The TSA Wants To Read Your Facebook Posts And Check Out Your Purchases Before It Will Approve You For PreCheck

Print Friendly, PDF & Email

from the ah,-now-I-understand-the-phrase-‘documented-citizen’ dept

The TSA is dis­ap­point­ed that so few Amer­i­cans have opt­ed out of its bot­tle-toss­ing, pack­age-grop­ing screen­ings by sign­ing up for its PreCheck pro­gram. For a few years now, the TSA has been sell­ing trav­el­ers’ civ­il lib­er­ties back to them, most recent­ly for $85 a head, but it’s now mak­ing a seri­ous push to increase par­tic­i­pa­tion. The TSA can’t do it alone, so it’s accept­ing bids on its PreCheck expan­sion pro­pos­al. (h/t to Amy Alkon)

The Trans­porta­tion Secu­ri­ty Admin­is­tra­tion (TSA) is seek­ing ven­dors for TSA Pre√® Appli­ca­tion Expan­sion ini­tia­tive to devel­op, deliv­er, and deploy pri­vate sec­tor appli­ca­tion capa­bil­i­ties expand­ing the pub­lic’s enroll­ment oppor­tu­ni­ties for TSA Pre✓® through an Oth­er Trans­ac­tion­al Agree­ment (OTA) award­ed by TSA. The Gov­ern­ment plans to award an OTA to mul­ti­ple ven­dors. The Gov­ern­ment will eval­u­ate the pro­posed ready-to-mar­ket solu­tions’ appli­ca­tion capa­bil­i­ties against this TSA Pre√® Expan­sion Ini­tia­tive Solic­i­ta­tion and State­ment of Work.

This will involve a new pre-screen­ing process to weed out ter­ror­ists by look­ing through a vari­ety of “com­mer­cial data” sources. The pro­pos­al [Statement_of_Work_-_TSA_PreCheck_Expansion_(12–194)_FINAL] is very vague on the details of what “com­mer­cial data” will be used by these third parties.

Con­trac­tors may use com­mer­cial data to con­duct an eli­gi­bil­i­ty eval­u­a­tion (also known as pre-screen­ing) of poten­tial appli­cants. The eli­gi­bil­i­ty eval­u­a­tion shall include, at a min­i­mum, val­i­dat­ing iden­ti­ty and per­form­ing a crim­i­nal his­to­ry records check to ensure that appli­cants do not have dis­qual­i­fy­ing con­vic­tions in con­junc­tion with the TSA Pre✓® dis­qual­i­fy­ing offenses…

The pro­pos­al goes on to say some­thing that sounds like the TSA safe­guard­ing PreCheck appli­cants’ pri­va­cy by stand­ing between them and any crazy ideas third par­ty con­trac­tors might have about “com­mer­cial data.”

As a sec­ond com­po­nent to the eli­gi­bil­i­ty eval­u­a­tion, TSA may also con­sid­er approv­ing an option to use addi­tion­al pri­vate sec­tor process­es to con­duct a pro­vi­sion­al risk assess­ment (based on an algo­rithm devel­oped by the Con­trac­tor) for the pur­pos­es of assist­ing in iden­ti­fy­ing those indi­vid­u­als believed to pose a low risk to trans­porta­tion secu­ri­ty. TSA must approve any com­mer­cial data inputs pro­posed for use by con­trac­tors to include those which val­i­date iden­ti­ty and deter­mine pro­vi­sion­al low-risk status.

More pro­tec­tions here:

Risk assess­ments may not be based on race, eth­nic­i­ty, reli­gion, nation­al ori­gin, age, finan­cial sta­tus (e.g., cred­it ratings/scores, liens, bank­rupt­cies, fore­clo­sures, annu­al income), health records, con­sti­tu­tion­al­ly pro­tect­ed activ­i­ty, or oth­er records reflect­ing an individual’s socio-eco­nom­ic status.

So far, so good. But while the TSA has point­ed out a few exam­ples of what won’t be per­mit­ted to be used to sep­a­rate the threats from the trav­el­ers, it real­ly nev­er goes on to detail what will be per­mit­ted… at least not in the pro­pos­al itself. Those sources (and there are sev­er­al) are tucked away inside the agree­ment boil­er­plate [OTA_Ar­ti­cles_­for_Pre-check­_Ap­pli­ca­tion_­Ex­pan­sion] to be signed by win­ning contractors.

Here’s every­thing that’s open to inspec­tion by PreCheck appli­cant screeners.

For pur­pos­es of this pri­vate sec­tor enroll­ment ini­tia­tive for the TSA Pre√® Appli­ca­tion Pro­gram, “com­mer­cial data” includes: pub­lic record data, such as crim­i­nal his­to­ry and real estate records pro­duced by fed­er­al, state, and local gov­ern­ments; oth­er pub­licly avail­able infor­ma­tion, such as direc­to­ries, press reports, loca­tion data and infor­ma­tion that indi­vid­u­als post on blogs and social media sites; and wide rang­ing data such as pur­chase infor­ma­tion, cus­tomer lists from reg­is­tra­tion web­sites, and self-report­ed infor­ma­tion pro­vid­ed by con­sumers that is obtained by com­mer­cial data sources such as data brokers.

So, the TSA is autho­riz­ing con­trac­tors to use social media posts in the screen­ing process — which, yes, are by default pub­lic but tend to gen­er­ate more noise than sig­nal when it comes to spot­ting the ter­ror­ists in PreCheck approval queue.

[And I sup­pose my Face­book page — con­tain­ing pic­tures I added a few months ago — will put me in the “ques­tion­able” group.]Af5Xe7M

The TSA is look­ing to hire on third-par­ty haystack­ers in order to pre-pro­file trav­el­ers. There’s a lot of “public/commercial data” out there, and very lit­tle of it has any rel­e­vance to the “threat lev­el” of poten­tial fly­ers. And the part about “pur­chase infor­ma­tion” is par­tic­u­lar­ly dis­turb­ing, con­sid­er­ing the DHS would real­ly like to have access to that data.

Home­land Secu­ri­ty Sec­re­tary Jeh John­son said his depart­ment will be issu­ing new guid­ance to retail­ers this week giv­ing them point­ers on how to spot poten­tial ter­ror­ists among their cus­tomers by look­ing at what they’re buying.

While say­ing the gov­ern­ment can­not pro­hib­it sales of some every­day mate­ri­als, Mr. John­son said retail­ers should be trained to look for any­one who buys a lot from what he described as a “long list of mate­ri­als that could be used as explo­sive precursors.”

He said it was an exten­sion of the “If you see some­thing, say some­thing” cam­paign launched by his pre­de­ces­sor, for­mer Sec­re­tary Janet Napoli­tano, which tries to enlist aver­age Amer­i­cans to be aware of their imme­di­ate environment.

Cou­ple John­son’s state­ments with this pro­pos­al sen­tence (which imme­di­ate­ly fol­lows the “Risk assess­ments may not be based on…” sen­tence from the para­graph above), and you get an idea where this PreCheck data­base is headed.

Any algo­rithm used must receive DHS approval, which will be based upon a DHS eval­u­a­tion requir­ing test­ing and review of com­mer­cial data inputs dur­ing that process.

What­ev­er data the con­trac­tors grab will be viewed by the DHS first, before it makes its deci­sion to keep or dis­card it. And this will be in addi­tion to the huge amount of data these two agen­cies already dip into to deter­mine how many “S’s” to print on your board­ing pass. The TSA’s role in the PreCheck pro­gram will be main­ly lim­it­ed to wav­ing suc­cess­ful appli­cants through. (Some­thing it has pre­vi­ous­ly done to alle­vi­ate con­ges­tion with no appar­ent con­cern about PreCheck approval and all of its “safe­guards”.) So, this is real­ly the DHS’s pro­gram, one that allows it par­take of third-par­ty data hoover­ing and add any­thing it deems rel­e­vant to its databases.

That’s a lot of info to turn over for short­er waits at the air­port. Gen­er­al­ly speak­ing, the gov­ern­ment has lit­tle inter­est in your pur­chas­es and social media activ­i­ties, but by apply­ing for PreCheck, you give them the green light to go dig­ging. Sure, most of what’s there isn’t nec­es­sar­i­ly pri­vate, but it’s still infor­ma­tion most peo­ple would­n’t assume the gov­ern­ment would find to be rel­e­vant to air­port secu­ri­ty. Fac­tor in the TSA/DHS’s ever-mount­ing para­noia, and you’ve got a recipe for a slew of false pos­i­tives, espe­cial­ly when the lat­ter con­sid­ers pho­tog­ra­phy of pub­lic build­ings to be “sus­pi­cious activ­i­ty.”