Registered Traveler Pilot. Privacy Impact Assessment. June 24, 2004.


Registered Traveler Pilot
Privacy Impact Assessment
June 24, 2004

Contact Point: Lisa S. Dean, Privacy Officer, Transportation Security Administration
Reviewing Official: Nuala O'Connor Kelly, Chief Privacy Officer, U.S. Department of Homeland Security

I. Introduction

The Aviation and Transportation Security Act (ATSA), P.L. , Section 109(a)(3), authorizes the Transportation Security Administration to establish requirements to implement trusted passenger programs and to use available technologies to expedite security screening of passengers who participate in such programs, thereby allowing security screening personnel to focus on those passengers who should be subject to more extensive screening. Pursuant to that authority, TSA proposes to conduct a Registered Traveler (RT) Pilot Program in a limited number of airports to test and evaluate the merits of this type of trusted passenger program.

Under the Registered Traveler Program as envisioned by TSA, qualified travelers will be positively identified via advanced identification technologies in order to confirm that these travelers are not suspected of posing a threat to aviation security. The RT pilot will collect biographical information and a biometric from airline passengers who volunteer to submit to a security threat assessment, which will include checking their identities against terrorist-related databases and appropriate criminal databases for outstanding warrants. If an RT volunteer passes the security threat assessment, TSA will use their biometric information to verify their identity when they present themselves for screening at the airport security checkpoint. This should expedite the screening of registered travelers and allow TSA to focus its security efforts more appropriately.

This Privacy Impact Assessment (PIA), conducted pursuant to the E-Government Act of 2002, P.L. , and the accompanying guidelines issued by the Office of Management and Budget (OMB) on September 26, 2003, is based on the current design of the program and on the Privacy Act system of records notice, Registered Traveler Operations Files (DHS/TSA 015), that was published in the Federal Register on June 1, 2004. This PIA provides further details about the collection of personally identifiable information for the purpose of conducting security threat assessments and issuing an RT card during the pilot.

II. System Overview

What information will be collected and used for this security threat assessment?

An important aspect of the information collection for the RT pilot security threat assessment is that participation will be strictly voluntary. Accordingly, if individuals are concerned about the privacy implications of providing their personal data, they simply need not participate in the program. Individuals who choose to participate in the pilot will provide the information listed below, which will be used by TSA to complete a name-based security threat assessment prior to acceptance of the volunteer as a registered traveler: full name, social security number, other names used, home address, home telephone number, cell phone number, e-mail address, date of birth, place of birth, nationality, gender, prior addresses (for the past five years), driver's license number, and biometric identifiers (fingerprints and/or iris scan).[1] E-mail information is used for identity verification as well as to contact volunteers concerning their enrollment status.[2] If the volunteer has no e-mail address, they can call the hotline to verify their status.

[1] TSA will collect two fingerprints and an iris scan of both eyes at enrollment.
[2] For the program itself, e-mail addresses will be used by TSA to keep customers informed of any changes that might occur with regard to the agency's privacy policies and/or the Privacy Impact Assessment governing this program.

Why is the information being collected and who is affected by the collection of the data?

The information is being collected from volunteers for the RT pilot in order to perform a name-based security threat assessment of individuals who volunteer for the RT pilot program and to issue an RT card linked to the volunteer's biometric information. As explained above, TSA collects and uses the biometric data to verify the identity of Registered Travelers at the airport security checkpoint. Information gathered from volunteers for the RT pilot will be used for the following purposes:
(1) To pre-screen and positively identify low-risk travelers by conducting security threat assessments and using advanced identification technologies, including biometrics, to expedite passengers' security screening at airport checkpoints;
(2) To identify individuals impersonating law enforcement officers who attempt to board commercial aircraft while armed;
(3) To assist in the management and tracking of applicant and member security assessments;
(4) To permit the retrieval of the results of security assessments, including criminal history records checks and searches in other governmental identification systems, performed on volunteers;
(5) To refer to the appropriate intelligence and law enforcement entities the identity of volunteers who pose or are suspected of posing a security threat.

What are the specifics of the program, paying particular attention to the collection and use of biometrics?

TSA will collect biographical and biometric information directly from the passengers who are enrolling in the RT pilot program at the airport enrollment station. Once enrollment is completed, each Registered Traveler candidate will be issued a member card with his or her biometrics encrypted and encoded on it. Biometrics will be used only for purposes of identity verification. The card will not be activated unless and until a candidate completes a security threat assessment and TSA has determined that the candidate is not suspected of posing a security threat. TSA employees and a government contractor specifically hired for the purpose of collecting and securing the data will collect and maintain this information in accordance with the Privacy Act system of records notice for the RT Pilot (DHS/TSA 015). Information will be collected at enrollment stations in the airport where the volunteer applies.

During enrollment, the information will be securely stored and password-protected on desktop/laptop computers. All biographical data will be downloaded via encrypted removable media (CD, memory stick) to a TSA computer connected to the secure TSA network. The biometric information collected will be used only to verify identification and enrollment in the program at the Registered Traveler security checkpoint. Biometrics will be stored only on the individual's member card and in the Registered Traveler database at the pilot location. Biometrics will not be used to conduct security threat assessments. The biographical information will be used to conduct a security threat assessment by running the names and biographic information through terrorist-related and appropriate criminal databases. If any individual whose name and other biographic data are submitted appears to meet the minimum criteria established by the database as a possible match, that information will be forwarded to TSA for further screening and for a determination as to whether the individual poses or is suspected of posing a security threat. After TSA review, the name of any passenger posing or suspected of posing a security threat will be forwarded to the appropriate law enforcement and/or intelligence agency(ies) for either action or further investigation. The purpose of adding a further review by TSA of potential matches is to add a layer of protection for those individuals who may be affected by the threat assessment process and to reduce as much as possible the number of false positives that may affect individuals whose names are submitted for the program.

All volunteers will receive a card containing their biometric. However, volunteers are not considered enrolled in the RT pilot program until they have cleared a security threat assessment. TSA will transmit to the contractor, via secure e-mail, the names of those volunteers who have cleared the security threat assessment. The contractor will encrypt the data about Registered Travelers onto removable media and manually transfer the data to their secure desktop/laptop computers at the airport enrollment and security checkpoint stations. In addition, the contractor will send an e-mail to the applicant, via the account provided at enrollment, informing the traveler of his/her status in the program: either accepted or rejected.

At the airport, participants will present their member card to TSA contractors at a kiosk set up at the RT screening checkpoint. The participant's biometric information will be matched to the card for identity verification. The system will check the individual's identity against the status of his or her security threat assessment, at which time the system will allow verified participants to proceed through the security checkpoint. Any participant whose biometric cannot be matched, or whose threat assessment cannot be verified, at the Registered Traveler security checkpoint will be directed to the regular security checkpoint lines. In the case where the airport operates on a card-less system, the Registered Traveler will simply submit his or her biometrics at the checkpoint to be matched to the biometrics captured at enrollment and stored in the Registered Traveler database on site. The system will then check the individual's identity against the status of his or her security threat assessment in the same way, and any participant whose biometric cannot be matched or whose threat assessment cannot be verified will likewise be directed to the regular security checkpoint lines.

In all cases, names will be periodically run against the terrorist and criminal databases throughout the course of the pilot program in order to ensure that all enrollees remain eligible. This pilot program will not supplant regular screening procedures, and enrollees remain subject to routine passenger screening at airport security checkpoints. Volunteers whose identities match or potentially match an entry on a terrorist-related database cannot be eligible for the RT program. In this circumstance a transmittal will be sent in the same manner described above, except that it will indicate that the volunteer is ineligible for, and not an acceptable candidate for, the RT program. Volunteers' biographical and biometric information will be maintained in the system whether or not they receive the RT credential. Additionally, if TSA makes a determination during the security threat assessment that a volunteer poses or is suspected of posing a security threat, TSA will share information about such volunteer with the appropriate law enforcement and/or intelligence agencies. All volunteers may find out if they have been granted RT status by calling a TSA hotline established at each RT pilot location. Additionally, all volunteers will be notified by e-mail of their status automatically when their security threat assessment has been completed.

All biometric data will be stored on the contractor's database, which will be secured and maintained in a secure/locked location by the contractor for the duration of the contract. In addition, biometric data will also be stored on the RT cards (ICC or 2D bar codes) provided to eligible Registered Travelers. The biometric technology used in this pilot meets all National Institute of Standards and Technology, American National Standards Institute, Federal Information Processing Standards, and Government Smart Card standards. The equipment was evaluated and tested using a live demonstration during contractor briefings and has been evaluated by the biometrics coordinator at TSA and DHS.

What notice or opportunities for consent are provided to individuals regarding what information is collected, and how that information is shared?

Because RT is a strictly voluntary program, consent is a prerequisite for participation in the program. The RT application material will include a notice as required by the Privacy Act, 5 U.S.C. 552a(e)(3). The notice will describe the reasons for the collection of information and the consequences of failing to provide the requested information, and will explain how the information will be used. Individuals who choose not to apply or participate in the program will continue to undergo normal airport security screening procedures. The collection, maintenance, and disclosure of information will be in compliance with the Privacy Act and the published system of records notice for the RT pilot, DHS/TSA 015. Information about volunteers will be shared with TSA employees and contractors who have a need to know for implementation of the RT pilot, and the SORN reflects the appropriate routine uses for disclosure of this information to the contractor. The contractors are contractually obligated to comply with the Privacy Act in their handling, use, and dissemination of personal information. As stated earlier, if TSA determines during the threat assessment that an applicant may pose or is suspected of posing a security threat, TSA will notify the appropriate law enforcement and/or intelligence agencies.

Does this program create a new system of records under the Privacy Act?

Yes. The Registered Traveler (RT) Operations Files system of records notice was published in the Federal Register on June 1, 2004, and can be found at 69 Fed. Reg.

What is the intended use of the information collected?

The biometric information being collected will be used to establish an RT participant's identity. The biographical information will be used to conduct a security threat assessment by means of queries against terrorist and criminal databases.

Will the information collected be used for any purpose other than the one intended?

Information collected will be used only for the purposes outlined, consistent with the Privacy Act of 1974 and the published system of records notice for the RT pilot, DHS/TSA 015. Specifically, the information will be used by and disclosed to TSA personnel and contractors or other agents who need the information to assist in the operation of the Registered Traveler pilot; to airports and airlines to the extent necessary to ensure proper identification, ticketing, security screening, and boarding of Registered Travelers; and to appropriate law enforcement or other government agencies as necessary to identify and respond to outstanding criminal warrants or potential threats to transportation security. See Attachment A, DHS/TSA 015 system of records notice for the RT program published June 1, 2004.

How will the information be secured against unauthorized use? (What technological mechanism will be used to ensure security against hackers or malicious intent?)

TSA will secure personal information against unauthorized use through a layered security approach involving procedural and information security safeguards. The data will be encrypted using National Institute of Science and Technology (NIST) and Federal Information Security Management Act (FISMA) standards and industry best practices when being transferred between secure workstations. Only TSA employees and contractors with proper security credentials and passwords will have access to this information to conduct the security threat assessment and identity verification at airport security checkpoints. Moreover, all TSA and assigned contractor staff receive DHS-mandated privacy training on the use and disclosure of personal data. Specific privacy safeguards can be categorized by the following means, which are described in greater detail elsewhere in this document:
- Technical limitations on, and tracking of, data access and use;
- Use of secure telecommunications techniques; and
- Limitation of physical access to system databases and workstations.

This approach protects the information in accordance with the following requirements:
- The Privacy Act of 1974, as amended (5 U.S.C. 552a), which affords individuals the right to privacy in records that are maintained and used by Federal agencies.
- The Federal Information Security Management Act of 2002 (Public Law ), which establishes minimum security practices for Federal security systems.

Will the information be retained and, if so, for what period of time?

TSA intends to retain these records for a sufficient period of time to conduct and review this pilot program. TSA does not yet have a record retention schedule approved by the National Archives and Records Administration (NARA) for records pertaining to this program and must retain these records until such a schedule is approved. TSA is in the process of developing a records retention schedule that will dictate the retention period for these records. Once the records schedule is approved, TSA will amend this document to include the retention period for these records.

How will the applicant be able to seek redress?

Enrollees who are identified as posing or suspected of posing a security threat will not be allowed to attain RT status. Due to the short duration of the RT pilot, RT volunteers who believe that they have been wrongly identified as a security threat will not be given the opportunity to appeal or seek other redress. Should the RT Pilot become a fully operational program, however, TSA will develop redress procedures for individuals who seek to participate in the program.

What databases will the names be run against?

TSA will run the names against terrorist-related databases, and appropriate criminal databases for outstanding warrants, to determine if an individual poses or is suspected of posing a potential threat to aviation security.

Step by step process of how the systems will work once the data has been input, and what is the process for generating a response?

All information will be collected manually from the individuals enrolling in the pilot program via electronic forms at the RT pilot site by TSA employees or through a TSA contractor. The TSA employees or contractor will encrypt the data and forward it to TSA personnel. TSA will conduct the security threat assessment by running the names against terrorist-related and appropriate criminal databases. The results of the checks are reviewed by TSA personnel for accuracy. TSA will further vet persons identified as potential matches against additional databases to further determine accuracy. Any individuals that TSA determines pose or are suspected of posing a security threat will not be awarded an RT credential, and TSA will refer the identity of the individual to the appropriate law enforcement and/or intelligence agencies. Once eligible participants are identified, the data is encrypted and sent back to the contractor, who will load the information on their workstations at the respective RT site to activate the credentials of eligible enrollees. Each time a volunteer offers his RT card at an RT pilot location, the identity of the volunteer is authenticated by verifying that the biometric on the card matches the individual's biometric at the screening checkpoint.

What technical safeguards are in place to secure the data?

Information in TSA's system is safeguarded in accordance with the Federal Information Security Management Act of 2002 (Public Law ), which established government-wide computer security and training standards for all persons associated with the management and operation of Federal computer systems. Additionally, the system is managed in accordance with applicable TSA and DHS automated systems-security and access policies. The computer system from which records could be accessed is policy- and security-based; access is limited through user identification and password protection to those individuals who require it to perform their official duties. All data transferred on memory sticks is encrypted for security. The system also maintains a real-time auditing function of individuals who access the system. Databases that store personal information at the RT airport locations are housed on removable hard drives and will be stored in secured and locked facilities and containers in accordance with federal requirements.

TSA employs the following technical safeguards to secure data:
- Use of advanced encryption technology to prevent internal and external tampering with data and transmissions.
- Secure data transmission, including the use of password-protected e-mail for sending files between the security threat assessment participants, to prevent unauthorized internal and external access.
- Password protection for files containing personal or security threat assessment data to prevent unauthorized internal and external access.
- Network firewalls to prevent intrusion into the DHS network and TSA databases.
- User identification and password authentication to prevent access to security threat assessment systems by unauthorized users.
- Security auditing tools to identify the source of failed TSA system access attempts by unauthorized users and the improper use of data by authorized operators.

Privacy Threats and Mitigation Measures

The table below provides an overview of the privacy risks associated with RT and the types of mitigation measures that address those risks.

Table 1: Overview of Privacy Threats and Mitigation Measures

Type of Threat: Unintentional threats from insiders[3]
Description of Threat: Unintentional threats include flaws in privacy policy definition; mistakes in information system design, development, integration, configuration, and operation; and errors made by custodians (i.e., personnel of organizations with custody of the information). These threats can be physical (e.g., leaving documents in plain view) or electronic in nature. These threats can result in insiders being granted access to information for which they are not authorized or which is not consistent with their responsibilities.
Type of Measures to Counter/Mitigate Threat: These threats are addressed by (a) developing a privacy policy consistent with Fair Information Practices, laws, regulations, and OMB guidance; (b) defining appropriate functional and interface requirements; developing, integrating, and configuring the system in accordance with those requirements and best security practices; and testing and validating the system against those requirements; and (c) providing clear operating instructions and training to users and system administrators.

Type of Threat: Intentional threats from insiders
Description of Threat: Threat actions can be characterized as improper use of authorized capabilities (e.g., browsing, removing information from trash) and circumvention of controls to take unauthorized actions (e.g., removing data from a workstation that has not been shut off).
Type of Measures to Counter/Mitigate Threat: These threats are addressed by a combination of technical safeguards (e.g., access control, auditing, and anomaly detection) and administrative safeguards (e.g., procedures, training).

Type of Threat: Intentional and unintentional threats from authorized external entities
Description of Threat: Intentional: Threat actions can be characterized as improper use of authorized capabilities (e.g., misuse of information) and circumvention of controls to take unauthorized actions (e.g., unauthorized access to systems). Unintentional: Flaws in privacy policy definition; mistakes in information system design, development, integration, configuration, and operation; and errors made by custodians.
Type of Measures to Counter/Mitigate Threat: These threats are addressed by technical safeguards (in particular, boundary controls such as firewalls) and administrative safeguards in the form of routine use agreements which require external entities (a) to conform with the rules of behavior and (b) to provide safeguards consistent with, or more stringent than, those of the system or program.

Type of Threat: Intentional threats from external unauthorized entities
Description of Threat: Threat actions can be characterized by mechanism: physical attack (e.g., theft of equipment), electronic attack (e.g., hacking, interception of communications), and personnel attack (e.g., social engineering).
Type of Measures to Counter/Mitigate Threat: These threats are addressed by physical safeguards, boundary controls at external interfaces, technical safeguards (e.g., identification and authentication, encrypted communications), and clear operating instructions and training for users and system administrators.

[3] Here, the term "insider" is intended to include individuals acting under the authority of the system owner or program manager. These include users, system administrators, maintenance personnel, and others authorized for physical access to system components.

Will the staff working with the data have appropriate training and security clearances to handle the sensitivity of the information?

All TSA and DHS and assigned contractor staff receive DHS-mandated privacy training on the use and disclosure of personal data. Staff assigned to handle classified information will be required to obtain appropriate security clearances. Additionally, all staff must hold appropriate credentials for physical access to the sites housing the security threat assessment databases and management applications. Physical access safeguards include the use of armed or unarmed security guards at sites; hard-bolting or fastening of databases, servers, and workstations; and credential readers for internal and external site access. The TSA and DHS contractor also holds appropriate facility security clearances.

For questions or comments, please contact:
Lisa S. Dean, Privacy Officer, Transportation Security Administration
Nuala O'Connor Kelly, Chief Privacy Officer, Department of Homeland Security