Registered Traveler seeks to overcome the delay at airports, a tax on travelers time, by increasing the amount of personal information and privacy that travelers “pay” — information that is used to investigate and pre-clear them for travel.
There are merits to the Orlando pilot, which will use a privately issued identification card. Private card issuers make privacy promises that are legally enforceable, which no government program has done, or can do. The “Clear” card to be used in Orlando particularly promises to dispose of data about travelers’ movements, which is a notable anti-surveillance feature. Uniform identification systems are harmful to interests like privacy, autonomy, and liberty, so the emergence of a private identification system like this is welcome.
The TSA should avoid inadvertently picking winners and losers. It should open private card issuance to competition, which will tend to drive down prices and increase the appeal of the system to consumers. Also, if Registered Traveler is expanded, the TSA should select airports based on neutral standards.
There are problems with Registered Traveler. It is unseemly to have government agents associated with segregating “preferred” travelers from others. The Registered Traveler program essentially denies fairness, due process, and privacy protections to volunteers. And the “voluntariness” of the program could disappear at any time. Because it is a government program, no promise about it being optional can be assured.
The problems with Registered Travel are premised on the error in having government provide security services to the air transportation industry. There are emotional and political justifications for it, but there is no principled, security-based, or economic rationale for providing a massive security subsidy to airlines.
The government checkpoints that Americans must pass through in order to travel are an affront to American freedom and civil liberties. They require travelers to submit to government search and seizure based on no suspicion and to show papers in order to exercise the important liberty interest of traveling within their own country.
Identification-based security is intuitive but deeply flawed as a protection against terrorism. Private responsibility for airline safety would better secure us against the threat of terrorism, using all the tools that our free society has at its disposal.
Chairman Lungren, Ranking Member Sanchez, and Members of the Subcommittee -
Thank you for examining the Registered Traveler program through today’s hearing. I appreciate the opportunity to share my views with you.
I am Director of Information Policy Studies at The Cato Institute. The Cato Institute promotes fundamental American principles of limited government, individual liberty, free markets, and peace. The Jeffersonian philosophy that animates Cato is often called “libertarianism” or “market liberalism.” It combines an appreciation for entrepreneurship, the market process, and lower taxes with strict respect for civil liberties, and skepticism about the benefits of both the welfare state and foreign military adventurism.
At Cato, I study, write, and speak about the difficult challenges of adapting law and policy to the unique problems of the Information Age. My areas of study include privacy, data security, identification, surveillance, and cybersecurity, as well as intellectual property, telecommunications, and Internet governance.
I am also the Editor of Privacilla.org, a Web-based think-tank devoted exclusively to privacy. On the Privacilla site, there are hundreds of pages of material about privacy, including book reviews and discussions of privacy fundamentals, privacy from government, and topics such as online privacy, financial privacy, and medical privacy.
Recently, I was appointed by the Secretary of the Department of Homeland Security to serve as a member of the Department’s Data Privacy and Integrity Advisory Committee. This group is constituted to advise the Secretary and the DHS Chief Privacy Officer on programmatic, policy, operational, administrative, and technological issues within DHS that affect individual privacy, as well as data integrity, data interoperability and other privacy-related issues.
The Privacy Advisory Committee will have its second meeting in Boston next week. We are only beginning our work and deliberations so nothing in my testimony, oral or written, reflects the views of the Privacy Advisory Committee or any other member of the Committee. I am confident, however, that the Privacy Advisory Committee appreciates the attention being paid us by Members of Congress. Mr. Thompson, the Ranking Member of the full Homeland Security Committee and an ex-officio Member of this Subcommittee, was good enough to come speak to our first meeting in early April, as did Mr. Cannon of Utah, who serves on the Judiciary and Government Reform Committees.
I am currently writing a book on identification called Identity Crisis: How Identification Is Overused and Misunderstood. It is slated for publication early next year and will address many of the issues in current airline security programs on at least a theoretical level.
In my testimony below, I have first done what I can to highlight the good elements of the Registered Traveler program. I have many reservations about Registered Traveler, which I address second. My deep misgivings about the entire system that Registered Traveler tries to fix come last, but please consider these equally as carefully. Their position at the end of my testimony should not suggest that they are my least important contribution. Indeed, they are probably the most important.
Though I am highly concerned with, and critical of, our current approach to airline security, I acknowledge without reservation that the people working on these policies at the Department of Homeland Security and the Transportation Security Administration do so in good faith, with the best interests of our country, its people, and our tradition of freedom in their hearts.
Registered Traveler Summarized
Like the beneficent motives of the people at DHS and TSA, there is no doubt about the good intentions behind the Registered Traveler program. Some relief from the uncertainty and delay for travelers at airports is certainly in order. Anything that will restore our air transportation system to better functioning is a welcome effort.
Registered Traveler amounts to the following “deal” for air travelers: If you submit information to the government and pass a background investigation (also paying a fee in some cases), you will be given slightly less inspection, on average, at airport checkpoints. Registered Travelers will generally have their own lines at checkpoints and will not be subject to random secondary screening and other security measures in place for the general population.
Stated in different terms, the program works like this: Airport checkpoints now amount to a tax on travelers in two ways: in travelers’ time and in their privacy/anonymity. Users of Registered Traveler will pay a privacy/anonymity fee by handing information over to the government (the fee, paid in lost privacy, is higher than the tax, because more personal information is used), and a cash fee in some cases. In return, less of their time will be taxed away through waiting in lines at airports.1
People often trade privacy for convenience which is why some estimates of American travelers’ participation are relatively high. Though there are many reasons for concern, there are interesting potential benefits from a version of Registered Traveler slated to begin soon in Orlando, Florida.
The Innovative Orlando Version: Privately Issued Identification
The Orlando version of Registered Traveler includes what I think is a fascinating and welcome innovation: the use of a privately issued identification card. The Greater Orlando Airport Authority has entered into an agreement with a private identification card issuer called Verified Identity Pass, Inc. This company will market, issue, and operate Orlando’s Registered Traveler card under the brand name “Clear.” Clear will collect information from applicants for Registered Traveler, including fingerprints and iris images. These are highly accurate biometric identifiers that machines can read fairly well today. It will forward applicants’ personal information to the TSA so that the TSA can investigate the applicants. (As discussed below, conditioning travel on government investigation is not okay, but my focus in this section is what is good in Registered Traveler.) Once the applicant has been approved by the TSA, the Clear card can be used to access airport concourses.
At the airport, the Clear member will place the card in a reader and allow his or her finger or iris to be scanned. The scan will be compared to the biometric information embedded in the card using an algorithm designed for matching these biometrics. Meanwhile, a unique identifier on the card will be compared to a database of members’ identifiers. If the card information matches the person carrying it, and if the card identifier is on the list of approved cards, the Clear member will continue through the expedited Registered Traveler line. Privately Issued Identification Cards are Good
Reading the privacy policy on the Verified Identity Pass Web site illustrates why privately issued identification is superior. It is for a reason that might be surprising: because the Verified Identity Pass privacy policy is a contract. It gives Clear members enforceable legal rights and it gives potential applicants information that they can rely on when deciding whether to use it. A private identification issuer like the Clear program submits itself to enforceable contractual terms and commits itself to future actions consistent with its contract.
Neither of these things is true of government privacy policies or the Privacy Act notices published routinely in the Federal Register. Privacy Act notices can be changed merely by a new publication. Congress and federal agencies can change the privacy commitments they have made, denying recourse to citizens, because these government entities are lawmakers not law subjects.
A program like the Orlando Registered Traveler, operated as it is by a private identification card issuer, can be much more protective of privacy than a government operated program, about which future privacy consequences cannot be predicted. And, as I discuss below, the Clear program is more protective of travel information than the government programs we have seen.
For years, the American Association of Motor Vehicle Administrators has been trying to build the role of Departments of Motor Vehicles in American life and commerce. They are among a small few who seem to recognize that identification is an important and useful economic and social tool. AAMVA and the DMV bureaucrats they represent are seeking to use the power of government to perpetuate the happenstance — the mere historical accident — that the most common and recognized identification services are provided by governments. It does not have to be this way, and it should not be this way.
Uniform Identification Systems Are Bad
In my forthcoming book, I summarize and build on the work of many scholars and advocates who have shown that uniform identification systems have significant negative consequences for important interests that Americans cherish, both as citizens and as consumers.
Uniform identification systems enable surveillance by both public and private entities. They are a tool that undermines the privacy and obscurity people enjoy every day. That is, governments use uniform identification to watch and record the movements and actions of citizens, often contrary to their interests. Likewise, companies and marketers watch and study consumers. This is usually done for the purpose of improving customer service, product design, marketing, and so on, but many people object to it. They are free to do so and would be better able to prevent such monitoring if there were more choice among different identification systems.
Exacerbating the problem, the existence of uniform identification systems makes it easier for more institutions to demand identification than otherwise would. Most consumers accede to requests for identification when they check into hotels, enter buildings, and so on because it is easier to do so than to ask why or to refuse. For this reason, identification is becoming overused. It is often not actually necessary or useful for a transaction, but it gets added for marginal-to-nonexistent security reasons, or to create the impression of security. This kind of identification allows further surveillance. All private surveillance creates data that, in the current legal environment, government authorities may readily seize.
Uniform identification systems expose consumers and citizens to significant dangers. Our national identifier, the Social Security Number, and traditional second identifiers like the mother’s maiden name are used too often by too many institutions. This makes identity fraud easier and more profitable. It means that a fraud on one identification system can multiply and by used in many systems, including security systems. If each institution used distinct identification mechanisms, identity fraud would drop in number and in both cost and consequence. (This measure is not without costs itself, of course.)
Likewise, uniform identification systems expose citizens to the risk of official confiscation. Currently, access to more and more goods, services, and infrastructure is being made contingent on showing a single identification, the driver’s license. With this trend, there is an increasing risk that authorities may — legally or illegally — take away identification documents, effectively depriving people of their ability to function in society.
Most totalitarian governments in history have used uniform identification systems as a powerful administrative tool. Totalitarianism does not arise because of uniform identification, but uniform identification systems help totalitarian governments be that way. We are better off, and our freedom stands on stronger footing, if we have heterogeneous identification systems, including things like the Clear identification card.
Privately issued identification cards like the Clear card slated for use in Orlando will help create the heterogeneous identification system that we need in the United States. Though not entirely sufficient — not by a long shot — diversity of identification systems is one bulwark of liberty that will pay Americans enormous dividends in freedom and autonomy during the rapidly advancing digital age.
Private identification systems can put people, as both consumers and citizens, in a better position to control information about themselves. The alternative is massive, uncontrolled information sharing and data pooling that empowers governments and corporations over individuals.
Clear Under the Microscope
I have sung the praises of private identification cards like Clear, noting particularly that they are subject to law rather than the whim of lawmakers. This does not mean they are flawless. Along with some particular benefits, there are potential drawbacks to the Clear identification system, particularly in its interaction with the TSA program.
Foremost, the Clear system appears designed for resistance to surveillance of travelers’ movements. This is an attractive feature, laid out in the privacy policy as a firm contract with members. Specifically, Verified Identity Pass tells us: