Testimony

The Promise of Registered Traveler

Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity
Committee on Homeland Security
United States House of Representatives

Executive Summary:

Registered Traveler seeks to overcome the delay at airports, a tax on travelers time, by increasing the amount of personal information and privacy that travelers “pay” - information that is used to investigate and pre-clear them for travel.

There are merits to the Orlando pilot, which will use a privately issued identification card. Private card issuers make privacy promises that are legally enforceable, which no government program has done, or can do. The “Clear” card to be used in Orlando particularly promises to dispose of data about travelers’ movements, which is a notable anti-surveillance feature. Uniform identification systems are harmful to interests like privacy, autonomy, and liberty, so the emergence of a private identification system like this is welcome.

The TSA should avoid inadvertently picking winners and losers. It should open private card issuance to competition, which will tend to drive down prices and increase the appeal of the system to consumers. Also, if Registered Traveler is expanded, the TSA should select airports based on neutral standards.

There are problems with Registered Traveler. It is unseemly to have government agents associated with segregating “preferred” travelers from others. The Registered Traveler program essentially denies fairness, due process, and privacy protections to volunteers. And the “voluntariness” of the program could disappear at any time. Because it is a government program, no promise about it being optional can be assured.

The problems with Registered Travel are premised on the error in having government provide security services to the air transportation industry. There are emotional and political justifications for it, but there is no principled, security-based, or economic rationale for providing a massive security subsidy to airlines.

The government checkpoints that Americans must pass through in order to travel are an affront to American freedom and civil liberties. They require travelers to submit to government search and seizure based on no suspicion and to show papers in order to exercise the important liberty interest of traveling within their own country.

Identification-based security is intuitive but deeply flawed as a protection against terrorism. Private responsibility for airline safety would better secure us against the threat of terrorism, using all the tools that our free society has at its disposal.




Chairman Lungren, Ranking Member Sanchez, and Members of the Subcommittee -

Thank you for examining the Registered Traveler program through today’s hearing. I appreciate the opportunity to share my views with you.

I am Director of Information Policy Studies at The Cato Institute. The Cato Institute promotes fundamental American principles of limited government, individual liberty, free markets, and peace. The Jeffersonian philosophy that animates Cato is often called “libertarianism” or “market liberalism.” It combines an appreciation for entrepreneurship, the market process, and lower taxes with strict respect for civil liberties, and skepticism about the benefits of both the welfare state and foreign military adventurism.

At Cato, I study, write, and speak about the difficult challenges of adapting law and policy to the unique problems of the Information Age. My areas of study include privacy, data security, identification, surveillance, and cybersecurity, as well as intellectual property, telecommunications, and Internet governance.

I am also the Editor of Privacilla.org, a Web-based think-tank devoted exclusively to privacy. On the Privacilla site, there are hundreds of pages of material about privacy, including book reviews and discussions of privacy fundamentals, privacy from government, and topics such as online privacy, financial privacy, and medical privacy.

Recently, I was appointed by the Secretary of the Department of Homeland Security to serve as a member of the Department’s Data Privacy and Integrity Advisory Committee. This group is constituted to advise the Secretary and the DHS Chief Privacy Officer on programmatic, policy, operational, administrative, and technological issues within DHS that affect individual privacy, as well as data integrity, data interoperability and other privacy-related issues.

The Privacy Advisory Committee will have its second meeting in Boston next week. We are only beginning our work and deliberations so nothing in my testimony, oral or written, reflects the views of the Privacy Advisory Committee or any other member of the Committee. I am confident, however, that the Privacy Advisory Committee appreciates the attention being paid us by Members of Congress. Mr. Thompson, the Ranking Member of the full Homeland Security Committee and an ex-officio Member of this Subcommittee, was good enough to come speak to our first meeting in early April, as did Mr. Cannon of Utah, who serves on the Judiciary and Government Reform Committees.

I am currently writing a book on identification called Identity Crisis: How Identification Is Overused and Misunderstood. It is slated for publication early next year and will address many of the issues in current airline security programs on at least a theoretical level.

In my testimony below, I have first done what I can to highlight the good elements of the Registered Traveler program. I have many reservations about Registered Traveler, which I address second. My deep misgivings about the entire system that Registered Traveler tries to fix come last, but please consider these equally as carefully. Their position at the end of my testimony should not suggest that they are my least important contribution. Indeed, they are probably the most important.

Though I am highly concerned with, and critical of, our current approach to airline security, I acknowledge without reservation that the people working on these policies at the Department of Homeland Security and the Transportation Security Administration do so in good faith, with the best interests of our country, its people, and our tradition of freedom in their hearts.

Registered Traveler Summarized

Like the beneficent motives of the people at DHS and TSA, there is no doubt about the good intentions behind the Registered Traveler program. Some relief from the uncertainty and delay for travelers at airports is certainly in order. Anything that will restore our air transportation system to better functioning is a welcome effort.

Registered Traveler amounts to the following “deal” for air travelers: If you submit information to the government and pass a background investigation (also paying a fee in some cases), you will be given slightly less inspection, on average, at airport checkpoints. Registered Travelers will generally have their own lines at checkpoints and will not be subject to random secondary screening and other security measures in place for the general population.

Stated in different terms, the program works like this: Airport checkpoints now amount to a tax on travelers in two ways: in travelers’ time and in their privacy/anonymity. Users of Registered Traveler will pay a privacy/anonymity fee by handing information over to the government (the fee, paid in lost privacy, is higher than the tax, because more personal information is used), and a cash fee in some cases. In return, less of their time will be taxed away through waiting in lines at airports.1

People often trade privacy for convenience which is why some estimates of American travelers’ participation are relatively high. Though there are many reasons for concern, there are interesting potential benefits from a version of Registered Traveler slated to begin soon in Orlando, Florida.

The Innovative Orlando Version: Privately Issued Identification

The Orlando version of Registered Traveler includes what I think is a fascinating and welcome innovation: the use of a privately issued identification card. The Greater Orlando Airport Authority has entered into an agreement with a private identification card issuer called Verified Identity Pass, Inc. This company will market, issue, and operate Orlando’s Registered Traveler card under the brand name “Clear.” Clear will collect information from applicants for Registered Traveler, including fingerprints and iris images. These are highly accurate biometric identifiers that machines can read fairly well today. It will forward applicants’ personal information to the TSA so that the TSA can investigate the applicants. (As discussed below, conditioning travel on government investigation is not okay, but my focus in this section is what is good in Registered Traveler.) Once the applicant has been approved by the TSA, the Clear card can be used to access airport concourses.

At the airport, the Clear member will place the card in a reader and allow his or her finger or iris to be scanned. The scan will be compared to the biometric information embedded in the card using an algorithm designed for matching these biometrics. Meanwhile, a unique identifier on the card will be compared to a database of members’ identifiers. If the card information matches the person carrying it, and if the card identifier is on the list of approved cards, the Clear member will continue through the expedited Registered Traveler line. Privately Issued Identification Cards are Good

Reading the privacy policy on the Verified Identity Pass Web site illustrates why privately issued identification is superior. It is for a reason that might be surprising: because the Verified Identity Pass privacy policy is a contract. It gives Clear members enforceable legal rights and it gives potential applicants information that they can rely on when deciding whether to use it. A private identification issuer like the Clear program submits itself to enforceable contractual terms and commits itself to future actions consistent with its contract.

Neither of these things is true of government privacy policies or the Privacy Act notices published routinely in the Federal Register. Privacy Act notices can be changed merely by a new publication. Congress and federal agencies can change the privacy commitments they have made, denying recourse to citizens, because these government entities are lawmakers not law subjects.

A program like the Orlando Registered Traveler, operated as it is by a private identification card issuer, can be much more protective of privacy than a government operated program, about which future privacy consequences cannot be predicted. And, as I discuss below, the Clear program is more protective of travel information than the government programs we have seen.

For years, the American Association of Motor Vehicle Administrators has been trying to build the role of Departments of Motor Vehicles in American life and commerce. They are among a small few who seem to recognize that identification is an important and useful economic and social tool. AAMVA and the DMV bureaucrats they represent are seeking to use the power of government to perpetuate the happenstance - the mere historical accident - that the most common and recognized identification services are provided by governments. It does not have to be this way, and it should not be this way.

Uniform Identification Systems Are Bad

In my forthcoming book, I summarize and build on the work of many scholars and advocates who have shown that uniform identification systems have significant negative consequences for important interests that Americans cherish, both as citizens and as consumers.

Uniform identification systems enable surveillance by both public and private entities. They are a tool that undermines the privacy and obscurity people enjoy every day. That is, governments use uniform identification to watch and record the movements and actions of citizens, often contrary to their interests. Likewise, companies and marketers watch and study consumers. This is usually done for the purpose of improving customer service, product design, marketing, and so on, but many people object to it. They are free to do so and would be better able to prevent such monitoring if there were more choice among different identification systems.

Exacerbating the problem, the existence of uniform identification systems makes it easier for more institutions to demand identification than otherwise would. Most consumers accede to requests for identification when they check into hotels, enter buildings, and so on because it is easier to do so than to ask why or to refuse. For this reason, identification is becoming overused. It is often not actually necessary or useful for a transaction, but it gets added for marginal-to-nonexistent security reasons, or to create the impression of security. This kind of identification allows further surveillance. All private surveillance creates data that, in the current legal environment, government authorities may readily seize.

Uniform identification systems expose consumers and citizens to significant dangers. Our national identifier, the Social Security Number, and traditional second identifiers like the mother’s maiden name are used too often by too many institutions. This makes identity fraud easier and more profitable. It means that a fraud on one identification system can multiply and by used in many systems, including security systems. If each institution used distinct identification mechanisms, identity fraud would drop in number and in both cost and consequence. (This measure is not without costs itself, of course.)

Likewise, uniform identification systems expose citizens to the risk of official confiscation. Currently, access to more and more goods, services, and infrastructure is being made contingent on showing a single identification, the driver’s license. With this trend, there is an increasing risk that authorities may - legally or illegally - take away identification documents, effectively depriving people of their ability to function in society.

Most totalitarian governments in history have used uniform identification systems as a powerful administrative tool. Totalitarianism does not arise because of uniform identification, but uniform identification systems help totalitarian governments be that way. We are better off, and our freedom stands on stronger footing, if we have heterogeneous identification systems, including things like the Clear identification card.

Privately issued identification cards like the Clear card slated for use in Orlando will help create the heterogeneous identification system that we need in the United States. Though not entirely sufficient - not by a long shot - diversity of identification systems is one bulwark of liberty that will pay Americans enormous dividends in freedom and autonomy during the rapidly advancing digital age.

Private identification systems can put people, as both consumers and citizens, in a better position to control information about themselves. The alternative is massive, uncontrolled information sharing and data pooling that empowers governments and corporations over individuals.

Clear Under the Microscope

I have sung the praises of private identification cards like Clear, noting particularly that they are subject to law rather than the whim of lawmakers. This does not mean they are flawless. Along with some particular benefits, there are potential drawbacks to the Clear identification system, particularly in its interaction with the TSA program.

Foremost, the Clear system appears designed for resistance to surveillance of travelers’ movements. This is an attractive feature, laid out in the privacy policy as a firm contract with members. Specifically, Verified Identity Pass tells us:

For purposes of real-time maintenance and customer support (e.g., if your card doesn’t work, we need to be able to run tests to understand why), we will maintain “log files” of entrances to local venues. However, we keep such records only at that location, we purge these records automatically every 24-48 hours, and we have designed our network so that neither Verified ID nor its subcontractors, including Lockheed Martin Corporation, can track and record Members’ activities from location to location.

Assuming the Clear system works as stated - and if it does not Verified Identity Pass is on the hook for deceiving its customers - this is a tremendous anti-surveillance feature that has never been seen in government operated programs.

To the extent they revealed information in their Privacy Act notices, programs like CAPPS II and Secure Flight have been ambiguous about how long they would maintain information about Americans’ travels in their records. Indeed, the Privacy Act notice for the Registered Traveler pilot, covering TSA’s portion of the program, says that data will be retained “in accordance with a schedule to be approved by the National Archives and Records Administration.” This is both perfectly ambiguous and subject to change by a subsequent Federal Register notice, whether or not participants in Registered Traveler might object.

Clear’s contractual promise to use a surveillance-resistant data destruction policy is a major improvement over the alternatives we have seen so far.

Clear’s system is not unambiguously good. I note that they collect and store digital images of applicant s’ fingerprints and irises, apparently passing those on to the TSA as well. The data used to compare a Clear member with biometric data on a Clear card is not an image of the biometric itself but a sort of mathematical description of the biometric. Keeping a copy of fingerprint and iris images themselves may expose Clear members to future high-tech iterations of identity fraud if Verified Identity Pass’ systems or TSA’s systems are hacked or otherwise compromised. There is no obvious rationale for saving images of these biometrics or for sharing copies with the TSA.

Another concern is an apparent conflict between different sections of the Verified Identity Pass privacy policy. In section 5, it says it will comply with valid subpoenas, court orders, or other legal processes that require sharing of Member information with others. This suggests, without stating clearly enough, that it will share information only in these cases. In section 8(C), the policy says that Verified Identity Pass will share information “[i]f the government asks us” in cases when a member is removed from TSA’s list of approved Registered Travelers. Loose wording in these two sections combine to create flimsy privacy protections against government entities for users of the Clear card.

Of greatest concern, of course, Clear passes identity and background information to the TSA, which is subject to none of the obligations in the Clear privacy policy. This problem arises from, and inheres in, government-provided security programs, discussed in detail below.

It is not for me to decide whether Clear provides adequate privacy-protective terms to prospective members. Privacy advocates, a watchdog press, the exposure brought by this Subcommittee’s hearing, and many other actors and events will shape whether this product meets with the acceptance of consumers. Happily, though, these questions will be decided in a marketplace, where consumers have choices, as opposed to a government process where they do not.

Next, I will discuss how this marketplace can be improved.

Avoid Picking Winners and Losers

Too often with government programs and regulations, winners and losers are chosen through superior lobbying or luck rather than the merits of how well they serve consumers. In at least two respects, Registered Traveler, and the Orlando version of it, can be improved so that competition forces providers to serve consumers better.

Below, I will discuss the relatively large expense of Registered Traveler and Clear cards, particularly for people who travel rarely. This could create the impression of inequity - a class system - that carries the apparent approval and backing of the TSA. I have written above about concerns with the privacy terms offered by Verified Identity Pass to Clear users, though they are generally good. Competition can both lower the price and broaden the appeal of Registered Traveler, and potentially improve the privacy protections in private identification systems like Clear.

Registered Traveler should operate using uniform, neutral, and published (though, of course, secure) standards and protocols for biometric algorithms and for communication between cards and readers. This would enable other identification card issuers to enter the market, competing to serve Orlando customers and travelers at other airports as they come into the program. Uniform standards and protocols would also allow the identification cards used for Registered Traveler to be used in other settings such as office buildings.

Under the monopoly granted by the Orlando airport authority, Verified Identity Pass appears positioned to collect a relative windfall of $80 to $100 per customer per year, according to reports and the company’s Web site, just for issuing the Clear card. (Some of this may go to the TSA to pay for investigations.) In the face of competition among identification card issuers, the price to the Orlando air traveler could drop quickly. Competitive identification card issuers would also likely pick at each others’ privacy and anti-surveillance offerings and try to cater better to consumers’ concerns, to the extent the TSA’s terms allow them to do so.

Imagining further what might happen in a competitive environment, airlines might offer branded Registered Traveler cards to their customers for free to build loyalty. They may group cards with other concierge services for their best travelers. This is fine for private companies to do, though not for the government to affiliate itself with (as discussed below). Other card issuers may seek the low end of the market and offer Registered Traveler cards as inexpensively as possible to the occasional vacation traveler.

There is a wide array of possibilities and I cannot predict how the market for identification services would take shape. None of these beneficial practices would overcome the deep flaws in the current government-provided air security system discussed below. The background investigations done by the TSA could and should also be competitively provided based on full permission from travelers. But, so long as this system exists, there are potential benefits to consumers and to society as a whole from a private identification market. These benefits should be harvested.

Likewise, if it expands Registered Traveler, TSA should offer the programs to airports based on neutral standards rather than superior lobbying and relationships. It should expand into markets rather than airports, so that one airport in a market is not given competitive advantage over another.

People often confuse free-market advocacy like mine with pro-business advocacy. In fact, unhampered markets are very tough on businesses because they force businesses into sharp competition with one another to serve consumers. Subjecting the identification business to competition will help ensure that it is attractive to consumers and oriented to serve their interests, including privacy. Doing whatever is possible to prevent distortion of competition among airports should also be a goal of Registered Traveler.

Registered Traveler has some merits - in particular, the use of a privately issued identification card. It has plenty of demerits that must be considered as well.

Problems with Registered Traveler

Having sought the good from Registered Traveler, I now turn to the bad. There a variety of problems that attach to the program, some of which have been alluded to above. It is difficult to intermingle the government and private sector as closely as Registered Traveler does. In the final sections of my testimony I argue against that entire approach. What follows here is a discussion of several issues that arise from that policy as it manifests itself in Registered Traveler.

Inequity

Users of the Registered Traveler system to date have been invitees of the airlines and regular business travelers much more than average or occasional flyers. It appears that Registered Traveler will ultimately be funded by fees, and the version of Registered Traveler being adopted in Orlando will be based on an $80 annual fee. In light of the fees and inconvenience of joining the program, Registered Traveler will probably not be used by occasional travelers and travelers of limited means. Thus, Registered Traveler will have all the hallmarks of a benefit reserved for the wealthy.

It is discomforting that TSA agents will be actively involved in, and associated with, segregating “preferred” passengers from everybody else in the flying public. Airlines should be free to segment their customers, of course, and business travelers are certainly a valuable segment, but Registered Traveler appears likely to put the government’s imprimatur on these divisions.

According to the Washington Post, Verified Identity Pass, the company that will be providing Clear cards for Orlando, will share 29% of the revenue with the airport authority and as much as 22.5% in succeeding years, as well as 2.5% of Clear’s future nationwide revenue. This puts the airport authority in a position to benefit from moving travelers from the regular line into Registered Traveler.

The easiest way to do this is to maintain consistent long lines for non-Registered Travelers. Eliminating wait times and uncertainty for the general public would reduce the attraction of the Registered Traveler program and the airport could lose Clear revenues by doing so.

At the least, the Orlando airport’s incentive structure will be clouded by this arrangement. The incentives created by the arrangement between Clear and the Orlando airport authority may exacerbate long lines and the sense of inequity created by the Registered Traveler program, a sense that will be inextricably linked to the TSA and U.S. government.

If airline security were handled by airlines themselves, of course, this problem would disappear. Some airlines specifically target the business segment and others target the low-fare traveler. Each could customize their security programs to meet the tastes and demands of their customers.

Fairness, Due Process, and Privacy

According to the Privacy Impact Assessment for the Registered Traveler program’s pilot phase, applicants for the Registered Traveler program who are denied will not be given the opportunity to appeal or have other redress. As the program expands, a significant number of people may be unable to participate in Registered Traveler.

If the system goes forward without a full-fledged redress procedure, this will be at least unfair to many people. When government action affects property or important liberty interests, this triggers the requirements of the constitution’s Due Process clause. Given the long-recognized liberty interest in travel, it is likely that denying people the right to participate in the Registered Traveler program without appeal or redress will violate Due Process. Attempting to participate in the program, but being denied, may mark a traveler for future difficulties when he or she attempts to fly.

This would be equally true in the Orlando version of the program, in which a private company would collect personal information from applicants, forward it to the government for the investigation, and deny an application based on the government findings. The interposition of a private company does not affect the constitutionality or fairness of denying applications without recourse.

There are many other interests that Registered Traveler denies to volunteers. Indeed, in a Federal Register notice published just yesterday, TSA exempted the system from many protections of the Privacy Act, including the right to an accounting of disclosures, the right to access one’s records, and the requirement that information in a traveler’s file be relevant and necessary to the TSA’s statutory purpose.

Volunteers for the Registered Traveler program may be seeking better treatment at airports, but they may end up getting substantially worse treatment by their government.

Voluntariness

Speaking of volunteering, the Registered Traveler brochure on the Transportation Security Administration’s Web site calls participation in the program “completely voluntary.” This is true at the present time, of course, and nobody intends for Registered Traveler to be mandatory - just like no one intended the Social Security Number to be used for identification.

No one can predict the future and no one - lawmaker, bureaucrat, or seer - can say for certain that the Registered Traveler program would never become mandatory. Indeed, there is good reason to object to the program in its entirety simply because it builds a traveler surveillance infrastructure and conditions people to accept government investigation as a prerequisite for traveling within the United States. After some future attack on the United States with significant loss of life, Registered Traveler may quickly be extended in any number of directions and made mandatory - without regard to its real utility in terrorism prevention.

In addition to the possibility that registration might be mandated directly in the future, the “voluntariness” of Registered Traveler can be eroded by maintaining consistently bad, slow service in the non-Registered Traveler lines at airports. As discussed above, the Orlando airport will have mixed incentives under its arrangement with Verified Identity Pass. Were airports and the Transportation Security Administration to continually maintain sub-standard service in the standard passenger lanes, Registered Traveler could remain voluntary in the technical since while becoming practically mandatory if a traveler actually wants to get somewhere on an airplane.

The risk that Registered Traveler could become mandatory is grave.

Registered Traveler has some merits that I have featured above. A number of problems with the program exist. They are rooted in the provision of air security to the airlines by the government. This premise is a deep and fundamental flaw that I have reserved to the latter part of my testimony.

Providing Government Security Services to Private Industry is Error

Though I have done my best, the Registered Traveler program can not be discussed in isolation. The program is intimately bound up with the provision of government security services to the airline industry, at taxpayer expense. It is also premised on the existence of government checkpoints that condition Americans’ access to travel, an important and long-recognized liberty interest. To travel by airplane today, one must submit to seizure and search by government officials and one must show identification to government officials as well.

Though there are plenty of emotional and political justifications for it, there is no principled security-based or economic rationale for it. Putting government in the private security business opens the door to substantial incursions on civil liberties, which are occurring at airports daily.

The instinct to bring the full weight of the government into securing air travel is understandable. Attacks on air transportation have often had political motivations. The first recorded attack, in May 1930, saw Peruvian revolutionaries seizing a Pan American mail plane with the aim of dropping propaganda leaflets over Lima.

Hijackings and other terrorist acts often spur knee-jerk, and often wasteful or misdirected, responses. In that sense, terrorists often succeed at injuring their targets even when the direct effects of their actions may be small.

Because it is so important to understand this, I have attached to my testimony an article from the Fall, 2004 issue of Regulation magazine called “A False Sense of Insecurity? ” In it, Ohio State University national security expert John Mueller shows that leadership in the fight against terror involves informing the public of the real risks from terrorist acts rather than just catering to public fears.

The rash of hijackings to and from Cuba in the late 1960s had obvious political motivations and consequences. A spate of eight hijackings in January 1969 brought the Federal Aviation Administration into the air security business with the creation of the Task Force on the Deterrence of Air Piracy. The Task Force developed a hijacker “profile” to be used along with magnetometers to screen passengers.

In the first few days of September 1970, two American planes, a Swiss plane, and a British plane were hijacked and destroyed with explosives on the ground in Jordan and Cairo. The perpetrators in the Popular Front for the Liberation of Palestine had an obvious political motive. They elicited a super-prompt response in the United States which was very unlikely to have been carefully calculated for optimal terrorism suppression. On September 11, 1970, just days after these bombings, President Richard Nixon rushed out a comprehensive anti-hijacking program that included a Federal marshal program. Since then, the federal government has had its hand in airline security, mandating various security practices and supplying guards at taxpayer expense to commercial passenger airlines.

The attacks of September 11th, 2001 - thirty-one years to the day from President Nixon’s move to bring the government into commercial air security - horrified all Americans and filled us with anger and dread. Congress reacted to the provocation with natural protectiveness. The Aviation and Transportation Security Act, signed into law a little more than two months after the attacks, increased the government’s role in airline security even further.

This politically appealing response was not necessarily the best. Had the lines of authority for transportation security never been blurred by federal government involvement, the Al Qaeda killers planning the 9/11 attacks might have faced a heterogeneous and unpredictable security system operated by multiple airlines, each one motivated by the fact that their continuing operations relied on keeping their passengers safe and secure.

This is not to say that airlines with full responsibility for security would have had perfect anti-terror records or even would have defeated the 9/11 plot. The weaponization of planes - a destructive technique not seen since the kamikaze attacks by Japanese forces in World War II - was a risk that no institution, public or private, seems to have considered. At best, though, the responsibility for airline security was mixed on 9/11. Unclear responsibility tends to degrade results.

The situation got worse with the airline bail-out, creation of the victims’ compensation fund, and creation of the Transportation Security Agency. These steps have contributed to “moral hazard” (in the lexicon of insurance economics) around terrorism prevention: Decision-makers in the companies that control most of America’s important infrastructure have seen that failing to protect themselves from terrorist threats may result in substantial immediate subsidies, release from liability, and an ongoing government subsidy of their security operations. The fate that the airlines “suffered” after 9/11 was a substantial infusion of various kinds of corporate welfare.

Airport Checkpoints and Identification Requirements Are Suspect

With good intentions and for good reasons, the Registered Traveler program seeks to overcome flaws in the Transportation Security Administration’s screening program. But it addresses only a narrow part of one flaw: the substantial time delay for travelers. There are many others.

Foremost, TSA screening areas are government checkpoints that may be unconstitutional and that are certainly defective policy. When government officials stop and inspect citizens and their belongings, these are Fourth Amendment searches and seizures which, according to the terms of that Amendment, must be reasonable.

Two lines of Supreme Court cases are relevant. In one line (Terry v. Ohio), authorities have some level of suspicion about particular people that they have stopped. This is clearly not applicable to TSA checkpoints at which government officials stop and search everyone. The other line addresses checkpoints - in which everyone passing through a particular area is seized, if briefly, based on no particular suspicion whatsoever.

The most recent case, Indianapolis v. Edmond (2000), struck down a checkpoint set up for general law enforcement purposes. The Supreme Court specifically declined to decide whether its decision applied to airports or government buildings.

The future case that addresses checkpoints at long-distance transportation centers will have high stakes on both sides if it squarely addresses whether exercising the liberty to travel can be conditioned by government officials on submitting to search and seizure. If suspicionless searches and seizures at airports are reasonable under the Fourth Amendment because of the substantial danger to the public involved, this limitless rationale will validate checkpoints wherever some gross crime could or does occur: shopping malls, tunnels, factories, subways and so on. This is a roadmap for terrorists who wish to sap our economic strength and the vitality of our free people.

Overlaying these issues is the question of government-mandated identification at checkpoints. The recent Hiibel case which validated the requirement that someone tell an officer his or her name tracks to the Terry v. Ohio Fourth Amendment cases because the subject in that case was under suspicion. Suspicionless identification requirements have not been tested in the courts. A prominent case called Gilmore v. Gonzales pending in the Ninth Circuit may reveal what law or regulation, if any, actually requires the showing of identification at TSA checkpoints, and whether such a law is constitutional.

The constitutional questions about checkpoints and government-mandated identification underscore important policy questions that deserve careful, rational consideration. The Fourth Amendment is a constitutional rule, but also a sensible policy guideline. Searching the 99.99% of Americans who are 110% in support of the United States against the terrorists may be a waste of resources and time. These resources might be better devoted to far more selective and particularized searching, developing human intelligence, following leads, and tracking down genuine suspects of crime, terrorism, and related conspiracies.

The theory of identification-based security has significant flaws. People tend to believe that knowing who a person is reduces that person as a threat. This is true in normal life because in normal life people who are known can be held accountable. Terrorists are not accountable, however. They are willing to die. Capturing the identity of all who would board an airplane does nothing to thwart committed terrorists. Checking identification may prop up the mistaken feeling the general public has of being safer sitting next to someone who the government has “checked out.” It is disrespectful folly to deceive the American people this way.

Checking identification for the purpose of comparing air travelers to lists of suspects or no-flyers is also deeply flawed and unlikely to interdict committed terrorist groups. An MIT study called “Carnival Booth: An Algorithm for Defeating the Computer-Assisted Passenger Screening System,” has shown that terrorists can defeat screening programs. By traveling multiple times before carrying out an attack, terrorists can determine whether or not they are subject to special screening. Those who are not subject to screening can be assigned to act. Again, this brittle security policy provides a roadmap to terrorists.

If terror suspects are known, watch lists are analogous to placing wanted posters in Post Offices - and then waiting for the criminals to go to the Post Office. True terror suspects should be sought out, investigated, arrested, and prosecuted. Non-suspects should be free to travel.

Identification can have some role in suppressing the risks of terrorist attacks. There is probably a close, but imperfect inverse correlation between “depth” in the community -children, family, ownership, liberal education, etc. - and propensity to terrorism. Identification and investigation can reveal such background, but people have consistently rejected the background checks envisioned for CAPPS II and Secure Flight. Background checking should be a consensual service, provided by airports and airlines. Because the correlation is imperfect, of course, securing infrastructure against tools and methods of attack will always be needed. Searching for weapons or bombs should probably remain a part of the security practice in commercial aviation for the indefinite future.

This all presumes that weaponization of a plane remains a risk. It does not. Hardened cockpit doors have driven that risk down substantially. In fact, that risk was virtually eliminated by 9:57 a.m. on the morning of September 11, 2001. That was the time that the passengers on United 93 attacked the cockpit. They realized that the airline security system had failed them and cooperating with the hijackers would not save them. Indeed, it would take the lives of others. These passengers at least ensured that their flight would not be used as a giant bomb like the others. No joy comes from recounting this event, but it does illustrate the better result when security is provided by interested parties with a real stake in the outcome.

To do airline security best, it should be done by the airlines themselves, in ways that they find to best protect their, and their passengers’, interests. They are the ones who have something on the line. In case that is a subject of doubt: no air carrier is insurable post-9/11, and thus no air carrier is operable, if it does not take precautions fully sufficient for the risks to passenger aviation we all now recognize.

Likewise, in a fully private system, every major investigative news operation would be poring over airline security and sneaking dangerous items onto planes so that they could report on airlines’ failings. The threat this publicity would bring to passenger levels and revenues would put airlines in a security frenzy. Airline security would be better and more creatively tested by the nation’s enterprising reporters under a private system than it is today in the monolithic government systems we are limping along with. The strongest tools our society has to fight terror are still lying on the ground, unused.

Airlines are not subject to constitutional limitations like the Fourth Amendment. Were airline security restored to private hands, the airlines could condition travel on search, identification, or whatever other measure they thought would protect their airplanes and passengers. They would implement these security practices in ways that nest with and balance passenger comfort and privacy, good customer service, profitability and all the other interests that businesses must serve in order to survive. Each passenger, informed by our watchdog press, could choose the airline which he or she believed to be most secure.

Despite my deep reservations about the current stance of airline security, I have endeavored to constructively highlight what is good and bad about the Registered Traveler program. The emergence of a privately issued identification system, subject to contractual obligations that protect privacy and resist travel surveillance, is a welcome innovation. Whether it will appeal to the public is an open question that has many facets. And whether Registered Traveler will or should survive is another question. Probably, it should go away as airlines retake responsibility for a security role that is properly theirs.

A False Sense of Insecurity,” by Jim Harper, Regulation Magazine, Vol.27, No. 3, Fall 2004 (PDF, 5 pp, 97 Kb)


1 The plans of Verified Identity Pass, Inc., at the Orlando, Florida, airport are discussed in detail below. According to the Washington Post, the company expects to have 3.3 million customers for its “Clear” Registered Traveler identification card within six years at annual memberships fees of $100. This estimate holds that far in excess of 330 million dollars worth of consumer time each year is wasted by the wait times and uncertainty of wait times at airports.

Additional Submitted Testimony, (PDF, 1 pp, 60 Kb) June 22, 2005.