also compulsory, and include at least one more agreement that “shall include” a start-to-finish secure online or mobile enrollment capability; vetting of an applicant by means of biometrics if the collection is comparable with the appropriate and applicable standards developed by the National Institute of Standards and Technology; protects privacy and data security, including that any personally identifiable information is collected, retained, used, and shared in a manner consistent with what’s commonly known as the Privacy Act of 1974, and with agency regulations.
All of this, though, must first be evaluated and certified by the DHS secretary, and determined by the TSA Administrator to provide a risk assessment that is as effective as a fingerprint-based criminal history records check conducted through the FBI with respect to identifying individuals who are not qualified to participate in the PreCheck Program due to disqualifying criminal history.
Regarding identity verification enhancement, the TSA Administrator shall “coordinate with the heads of appropriate components of DHS to leverage DHS-held data and technologies to verify the identity and citizenship of individuals enrolling in the PreCheck Program; partner with the private sector to use biometrics and authentication standards, such as relevant standards developed by NIST to facilitate enrollment in the program; and consider leveraging the existing resources and abilities of airports to collect fingerprints for use in background checks to expedite identity verification.”
The TSA Administrator “shall” also initiate an assessment to identify any security vulnerabilities in the vetting process for the PreCheck Program, including determining whether subjecting PreCheck Program participants to recurrent fingerprint-based criminal history records checks, in addition to recurrent checks against the terrorist watchlist, could be done in a cost-effective manner to strengthen the security of the PreCheck Program.
Lastly, looking at the long-term, the law requires “Providing PreCheck Program enrollment flexibility by offering secure mobile enrollment platforms that facilitate in-person identity verification and application data collection, such as through biometrics.”
Despite these new compliance and reporting requirements, “In my opinion, the TSA roadmap meets the guidelines of the” new legislation. “It lays out a strategy that promises to incorporate biometric technology into practical applications,” said Halinski, currently CEO and partner in S&R Investments LLC, a veteran owned small business specializing in global security and risk consulting. He noted, however, “I think that the partnership outlined between CBP and TSA is a good move, particularly since CBP has been more forward leading in biometric use with systems like global entry and their new immigration kiosk programs.”
Continuing, the former number two man at TSA said, “This roadmap will be a good way to solicit technology companies to work with TSA and CBP and advance biometrics in a practical way. Gone are the days that biometrics meant fingerprints only. Technology now uses varying systems including fingerprints, facial, iris, retinal, voice, heart rate, and even a person’s gait. This roadmap should drive cheaper more accurate technology.”
“Finally,” he added, “this roadmap and strategy is very timely, as groups like the International Civil Aviation Organization, The International Air Transport Association, and nations especially in Europe, have been slightly ahead in rolling out this technology.”
Similarly, Rep. John Katko (R-NY), chairman of the House Committee on Homeland Security Subcommittee on Transportation and Protective Security, stated at the outset of the April, 2017 subcommittee hearing, “Checkpoint of the Future: Evaluating TSA’s Innovation Task Force Initiative,” that, “I believe that we are behind the curve concerning our technology innovation, particularly with respect to what is going on in Europe in some places, and the traveler experience at our nation’s airports. Many foreign airports have implemented improved security scanners, better biometric capabilities, and smarter systems for passenger queuing to meet the emerging threats in a timely manner.”
But, he also echoed Halinski, saying, “While the federal government is ultimately responsible for delivering on the secure freedom of movement throughout the nation’s transportation systems, the effectiveness of the security framework surrounding that movement hinges on the private sector’s commitment to innovation and continuous development of new security technologies to screen millions of passengers and bags every day. However, quality innovation comes with a hefty price tag, and we cannot reasonably expect the private sector to spend millions of dollars in the research and development of new and emerging technologies without greater transparency and communication from both TSA and the Department of Homeland Security.”
Halinski said he believes “’the TSA Innovation Lane Program will be and is a great mechanism to get biometric use into airports quickly. Airlines like JetBlue and others are moving towards a Biometric Vice ticket approach in passenger experience. Biometrics offer a more secure approach to verifying who is boarding aircraft, and at the same time will enhance the passenger experience.” He noted that, “TSA started the Innovation Lane Program to get new technology into airports faster. It is a simple white paper, some testing and then tested ‘hands on’ in an airport. Biometric technology is being tested now in this manner.”
“Yes, it is still a work in progress, but it is speeding things up,” he added.
During Pekoske’s recent speech at the Airports Council International – North America Conference, he alluded to how TSA can modernize and improve security through partnerships with the private sector, specifically calling out TSA’s relationship with CLEAR.
“The TSA has a very strong relationship with CLEAR, our registered traveler partner, on biometrics. It is a great example of our partnering with the private sector,” he stated.
Howard Kass, senior vice president of corporate affairs, said, “CLEAR applauds TSA’s plans to expand the use of biometric screening at our nation’s airports to further improve security, efficiency and the passenger experience,” and that, “CLEAR is committed to making the passenger journey easier and safer … we look forward to collaborating with TSA to make their Biometrics Roadmap a reality for the agency and travelers nationwide.”
CLEAR was purchased out of bankruptcy in 2010 for $5.87 million by Alclear, LLC, a technology company that relaunched the service that was shut down in 2009.
CLEAR is a biometric secure identity platform that stores individuals’ personal information and links it to biometric data, allowing them to bypass the travel document checker at security checkpoints by using fingerprint and/or iris identification. The technology was awarded SAFETY Act Certification in 2012 as a Qualified Anti-Terrorism Technology by the Department of Homeland Security’s Science & Technology Directorate, making it the only expedited traveler solution to be placed on DHS’s “Approved Product List for Homeland Security.”