According to a solicitation to potential contractors published last week, the Transportation Security Administration (TSA) wants to outsource its current questioning of airline passengers without ID, and its decisions about which travelers without ID to allow to travel and which to prevent from flying, to a fee-based system operated through a cellphone app provided by a private contractor and based on (secret) commercial databases.

There’s some good news and some bad news in the TSA’s posting of this Request for Information.

First, the good news:

1. The TSA admits that people can and do fly without ID.

According to the TSA’s Request for Information:

Prior to the COVID-19 National Emergency, TSA encountered over 2.5 million passengers a day and, on average, 600 instances of passengers without acceptable ID. These individuals are able to verify their identity via telephone through our National Transportation Vetting Center (NTVC).

That’s almost three times the average daily number of airline travelers without ID disclosed in the most recent of the TSA’s belated and still-incomplete responses to our Freedom of Information Act (FOIA) requests for records of travelers without ID.

2. You will still be able to fly without ID, even after the TSA “implements” and “enforces” the REAL-ID Act.

In their most recent notice of postponement of their REAL-ID threats, the TSA and the Department of Homeland Security (DHS) have said that they plan to fully implement and enforce the REAL-ID Act, with respect to airline travel, beginning October 1, 2021.

The TSA and DHS have repeatedly claimed that after that date, all air travelers will “need” to show ID that the DHS deems compliant with the REAL-ID Act in order to fly. And the TSA has previously indicated — in 2016 and again in May of 2020 —  that it intended to modify its current ID verification procedures to (illegally) deny passage through TSA checkpoints to would-be travelers who don’t present REAL-ID Act compliant ID cards.

But the TSA is now soliciting information preparatory to soliciting bids for a contract to provide outsourced “identity verification” services for air travelers without ID.

The TSA wouldn’t be preparing to solicit bids for a system to deal with air travelers without ID if the TSA planned, in a little more than a year, to stop allowing those people to fly at all.

And the TSA says that the contractor’s ID verification system for flyers without ID must “be able to process thousands of transactions per hour per day [sic] distributed across the TSA enterprise of airports.”  Whether the TSA means “thousands per hour” or “thousands per day”, that’s several times more than the current number of travelers without acceptable ID.

The only plausible explanation for the expected many-fold increase in the number of travelers without acceptable ID is that the TSA’s implementation of the REAL-ACT will result in many more air travelers’ ID’s being deemed unacceptable, and that the outsourced system is the one the TSA plans to use for travelers without REAL-ID compliant ID.

The TSA is looking for a new system for dealing with travelers without ID only because it has been forced to abandon its original plan to prevent all such people from flying.

The most important takeaway from the TSA’s latest notice is that the TSA is (still) lying about what REAL-ID Act enforcement and implementation will mean. You will not need a compliant ID to fly. The procedures may change, but you will still be able to fly without ID.

This is a major victory for our legal objections and for the potential of popular resistance.

The TSA has implicitly acknowledged that — either because it lacks legal authority to prevent everyone without “acceptable” or REAL-ID Act compliant ID from flying, or because doing so would cause riots at airports or other forms of popular resistance, or both — it  won’t be able to stop travelers without ID or without compliant ID from flying.

The bad news is the nature of the TSA’s contemplated new procedures for flyers without ID (or without “acceptable” ID).

Currently, the TSA leaves the final decision on whether or not to allow airline passengers without ID to pass through TSA or contractor-operated checkpoints to the discretion of the Federal Security Director (FSD) or their designee on duty at the individual airport.

That decision can be based on what the FSD thinks of the traveler’s looks, the nature of any “unacceptable” ID they present, whether they are willing to complete and sign the illegal TSA Form 415, and their responses to questions relayed via the TSA’s Identity Verification Call Center (IVCC) from the TSA National Transportation Vetting Center (NTVC) based on information in records about the traveler held by the commercial data broker Accurint.

The new process apparently being considered by the TSA would outsource the questioning of travelers without ID or with unacceptable ID to a private for-profit contractor, with that questioning to be administered through a smartphone app. The questions would be based on some aggregation of government and commercial data, and the answers would be assessed according to some secret algorithm to generate a binary pass or fail result.

An identity thief (or ‘bot) with access to the commercial database used as the basis for “pass/fail” determinations would be better able to answer questions about the information in that database than would a real person who is unprepared for this questioning and who has no way to know (or to correct) what misinformation is contained in the database.

A traveler who shows up at a TSA checkpoint would, it appears, be told they have to install the mobile app, pay a fee through the app (which presumably would require a credit or debit card or bank account),  complete the in-app questioning, and show a “pass” result from the app to the TSA staff or contractors in order to “complete screening” and proceed through the checkpoint.

• No cellphone? No fly. (We’ve seen this already in Hawaii.)
• Your cellphone isn’t a smartphone? No fly.
• Your smartphone has a different OS that can’t run the contractor’s app? No fly.
• No charge in your cellphone battery? No fly.
• No signal in the airport? No fly.
• No credit or debit card? No fly.
• Don’t know what misinformation is in data brokers’ records about you? No fly.
• Your record fits a “fail” profile in the contractor’s secret algorithms? No fly.

According to the TSA’s Request for Information, “The system shall be able to identify if the mobile phone has been or is being ‘spoofed’ or had its Subscriber Identification Module (SIM) card swapped”. We’re not sure what that’s supposed to mean, but it suggests that you might not be allowed to use a cellphone with an open-source operating system not rooted to Apple or Google, such as LineageOS, or a SIM purchased anonymously.

Algorithmic profiling is required: “The process shall use data modeling/algorithms to identify multiple risk indicators of stolen, synthetic, or otherwise fraudulent identities….  Indicators may be associated with a collected identity attribute and/or linked from
the third parties’ database based on the collected attribute(s).”

Air travel by people without acceptable ID could be arbitrarily and illegally rationed by the TSA: “The system shall be able to use a unique non-PII identifier to track and/or help create a configurable rule to potentially limit how many times a passenger can attempt to use this solution.”

From the start, we’ve raised questions about the lack of legal basis for the TSA’s fly/no-fly decision-making procedures, and the apparent violation of multiple Federal laws in these practices. The TSA has for years delayed responding to our objections or submitting the current collection of information from travelers without ID for approval by the Office of Management and Budget, as required by the Paperwork Reduction Act (PRA).

Meanwhile, the DHS is trying to get Congress to exempt these programs from the notice-and-comment requirements of the PRA and the Administrative Procedure Act. But it’s not certain that Congress will be wiling to give the TSA an explicit exemption from these laws.

Rather than comply with the law, the TSA is looking for other ways to evade transparency and due process.

The main reason for the TSA to outsource the questioning of travelers and scoring of answers is to evade the rules applicable to collection and use of personal data by Federal agencies. The Privacy Act and the PRA are, at least arguably, inapplicable to data collected by commercial third parties and not passed on to any Federal agency.

This, we presume, is why the TSA’s ‘s Request for Information stipulates that “Third parties’ platform(s) or information systems shall not interface within the boundaries of TSA’s information systems.” The only information to be passed on to checkpoint staff would be whether the identity verification contractor’s secret algorithms, based on the contractor’s secret databases, generated a “pass” or “fail” score: “The objective is to display to a Transportation Security Officer (TSO) that a passenger has a ‘pass’ or a ‘fail’ status.”

The nominal “fly/no-fly” decision will still be made by the TSA, not the contractor. But that “decision” will be a rubber-stamp approval or disapproval based solely on whether the app shows a “pass” or “fail” score,  or whether the would-be traveler doesn’t have a suitable smartphone or is otherwise unable or unwilling to complete the app-based process.

The real question, if the TSA follows through in the outsourcing proposal, is not so much whether outsourcing questioning and scoring of answers can evade the requirements of Federal privacy statutes. The more substantial issues that will probably have to be litigated will be whether a Federal agency (or its checkpoint contractors) can lawfully deny an individual their right to travel by common carrier on the basis of (1) a “fail” message from a private company based on criteria and data that are not disclosed to the subject of that adverse decsion,  (2) a would-be traveler’s unwillingness or inability to answer questions from a commercial third party, or (3) a traveler having used the identity-verification app more than the TSA’s arbitrarily-assigned maximum number of times.

Responses to the TSA’s s Request for Information by prospective contractors are due by August 28, 2020. We’ll be requesting copies of the responses pursuant to the Freedom Of Information Act, but given the TSA’s usual FOIA foot-dragging, responses could take years.

[Thanks to Gary Leff of View from the Wing and Brandi Vincent of Nextgov for calling our attention to the TSA’s Request for Information.]