TSA cites progress on Secure Flight privacy requirements
The Transportation Security Administration has made significant progress in addressing key privacy concerns about its Secure Flight passenger screening program, the agency’s administrator told a House subcommittee.
Kip Hawley, TSA’s administrator, said during a Sept. 9 hearing that the Homeland Security Department has certified that the program has met a series of privacy requirements, paving the way for airlines to begin using the program to screen passengers against the government's no-fly list in January as currently planned. The agency’s bid to take over screening, as required by a 2004 law, has faced a series of delays spurred in part by concerns over privacy.
TSA said the Secure Flight program has now met the 10 congressionally mandated requirements, including:
• Establishing an internal oversight board.
• Putting in place substantial security measures to prevent hacking into the Secure Flight system.
• Establishing a redress process for passengers who feel they were wrongly identified.
• Demonstrating the accuracy of the system.
Hawley said the privacy requirements have been met, the technology is in place, and the next step is to have the Government Accountability Office review the system so it can be ready to go in January. Hawley told a session of the Homeland Security Committee’s Transportation Security and Infrastructure Subcommittee that he expects the administration to issue the final rule for the program in November.
However, after the first airlines start to use the program, Cathleen Berrick, director of homeland security and justice issues at GAO, said it will still take some time for all airlines to begin to use the program.
TSA estimates the Secure Flight program will cost approximately $1 billion over 10 years. Also, more costs will be paid by the airlines that will be required to update their IT systems and processes to comply with the program.
Secure Flight’s implementation will “resolve many of the inconveniences passengers are experiencing with verification under the current system,” Hawley said.
Under the current system, before passengers are allowed to reach a security checkpoint air carriers compare basic passenger data to the No Fly list to identify people who should be prevented from boarding an aircraft and against another list to identify individuals who will face additional screening.
Those lists are versions of the government's larger consolidated database for known or suspected terrorists.
Berrick said that until a recent TSA directive, airlines lacked specific guidance on certain aspects of the No Fly list name-checking process and hence airlines had been inconsistent in their approaches. GAO also testified that airlines had been inconsistent in their use of lists containing names of individuals who had been cleared for travel.
TSA and federal authorities have come under fire for highly publicized examples of individuals whose names match the No Fly List or other versions of the government’s master terrorist watch list facing consistent delays and difficulty when traveling.
Greg Wellen, TSA’s assistant administrator for transportation threat assessment, testified that each airline has a different approach for matching names to the watch list.
“One carrier may have a sophisticated computer system that uses robust filters to clear names," he said. "Another carrier may check names manually, or use a less advanced software program. The problem is solved when the same method is used to clear a passenger from the list. That answer is Secure Flight.”
Ben Bain is a reporter for Federal Computer Week.