Frequent flier program raises privacy, security questions

TSA plans to complete nationwide registered traveler program by next summer.

The recent announcement by the Transportation Security Administration that next summer it will finish deploying a nationwide program for frequent fliers raises numerous questions about technology, privacy and security.

Congress and the airline industry have pressured the agency to establish a timeline for the Registered Traveler program since the agency finished testing it in September. In the agency's spending law for next year, lawmakers directed officials to employ an existing database run by airports and airlines for the initiative in order to speed its deployment.

The agency bowed to lawmakers' requests by planning full deployment next year, after establishing technology and privacy standards, and defining responsibilities for the private sector.

The popular Registered Traveler pilot projects allowed participants to bypass long, slow-moving security checkpoint lines in exchange for voluntary background checks and access to biometric information obtained via iris and fingerprint scans. One criticism was that the projects were not connected. Registered travelers could reap the benefits of the program only with one airline carrier at the initial departure airport.

Lawmakers believe the Transportation Security Clearinghouse database, which is owned and operated by the American Association of Airport Executives, could enable the systems of TSA, airports and the companies that would issue biometric cards to work together. The database has been used since 2002 to conduct background checks on 1.8 million airport and airline employees. Every airport has access to the clearinghouse to confirm employee identifications.

The Association of Airport Executives has pitched the clearinghouse to Congress and recently created a Registered Traveler Interoperability Consortium with nearly 60 airports. The goal is to define and establish mutual business practices and technical standards to "push forward a national program," according to written testimony from Charles Barclay, the group's president.

The group has agreed to a system where companies that provide "smart cards" enroll people and collect and verify their personal data. The companies then would give the information to the consortium, which would double-check the data and forward it to TSA for a threat assessment.

TSA in turn would notify the consortium if applicants are approved or declined but would not provide further details. The consortium would notify the smart-card vendors, which are responsible for protecting and maintaining the personal data.

TSA has not endorsed the proposed business model and plans to examine the issue over the coming months. But Kip Hawley, TSA's assistant secretary, said in testimony last week that the agency would let the private sector operate and manage the initiative, and officials plan to "define the role of the Transportation Security Clearinghouse."

Marc Rotenberg, president of the Electronic Privacy Information Center, testified against using the clearinghouse database and letting companies have their own databases. He argued that private-sector databases are not subject to safeguards in the 1974 Privacy Act. The law requires agencies to let people access, and correct, information that the government collects about them.

Hawley said that early next year, the agency would establish a redress process for travelers who are rejected from the program and would define privacy requirements for companies.