Quest for higher security brings conflicts

Listen to this article

00:00
00:00

The US travel industry would have embraced biometric information and radio frequency identification (RFID) even without the events of September 2001.

But the terror attacks in the US brought a new urgency and a political motivation to their implementation. The attacks in New York and Washington sparked the creation of the Department of Homeland Security (DHS) and initiatives to improve aviation, border and port security.

The DHS has repeatedly endorsed biometrics as the way forward for digitising identity systems. This is in step with US government moves towards electronic passports and ID cards.

Another part of this effort is the US demand that the 27 countries in its Visa Waiver Program begin issuing electronic passports that carry biometric chips with digital photos and machine-readable technology.

In acknowledging that the technology and systems are not yet in place to support this requirement, the DHS has extended the deadline for inclusion of biometric chips in new passports to October 2006, though its October 2005 deadline remains for the inclusion of digital photographs on their own.

The DHS is also tracking the entrance and exit of any foreigner who visits through the US-Visit programme. This stipulates that any visitor must have their digital photographs and fingerprints taken.

These are used to check that the person is the same person that was issued the visa.

Pilot schemes are under way at several airports and ports to check them at departure as well.

Furthermore, there are a number of trusted traveller schemes in place intended to expedite the entry of regular visitors.

Such international schemes must negotiate several hurdles - what kind of RFID technology to use for instance - before full-scale deployment.

The impact of these developments on the airline industry has been mixed. For instance, according to Diana Cronan of the Air Transport Association of America (ATA), US-VISIT has been successful so far, with no extra delays imposed on passengers.

The ATA is more antagonistic towards government attempts to pass on the schemes’ costs to the industry. In an April address to the Senate Committee on Commerce, Science and Transportation, James May, president and chief executive of the ATA, rejected the proposed increase to the September 11th Passenger Security Fee.

He argued that one industry should not pay for something that impacts national security for all Americans and the economy as a whole.

He also asserted that the agency concerned - the Transportation Security Administration (TSA), itself part of the DHS - should be held accountable for the funds it already has before it gets any more.

“Continuing problems with the no-fly and selectee lists make the headlines on a regular basis, and the effort to put into place a system to augment CAPPS I (Computer Assisted Passenger Prescreening System) is beginning to look like the search for the Holy Grail,” he wrote.

“After some two years of effort, numerous mis-steps and an unknown amount of employee time and money, TSA has not moved past the testing phase.

“In addition the testing phase of the Registered Traveller Program has made little sense, with five different systems unable to interface or lay the groundwork for a national system.”

The slow and cautious approach by government agencies frustrates those technology companies that are pitching for business as well as the airlines.

The latter need to accommodate government security measures while tending their own business imperatives.

For instance, they need to grapple with the threat of ever-extending check-in times at a time when airlines are increasingly scrutinised for their punctuality.

Hence, both the ATA and its European counterpart, the Association of European Airlines (AEA), are trying to resist APIS-60 (Advanced Passenger Information System), which requires airlines to submit an accurate passenger manifest as much as 60 minutes before departure.

They warned of its “devastating impact on industry operations and efficiency” and suggested the implementation of a “real-time passenger pre-clearance system” so that passengers could be screened at check-in.

Such real-time database look-ups are a key part of the security apparatus in the travel industry.

In a year that has been punctuated by regular press reports of data theft from the very entities that are supposed to be experts at tending such information repositories - customer information databases such as LexisNexis or Checkpoint - experts question whether government agencies can do any better when ensuring data integrity.

According to Jeff Vining, vice-president of public sector research at Gartner, the Federal Bureau of Investigation uses these very commercial databases.

He adds that US-Visit is a “system of systems” and recounts once instance where the IDENT system - the automated biometric identification system - did not correctly inter-operate with the FBI’s fingerprint ID system allowing a known criminal to slip into the US and commit a murder.

Miles Clement, project manager at the Information Security Forum, says: “There are always going to be ways to break into these systems.” He points out that with outsourcing the risk is increased.

This human factor has been recognised in part, for instance with moves to federalise the role of baggage screeners.

But there have been other technology trade-offs. While the DHS has looked to implement biometric systems that are fast there are still instances where unwanted visitors have been let through because a positive match was not found in the time allotted.

And as Daniel Munyan, chief scientist of Global Security Solutions, ID Labs, at Computer Sciences Corporation, points out, some biometric techniques for identity verification were designed 100 years ago for forensic, not automated-identity, use. He says: “We’re asking to take a 100-year-old technology and use it in three seconds for US-Visit.”

Copyright The Financial Times Limited 2017. All rights reserved. You may share using our article tools. Please don't copy articles from FT.com and redistribute by email or post to the web.