The Transportation Security Administration is quietly proposing to outsource to private companies its PreCheck program, which allows enrolled members to skip past security lines at airports — a move some analysts warn may have serious privacy and security implications.
Under the proposal, the private-sector companies could collect and analyze travelers’ data such as locations, credit card purchases and social media posts.
Privacy advocates are concerned that the TSA is turning over what should be a government responsibility to the private sector, which doesn’t have to adhere to the same privacy and security requirements as federal agencies.
Advocates of the program say it would save federal money and improve customer service at airports, where security checkpoint lines can be a hassle to travelers. They say the TSA can’t handle the duties alone because of budget constraints and personnel issues.
“I think what they’re proposing is outsourced profiling and, more importantly, it’s outsourced digital profiling,” said Tom Bossert, president of CDS Consulting who served as deputy Homeland Security adviser to President George W. Bush.
Speaking at a panel discussion Tuesday hosted by the George Washington University Center for Cyber and Homeland Security, Mr. Bossert and other specialists highlighted privacy questions raised by the TSA’s proposal.
There is no certainty what a third-party company would do with the data it collected and how it would affect travelers, said Chris Calabrese, senior policy director at the Center for Democracy & Technology, a Washington-based think tank.
The company placed in charge of the program would be given the discretion to flag those whom it considers risky fliers, and the company’s classifications could be at odds with profiling policies of the Homeland Security Department and the TSA, he said.
“If PreCheck says for whatever reason I am a higher-danger traveler, what is DHS or TSA supposed to do with that information? Should I be watch-listed? Should I be given a chance to contest? These are very hard questions with real consequences,” Mr. Calabrese said. “If I’m a traveler who thinks I’m signing up for the fast lane and it turns out I’m really signing up for the ‘you get searched every single time you go through’ lane, it’s less customer service.”
TSA’s PreCheck program allows travelers to skip security lines after they voluntarily enroll by submitting information such as fingerprints and retina scans and by paying a fee. The agency first expressed interest in hiring private-sector companies for screenings in 2013.
Last year, the TSA issued an application for “vendors to apply for the program to develop, deliver, and deploy private sector application capabilities expanding the public’s enrollment opportunities” for the PreCheck program. The government plans to award the contract to multiple vendors, according to the application posted on FedBizOps.gov.
Advocates of the proposal say it would help market the PreCheck program to more people, providing more valuable data, faster security checks and better customer service.
“It’s a win-win proposition because it allows the U.S. government to take a more focused approach to our homeland security as opposed to the system that we originally developed where we basically just had a blanket review of everyone,” said Patricia Rojas, vice president of government relations at the U.S. Travel Association.
“Obviously, the U.S. traveler did not see that as an effective use of federal resources. We applaud TSA for seeing the vision of what PreCheck could be,” she said.
Ms. Rojas stressed that the program is voluntary so those with privacy concerns, who would rather go through the full security check, are not required to enroll, but she argued that the TSA would be better equipped to fight terrorist threats if more people join.
“The more we know about you, the better,” Ms. Rojas said.
In the past fiscal year, the PreCheck program saved the government roughly $100 million. The savings are expected to grow as more travelers enroll.
Federal agencies have found trouble with third-party contractors handling sensitive information, most notoriously in the case of Edward Snowden, who leaked a massive amount of sensitive information from the National Security Agency and became an international fugitive and cause celebre.
Mr. Calabrese also pointed out that commercial databases are notoriously inaccurate and opaque.
Many consumer advocates have complained about credit reporting agencies and the difficulties Americans have with faulty facts and outdated information.
He also contested the entire TSA security model — which private-sector companies likely would use — of big data and massive algorithms. That method of security, he said, is less effective at detecting terrorists trying to get past airport security than are random screenings.
“Terrorists can’t defeat a purely random system because they don’t know if they are going to get picked or not,” Mr. Calabrese said.
Even if the system is 99 percent accurate, he said, the 1 percent margin of error would let millions of passengers annually slip through the cracks.
“Given that we sort of contest the fundamental premise that you can do this with algorithms, when all these other considerations are piled on top it makes me think that we should be able to find other ways to screen passengers faster and make these lines less onerous, this is not a good practice going forward,” Mr. Calabrese said.
In addition to concerns over data accuracy, Mr. Bossert said, a private company will not place security interests above commercial success.
“Their metric for success is enrollment numbers,” he said, adding that a system might be dangerous if it reduces the number of screenings based on data that can be no better than a best guess of a threat.
“We do have a thoughtful predator, and there should be some baseline of physical screenings,” Mr. Bossert said.
The Center for Cyber and Homeland Security issued six recommendations, two to Congress and four to the White House, for consideration before accepting the proposal.
The recommendations include updating the agency’s privacy impact assessment of PreCheck and a request for Congress to issue a Government Accountability Office study of the proposed program to build on the last report issued in December.