How does the TSA decide if you are who you say you are?

An ongoing trickle of still-incomplete responses by the TSA to a Freedom Of Information Act (FOIA) request we made in June 2013 continues to shed more light on the TSA’s procedures for air travelers who don’t have ID credentials the TSA deems satisfactory.

It’s difficult to compile statistics from files in the image format in which the TSA has released them, but we can make some anecdotal observations about what happens to people who try to fly without “acceptable” ID.

Since the 1996 amendments to FOIA, the statute has required that, “an agency shall provide the record in any form or format requested by the person if the record is readily reproducible by the agency in that form or format.”  The TSA hasn’t deigned to respond to our request for access to its original records, despite our request for access to and bitwise copies of the original digital records. Of course, files are reproducible as bitwise copies more easily than they could be converted to any other format. Instead, the TSA is going through an elaborate and illegal multi-step munging process to create new and less-useful derivative files which it is substituting — without explanation or excuse or any claim of legal justification — for the original records in its responses to our request.

First, the records — which appear to have consisted originally of some combination of text or word processor files and spreadsheet, database, and/or word-processing document tables — are viewed in an application program, and images of “page” views are captured. Those images are redacted with some sort of image editing software, and then the redacted images are pasted into newly-created PDF files. It’s impossible to tell which pages of the PDFs correspond to which original files, much less the file names, dates, filesystem information, or other metadata of the original files. Some ranges of pages in the latest PDFs are redacted in their entirety as “exampt” from FOIA, with no indication of which of the FOIA exemptions is being claimed.

So far, the files we’ve received from the TSA in response to this request have all been derived from daily reports of calls to the TSA “ID Verification Call Center” (IVCC). Each daily report includes a count of the nature and outcome of the day’s calls, and a narrative summary of each case in which a would-be traveler’s ID was not (or initially was not) “verified” by comparing their answers to telephone questions (sometimes relayed by checkpoint staff) with the data in the file about them (if such a file exists) retrieved by the IVCC from Accurint.

Since its first release of an unredacted reference to Accurint last year, the TSA seems to have stopped trying to hide Accurint’s identity as the  commercial data aggregator and broker whose dossiers about individuals are used as the basis for “verifying” our identities. There are numerous unredacted references to Accurint in subsequent intermim TSA releases of IVCC daily reports.

We got our first example of one of these daily reports from the TSA in April 2015. We’ve now received 4800 PDF “pages” of these reports, covering a little more than three years of reports, in randomly sequenced fragments. The oldest of these reports that we’ve received — and possibly the oldest that exist — are from June 2008, when the TSA modified its (secret) procedures to introduce the use of an (illegal) “Certification of Identity” affidavit and questioning based on Accurint files and as part of ID “verification”.

Some general patterns emerge from our first scan of these reports:

The overwhelming majority of people who try to fly without ID are (eventually) allowed to do so.  It;s rare for TSA reports to note that would-be travelers were permitted to proceed past TSA checkpoints only after missing their intended flights. But it’s not clear whether this information is systematically recorded, and checkpoint or IVCC staff preparing the reports may not even know whether a delayed traveler missed their flight.

About half of those would-be travelers whose identity can’t be “verified” by the TSA to its satisfaction, based on comparing answers to checkpoint interrogations with the contents of Accurint files, have been allowed to fly anyway at the “discretion” of the Federal Security Director (FSD) for the TSA at the airport, the Acting FSD, or his or her designee. There is absolutely no indication in any of the 4800 pages of reports we have received of the existence of any standards for the exercise of this discretion, and nothing (even redacted) that would appear to allow for any oversight of how this discretionary fly/no-fly power is exercised, much less any indication of what the criteria, if any, for discretionary “permisison” for travel by “unverified” people might be.

Some people — primarily but not exclusively non-US citizens — aren’t permitted to travel because the TSA can’t find a file on them in Accurint’s database. Others aren’t permitted to travel because Accurint doesn’t have enough information about them in its file for the TSA to feel confident that its game of “20 questions” (in practice usually fewer questions than 20, perhaps just 3 or 4) has “verified” the identity of the person at the checkpoint as matching an Accurint record.

It’s not clear to what extent Accurint tries to keep files on people who aren’t US citizens. But a substantial percentage of the people who are denied passage because the TSA can’t match them with an Accurint file are non-US citizens. Many of them show up at TSA checkpoints with non-US drivers licenses, perhaps having asked what ID they need to fly and having been told that a valid drivers license is sufficient.  The list of acceptable forms of ID credentials on the TSA website includes, “Driver’s licenses or other state photo identity cards issued by Department of Motor Vehicles (or equivalent).” The TSA doesn’t make clear that only US and Canadian drivers licenses are deemed sufficient, even though drivers licenses isssued by equivalent agencies in other countries are valid for driving in the US.

Foreign citizens also turn up regularly at TSA checkpoints with expired passports, or without passports (or occasionally with illegible passports) because theirs have been lost, stolen, or damaged.  They can’t fly without their passport, and they can’t get their passport renewed or replaced without a personal interview at a consulate or embassy. Catch 22. Imagine that your passport expired or was lost or stolen while you were traveling or living abroad in some large country. How would you get to the nearest US consulate or embassy, especially if it was thousands of miles away, to get a new passport? Now imagine that you are a foreign citizen visiting Hawaii and your passport is lost or stolen.  How are you supposed to get to a consulate or embassy on the mainland, or get home?

Other people are prevented from passing through TSA checkpoints because they exercise their right to remain silent when interrogated by TSA staff or contractors, or because their answers are inconsistent with the data obtasined from unknown sources and maintained in secret, unverified Accurint files. Because these files are maintained by Accurint, not the government, the TSA would undoubtedly claim that they are not subject to the Privacy Act, even though theis data is used as the basis for adverse decisions by the TSA and denial by the TSA of the right to travel by common carrier.

There’s no list of fields that are or might be included in Accurint records, or which of those fields might be used by the TSA for ID “verification”. But here’s a list of all of the questions that were reported somewhere in these 4800 PDF pages as forming the basis for denial of passage through a TSA checkpoint:

  • Names of Other Residents at Address? (What business is it of the TSA or Accurint who you live with? Do they know? Do they have it right?)
  • Neighbor’s Names? (Do you know the last names of the next-door neighbors with whom you are on a first-name basis? Do they have the same last name? Do you know or care? Do you know whose name is on the deed or lease, and who is merely a live-in lover? And what if you live in a city and your building, or the one next door, is a large apartment building? Residents of large public housing projects, where the actual residents aren’t necessarily those whose names are on leases, might be especially unlikely to be able to match their answers to what’s in Accurint’s files.)
  • Names of Associates (“Associates” is apparently a field in some Accurint databases. But what does it mean? How does Accurint “associate” people with each other? And how can government interrogation about who you are “associated” with not violate your freedom of association?)
  • Phone Number? (Which phone number? People who mainly use a cellphone may not even know the number of the landline they have only for DSL or because it’s required for the apartment building or condo complex intercom and entry system.)
  • Judicial District (How many people in Los Angeles know that they are, counterintuitively, in the Central District of California, not the Southern District?)
  • County of Residence? Previous County of Residence? (In states where counties have power neither to tax nor to legislate, mnay people have no idea what county they are in.)
  • Previous Address? Other States of Residence? (How complete and accurate are Accurint’s personal histories of old addresses?)
  • Company Worked? Name of Past Employer? Employment History? (What if you worked for a temp agency or intermediary, or as a freelancer or indepndent contractor, so the name of your actual employer didn’t show up in IRS records?)
  • Sporting License?
  • Recreational License?
  • Mother’s Middle Name and DOB? (My mother was born abroad, and my grnadfather got the date wrong when he later reported her birth to the US consulate. So all her US government records have an erroneous date. How would I know if Accurint has her real birthday, or the date in US government files?)
  • Mother’s Occupation? (What if she has had different jobs at different times, or her multiple jobs didn’t or don’t fit into any single “occupation”?)
  • Father’s Name and DOB?
  • Names of Relatives? Relative’s Dates of Birth? (Do you know which of your relatives changed their legal names when they got married or divorced, or to what new names?)
  • City of Relative’s Residence? (Do you remember which suburb of Chicago they live in? Didn’t think so — even if Accurint has it right.)
  • Vehicles Registered?
  • Mother’s Vehicles? (Does your mother always tell you right away if she gets a new car? And do you know which vehicle is registered to her, and which to her unmarried partner?)
  • Relative’s Motor Vehicle Information? (You’re kidding, right? I wouldn’t have a clue what vehicles each of my siblings drive. And what about the vehicles registered in their names that are actually being driven by nieces and nephews?)
  • Make and Model of Vehicle? (Both Accurint and the TSA seem obsessed with vehicles as personal identifiers. “You are what you drive.”)

Some geographic questions don’t appear to be come directly from Accurint. It seems possible either that Accurint is generating these queries from some other commercial street-map dataabses, or that IVCC staff are looking at addresses on some digital map (we all know how infallible they are) to ask these questions:

  • Highway Near Residence?
  • Name of Lake Near Residence?
  • Parks Near Residence?
  • Hospital Near Residence?
  • Cross Streets?
  • Nearby Crossroads?
  • Closest Intersection to Residence? (Especially on a rural road where it’s a long way between intersections, how sure are you in which direction it’s a shorter distance to the next intersection? And on a road with minor unimproved lanes or private roads, which count as “intersections”?)
  • Names of Landmarks Near Residence? (What do you consider a “landmark”?)

This isn’t too long a list of data to memorize. An identity thief who has gotten access to Accurint data about you is more likely to be able to give answers consistent with the data in the Accurint file about you than you are as the real subject of the file.

4 Responses to “How does the TSA decide if you are who you say you are?”

  1. Eddie Says:

    Is Accurint required, under the Fair Credit Reporting Act, to tell me what data they have about me?

  2. How to Stop Mysterious Plane Crashes and What the TSA Knows About You - View from the Wing Says:

    […] Here’s how TSA identifies you when you don’t have your ID at the security checkpoint […]

  3. Cecil Says:

    They are also required to be in an accessible format (see section 508) . Mostly 508 deals with things procured by the fed, but it also includes things provided by the fed to consumers. That is why blind/deaf/etc can apply for federal employment, soc sec, ssi, file taxes, etc… Image based pdf’s do not comply with section 508. So yes, it’s just another law they’re breaking but hey, at some point they will have to account.

  4. Papers, Please! » Blog Archive » IDP comments on TSA proposal to require ID to fly Says:

    […] if you (1) fill out and sign the obscure TSA Form 415, (2) satisfy the TSA with your answers to a bunch of questions about what’s the file about you obtained by the TSA from the commercial data broker Accurint, […]

Leave a Reply