(by Tim Cushing, TechDirt) -- The TSA is disappointed that so few Americans have opted out of its bottle-tossing, package-groping screenings by signing up for its PreCheck program. For a few years now, the TSA has been selling travelers’ civil liberties back to them, most recently for $85 a head, but it’s now making a serious push to increase participation. The TSA can’t do it alone, so it’s accepting bids on its PreCheck expansion proposal. (h/t to Amy Alkon)
The Transportation Security Administration (TSA) is seeking vendors for TSA Pre√® Application Expansion initiative to develop, deliver, and deploy private sector application capabilities expanding the public’s enrollment opportunities for TSA Pre✓® through an Other Transactional Agreement (OTA) awarded by TSA. The Government plans to award an OTA to multiple vendors. The Government will evaluate the proposed ready-to-market solutions’ application capabilities against this TSA Pre√® Expansion Initiative Solicitation and Statement of Work.
This will involve a new pre-screening process to weed out terrorists by looking through a variety of “commercial data” sources. The proposal [pdf link] is very vague on the details of what “commercial data” will be used by these third parties.
Contractors may use commercial data to conduct an eligibility evaluation (also known as pre-screening) of potential applicants. The eligibility evaluation shall include, at a minimum, validating identity and performing a criminal history records check to ensure that applicants do not have disqualifying convictions in conjunction with the TSA Pre✓® disqualifying offenses…
The proposal goes on to say something that sounds like the TSA safeguarding PreCheck applicants’ privacy by standing between them and any crazy ideas third party contractors might have about “commercial data.”
As a second component to the eligibility evaluation, TSA may also consider approving an option to use additional private sector processes to conduct a provisional risk assessment (based on an algorithm developed by the Contractor) for the purposes of assisting in identifying those individuals believed to pose a low risk to transportation security. TSA must approve any commercial data inputs proposed for use by contractors to include those which validate identity and determine provisional low-risk status.
More protections here:
Risk assessments may not be based on race, ethnicity, religion, national origin, age, financial status (e.g., credit ratings/scores, liens, bankruptcies, foreclosures, annual income), health records, constitutionally protected activity, or other records reflecting an individual’s socio-economic status.
So far, so good. But while the TSA has pointed out a few examples of what won’t be permitted to be used to separate the threats from the travelers, it really never goes on to detail what will be permitted… at least not in the proposal itself. Those sources (and there are several) are tucked away inside the agreement boilerplate [pdf link] to be signed by winning contractors.
Here’s everything that’s open to inspection by PreCheck applicant screeners.
For purposes of this private sector enrollment initiative for the TSA Pre√® Application Program, “commercial data” includes: public record data, such as criminal history and real estate records produced by federal, state, and local governments; other publicly available information, such as directories, press reports, location data and information that individuals post on blogs and social media sites; and wide ranging data such as purchase information, customer lists from registration websites, and self-reported information provided by consumers that is obtained by commercial data sources such as data brokers.
So, the TSA is authorizing contractors to use social media posts in the screening process — which, yes, are by default public but tend to generate more noise than signal when it comes to spotting the terrorists in PreCheck approval queue.
[And I suppose my Facebook page -- containing pictures I added a few months ago -- will put me in the "questionable" group.]
The TSA is looking to hire on third-party haystackers in order to pre-profile travelers. There’s a lot of “public/commercial data” out there, and very little of it has any relevance to the “threat level” of potential flyers. And the part about “purchase information” is particularly disturbing, considering the DHS would really like to have access to that data.
Homeland Security Secretary Jeh Johnson said his department will be issuing new guidance to retailers this week giving them pointers on how to spot potential terrorists among their customers by looking at what they’re buying.
While saying the government cannot prohibit sales of some everyday materials, Mr. Johnson said retailers should be trained to look for anyone who buys a lot from what he described as a “long list of materials that could be used as explosive precursors.”
He said it was an extension of the “If you see something, say something” campaign launched by his predecessor, former Secretary Janet Napolitano, which tries to enlist average Americans to be aware of their immediate environment.
Couple Johnson’s statements with this proposal sentence (which immediately follows the “Risk assessments may not be based on…” sentence from the paragraph above), and you get an idea where this PreCheck database is headed.
Any algorithm used must receive DHS approval, which will be based upon a DHS evaluation requiring testing and review of commercial data inputs during that process.
Whatever data the contractors grab will be viewed by the DHS first, before it makes its decision to keep or discard it. And this will be in addition to the huge amount of data these two agencies already dip into to determine how many “S’s” to print on your boarding pass. The TSA’s role in the PreCheck program will be mainly limited to waving successful applicants through. (Something it has previously done to alleviate congestion with no apparent concern about PreCheck approval and all of its “safeguards”.) So, this is really the DHS’s program, one that allows it partake of third-party data hoovering and add anything it deems relevant to its databases.
That’s a lot of info to turn over for shorter waits at the airport. Generally speaking, the government has little interest in your purchases and social media activities, but by applying for PreCheck, you give them the green light to go digging. Sure, most of what’s there isn’t necessarily private, but it’s still information most people wouldn’t assume the government would find to be relevant to airport security. Factor in the TSA/DHS’s ever-mounting paranoia, and you’ve got a recipe for a slew of false positives, especially when the latter considers photography of public buildings to be “suspicious activity.”