Spotlight on Surveillance
July 2006:
Transportation Worker ID Card Riddled With Privacy and Security Holes
EPIC's "Spotlight on Surveillance" project scrutinizes federal government programs that affect individual privacy. For more information, see previous Spotlights on Surveillance. The Department of Homeland Security’s Transportation Worker Identification Credential is under the Spotlight this month.1 About $65 million has been spent on this program, with a projected cost up to $1.9 billion.2
Each of the 750,000 workers could pay up to $139 for a TWIC.
Source: Department of Homeland Security, Transportation Security Administration and Coast Guard
The Transportation Worker Identification Credential (TWIC) is supposed to be a secure, biometric ID card for those hoping to work in the transportation industry. This program affects 750,000 land and sea transportation workers, including longshoremen, crews of vessels, rail workers, and truck drivers.3
Under TWIC, the Transportation Security Administration would gather finger scans, iris scans, digital photographs and detailed biographical, employment and other personal data from those hoping to work in the transportation industry.4 The applicants’ names would then be run against immigration and terror watch lists, and a criminal background check would be conducted.5 However, the Department of Homeland Security’s Inspector General recently released a report detailing significant security and privacy problems in the TWIC program, and the agency has delayed full implementation.6
TWIC was created in November 2002 as part of maritime security legislation, but the pilot program was delayed for two years and the cost ballooned.7 The pilot program was to include up to 200,000 participants at 34 locations in six states; however, only 4,000 prototype cards were issued at 26 sites in six states and the pilot program’s cost nearly doubled from $12.3 million to $22.8 million.8 There were disputes about the commercial contract for TWIC, as well. In April, a TSA spokesman said the agency was considering awarding a sole-source contract for TWIC data management services to the American Association of Airport Executives (AAAE) trade group.9 Other companies would not be allowed to bid on the contract. But TSA reversed itself after a general outcry, prompted in part by the fact that AAAE contracted the work to a company that includes former Homeland Security Secretary Tom Ridge on its board of directors.10
Nationwide implementation of TWIC is projected to cost up to $1.9 billion.11 And the facility owners will bear the bulk of the cost; they could pay as much as $1.2 billion.12 The workers themselves would have to pay from $105 to $139 for the biometric ID card, which the TSA says will be good for five years.13
TWIC applicants undergo a seven-step process: sponsorship, pre-enrollment, enrollment, security threat assessment, card production, card issuance, and privilege granting.
Source: Department of Homeland Security, Office of the Inspector General
Each applicant for a TWIC would provide detailed personal information, including biometric data, and undergo a criminal background check. An applicant would be disqualified if he has been convicted of any of 10 specific crimes, including espionage, treason, murder, or improper transportation of hazardous materials.14 Certain other offenses would disqualify the applicant if the conviction is “within the 7 years preceding the date of application, or [the applicant] was released from incarceration for the crime within the 5 years preceding the date [of] application.”15 Such crimes include assault with intent to murder, kidnapping, extortion, or rape.16
TSA will share applicant data with U.S. Citizenship and Immigration Services, Immigration and Customs Enforcement, and with the Coast Guard. Applicant data also may be shared with DHS employees and DHS contractors for purposes associated with immigration, law enforcement or intelligence operations.17 TSA will also share applicant data with federal, state, or local law enforcement or intelligence agencies.18 The gathering and wide dissemination of so much sensitive personal data is also affected by a significant problem found by the Department of Homeland Security Inspector General. In its July report, “DHS Must Address Significant Security Vulnerabilities Prior To TWIC Implementation (Redacted),” the Inspector General found that the TWIC program does not have a records retention schedule, and “therefore, TSA has not disposed of individuals’ applications or other information collected during the prototype.”19 The data remains in the system, and it is unknown when or if it will be deleted.
The Department of Homeland Security has said that, “privacy protections include strict access controls, including security credentials, passwords, real-time auditing that tracks access to electronic information, and mandated training for all employees and contractors.”20 However, the Department of Homeland Security Inspector General’s July report highlighted that there is inadequate security to protect against unauthorized access to confidential data.21 “Due to the number and significance of the weaknesses identified, TWIC prototype systems are vulnerable to various internal and external security threats. The security related issues identified may threaten the confidentiality, integrity, and availability of sensitive TWIC data,” according to the report.22 Other problems listed included: “Systems contingency plans have not been approved or tested”; “System and database administrators have not received specialized security awareness training.”
The names of TWIC applicants also would be run against immigration and terrorism watch lists. There have been myriad mistakes and problems associated with terrorism watch lists, which are inherent in such ID schemes as TWIC.23 A person may be labeled a threat if his name matches an entry on one of the watch lists, even if he is not the person actually on the list, and it is difficult to clear a person. Senators Ted Kennedy and Don Young are among the individuals who have been improperly flagged by watch lists, and Sen. Kennedy could only resolve the problem with the help of then-Homeland Security Secretary Tom Ridge.24 The lists are also bloated – earlier this year, they were revealed to include 325,000 names of terrorism suspects or people suspected to aid them.25 This is more than quadruple the 75,000 names on the lists when they were created in 2003.26 The false positive problem – when a person who is not a suspect is mistakenly matched to a watch list – is one highlighted by the Department of Homeland Security Inspector General’s July report.27
Also in July, a report by the National Maritime Security Advisory Committee listed problems with TWIC. The Security Advisory Committee was created by the same maritime legislation that created TWIC, and the committee provides advice to the U.S. Coast Guard on national security strategy and security concerns of the maritime transportation industry.28 The criteria for failure of the background checks are vague and need to be clarified, the Security Advisory Committee said.29 Also, TSA should consider alternative technology for reading the biometric ID cards, because the current card readers have not been adequately tested in real-life maritime environments, which are exposed to water, humidity, salt and high-volume traffic.30 During the pilot program, TSA did not conduct extensive testing of the card readers’ fingerprint scanning.31
In August, TSA announced a delay in the deployment of the biometric card readers.32 The agency says it is unknown when the card readers would be installed, because there are technological and logistical problems.33 The program has already cost $65 million, and full implementation could cost as much as $1.9 billion. Congress should carefully evaluate the costly Transportation Worker Identification Credential program and determine if such a program is necessary. If TWIC moves forward, it cannot do so until the significant privacy, security and logistical problems found by the Security Advisory Committee and the Homeland Security Inspector General are solved.
1 Spotlight has examined identification issues previously, evaluating the Homeland Security ID Card, http://www.epic.org/privacy/surveillance/spotlight/0405/, and the Registered Traveler Card, http://www.epic.org/privacy/surveillance/spotlight/1005/.
2 Hearing on the Transportation Worker Identification Credential Before the S. Comm. on Commerce, Science and Transportation, 109th Cong. (May 16, 2006) [hereinafter Senate Hearing].
3 Department of Homeland Security, Press Conference with Homeland Security Secretary Michael Chertoff, Transportation Security Administration Assistant Secretary Kip Hawley, and U.S. Coast Guard Rear Admiral Craig Bone (Apr. 25, 2006).
4 Transportation Security Administration, Transportation Worker Identification Credential Program Frequently Asked Questions (2006) [hereinafter TWIC FAQ].
5 Id.
6 See infra discussion.
7 Maritime Transportation Security Act of 2002, Pub. L. No. 107-295, 116 Stat. 2064 (2002); Senate Hearing, supra note 2.
8 Department of Homeland Security, Fact Sheet: Transportation Worker Identification Credential Prototype (Nov. 17, 2004); Press Release, Department of Homeland Security, DHS Implements Immediate Measures to Secure Access to Ports (Apr. 25, 2006); Senate Hearing, supra note 2.
9 Alice Lipowicz, TSA does about-face on TWIC, General Computing News, May 12, 2006.
10 Id.
11 Senate Hearing, supra note 2.
12 Id.
13 TWIC FAQ, supra note 4.
14 Id.
15 Id.
16 Id.
17 Department of Homeland Security, Privacy Impact Assessment for the Transportation Worker Identification Credential (May 9, 2006) [hereinafter May Privacy Assessment].
18 Id.
19 Department of Homeland Security, Office of Inspector General, DHS Must Address Significant Security Vulnerabilities Prior To TWIC Implementation (Redacted), OIG-06-47 (July 2006) [hereinafter “Inspector General report”].
20 May Privacy Assessment, supra note 17.
21 Inspector General report, supra note 19 at 1.
22 Id.
23 Previous Spotlights have focused upon the broader problems identified with identification cards, see note 1; security expert Bruce Schneier has written extensively on these vulnerabilities, see Crypto-Gram Newsletter, May 15, 2005 at http://www.schneier.com/crypto-gram-0505.html#2.
24 See Sara Kehaulani Goo, Committee Chairman Runs Into Watch-List Problem, Wash. Post, Sept. 30, 2004; Leslie Miller, House Transportation Panel Chairman Latest to be Stuck on No-Fly List, Associated Press, Sept. 29, 2004; Shaun Waterman, Senator Gets a Taste of No-Fly List Problems, United Press Int’l, Aug. 20, 2004.
25 Dan Eggen and Walter Pincus, 325,000 Names on Terrorism List, Wash. Post, Feb. 15, 2006.
26 Id.
27 Inspector General report, supra note 19.
28 Maritime Transportation Security Act of 2002, supra note 7.
29 R.G. Edmonson, Coast Guard panel cites issues with port ID card, Journal of Commerce Online, July 26, 2006.
30 Id.
31 Alice Lipowicz, Additional testing recommended for worker ID card, TechNews, July 5, 2006.
32 Gregory Richards, System’s installation at ports delayed for further testing, Virginian-Pilot, Aug. 30, 2006.
33 Id.