The Promise of Registered Traveler

Share

Executive Summary:

Registered Traveler seeks to overcome the delay at airports, atax on travelers time, by increasing the amount of personalinformation and privacy that travelers "pay" - information that isused to investigate and pre-clear them for travel.

There are merits to the Orlando pilot, which will use aprivately issued identification card. Private card issuers makeprivacy promises that are legally enforceable, which no governmentprogram has done, or can do. The "Clear" card to be used in Orlandoparticularly promises to dispose of data about travelers'movements, which is a notable anti-surveillance feature. Uniformidentification systems are harmful to interests like privacy,autonomy, and liberty, so the emergence of a private identificationsystem like this is welcome.

The TSA should avoid inadvertently picking winners and losers.It should open private card issuance to competition, which willtend to drive down prices and increase the appeal of the system toconsumers. Also, if Registered Traveler is expanded, the TSA shouldselect airports based on neutral standards.

There are problems with Registered Traveler. It is unseemly tohave government agents associated with segregating "preferred"travelers from others. The Registered Traveler program essentiallydenies fairness, due process, and privacy protections tovolunteers. And the "voluntariness" of the program could disappearat any time. Because it is a government program, no promise aboutit being optional can be assured.

The problems with Registered Travel are premised on the error inhaving government provide security services to the airtransportation industry. There are emotional and politicaljustifications for it, but there is no principled, security-based,or economic rationale for providing a massive security subsidy toairlines.

The government checkpoints that Americans must pass through inorder to travel are an affront to American freedom and civilliberties. They require travelers to submit to government searchand seizure based on no suspicion and to show papers in order toexercise the important liberty interest of traveling within theirown country.

Identification-based security is intuitive but deeply flawed asa protection against terrorism. Private responsibility for airlinesafety would better secure us against the threat of terrorism,using all the tools that our free society has at its disposal.


Chairman Lungren, Ranking Member Sanchez, and Members of theSubcommittee -

Thank you for examining the Registered Traveler program throughtoday's hearing. I appreciate the opportunity to share my viewswith you.

I am Director of Information Policy Studies at The CatoInstitute. The Cato Institute promotes fundamental Americanprinciples of limited government, individual liberty, free markets,and peace. The Jeffersonian philosophy that animates Cato is oftencalled "libertarianism" or "market liberalism." It combines anappreciation for entrepreneurship, the market process, and lowertaxes with strict respect for civil liberties, and skepticism aboutthe benefits of both the welfare state and foreign militaryadventurism.

At Cato, I study, write, and speak about the difficultchallenges of adapting law and policy to the unique problems of theInformation Age. My areas of study include privacy, data security,identification, surveillance, and cybersecurity, as well asintellectual property, telecommunications, and Internetgovernance.

I am also the Editor of Privacilla.org, a Web-basedthink-tank devoted exclusively to privacy. On the Privacilla site,there are hundreds of pages of material about privacy, includingbook reviews and discussions of privacy fundamentals, privacy fromgovernment, and topics such as online privacy, financial privacy,and medical privacy.

Recently, I was appointed by the Secretary of the Department ofHomeland Security to serve as a member of the Department's DataPrivacy and Integrity Advisory Committee. This group is constitutedto advise the Secretary and the DHS Chief Privacy Officer onprogrammatic, policy, operational, administrative, andtechnological issues within DHS that affect individual privacy, aswell as data integrity, data interoperability and otherprivacy-related issues.

The Privacy Advisory Committee will have its second meeting inBoston next week. We are only beginning our work and deliberationsso nothing in my testimony, oral or written, reflects the views ofthe Privacy Advisory Committee or any other member of theCommittee. I am confident, however, that the Privacy AdvisoryCommittee appreciates the attention being paid us by Members ofCongress. Mr. Thompson, the Ranking Member of the full HomelandSecurity Committee and an ex-officio Member of thisSubcommittee, was good enough to come speak to our first meeting inearly April, as did Mr. Cannon of Utah, who serves on the Judiciaryand Government Reform Committees.

I am currently writing a book on identification calledIdentity Crisis: How Identification Is Overused andMisunderstood. It is slated for publication early next yearand will address many of the issues in current airline securityprograms on at least a theoretical level.

In my testimony below, I have first done what I can to highlightthe good elements of the Registered Traveler program. I have manyreservations about Registered Traveler, which I address second. Mydeep misgivings about the entire system that Registered Travelertries to fix come last, but please consider these equally ascarefully. Their position at the end of my testimony should notsuggest that they are my least important contribution. Indeed, theyare probably the most important.

Though I am highly concerned with, and critical of, our currentapproach to airline security, I acknowledge without reservationthat the people working on these policies at the Department ofHomeland Security and the Transportation Security Administration doso in good faith, with the best interests of our country, itspeople, and our tradition of freedom in their hearts.

Registered Traveler Summarized

Like the beneficent motives of the people at DHS and TSA, thereis no doubt about the good intentions behind the RegisteredTraveler program. Some relief from the uncertainty and delay fortravelers at airports is certainly in order. Anything that willrestore our air transportation system to better functioning is awelcome effort.

Registered Traveler amounts to the following "deal" for airtravelers: If you submit information to the government and pass abackground investigation (also paying a fee in some cases), youwill be given slightly less inspection, on average, at airportcheckpoints. Registered Travelers will generally have their ownlines at checkpoints and will not be subject to random secondaryscreening and other security measures in place for the generalpopulation.

Stated in different terms, the program works like this: Airportcheckpoints now amount to a tax on travelers in two ways: intravelers' time and in their privacy/anonymity. Users of RegisteredTraveler will pay a privacy/anonymity fee by handing informationover to the government (the fee, paid in lost privacy, is higherthan the tax, because more personal information is used), and acash fee in some cases. In return, less of their time will be taxedaway through waiting in lines at airports.1

People often trade privacy for convenience which is why someestimates of American travelers' participation are relatively high.Though there are many reasons for concern, there are interestingpotential benefits from a version of Registered Traveler slated tobegin soon in Orlando, Florida.

The Innovative Orlando Version: Privately IssuedIdentification

The Orlando version of Registered Traveler includes what I thinkis a fascinating and welcome innovation: the use of a privatelyissued identification card. The Greater Orlando Airport Authorityhas entered into an agreement with a private identification cardissuer called Verified Identity Pass, Inc. This company willmarket, issue, and operate Orlando's Registered Traveler card underthe brand name "Clear." Clear will collect information fromapplicants for Registered Traveler, including fingerprints and irisimages. These are highly accurate biometric identifiers thatmachines can read fairly well today. It will forward applicants'personal information to the TSA so that the TSA can investigate theapplicants. (As discussed below, conditioning travel on governmentinvestigation is not okay, but my focus in this section is what isgood in Registered Traveler.) Once the applicant has been approvedby the TSA, the Clear card can be used to access airportconcourses.

At the airport, the Clear member will place the card in a readerand allow his or her finger or iris to be scanned. The scan will becompared to the biometric information embedded in the card using analgorithm designed for matching these biometrics. Meanwhile, aunique identifier on the card will be compared to a database ofmembers' identifiers. If the card information matches the personcarrying it, and if the card identifier is on the list of approvedcards, the Clear member will continue through the expeditedRegistered Traveler line. Privately Issued Identification Cardsare Good

Reading the privacy policy on the Verified Identity Pass Website illustrates why privately issued identification is superior.It is for a reason that might be surprising: because the VerifiedIdentity Pass privacy policy is a contract. It gives Clearmembers enforceable legal rights and it gives potential applicantsinformation that they can rely on when deciding whether to use it.A private identification issuer like the Clear program submitsitself to enforceable contractual terms and commits itself tofuture actions consistent with its contract.

Neither of these things is true of government privacy policiesor the Privacy Act notices published routinely in the FederalRegister. Privacy Act notices can be changed merely by a newpublication. Congress and federal agencies can change the privacycommitments they have made, denying recourse to citizens, becausethese government entities are lawmakers not law subjects.

A program like the Orlando Registered Traveler, operated as itis by a private identification card issuer, can be much moreprotective of privacy than a government operated program, aboutwhich future privacy consequences cannot be predicted. And, as Idiscuss below, the Clear program is more protective of travelinformation than the government programs we have seen.

For years, the American Association of Motor VehicleAdministrators has been trying to build the role of Departments ofMotor Vehicles in American life and commerce. They are among asmall few who seem to recognize that identification is an importantand useful economic and social tool. AAMVA and the DMV bureaucratsthey represent are seeking to use the power of government toperpetuate the happenstance - the mere historical accident - thatthe most common and recognized identification services are providedby governments. It does not have to be this way, and it should notbe this way.

Uniform Identification Systems Are Bad

In my forthcoming book, I summarize and build on the work ofmany scholars and advocates who have shown that uniformidentification systems have significant negative consequences forimportant interests that Americans cherish, both as citizens and asconsumers.

Uniform identification systems enable surveillance by bothpublic and private entities. They are a tool that undermines theprivacy and obscurity people enjoy every day. That is, governmentsuse uniform identification to watch and record the movements andactions of citizens, often contrary to their interests. Likewise,companies and marketers watch and study consumers. This is usuallydone for the purpose of improving customer service, product design,marketing, and so on, but many people object to it. They are freeto do so and would be better able to prevent such monitoring ifthere were more choice among different identification systems.

Exacerbating the problem, the existence of uniformidentification systems makes it easier for more institutions todemand identification than otherwise would. Most consumers accedeto requests for identification when they check into hotels, enterbuildings, and so on because it is easier to do so than to ask whyor to refuse. For this reason, identification is becoming overused.It is often not actually necessary or useful for a transaction, butit gets added for marginal-to-nonexistent security reasons, or tocreate the impression of security. This kind of identificationallows further surveillance. All private surveillance creates datathat, in the current legal environment, government authorities mayreadily seize.

Uniform identification systems expose consumers and citizens tosignificant dangers. Our national identifier, the Social SecurityNumber, and traditional second identifiers like the mother's maidenname are used too often by too many institutions. This makesidentity fraud easier and more profitable. It means that a fraud onone identification system can multiply and by used in many systems,including security systems. If each institution used distinctidentification mechanisms, identity fraud would drop in number andin both cost and consequence. (This measure is not without costsitself, of course.)

Likewise, uniform identification systems expose citizens to therisk of official confiscation. Currently, access to more and moregoods, services, and infrastructure is being made contingent onshowing a single identification, the driver's license. With thistrend, there is an increasing risk that authorities may - legallyor illegally - take away identification documents, effectivelydepriving people of their ability to function in society.

Most totalitarian governments in history have used uniformidentification systems as a powerful administrative tool.Totalitarianism does not arise because of uniform identification,but uniform identification systems help totalitarian governments bethat way. We are better off, and our freedom stands on strongerfooting, if we have heterogeneous identification systems, includingthings like the Clear identification card.

Privately issued identification cards like the Clear card slatedfor use in Orlando will help create the heterogeneousidentification system that we need in the United States. Though notentirely sufficient - not by a long shot - diversity ofidentification systems is one bulwark of liberty that will payAmericans enormous dividends in freedom and autonomy during therapidly advancing digital age.

Private identification systems can put people, as both consumersand citizens, in a better position to control information aboutthemselves. The alternative is massive, uncontrolled informationsharing and data pooling that empowers governments and corporationsover individuals.

Clear Under the Microscope

I have sung the praises of private identification cards likeClear, noting particularly that they are subject to law rather thanthe whim of lawmakers. This does not mean they are flawless. Alongwith some particular benefits, there are potential drawbacks to theClear identification system, particularly in its interaction withthe TSA program.

Foremost, the Clear system appears designed for resistance tosurveillance of travelers' movements. This is an attractivefeature, laid out in the privacy policy as a firm contract withmembers. Specifically, Verified Identity Pass tells us:

For purposes of real-time maintenance and customersupport (e.g., if your card doesn't work, we need to be able to runtests to understand why), we will maintain "log files" of entrancesto local venues. However, we keep such records only at thatlocation, we purge these records automatically every 24-48 hours,and we have designed our network so that neither Verified ID norits subcontractors, including Lockheed Martin Corporation, cantrack and record Members' activities from location tolocation.

Assuming the Clear system works as stated - and if it does notVerified Identity Pass is on the hook for deceiving its customers -this is a tremendous anti-surveillance feature that has never beenseen in government operated programs.

To the extent they revealed information in their Privacy Actnotices, programs like CAPPS II and Secure Flight have beenambiguous about how long they would maintain information aboutAmericans' travels in their records. Indeed, the Privacy Act noticefor the Registered Traveler pilot, covering TSA's portion of theprogram, says that data will be retained "in accordance with aschedule to be approved by the National Archives and RecordsAdministration." This is both perfectly ambiguous and subject tochange by a subsequent Federal Register notice, whether or notparticipants in Registered Traveler might object.

Clear's contractual promise to use a surveillance-resistant datadestruction policy is a major improvement over the alternatives wehave seen so far.

Clear's system is not unambiguously good. I note that theycollect and store digital images of applicant s' fingerprints andirises, apparently passing those on to the TSA as well. The dataused to compare a Clear member with biometric data on a Clear cardis not an image of the biometric itself but a sort of mathematicaldescription of the biometric. Keeping a copy offingerprint and iris images themselves may expose Clear members tofuture high-tech iterations of identity fraud if Verified IdentityPass' systems or TSA's systems are hacked or otherwise compromised.There is no obvious rationale for saving images of these biometricsor for sharing copies with the TSA.

Another concern is an apparent conflict between differentsections of the Verified Identity Pass privacy policy. In section5, it says it will comply with valid subpoenas, court orders, orother legal processes that require sharing of Member informationwith others. This suggests, without stating clearly enough, that itwill share information only in these cases. In section8(C), the policy says that Verified Identity Pass will shareinformation "[i]f the government asks us" in cases when a member isremoved from TSA's list of approved Registered Travelers. Loosewording in these two sections combine to create flimsy privacyprotections against government entities for users of the Clearcard.

Of greatest concern, of course, Clear passes identity andbackground information to the TSA, which is subject to none of theobligations in the Clear privacy policy. This problem arises from,and inheres in, government-provided security programs, discussed indetail below.

It is not for me to decide whether Clear provides adequateprivacy-protective terms to prospective members. Privacy advocates,a watchdog press, the exposure brought by this Subcommittee'shearing, and many other actors and events will shape whether thisproduct meets with the acceptance of consumers. Happily, though,these questions will be decided in a marketplace, where consumershave choices, as opposed to a government process where they donot.

Next, I will discuss how this marketplace can be improved.

Avoid Picking Winners and Losers

Too often with government programs and regulations, winners andlosers are chosen through superior lobbying or luck rather than themerits of how well they serve consumers. In at least two respects,Registered Traveler, and the Orlando version of it, can be improvedso that competition forces providers to serve consumers better.

Below, I will discuss the relatively large expense of RegisteredTraveler and Clear cards, particularly for people who travelrarely. This could create the impression of inequity - a classsystem - that carries the apparent approval and backing of the TSA.I have written above about concerns with the privacy terms offeredby Verified Identity Pass to Clear users, though they are generallygood. Competition can both lower the price and broaden the appealof Registered Traveler, and potentially improve the privacyprotections in private identification systems like Clear.

Registered Traveler should operate using uniform, neutral, andpublished (though, of course, secure) standards and protocols forbiometric algorithms and for communication between cards andreaders. This would enable other identification card issuers toenter the market, competing to serve Orlando customers andtravelers at other airports as they come into the program. Uniformstandards and protocols would also allow the identification cardsused for Registered Traveler to be used in other settings such asoffice buildings.

Under the monopoly granted by the Orlando airport authority,Verified Identity Pass appears positioned to collect a relativewindfall of $80 to $100 per customer per year, according to reportsand the company's Web site, just for issuing the Clear card. (Someof this may go to the TSA to pay for investigations.) In the faceof competition among identification card issuers, the price to theOrlando air traveler could drop quickly. Competitive identificationcard issuers would also likely pick at each others' privacy andanti-surveillance offerings and try to cater better to consumers'concerns, to the extent the TSA's terms allow them to do so.

Imagining further what might happen in a competitiveenvironment, airlines might offer branded Registered Traveler cardsto their customers for free to build loyalty. They may group cardswith other concierge services for their best travelers. This isfine for private companies to do, though not for the government toaffiliate itself with (as discussed below). Other card issuers mayseek the low end of the market and offer Registered Traveler cardsas inexpensively as possible to the occasional vacationtraveler.

There is a wide array of possibilities and I cannot predict howthe market for identification services would take shape. None ofthese beneficial practices would overcome the deep flaws in thecurrent government-provided air security system discussed below.The background investigations done by the TSA could and should alsobe competitively provided based on full permission from travelers.But, so long as this system exists, there are potential benefits toconsumers and to society as a whole from a private identificationmarket. These benefits should be harvested.

Likewise, if it expands Registered Traveler, TSA should offerthe programs to airports based on neutral standards rather thansuperior lobbying and relationships. It should expand into marketsrather than airports, so that one airport in a market is not givencompetitive advantage over another.

People often confuse free-market advocacy like mine withpro-business advocacy. In fact, unhampered markets are very toughon businesses because they force businesses into sharp competitionwith one another to serve consumers. Subjecting the identificationbusiness to competition will help ensure that it is attractive toconsumers and oriented to serve their interests, including privacy.Doing whatever is possible to prevent distortion of competitionamong airports should also be a goal of Registered Traveler.

Registered Traveler has some merits - in particular, the use ofa privately issued identification card. It has plenty of demeritsthat must be considered as well.

Problems with Registered Traveler

Having sought the good from Registered Traveler, I now turn tothe bad. There a variety of problems that attach to the program,some of which have been alluded to above. It is difficult tointermingle the government and private sector as closely asRegistered Traveler does. In the final sections of my testimony Iargue against that entire approach. What follows here is adiscussion of several issues that arise from that policy as itmanifests itself in Registered Traveler.

Inequity

Users of the Registered Traveler system to date have beeninvitees of the airlines and regular business travelers much morethan average or occasional flyers. It appears that RegisteredTraveler will ultimately be funded by fees, and the version ofRegistered Traveler being adopted in Orlando will be based on an$80 annual fee. In light of the fees and inconvenience of joiningthe program, Registered Traveler will probably not be used byoccasional travelers and travelers of limited means. Thus,Registered Traveler will have all the hallmarks of a benefitreserved for the wealthy.

It is discomforting that TSA agents will be actively involvedin, and associated with, segregating "preferred" passengers fromeverybody else in the flying public. Airlines should be free tosegment their customers, of course, and business travelers arecertainly a valuable segment, but Registered Traveler appearslikely to put the government's imprimatur on these divisions.

According to the Washington Post, Verified Identity Pass, thecompany that will be providing Clear cards for Orlando, will share29% of the revenue with the airport authority and as much as 22.5%in succeeding years, as well as 2.5% of Clear's future nationwiderevenue. This puts the airport authority in a position to benefitfrom moving travelers from the regular line into RegisteredTraveler.

The easiest way to do this is to maintain consistent long linesfor non-Registered Travelers. Eliminating wait times anduncertainty for the general public would reduce the attraction ofthe Registered Traveler program and the airport could lose Clearrevenues by doing so.

At the least, the Orlando airport's incentive structure will beclouded by this arrangement. The incentives created by thearrangement between Clear and the Orlando airport authority mayexacerbate long lines and the sense of inequity created by theRegistered Traveler program, a sense that will be inextricablylinked to the TSA and U.S. government.

If airline security were handled by airlines themselves, ofcourse, this problem would disappear. Some airlines specificallytarget the business segment and others target the low-faretraveler. Each could customize their security programs to meet thetastes and demands of their customers.

Fairness, Due Process, and Privacy

According to the Privacy Impact Assessment for the RegisteredTraveler program's pilot phase, applicants for the RegisteredTraveler program who are denied will not be given the opportunityto appeal or have other redress. As the program expands, asignificant number of people may be unable to participate inRegistered Traveler.

If the system goes forward without a full-fledged redressprocedure, this will be at least unfair to many people. Whengovernment action affects property or important liberty interests,this triggers the requirements of the constitution's Due Processclause. Given the long-recognized liberty interest in travel, it islikely that denying people the right to participate in theRegistered Traveler program without appeal or redress will violateDue Process. Attempting to participate in the program, but beingdenied, may mark a traveler for future difficulties when he or sheattempts to fly.

This would be equally true in the Orlando version of theprogram, in which a private company would collect personalinformation from applicants, forward it to the government for theinvestigation, and deny an application based on the governmentfindings. The interposition of a private company does not affectthe constitutionality or fairness of denying applications withoutrecourse.

There are many other interests that Registered Traveler deniesto volunteers. Indeed, in a Federal Register notice published justyesterday, TSA exempted the system from many protections of thePrivacy Act, including the right to an accounting of disclosures,the right to access one's records, and the requirement thatinformation in a traveler's file be relevant and necessary to theTSA's statutory purpose.

Volunteers for the Registered Traveler program may be seekingbetter treatment at airports, but they may end up gettingsubstantially worse treatment by their government.

Voluntariness

Speaking of volunteering, the Registered Traveler brochure onthe Transportation Security Administration's Web site callsparticipation in the program "completely voluntary." This is trueat the present time, of course, and nobody intends for RegisteredTraveler to be mandatory - just like no one intended the SocialSecurity Number to be used for identification.

No one can predict the future and no one - lawmaker, bureaucrat,or seer - can say for certain that the Registered Traveler programwould never become mandatory. Indeed, there is good reason toobject to the program in its entirety simply because it builds atraveler surveillance infrastructure and conditions people toaccept government investigation as a prerequisite for travelingwithin the United States. After some future attack on the UnitedStates with significant loss of life, Registered Traveler mayquickly be extended in any number of directions and made mandatory- without regard to its real utility in terrorism prevention.

In addition to the possibility that registration might bemandated directly in the future, the "voluntariness" of RegisteredTraveler can be eroded by maintaining consistently bad, slowservice in the non-Registered Traveler lines at airports. Asdiscussed above, the Orlando airport will have mixed incentivesunder its arrangement with Verified Identity Pass. Were airportsand the Transportation Security Administration to continuallymaintain sub-standard service in the standard passenger lanes,Registered Traveler could remain voluntary in the technical sincewhile becoming practically mandatory if a traveler actually wantsto get somewhere on an airplane.

The risk that Registered Traveler could become mandatory isgrave.

Registered Traveler has some merits that I have featured above.A number of problems with the program exist. They are rooted in theprovision of air security to the airlines by the government. Thispremise is a deep and fundamental flaw that I have reserved to thelatter part of my testimony.

Providing Government Security Services to PrivateIndustry is Error

Though I have done my best, the Registered Traveler program cannot be discussed in isolation. The program is intimately bound upwith the provision of government security services to the airlineindustry, at taxpayer expense. It is also premised on the existenceof government checkpoints that condition Americans' access totravel, an important and long-recognized liberty interest. Totravel by airplane today, one must submit to seizure and search bygovernment officials and one must show identification to governmentofficials as well.

Though there are plenty of emotional and politicaljustifications for it, there is no principled security-based oreconomic rationale for it. Putting government in the privatesecurity business opens the door to substantial incursions on civilliberties, which are occurring at airports daily.

The instinct to bring the full weight of the government intosecuring air travel is understandable. Attacks on airtransportation have often had political motivations. The firstrecorded attack, in May 1930, saw Peruvian revolutionaries seizinga Pan American mail plane with the aim of dropping propagandaleaflets over Lima.

Hijackings and other terrorist acts often spur knee-jerk, andoften wasteful or misdirected, responses. In that sense, terroristsoften succeed at injuring their targets even when the directeffects of their actions may be small.

Because it is so important to understand this, I have attachedto my testimony an article from the Fall, 2004 issue ofRegulation magazine called "A False Sense of Insecurity? "In it, Ohio State University national security expert John Muellershows that leadership in the fight against terror involvesinforming the public of the real risks from terrorist acts ratherthan just catering to public fears.

The rash of hijackings to and from Cuba in the late 1960s hadobvious political motivations and consequences. A spate of eighthijackings in January 1969 brought the Federal AviationAdministration into the air security business with the creation ofthe Task Force on the Deterrence of Air Piracy. The Task Forcedeveloped a hijacker "profile" to be used along with magnetometersto screen passengers.

In the first few days of September 1970, two American planes, aSwiss plane, and a British plane were hijacked and destroyed withexplosives on the ground in Jordan and Cairo. The perpetrators inthe Popular Front for the Liberation of Palestine had an obviouspolitical motive. They elicited a super-prompt response in theUnited States which was very unlikely to have been carefullycalculated for optimal terrorism suppression. On September 11,1970, just days after these bombings, President Richard Nixonrushed out a comprehensive anti-hijacking program that included aFederal marshal program. Since then, the federal government has hadits hand in airline security, mandating various security practicesand supplying guards at taxpayer expense to commercial passengerairlines.

The attacks of September 11th, 2001 - thirty-one years to theday from President Nixon's move to bring the government intocommercial air security - horrified all Americans and filled uswith anger and dread. Congress reacted to the provocation withnatural protectiveness. The Aviation and Transportation SecurityAct, signed into law a little more than two months after theattacks, increased the government's role in airline security evenfurther.

This politically appealing response was not necessarily thebest. Had the lines of authority for transportation security neverbeen blurred by federal government involvement, the Al Qaedakillers planning the 9/11 attacks might have faced a heterogeneousand unpredictable security system operated by multiple airlines,each one motivated by the fact that their continuing operationsrelied on keeping their passengers safe and secure.

This is not to say that airlines with full responsibility forsecurity would have had perfect anti-terror records or even wouldhave defeated the 9/11 plot. The weaponization of planes - adestructive technique not seen since the kamikaze attacks byJapanese forces in World War II - was a risk that no institution,public or private, seems to have considered. At best, though, theresponsibility for airline security was mixed on 9/11. Unclearresponsibility tends to degrade results.

The situation got worse with the airline bail-out, creation ofthe victims' compensation fund, and creation of the TransportationSecurity Agency. These steps have contributed to "moral hazard" (inthe lexicon of insurance economics) around terrorism prevention:Decision-makers in the companies that control most of America'simportant infrastructure have seen that failing to protectthemselves from terrorist threats may result in substantialimmediate subsidies, release from liability, and an ongoinggovernment subsidy of their security operations. The fate that theairlines "suffered" after 9/11 was a substantial infusion ofvarious kinds of corporate welfare.

Airport Checkpoints and Identification Requirements AreSuspect

With good intentions and for good reasons, the RegisteredTraveler program seeks to overcome flaws in the TransportationSecurity Administration's screening program. But it addresses onlya narrow part of one flaw: the substantial time delay fortravelers. There are many others.

Foremost, TSA screening areas are government checkpoints thatmay be unconstitutional and that are certainly defective policy.When government officials stop and inspect citizens and theirbelongings, these are Fourth Amendment searches and seizures which,according to the terms of that Amendment, must be reasonable.

Two lines of Supreme Court cases are relevant. In one line(Terry v. Ohio), authorities have some level of suspicionabout particular people that they have stopped. This is clearly notapplicable to TSA checkpoints at which government officials stopand search everyone. The other line addresses checkpoints - inwhich everyone passing through a particular area is seized, ifbriefly, based on no particular suspicion whatsoever.

The most recent case, Indianapolis v. Edmond (2000),struck down a checkpoint set up for general law enforcementpurposes. The Supreme Court specifically declined to decide whetherits decision applied to airports or government buildings.

The future case that addresses checkpoints at long-distancetransportation centers will have high stakes on both sides if itsquarely addresses whether exercising the liberty to travel can beconditioned by government officials on submitting to search andseizure. If suspicionless searches and seizures at airports arereasonable under the Fourth Amendment because of the substantialdanger to the public involved, this limitless rationale willvalidate checkpoints wherever some gross crime could or does occur:shopping malls, tunnels, factories, subways and so on. This is aroadmap for terrorists who wish to sap our economic strength andthe vitality of our free people.

Overlaying these issues is the question of government-mandatedidentification at checkpoints. The recent Hiibel casewhich validated the requirement that someone tell an officer his orher name tracks to the Terry v. Ohio Fourth Amendmentcases because the subject in that case was under suspicion.Suspicionless identification requirements have not been tested inthe courts. A prominent case called Gilmore v. Gonzalespending in the Ninth Circuit may reveal what law or regulation, ifany, actually requires the showing of identification at TSAcheckpoints, and whether such a law is constitutional.

The constitutional questions about checkpoints andgovernment-mandated identification underscore important policyquestions that deserve careful, rational consideration. The FourthAmendment is a constitutional rule, but also a sensible policyguideline. Searching the 99.99% of Americans who are 110% insupport of the United States against the terrorists may be a wasteof resources and time. These resources might be better devoted tofar more selective and particularized searching, developing humanintelligence, following leads, and tracking down genuine suspectsof crime, terrorism, and related conspiracies.

The theory of identification-based security has significantflaws. People tend to believe that knowing who a person is reducesthat person as a threat. This is true in normal life because innormal life people who are known can be held accountable.Terrorists are not accountable, however. They are willing to die.Capturing the identity of all who would board an airplane doesnothing to thwart committed terrorists. Checking identification mayprop up the mistaken feeling the general public has of being safersitting next to someone who the government has "checked out." It isdisrespectful folly to deceive the American people this way.

Checking identification for the purpose of comparing airtravelers to lists of suspects or no-flyers is also deeply flawedand unlikely to interdict committed terrorist groups. An MIT studycalled "Carnival Booth: An Algorithm for Defeating theComputer-Assisted Passenger Screening System," has shown thatterrorists can defeat screening programs. By traveling multipletimes before carrying out an attack, terrorists can determinewhether or not they are subject to special screening. Those who arenot subject to screening can be assigned to act. Again, thisbrittle security policy provides a roadmap to terrorists.

If terror suspects are known, watch lists are analogous toplacing wanted posters in Post Offices - and then waiting forthe criminals to go to the Post Office. True terror suspectsshould be sought out, investigated, arrested, and prosecuted.Non-suspects should be free to travel.

Identification can have some role in suppressing the risks ofterrorist attacks. There is probably a close, but imperfect inversecorrelation between "depth" in the community -children, family,ownership, liberal education, etc. - and propensity to terrorism.Identification and investigation can reveal such background, butpeople have consistently rejected the background checks envisionedfor CAPPS II and Secure Flight. Background checking should be aconsensual service, provided by airports and airlines. Because thecorrelation is imperfect, of course, securing infrastructureagainst tools and methods of attack will always be needed.Searching for weapons or bombs should probably remain a part of thesecurity practice in commercial aviation for the indefinitefuture.

This all presumes that weaponization of a plane remains a risk.It does not. Hardened cockpit doors have driven that risk downsubstantially. In fact, that risk was virtually eliminated by 9:57a.m. on the morning of September 11, 2001. That was the time thatthe passengers on United 93 attacked the cockpit. They realizedthat the airline security system had failed them and cooperatingwith the hijackers would not save them. Indeed, it would take thelives of others. These passengers at least ensured that theirflight would not be used as a giant bomb like the others. No joycomes from recounting this event, but it does illustrate the betterresult when security is provided by interested parties with a realstake in the outcome.

To do airline security best, it should be done by the airlinesthemselves, in ways that they find to best protect their, and theirpassengers', interests. They are the ones who have something on theline. In case that is a subject of doubt: no air carrier isinsurable post-9/11, and thus no air carrier is operable, if itdoes not take precautions fully sufficient for the risks topassenger aviation we all now recognize.

Likewise, in a fully private system, every major investigativenews operation would be poring over airline security and sneakingdangerous items onto planes so that they could report on airlines'failings. The threat this publicity would bring to passenger levelsand revenues would put airlines in a security frenzy. Airlinesecurity would be better and more creatively tested by the nation'senterprising reporters under a private system than it is today inthe monolithic government systems we are limping along with. Thestrongest tools our society has to fight terror are still lying onthe ground, unused.

Airlines are not subject to constitutional limitations like theFourth Amendment. Were airline security restored to private hands,the airlines could condition travel on search, identification, orwhatever other measure they thought would protect their airplanesand passengers. They would implement these security practices inways that nest with and balance passenger comfort and privacy, goodcustomer service, profitability and all the other interests thatbusinesses must serve in order to survive. Each passenger, informedby our watchdog press, could choose the airline which he or shebelieved to be most secure.

Despite my deep reservations about the current stance of airlinesecurity, I have endeavored to constructively highlight what isgood and bad about the Registered Traveler program. The emergenceof a privately issued identification system, subject to contractualobligations that protect privacy and resist travel surveillance, isa welcome innovation. Whether it will appeal to the public is anopen question that has many facets. And whether Registered Travelerwill or should survive is another question. Probably, it should goaway as airlines retake responsibility for a security role that isproperly theirs.

"A False Senseof Insecurity," by Jim Harper, Regulation Magazine,Vol.27, No. 3, Fall 2004 (PDF, 5 pp, 97 Kb)


1 The plans of VerifiedIdentity Pass, Inc., at the Orlando, Florida, airport are discussedin detail below. According to the Washington Post, thecompany expects to have 3.3 million customers for its "Clear"Registered Traveler identification card within six years at annualmemberships fees of $100. This estimate holds that far in excess of330 million dollars worth of consumer time each year is wasted bythe wait times and uncertainty of wait times at airports.

Additional SubmittedTestimony, (PDF, 1 pp, 60 Kb) June 22, 2005.

Jim Harper

Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity
Committee on Homeland Security
United States House of Representatives