Airport Access Control Pilot Project. Privacy Impact Assessment. June 18, Contact Point:

Transcription

1 Airprt Access Cntrl Pilt Prject Privacy Impact Assessment June 18, 2004 Cntact Pint: Lisa S. Dean Privacy Officer Transprtatin Security Administratin Reviewing Official: Nuala O Cnnr Kelly Chief Privacy Officer U.S. Department f Hmeland Security

2 Airprt Access Cntrl Pilt Prject Privacy Impact Assessment I. Intrductin On Nvember 18, 2001 Cngress passed the Aviatin and Transprtatin Security Act (PL ). The statute directed the newly-frmed Transprtatin Security Administratin (TSA) t establish pilt prgrams in n fewer than 20 airprts t test and evaluate new and emerging technlgies fr prviding access cntrl and ther security prtectins fr clsed r secure areas f the airprts. Such technlgy may include bimetric r ther technlgy that ensures nly authrized access t secure areas. (See PL Sectin 106(d)(3) cdified at 49 U.S.C (c)(3)). The purpse f TSA s Airprt Access Cntrl Pilt Prgram (AACPP) is t implement pilt prjects at airprts t evaluate and demnstrate applicatins f new and emerging technlgies that enhance the perfrmance f access cntrl systems. Access cntrls are used t ensure that unauthrized persns cannt gain access t sensitive areas in airprts r gain access t air carg stred in sensitive areas in air transprtatin facilities (e.g: warehuses, hangers, and ther buildings that are usually at an airprt). Since the fcus f the prject is n the testing f technlgies with the vluntary cllectin f a limited amunt f persnal data being an incidental cmpnent needed t cnduct the testing, the impact t persnal privacy will be minimal. Hwever, in the interest f transparency t the public, TSA decided t cnduct this Privacy Impact Assessment (PIA) pursuant t the E-Gvernment Act f 2002, P.L , and the accmpanying guidelines issued by the Office f Management and Budget (OMB) n September 26, This PIA is based n the current design f the prgram and the Privacy Act system f recrds ntice, Transprtatin Security Technlgy Testing System (DHS/TSA 016), that was published in the Federal Register n July 1, This PIA prvides further details abut the cllectin f persnally identifiable infrmatin fr the purpse f evaluating and demnstrating applicatins f new and emerging technlgies. The AACPP received prpsals frm 55 airprts that are interested in vlunteering fr the prject. Altgether, the airprts prpsed 325 different technlgy vendrs wh market variatins f certain technlgies. Of the different technlgies prpsed, the AACPP gruped them int 5 general categries: Bimetric devices (including fingerprint recgnitin, vice r wrd recgnitin, iris scans, hand gemetry recgnitin), intrusin surveillance and tracking (including Radi Frequency ID tags and intelligent vide systems), dr cntrls (including access cntrl card readers), anti-tailgating (preventing persns frm sneaking in behind authrized peple by using intelligent vide, and ptical license plate readers t detect autmbiles) and ther, which cnsisted f interesting but difficult t categrize ideas. During the perid f the pilt prject, TSA will chse which technlgies it wuld like t assess fr access cntrl purpses, and the AACPP will set up the access pint and demnstrate the effectiveness f the chsen technlgies. The demnstratin will rely n the participatin f vlunteers wh wrk at the airprt and will use the access technlgy being tested. The prgram will mnitr the experience f these vlunteers and will utilize surveys t request feedback n the technlgy. Limited persnal infrmatin abut the vlunteers will be cllected and used during this pilt; hwever, nne f this infrmatin will be cllected r used t make determinatins that will affect individual rights. The prgram will als nt have an impact n anyne wh des nt vlunteer t participate. The end result f the prject will be a reprt t TSA that will describe all f the technlgies that were tested in at least 20 airprts. The reprt will serve a threefld purpse:

3 Fr TSA, the AACPP reprt will cntain a bdy f field-prven knwledge t assist in develping perfrmance standards and in determining what kinds f access cntrl technlgy are acceptable fr use in sensitive areas in airprts r ther air transprtatin facilities. Aviatin security slutins need t vary in rder t accmmdate the needs f a large number f airprts f varius sizes and vulnerabilities. The bdy f field-prven knwledge that results frm this prject will enable TSA t apprve security systems and designs that can be tailred t individual airprt needs. Fr stakehlders (airprts in particular), the AACPP reprt will facilitate the deplyment f advanced access cntrl technlgy. The results f this prject will enable stakehlders t cnfidently design security slutins tailred t their individual needs and budgets, drawing upn the field-prven technlgy that was demnstrated under this prject. This flexibility in meeting regulatry security standards is a high pririty fr stakehlders. Fr manufacturers f emerging technlgies, prtins f the AACPP reprt can be used as a guide fr tailring advanced access cntrl technlgies t meet the demands f the airprt envirnment. II. System Overview What infrmatin will be cllected and used fr this pilt prject? The infrmatin t be used and cllected under this prject cnsists f: full name, year f birth, gender, ethnic backgrund, primary language, emplyer, and airprt identificatin badge number f a select grup f vlunteer participants (airprt r air carrier emplyees and cntractrs, airprt users, and federal wrkers) wh have access t secure areas f an airprt (and in tw cases, access t air carg stred in secure areas f air carg strage facilities). Additinally, at sites that are testing bimetric devices, a bimetric identifier will be cllected frm participants in the prgram. In rder fr AACPP t analyze the perfrmance f the devices at access pints leading int secure areas f an airprt, the participants will use the device whenever they attempt t enter these areas. The AACPP will then review hw well the device wrks and hw well the participants adjusted t the device. In cnducting such a review, the AACPP may have reasn t cntact the participant fr infrmatin. As a result, the AACPP needs t have a methd f identifying wh the participants are. Nrmally, this will be dne thrugh the participant s airprt identificatin badge number, which will be recrded every time a participant uses the device. The AACPP may need t cntact the participant fr a number f reasns, including the fllwing: If, during the pilt, the technical data cllected indicates t the AACPP that a participant has experienced unique difficulties while interacting with a device, the AACPP can use the participant s identifying infrmatin in rder t cntact the participant t get mre specific infrmatin abut the difficulties that were experienced. Fr example, in a prject demnstrating the effectiveness f a fingerprint reader, participants will enrll in the prject by submitting a fingerprint sample t the system. If technical data later indicates that ne participant cntinues t experience a bad read by the fingerprint reader, the AACPP can extract the participant s badge number frm the raw data cllected and ask the airprt t use the badge number t identify the participant. AACPP can then cntact the participant t determine why the fingerprint reader is having truble recgnizing that participant s fingerprint sample (the participant s fingerprint sample may have been enrlled imprperly). In all cases, submissin f identifying data t the AACPP is vluntary, and anyne wh has been invited t be a participant in the pilt prject is free t decline.

4 Midway thrugh the prject, the AACPP may want t interview sme participants t determine their perceptins f the prject. While perceptins d nt indicate hw well a device actually wrks, they can shed light n the acceptability f a device by the persns using it. In sme cases, if the participants have t fllw a few extra steps befre gaining access t a secure area, but they feel that the added steps are wrth the effrt t keep the area safe, a particular device may be easier t intrduce at an airprt fr widespread use. Sme technlgies d nt effectively identify peple with certain physical characteristics. It is well dcumented, fr instance, that certain fingerprint technlgies d nt effectively recgnize the fingerprints f certain ethnic grups. If a pilt device indicates an unusually high number f bad reads fr ne participant, the AACPP may want t lk at the participant s vluntarily-submitted demgraphic infrmatin t determine whether he r she falls int a knwn categry f persns fr which that particular technlgy isn t best suited. This is als seen in wrd recgnitin technlgy being used by persns wh speak English as a secnd language. Use f this persnal infrmatin will help AACPP determine whether the device being demnstrated is malfunctining, r whether it is nt perfrming well because f utside influences such as ethnic backgrund r language barriers. In all instances when persnal infrmatin is used, the AACPP is using the infrmatin t determine hw well a device is functining as well as the prs and cns f deplying a device in a lcatin that must accmmdate a large number f persns. The AACPP s interest, then, is t determine the ultimate peratinal suitability f a technlgy fr use by many peple; ther than determining hw well a device wrks, r whether a device is malfunctining r simply reacting t a demgraphic anmaly, AACPP has n ther interest in persnal infrmatin f participants, and will nt use it fr any ther purpse. Why is the infrmatin being cllected and hw are participants affected? The infrmatin is being cllected in rder t evaluate the perfrmance f the access cntrl systems being demnstrated at each site. Participants are nt affected persnally, except that they may be cntacted by AACPP and asked their pinins abut the device being demnstrated and whether they find it easy t use. What infrmatin technlgy system(s) will be used fr this prgram and hw will they be integrated? The AACPP will deply Data Observatin Cllectin Kits (DOCKs) at all airprt sites where technlgies are being demnstrated. These kits receive highly technical peratinal data (raw data, such as mean-time between failures, temperature, and the date and time a device was used) frm an integratin panel cnnected t the devices being demnstrated. The DOCKs at every lcatin recrd the raw data received and transmit it t a central data repsitry lcated at the AACPP headquarters in Restn, Virginia. AACPP persnnel then review the raw data t determine hw well the devices are wrking. The system als recrds such things as whether a device wuld have permitted access t a participant if it were actually deplyed by an airprt as part f its security system, and hw lng it tk fr the transactin t take place. Malfunctins f any devices will als be recrded and analyzed. Neither the DOCKs nr the Central Repsitry are integrated int any ther infrmatin system. N infrmatin frm the DOCKs r frm the Central Repsitry can be btained frm any utside system. Only AACPP persnnel with a need t knw will have access t the infrmatin recrded by the DOCKs r stred in the Central Repsitry

5 What ntice r pprtunities fr cnsent are prvided t individuals regarding what infrmatin is cllected, and hw that infrmatin is shared? In its Privacy Act System f Recrds Ntice, Transprtatin Security Technlgy Testing System (DHS/TSA 016), TSA prvided ntice that it will cllect persnally-identifying infrmatin. relating t the Transprtatin Security Technlgy Testing System. This PIA prvides additinal ntice abut the prgram. TSA intends t prvide further ntices t individuals at the time the infrmatin is cllected. Individuals participatin in the AACPP prgram is entirely vluntary. Des this prgram create a new system f recrds under the Privacy Act? Yes. This prgram is cvered under a Privacy Act system f recrds that is being established cncurrent with this ntice, called the Transprtatin Security Technlgy Testing System, r DHS/TSA 016. With whm will the cllected infrmatin be shared? The cllectin, maintenance, and disclsure f infrmatin will be in cmpliance with the Privacy Act and the published system f recrds ntice. TSA s cntractr is likewise bliged t cmply with the Privacy Act pursuant t 5 U.S.C. 552a(m). Hw will the infrmatin be secured against unauthrized use? (What technlgical mechanism will be used t ensure security against hackers r malicius intent?) TSA will secure persnal infrmatin against unauthrized use thrugh the use f a layered security apprach invlving prcedural and infrmatin security safeguards. The data will be encrypted using Natinal Institute f Science and Technlgy (NIST) and Federal Infrmatin Security Management Act (FISMA) standards and industry best practices when being transferred between secure wrkstatins. When transferring infrmatin between the end user s brwser and the web, TSA will use Secure Scket Layer (SSL) 128-bit encrypted sessins fr data integrity and privacy. Once user data has been btained at the web server, it will be transferred t a TSA database server ver an encrypted sessin. Specific privacy safeguards can be categrized by the fllwing means, which are described in greater detail elsewhere in this dcument: Technical limitatins n, and tracking f, data access and use; Use f secure telecmmunicatins techniques; and Limitatin f physical access t system databases and wrkstatins. This apprach prtects the infrmatin in accrdance with the fllwing requirements: The Privacy Act f 1974, as amended (5 USC 552a), which affrds individuals the right t privacy in recrds that are maintained and used by Federal agencies. Federal Infrmatin Security Management Act f 2002, (Public Law ), which establishes minimum security practices fr Federal security systems.

6 Will the infrmatin be retained and if s, fr what perid f time? TSA prpses t maintain the raw data and accmpanying recrds generated by the AACPP fr 10 years, pending apprval by the Natinal Archives and Recrds Administratin (NARA). The recrds being retained, hwever, will nt cntain any persnal identifiers f the participants. AACPP will remve and destry persnal identifiers frm the data at the end f the prject. Will the infrmatin cllected be used fr any ther purpse ther than the ne intended? Infrmatin cllected will nly be used fr the purpse f evaluating the technlgy being tested at each site under the AACPP pilt prgram. Hw will the pilt participants be able t seek redress? Fr purpses f this pilt, TSA will nt make any determinatins that affect individual rights fr which redress is required; additinally, all participants are vlunteers. Prcedures fr Privacy Act requests fr access t infrmatin in the system are as fllws: T determine if this system cntains a recrd relating t yu, write t the system manager at the fllwing address: Directr f the Security Technlgy Office, TSA Headquarters, TSA-16, 601 S. 12 th Street, Arlingtn, VA Please prvide yur full name, current address, date f birth, place f birth, and a descriptin f infrmatin that yu seek, including the time frame during which the recrd(s) may have been generated. Yu may als prvide yur Scial Security Number r ther unique identifier(s) but yu are nt required t d s. Individuals requesting access must cmply with the Department f Hmeland Security s Privacy Act regulatins n verificatin f identity (6 CFR 5.21(d)). What databases will the names be run against? DHS will nt run the names f pilt participants against any database. What is the step by step prcess thrugh which the systems will wrk nce the data has been input and what is the prcess fr generating a respnse? AACPP will input the participant infrmatin (an airprt badge number, alng with a bimetric identifier in places where a bimetric device is being demnstrated) int the system being demnstrated at each site. Fr a perid f 90 days per site, the participant will present his r her bimetric identifier (a fingerprint, fr instance) t a reader, and then fllw regular airprt prcedures in rder t gain access t a secure area. Because the devices in this prgram are being demnstrated, they are nt cnnected t an airprt s actual access cntrl system. In this way, if the device cannt read a fingerprint, r an iris scan, r whatever bimetric identifier is needed fr the demnstratin, a participant will nt be prevented frm entering an area if he r she therwise is granted access by the airprt s system. In mst cases where a device cannt read a bimetric identifier, the device will prmpt the participant t try again. Even if the device cannt identify the participant, the participant ultimately will be given a signal (usually a green light r an audible tne) indicating that the participant may prceed int a secure area after fllwing the airprt s standard access prcedures. AACPP has an interest in the number f times a device fails t read a bimetric identifier as well as the number f times it recgnizes them. Therefre, all f the attempts t use the device are recrded by the DOCK and sent t the Central Repsitry. AACPP will review the raw data t

7 evaluate the perfrmance f the device. Participants can expect t be cntacted by AACPP during the 90-day perid f the demnstratin and asked their pinins f the device being demnstrated. At the end f the pilt perid, any leftver equipment (nt clear what this refers t), the AACPP reprt, and assciated raw data (with persnal identifiers remved) will be prvided t TSA. What technical safeguards are in place t secure the data? DHS emplys the fllwing technical safeguards t secure data: Use f advanced encryptin technlgy t prevent internal and external tampering f the raw data. Secure data transmissin including the use f passwrd-prtected fr sending files between the AACPP cntractr and TSA headquarters. Passwrd prtectin fr files cntaining persnal r sensitive security infrmatin t prevent unauthrized internal and external access. Netwrk firewalls t prevent intrusin int DHS netwrk and AACPP databases. User identificatin and passwrd authenticatin t prevent access t sensitive security infrmatin by unauthrized users. Will the staff wrking with the data have apprpriate training and security clearances t handle the sensitivity f the infrmatin? All DHS and assigned cntractr staff receive DHS-mandated privacy training n the use and disclsure f persnal data. Additinally, training has been cnducted that relates t the handling f persnal data and sensitive security infrmatin. FOR QUESTIONS OR COMMENTS, PLEASE CONTACT: Lisa S. Dean, Privacy Officer, Transprtatin Security Administratin, Nuala O'Cnnr Kelly, Chief Privacy Officer, Department f Hmeland Security,