TSA compromising security for popularity; and looking at our credit purchases?

You know those PreCheck lanes at the airport that promise expedited screening?  The TSA wants to fill them and it has come up with a troubling new twist on an old, contentious scheme to do it.  While Congress and the rest of us were slipping out for the holidays, the TSA quietly published its intent to hire big data companies to solicit you for PreCheck enrollment, and seek your consent to mine your grocery receipts, your credit card purchases, and even your Facebook posts to determine if you are a terrorist risk – not just once but on an ongoing basis. 

The TSA’s approach raises serious concerns about citizen privacy and security, especially as we face an increased threat that outgoing administrator John Pistole recently declared was “more expansive” than it was four-and-a-half years ago.

The government has concluded that low participation rates in the expedited airport screening program known as PreCheck must be due to poor marketing and slow enrollment, as opposed to the flying public recognizing a bad deal when they see it.

TSA believes private sector companies can use commercial data and secret computerized algorithms to examine a passenger’s background and predict who is, and who is not, a terrorist risk. It is so invested in this method of predicting risk that it is willing to reduce physical screening of passengers who agree to and pass these recurring background checks. If the TSA carries out its plan, it will be a massive expansion and outsourcing of the government’s citizen data mining, and it is a bad idea.

The TSA is no stranger to computerized passenger profiling programs.  In 2002 the CAPPS-2 program sought to evaluate passengers based on government and commercial databases and assign them a risk score.  It was scrapped after heavy public criticism, especially about its intrusive use of incomplete, unverified commercial data.  Yet once again, the TSA is heading down this path, enticing the public with the promise of reduced security screening at the airport. 

The TSA hopes not to tell you exactly what its private sector contractors will collect or what they will use to determine your suitability for reduced screening. The government will remind you, rightly, that the program is voluntary. But how do we give informed consent? It is unknown what predictive factors will be used in the algorithm to determine whether a passenger is a threat.

Beware what you post on social media while you are enrolled in PreCheck – it is fair game, according to the TSA’s request for proposals.  It is also unclear whether the information collected by the agency’s private sector contractors could be used for other government or private purposes.  The type of information collected appears to be unlimited and the government will not say what these big data companies may or may not collect.  Worse, if you are rejected by a private sector contractor, you may never know why.

The privacy and civil liberties implications alone are astounding.  But, there is a more important issue.  The TSA is gambling with the security of civil aviation and expanding its scope irresponsibly.  The problem with computerized passenger profiling is that it simply does not work.

Frequent flyer miles might be a factor in the secret algorithm.  However, Mohamed Atta, a ringleader and 9/11 hijacker, had a frequent-flyer gold card. Current members of the military are considered low risk by the TSA.  Yet, Nidal Hasan, the convicted Fort Hood shooter, was a U.S. Army Major.  Perhaps the algorithm will be programmed to trust doctors.  Yet, the attempted 2007 car bomb attacks in London and Glasgow were planned and executed by doctors. 

According to a recent report on Homeland Security News Wire, “about 40 percent of lone-wolf terrorists are driven by mental illness, not ideology.” 

If you voluntarily submit for a PreCheck background check and are green-lighted by the big data companies who have fed your discoverable personal data into their algorithms, you are promised quicker transit through airport security, dedicated faster moving lines, and you will not be asked to remove your belt, shoes, liquids and gels.  If you do not, you are guaranteed the opposite.  So, either these security measures—removal of belts, shoes, liquids and gels—are unnecessarily kept in place to drive passengers into the allure of PreCheck, or they are prudent flight security measures waived by the TSA because it is willing to gamble on the effectiveness of its prescreening.  Either conclusion is unsettling.      

When all else fails, TSA leadership will argue that no approach is perfect; a conceded truism. Yet, playing the odds is a difficult game. Statistically speaking, billions of passengers have flown without incident. Not all of them were savory. That didn’t make them terrorist hijackers. Had TSA been in existence on 9/11, it could have claimed a 98 percent success rate, statistically. That is cold comfort.

The policy issue is this: the TSA should focus less on big data commercial background checks of passengers, which have proven unpopular and unreliable, and more on securing flights by screening passengers for weapons and explosives. The TSA is instead seeking terrorist correlations among criminal behavior and commercial conduct. It used to be that you only met the TSA at the airport. Now it wants to be your friend on Facebook. We know the TSA is performing an important but thankless job. TSA leadership should focus on improving core capabilities instead of trying to make the TSA more popular or unnecessarily expanding its scope.

Bossert formerly served as the deputy assistant to the President for Homeland Security under President George W. Bush.