DEPARTMENT OF HOMELAND SECURITY
Transportation Security Administration
Docket No. TSA-2005-20485
Notice of Public Meeting and Request for Comments
Biometrics Guidance
COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER
By notice published on March 4, 2005, the Transportation Security Administration ("TSA") requested guidance for the use of biometric technology in connection with access control systems in the nation's airports and announced a public meeting to discuss the guidance.1 According to this notice, Section 4011(a)(5) of the Intelligence Reform and Terrorism Prevention Act of 2004, P.L. 108-458:
directed TSA to issue guidance on the use of biometric technologies at airports in consultation with representatives of the aviation industry, the biometric identifier industry, and the National Institute of Standards and Technology (NIST). The guidance must include --
Comprehensive technical and operational system requirements and performance standards;
A list of products and vendors that meet these requirements and standards;
Procedures for implementing biometric systems that prevent the use of assumed identities, resolve failure to enroll, false matches, and false non-matches; and
Best practices for incorporating biometric identifier technology into airport access control systems.2Pursuant to this TSA notice, the Electronic Privacy Information Center ("EPIC") submits these comments to address the substantial privacy issues raised by the use of biometric technology in access control systems used on workers at airports. EPIC requests that TSA not test its use of biometric technology until it conducts a comprehensive Privacy Impact Assessment to ensure protection of the privacy rights of program members and incorporate privacy protections into the decision-making process rather than awkwardly and inefficiently adjusting the program later, at a high cost to taxpayers, to meet legal requirements and government standards for privacy protections.
When it enacted the Privacy Act, 5 U.S.C. § 552a, in 1974, Congress sought to restrict the amount of personal information that federal agencies could collect and required agencies to be transparent in their information practices.3 The Privacy Act is intended "to promote accountability, responsibility, legislative oversight, and open government with respect to the use of computer technology in the personal information systems and data banks of the Federal Government[.]"4
TSA must follow both the spirit and the letter of the Privacy Act when it soon begins testing biometric technology in connection with access control systems in the nation's airports with data culled from test crew members. In the Department of Homeland Security ("DHS") TSA "GUIDANCE PACKAGE: Biometrics for Airport Access Control, Response to Section 4011(a)(5), First Draft," TSA stated that "all necessary steps shall be taken to protect the privacy of the test crew members" during testing of biometric systems.5 TSA also stated that it would develop and publish a "Privacy Impact Statement" and that testing would be conducted to ensure that all data collected would be protected from misuse.6 However, TSA did not state a time frame for the issuance of the statement. TSA also stated that sensitive information would be "stored in accordance with the Privacy Guide for TSA Biometric Devices Information and Data"; however, no such guide can be found in the public domain.7 Whether or not this guide is to be created from the Privacy Impact Statement, such a document should be issued as soon as possible so that TSA may conduct its testing of biometric technology in accordance with the requirements of the Privacy Act of 1974.
TSA is testing this biometric technology for use in government identification programs for airport workers. This falls under the Homeland Security Presidential Directive/HSPD-12 ("Policy for a Common Identification Standard for Federal Employees and Contractors"), which says explicitly:
This directive shall be implemented in a manner consistent with the Constitution and applicable laws, including the Privacy Act (5. U.S.C. 552a) and other statutes protecting the rights of Americans.
TSA is bound under HSPD-12 and its own first draft of guidance for the use of biometrics technology to follow the Privacy Act of 1974 in the development and implementation of this data collection and use. As a government agency, TSA must protect the privacy rights of American citizens, and operate with openness and transparency.
In the development and implementation of previous systems of records, TSA has violated the spirit if not the letter of the Privacy Act. TSA also has shown a proclivity to using personal information for reasons other than the ones for which the information was gathered or volunteered.8 Given this history, EPIC urges the agency not to test its biometric technology systems until it fully evaluates the privacy implications of this program for the participants and revises its information collection, maintenance and storage practices to comply fully with the Privacy Act.
I. TSA Has History of Secrecy and Low Valuation of Privacy Rights
Although TSA was created just three years ago, the agency's brief history has been marked by secrecy, lack of transparency and little regard for individual privacy rights. In light of this unimpressive record, and considering the obvious risk of "mission creep," TSA should not begin gathering, maintaining, and storing sensitive personal information about airport workers for use in its biometric systems tests without first conducting a Privacy Impact Assessment and ensuring that adequate safeguards are in place to protect the privacy rights of program participants.
EPIC has repeatedly found through its FOIA work that TSA is not forthcoming with records of its activities, even though the law entitles the public to such information. For example, in September 2004, TSA announced plans to test Secure Flight. Secure Flight is intended to replace the now-defunct second generation Computer Assisted Passenger Prescreening Program ("CAPPS II"), but it includes many elements of the CAPPS II program, which was abandoned largely due to privacy concerns.9 TSA said that "Secure Flight will involve the comparison of information for domestic flights to names in the Terrorist Screening Database maintained by the Terrorist Screening Center, to include the expanded TSA No-Fly and Selectee Lists, in order to identify individuals known or reasonably suspected to be engaged in terrorist activity."10
On Sept. 28, 2004, EPIC submitted a Freedom of Information Act ("FOIA"), 5 U.S.C. § 552, request to TSA asking for information about Secure Flight.11 EPIC asked that the request be processed expeditiously, noting the intense media interest surrounding the program. Specifically, EPIC demonstrated that 485 articles had been published about the program since TSA announced its plans for Secure Flight. EPIC also noted the Oct. 25, 2004, deadline for public comments on the test phase of the system, explaining the urgency for the public to be as well informed as possible about Secure Flight in order to meaningfully respond to the agency's proposal for the program. TSA decided that these circumstances did not justify the information's immediate release, and refused EPIC's request that the information be made public prior to the Oct. 25 deadline for these comments. TSA also denied EPIC a fee waiver, which the agency has never done before in its three-year existence. This maneuver imposed a significant procedural barrier to EPIC's ability to obtain the information. EPIC appealed TSA's decision noting that TSA's actions were unlawful. Rather than defend its position in court, TSA has released a minimal amount of the information that EPIC requested. EPIC continues to seek from TSA information about the program that will affect tens of millions of airline passengers each year.
TSA has a history of secrecy and low valuation of individual privacy rights. Given this history, TSA should not begin gathering, maintaining, and storing sensitive personal information about airport workers for use in its biometric systems tests without first conducting a Privacy Impact Assessment. TSA must ensure that the privacy rights of program participants are safeguarded.
II. Unique Problems Are Associated With Biometrics Technology
Biometric identification systems are automated methods of recognizing a person based on one or more physical characteristics, such as fingerprints, voice, or facial characteristics.12 In Congressional testimony in July 2002, EPIC explained the unique problems that are associated with biometrics technology, which are still important today.13 First, the uniqueness of biometric data is affected by time, variability and data collection. This leads to the second problem: the technologies available are subject to varying degrees of error, which means that there is an element of uncertainty in any match. Third, there are several ways to circumvent a biometrics system.
Biometric data is affected during collection by many factors including time, variability and data. Changes in the environment, such as positioning, lighting, shadows and background noise can affect data collection.14 However, an individual's biometrics are also susceptible to change through aging, injury and disease.15 Because of this, the accuracy of all biometric systems diminishes over time.
As EPIC Executive Director Marc Rotenberg explained in July 2002, there is an element of uncertainty in any biometric match:
The accuracy of biometric systems is measured by their false acceptance and false rejection rates. A false acceptance is when the wrong individual is matched to a stored biometric. A false rejection is when an individual is not recognized who should have been. The two measures are dependent. In reducing false acceptances, the false rejection rate will increase. Reducing false rejections will cause the false acceptance rate to go up. Most biometric systems adjust false acceptances or false rejections to the type of application and the amount of security required. High security areas, such as bank vaults and military installations are protected by biometric systems that minimize fraudulent acceptances. The false acceptance rate must be low enough to prevent imposters, but as a result, people who rightfully should be accepted, are often refused.16
The biometric technologies available are subject to varying degrees of error. For example, fingerprint biometric technology is the best known and most widely used biometric technology, yet fingerprint authentication systems can have a false match rate of 5%.17
Executive Director Rotenberg also explained that there are several ways to compromise the effectiveness of a biometric system. Biometric systems can be circumvented by false identification at enrollment, physical alteration of a personal biometric, skewing the sample collection by not cooperating, and hacking into or falsifying the database. The effectiveness of system of biometric identification will be determined by how the system is set up, protected and maintained.18
It is also important to recognize that the creation of a database linked to an individual and containing sensitive information creates privacy issues and would be a tempting target for identity thieves. Information in the database could be altered by administrators of the database or by those who gain unlawful access to the information.
Once a biometric identifier has been compromised, there can be severe consequences for the individual whose identity has been affected. It is possible to replace a credit card or Social Security numbers, but how does one replace a fingerprint, voiceprint, or retina scan? It would be difficult to remedy identity fraud when a thief has identification with a security-cleared federal employee name on it, but the thief's biometric identifier. Or, in a more innocuous scenario, the identities of employees with different security clearances and their biometric identifiers are mismatched in their files due to human or computer error. Allowing employees access to their records would help ensure the accuracy of the information collected and used.
In fact, if a biometric system were properly designed to safeguard privacy rights, it would enable the data subject to have easy access to all records concerning the individual. In other words, if the agency is able to accurately identify an individual with a biometric identifier, the agency should have the necessary assurance that it can provide to that individual whatever information he or she may be entitled to under the Privacy Act.
III. TSA Must Ensure Individuals Have Enforceable Rights of Access and Correction
The Privacy Act provides, among other things, that an individual may request access to records an agency maintains about him or her;19 and the agency must publish a notice of the existence of records in the Federal Register, along with the procedures to be followed to obtain access.20 TSA has historically failed to provide individuals with enforceable rights of access to their records and correction of any erroneous information contained in such records.
The recently enacted Intelligence Reform and Terrorism Prevention Act of 2004 directed TSA to create a system for travelers to correct inaccurate information that has caused their names to be added to the no-fly list.21 TSA maintains that it has an adequate redress process to clear individuals improperly flagged by watch lists; however, it is well known that individuals encounter difficulty in resolving such problems. Senators Ted Kennedy (D-MA) and Don Young (R-AK) are among the individuals who have been improperly flagged by watch lists.22 Sen. Kennedy was able to resolve the situation only by enlisting the help of then-Homeland Security Secretary Tom Ridge; unfortunately, most people do not have that option.
Earlier this month Rep. Loretta Sanchez (D-CA) expressed dismay to TSA officials that current TSA safeguards had failed her constituents. At a House subcommittee hearing on March 2, 2005, Rep. Sanchez reported that many of her constituents continue to face lengthy delays, questioning, and at times are prohibited from boarding flights because they are misidentified as people sought on no-fly lists. Her constituents continue to face these roadblocks even after they apply for, receive and then display to screener personnel the official federal government letters that establish their innocence. Rep. Sanchez questioned why current redress procedures have failed these American citizens.23
In the March 5, 2005 Biometrics Guidance notice, TSA sought comments on "[p]rocedures for implementing biometric systems that prevent the use of assumed identities, resolve failure to enroll, false matches, and false non-matches."24 Yet the agency's history shows that TSA has been unable to ensure the accuracy of information it collects and stores in its record systems, allowing for more security problems and delays growing out of identity mismatches. Given the present problems with the agency's redress procedures, EPIC urges TSA to provide individuals with judicially enforceable rights of access to their records and an effective method of redress to correct erroneous information in their records in compliance with the requirements of the Privacy Act.
IV. TSA Must Not Allow For Mission Creep
Whenever a large amount of personal information is collected, there is the danger that this information will be used for purposes other than for which it was gathered. This "mission creep" violates the privacy rights of those Americans who provided their information for one objective only to find the data has been appropriated for other purposes. TSA must not allow for mission creep in its biometric technology test program.
In June 2004 then-TSA Acting Administrator Admiral David Stone admitted to the Senate Governmental Affairs Committee that in 2002 TSA facilitated the transfer of passenger data from American Airlines, Continental Airlines, Delta Airlines, America West Airlines, Frontier Airlines, and JetBlue Airways to TSA "cooperative agreement recipients" for purposes of CAPPS II testing, as well as to the Secret Service and IBM for other purposes.25 Stone also stated that Galileo International and "possibly" Apollo, two central airline reservation companies, had provided passenger data to recipients working on behalf of TSA.26 Further, TSA directly obtained passenger data from JetBlue and Sabre, another central airline reservation company, for CAPPS II development.27 TSA did not observe Privacy Act requirements with regard to any of these collections of personal information.28 Stone's admission followed repeated denials to the public, Congress, GAO, and Department of Homeland Security Privacy Office that TSA had acquired or used real passenger data to test CAPPS II.29
TSA documents about the CAPPS II program collected by EPIC under the FOIA clearly showed that TSA had considered using personal information gathered for the CAPPS II program for reasons beyond its original purposes. For example, TSA stated that CAPPS II personal data might be disclosed to federal, state, local, international or foreign agencies for their investigations of statute, rule, regulation or order violations.30 TSA exhibited a proclivity for using personal information for reasons other than the ones for which the information was gathered or volunteered. EPIC urges the agency to put adequate safeguards in place to protect the personal information of program members from suffering mission creep.
V. TSA Must Avoid Pitfalls Faced by Canada in 2000
Other governments have made serious missteps in protecting the privacy rights of their citizens and TSA should learn from these mistakes. Significantly, TSA should avoid the pitfalls that Canada faced in 2000 because it did not create adequate safeguards or standards for data collection and use, and because it failed to conduct this collection and use openly and transparently.
The Canadian government suffered an embarrassment in May 2000 when its privacy commission publicly objected to a massive government database of personal information about 33 million living and deceased Canadian citizens. The database, called the Longitudinal Labour Force File, contained "as many as 2,000 pieces of information about individual Canadians, including their education, marital status, ethnic origin, disabilities, income tax, employment and social assistance history."31
Bruce Phillips, Privacy Commissioner of Canada, discussed the significant lack of privacy protection and substantial potential for misuse of the information in a report to the Canadian Parliament. Phillips also expressed his "profound concerns" that the government had shared the information with outside companies and researchers without the Canadians' knowledge or consent.32
Commissioner Phillips also noted that the expansive database would tempt the Canadian government to allow for mission creep to the detriment of the privacy rights of Canadian citizens:
Compiling such comprehensive longitudinal records by record linkage or matching is a hazard to informational privacy because of the temptation for government to use the information for data mining and individual profiling. A so-called "research database" may soon lend itself to other purposes, raising fears that data could be used to make decisions or predictions about individuals, or could be retrieved in unforeseen waysby disabilities or ethnic origin, for exampleto the detriment of individual rights.33
Canadian Human Resources Minister Jane Stewart subsequently announced a dismantling of the database. Stewart said that to safeguard the privacy rights of Canadian citizens, her department would:
- establish a strict new protocol to govern any future policy analysis and research projects involving the linking of information from separate databases, and ensure that those projects use no personal information identifying Canadians;
- introduce measures to inform Canadians about the use of information collected from them by HRDC;
- recommend a legal protective framework (including penalties for misuse) which provides for the research requirements of HRDC. This will govern the future collection and uses of data and information being obtained from Canadians for use by HRDC. It will be done in a manner consistent with federal law, policies, procedures and outcomes of any Government of Canada review of the Privacy Act.34
If the Canadian government had conducted a Privacy Impact Assessment and openly and transparently prepared strong safeguards for citizens' privacy rights before creating the database, it likely would not have suffered the public outrage and embarrassment it experienced. It would have been possible to address the concerns of Privacy Commissioner Phillips and members of the public without having to waste time, energy and money on a project that was ultimately scrapped because of potential for misuse of the unsubstantially protected information.
TSA should learn from this incident and not repeat the mistakes made by the Canadian government. In order to avoid potential misuse of the data, TSA should conduct a Privacy Impact Assessment and openly and transparently prepare strong privacy safeguards before it begins testing biometric technology.
Conclusion
For the foregoing reasons, TSA must not test its use of biometric technology until it conducts a Privacy Impact Assessment to ensure protection of the privacy rights of program members. EPIC also urges TSA to incorporate privacy protections into the decision-making process. TSA then can avoid later having to awkwardly, expensively, and inefficiently adjusting the biometric technology systems to accommodate privacy protections in accordance with the requirements of the Privacy Act of 1974, under which the agency is bound.
Respectfully submitted,
_____________________________
Marc Rotenberg
Executive Director
_____________________________
Marcia Hofmann
Director, Open Government Project
_____________________________
Melissa Ngo
Staff Counsel
ELECTRONIC PRIVACY INFORMATION
CENTER
1718 Connecticut Avenue, N.W.
Suite 200
Washington, DC 20009
(202) 483-1140
1 Biometrics Guidance Notice, 70 Fed. Reg. 10667 (Mar. 4, 2005).
2 Id. at 10668.
3 S. Rep. No. 93-1183, at 1 (1974).
4 Id.
5 Department of Homeland Security, Transportation Security Administration, GUIDANCE PACKAGE: Biometrics for Airport Access Control, Response to Section 4011(a)(5), First Draft, (Feb. 16, 2005) Vol. 3, Ch. II, p. 15.
6 Id.
7 Id. at Vol. 3, Ch. II, p. 26.
8 See discussion infra, at 6.
9 See General Accounting Office, AVIATION SECURITY: Computer-Assisted Passenger Prescreening System Faces Significant Implementation Challenges, GAO-04-385 (Feb. 2004).
10 System of Records Notice, Secure Flight Test Records, 69 Fed. Reg. 57345 (Sept. 24, 2004).
11 Letter from Marcia Hofmann, Staff Counsel, EPIC, to Patricia Reip-Dice, Associate Director, FOIA Headquarters Office, TSA, Sept. 28, 2004 (on file with EPIC).
12 See generally, John D. Woodward Jr., Nicholas M. Orlans and Peter T. Higgins, Biometrics: Identity Assurance in the Information Age, (McGraw Hill-Osborne 2003).
13 Statement of Marc Rotenberg, Executive Director, Electronic Privacy Information Center, and Carla Meninsky, EPIC IPIOP Fellow, at a Joint Hearing on Identity Theft Involving Elderly Victims Before the Special Committee on Aging (July 18, 2002) available at http://www.epic.org/privacy/biometrics/testimony_071802.html (hereinafter "EPIC Statement").
14 Cynthia Traeger and Howard Falk, Biometric Technologies Tutorial, Faulkner Information Services (Feb. 2002).
15 Id.
16 EPIC Statement, supra note 13.
17 Woodward, supra note 12.
18 EPIC Statement, supra note 13.
19 5 U.S.C. § 552a(d)(1). Individuals may seek judicial review to enforce the statutory right of access provided by the Act under 5 U.S.C. § 552a(g)(1).
20 5 U.S.C. §§ 552a(e)(4)(G), (e)(4)(H), (f).
21 P.L. No. 108-458 (2004).
22 See, e.g., Sara Kehaulani Goo, Committee Chairman Runs Into Watch-List Problem, Washington Post, Sept. 30, 3004; Leslie Miller, House Transportation Panel Chairman Latest to be Stuck on No-Fly List, Associated Press, Sept. 29, 2004; Shaun Waterman, Senator Gets a Taste of No-Fly List Problems, United Press International, Aug. 20, 2004.
23 Shaun Waterman, No Redress Mechanism in New DHS Terrorist Screening Office, United Press International, Mar. 2, 2005.
24 Biometrics Guidance Notice, 70 Fed. Reg. 10668 (Mar. 4, 2005).
25 See U.S. Senate Committee on Governmental Affairs Pre-hearing Questionnaire for the Nomination of Admiral David Stone to be Assistant Secretary of Homeland Security, Transportation Security Administration 17, 19, available at http://www.epic.org/privacy/airtravel/stone_answers.pdf.
26 Id.
27 Id. at 19.
28 Id. at 18.
29 See, e.g., Ryan Singel, More False Information From TSA, Wired News, June 23, 2004 ("After the JetBlue transfer was brought to public attention in September 2003, TSA spokesman Brian Turmail told Wired News that the TSA had never used passenger records for testing CAPPS II, nor had it provided records to its contractors. In September 2003, Wired News asked TSA spokesman Nico Melendez whether the TSA's four contractors had used real passenger records to test and develop their systems. Melendez denied it, saying, We have only used dummy data to this point.' "); U.S. Representative John Mica (R-FL) Holds Hearing on Airline Passenger Profiling Proposal: Hearing Before the Aviation Subcomm. of the House Transportation and Infrastructure Comm., 105th Cong. (March 2004) (Admiral Stone testifying that CAPPS II testing was likely to begin in June 2004); Government Accounting Office, Aviation Security: Computer-Assisted Passenger Prescreening System Faces Significant Implementation Challenges, GAO-04-385 (Feb. 2004) 17 ("TSA has only used 32 simulated passenger records – created by TSA from the itineraries of its employees and contractor staff who volunteered to provide the data – to conduct [CAPPS II] testing"); Department of Homeland Security Privacy Office, Report to the Public on Events Surrounding jetBlue Data Transfer (Feb. 2004) 8 ("At this time, there is no evidence that CAPPS II testing has taken place using passenger data").
30 Department of Homeland Security TSA, Draft Privacy Impact Statements (CAPPS II), April 17, 2003, July 29, 2003, and July 30, 2003, obtained by EPIC through FOIA litigation, available at http://www.epic.org/privacy/airtravel/profiling.html.
31 Valerie Lawton, Requests for Personal Files Swamp Ottawa, Toronto Star, July 4, 2000.
32 Privacy Commissioner of Canada, Annual Report to Parliament 1999-2000, May 16, 2000, at 64, available at http://www.privcom.gc.ca/information/ar/02_04_08_e.asp.
33 Id.
34 Press Release, Human Resources Development Canada, HRDC Dismantles Longitudinal Labour Force File Databank (May 29, 2000), available at: http://www.hrsdc.gc.ca/en/cs/comm/news/2000/000529_e.shtml.