The U.S. government is spending $25 million this fiscal year to road test a universal secure identity card loaded with biometric and personal data and tied to government "watch lists." Though the program is aimed at simplifying the security checks that airport personnel and other transportation workers must go through, privacy experts are warning of unintended consequences.
The card, known as the Transportation Worker Identity Credential (TWIC), will allow workers at the nation's railways, ports, mass transit agencies and airports to carry a single card to access secure areas within these facilities. Currently, many of these workers have to carry several individual cards.
"Anyone who needs unescorted access to secure areas of [a transporation facility] would need a TWIC card," a TSA spokesman said.
The credit-card sized device will contain fingerprints, an iris scan, palm geometry and a digital photo. It will have microchip and magnetic strip technology, along with holographic images and ultraviolet printing for added security. Think of it as a kind of universal remote of secure IDs or, if you’re more inclined to a Middle Earth meme, this is the “one card to rule them all.”
The biometric and personal data will be tied to various government “watch lists” that contain the names and data of known or suspected terrorists, according to the Transportation Security Administration, which is overseeing the testing.
“The TWIC will be issued to transportation workers after thorough screening for ties to terrorism and will utilize a biometric to eliminate the use of fraudulent credentials,” said TSA chief David Stone.
A key factor of the card is improved "resource management," TSA said in a statement about the card's rollout. "By positively identifying 'known' transportation workers, the TWIC allows TSA to focus resources on 'unknown' individuals who present a greater threat risk," TSA said.
The rollout of the card for real world use marks the third phase of testing for TWIC. The card was put into use recently at the Port of Long Beach, Calif. Over the next seven months, the card’s use will be expanded to 34 sites in Florida, New Jersey, New York, Pennsylvania and Delaware.
By the end of the phase III testing, TSA hopes to have enrolled some 200,000 transportation workers in the program. Participation is voluntary, a TSA spokesman said.
But just because a worker holds a TWIC doesn’t automatically grant him or her access to secure areas.
“Local facilities are responsible for granting or denying access to their facilities,” Stone told Congress in his response questions during his June confirmation hearings.
Card faces hurdles
Although the card is being narrowly targeted for use by transportation workers, privacy groups are closely watching its implementation.
One concern is that the card may be the victim of “mission creep” and turned into something outside the scope of its original intent, such as becoming the forerunner of a national ID card.
Although the use of TWIC has been “narrowly drawn to transportation security, some provisions require close attention” to ensure that the card doesn’t fall “in the traps of unintended uses,” said the Electronic Privacy Information Center, in formal comments filed to the TSA in October.
And because the TSA intends to hold all the data collected for administering the TWIC in a centralized database, privacy groups caution that such a system could be vulnerable to compromise and mismanagement.
For its part, TSA acknowledges that rolling out the card is a tricky process.
“TWIC is a complex project that needs to balance three key goals: improving security, enhancing commerce, and protecting personal privacy,” Stone told a congressional panel during his confirmation hearings. “Similar to other large integrated projects, TWIC has inherent management and technology challenges as well as program-specific challenges in the fields of identity management systems, information technology, information security, advance credential technology, biometrics, encryption, and physical and logical access control technologies.”
It’s just that laundry list of potential hurdles that worries privacy groups. Because such a large amount of personal information is gathered and made accessible to a large number of people, the potential for compromise is high.
“The information TSA gathers ... has the potential to pose a serious threat to personal privacy and the stated goals of the programs if it is used in ways unrelated to transportation security,” EPIC said in its comments to TSA. “The inclusion of the Social Security Number is especially problematic because it was never intended to be used as an identifier, and its disclosure gives rise to the risk of identity theft,” the center said.
After the prototype phase is complete, a full review of the card’s use under real world circumstances will be done, TSA said. Recommendations for rolling out the card nationwide --or killing the program altogether -- will then be made to the Homeland Security secretary.