Modernizing Authentication — What It Takes to Transform Secure Access
You'd think Schneier might sign up out of curiosity alone. You'd be wrong.
''It's something I would sign-up for if I thought it would help,'' Schneier says. But as a frequent flier, Schneier can already bypass many of the lines at the airport thanks to customer service initiatives that aim to keep the airlines' best customers happy. The incentive, therefore, is lacking.
The Registered Traveler Program was born in a post-Sept. 11 world, in response to travelers delayed by lengthy security lines and airlines concerned they would lose their best customers to other modes of transportation.https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=i The pilot program started in early July. In Minneapolis, the TSA is working with Northwest Airlines, which invited its Platinum Elite frequent fliers to enroll. The volunteers provided the TSA with information, including their name, address, phone number, and date of birth, along with biometric identifiers (either a fingerprint or iris scan). The TSA then conducted a background check of each volunteer, including analysis of law enforcement and intelligence data sources and a check of outstanding criminal warrants.
Once approved, registered travelers can use a designated checkpoint lane at the airport to provide biometric information to confirm their identity. Registered travelers and their carry-on bags still go through primary screening, but more extensive secondary screening is bypassed.
In addition to Minneapolis, 90-day pilot programs will be underway at LAX, George Bush Intercontinental in Houston, Boston Logan International, and Reagan Washington National Airport by the end of the summer.
While not mentioned by name, the Sept. 11 Commission called for a program similar to Registered Traveler in its final report.
Rear Adm. David M. Stone, USN (Ret.), the TSA's acting administrator, called the Registered Traveler Program "an exciting step toward enhancing customer service." As a customer service program, and as a chance for everyday people to see biometrics in action, the program is intriguing. But this was supposed to be about security.
Airport Security Revolves Around Identity
Security in American airports is essentially an identity issue.
You want to identify the bad guys and stop them before they can do bad things. In the case of the Registered Traveler Program, the goal is to identify the people who do not pose a threat and remove them from the pool of potential suspects. In the case of the controversial and (apparently) discontinued CAPPS II concept, the goal is simply to identify those who might be the bad guys.
The original Computer Assisted Passenger Prescreening System (CAPPS) program was implemented in the mid-1990s in response to a commission on airline security led by former Vice President Al Gore. What the commission wanted was positive baggage matching on all domestic flights, including connecting flights a practice not uncommon in most parts of the world. In a compromise, the airline industry developed CAPPS.
CAPPS uses information from the airline industry's databases to flag travelers for closer scrutiny. What exactly raises a flag is kept under wraps, but ask anyone who has paid for a ticket with cash, bought a ticket last minute, or booked a one-way flight what their experience with airport security was like, and it's not terribly difficult to get an idea.
Because it relies on databases, the system is thought by its proponents to avoid racial and ethnic profiling. It even flagged six of the Sept. 11 hijackers on that fateful day, meaning their checked baggage got a closer look. Since Sept. 11, both baggage and flagged passengers themselves are more closely inspected.
After Sept. 11, the government developed a plan for a next-generation CAPPS system called CAPPS II. The program cost hundreds of millions of dollars, and was supposed to use a larger terrorism watch list, as well as information gleaned from intelligence and commercial databases to confirm the identity of passengers. It was also reported that CAPPS II would require passengers to provide their names, addresses, and maybe even their date of birth before flying.