Aviation Security

Registered Traveler Program Policy and Implementation Issues Gao ID: GAO-03-253 November 22, 2002

The aviation industry and business traveler groups have proposed the registered traveler concept as a way to reduce long waits in airport security lines caused by heightened security screening measures implemented after the September 11 terrorist attacks. In addition, aviation security experts have advocated this concept as a way to better target security resources to those travelers who might pose greater security risks. The Aviation and Transportation Security Act of November 2001 allows the Transportation Security Administration (TSA) to consider developing a registered traveler program as a way to address these two issues. GAO completed this review to inform Congress and TSA of policy and implementation issues related to the concept of a registered traveler program.

Under a variety of approaches related to the concept of a registered traveler program proposed by industry stakeholders, individuals who voluntarily provide personal background information and who clear background checks would be enrolled as registered travelers. Because these individuals would have been pre-screened through the program enrollment process, they would be entitled to expedited security screening procedures at the airport. Through a detailed literature review and interviews with stakeholders, GAO found that a registered traveler program is intended to reduce the inconvenience many travelers have experienced since September 11 and improve the quality and efficiency of airport security screening. Although GAO found support for this program among many stakeholders, GAO also found concerns that such a program could create new aviation security vulnerabilities. GAO also identified a series of key policy and program implementation issues that affect the program, including (1) Criteria for program eligibility; (2) Level of background check required for participation; (3) Security-screening procedures for registered travelers; (4) Technology options, including the use of biometrics to verify participants; (5) Program scope, including the numbers of participants and airports; and (5) Program cost and financing options. Stakeholders offered many different options on how best to resolve these issues. Finally, GAO identified several best practices that Congress and TSA may wish to consider in designing and implementing a registered traveler program. GAO concluded that a registered traveler program is one possible approach for managing some of the security vulnerabilities in our nation's aviation systems. However, decisions concerning key issues are needed before developing and implementing such a program. TSA felt that GAO's report offered a good overview of the potential and the challenges of a registered traveler program. The agency affirmed that there are no easy answers to some of the issues that GAO raised and that these issues need more study.

GAO-03-253, Aviation Security: Registered Traveler Program Policy and Implementation Issues This is the accessible text file for GAO report number GAO-03-253 entitled 'Aviation Security: Registered Traveler Program Policy and Implementation Issues' which was released on November 26, 2002. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products‘ accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. Report to the Honorable Kay Bailey Hutchison, U.S. Senate: November 2002: AVIATION SECURITY: Registered Traveler Program Policy and Implementation Issues: GAO-03-253: GAO Highlights: Highlights of GAO-03-253, a report to the Honorable Kay Bailey Hutchison, U.S. Senate: Why GAO Did This Study: The aviation industry and business traveler groups have proposed the registered traveler concept as a way to reduce long waits in airport security lines caused by heightened security screening measures implemented after the September 11 terrorist attacks. In addition, aviation security experts have advocated this concept as a way to better target security resources to those travelers who might pose greater security risks. The Aviation and Transportation Security Act of November 2001 allows the Transportation Security Administration (TSA) to consider developing a registered traveler program as a way to address these two issues. GAO completed this review to inform Congress and TSA of policy and implementation issues related to the concept of a registered traveler program. What GAO Found: Under a variety of approaches related to the concept of a registered traveler program proposed by industry stakeholders, individuals who voluntarily provide personal background information and who clear background checks would be enrolled as registered travelers. Because these individuals would have been pre-screened through the program enrollment process, they would be entitled to expedited security screening procedures at the airport. Through a detailed literature review and interviews with stakeholders, GAO found that a registered traveler program is intended to reduce the inconvenience many travelers have experienced since September 11 and improve the quality and efficiency of airport security screening. Although GAO found support for this program among many stakeholders, GAO also found concerns that such a program could create new aviation security vulnerabilities. GAO also identified a series of key policy and program implementation issues that affect the program, including: * Criteria for program eligibility; * Level of background check required for participation; * Security-screening procedures for registered travelers; * Technology options, including the use of biometrics to verify participants; * Program scope, including the numbers of participants and airports; and: * Program cost and financing options. Stakeholders offered many different options on how best to resolve these issues. Finally, GAO identified several best practices that Congress and TSA may wish to consider in designing and implementing a registered traveler program. GAO concluded that a registered traveler program is one possible approach for managing some of the security vulnerabilities in our nation‘s aviation systems. However, decisions concerning key issues are needed before developing and implementing such a program. TSA felt that GAO‘s report offered a good overview of the potential and the challenges of a registered traveler program. The agency affirmed that there are no easy answers to some of the issues that GAO raised and that these issues need more study. Contents: Letter: Results in Brief: Background: A Registered Traveler Program Is Intended to Improve Airport Security While Reducing the Inconvenience of Security Screening: Key Policy and Implementation Issues Associated with a Registered Traveler Program: Key Principles to Guide Program Implementation: Concluding Observations: Agency Comments: Appendixes: Appendix I: Scope and Methodology: Appendix II: Interviews Conducted: Appendix III: Testing Results on Leading Biometrics: Types of Biometric Technologies: Appendix IV: Information about Existing Programs for Registered Travelers: Appendix V: GAO Contacts and Staff Acknowledgments: GAO Contacts: Acknowledgments: Table: Table 1: Important Features of Biometric Technologies: Abbreviations: ATA: Air Transport Association: DOT: Department of Transportation: FAA: Federal Aviation Administration: FBI: Federal Bureau of Investigation: INS: Immigration and Naturalization Service: SENTRI: Secure Electronic Network for Travelers‘ Rapid Inspection: TSA: Transportation Security Administration: TWIC: Transportation Worker Identity Credential: Letter November 22, 2002: The Honorable Kay Bailey Hutchison United States Senate: Dear Senator Hutchison: The terrorist attacks of September 11, 2001, highlighted gaps in aviation security and have continued to affect the ease with which Americans have traditionally traveled by air. Since the attacks, Congress has taken measures to enhance the security of our nation‘s air transportation system through passage of the Aviation and Transportation Security Act (the Act),[Footnote 1] which federalized passenger screeners, mandated the use of explosives detection equipment to screen all checked baggage, called for the reenforcement of cockpit doors, and expanded the federal air marshal program. More extensive screening of passengers and carry-on baggage at airport security checkpoints has been one of the most immediate and visible changes over the past year. The Act also allows for the consideration of other approaches to improve security, such as ’establish[ing] requirements to implement trusted passenger programs and use available technologies to expedite security screening of passengers who participate in such programs, thereby allowing security screening personnel to focus on those passengers who should be subject to more extensive screening.“ Under such a program--which is referred to as a ’trusted,“ ’known,“ or ’registered“ traveler program--those who voluntarily apply to participate in the program and successfully pass background checks would receive a unique identifier or card that enables them to be screened more quickly and promotes greater focus on those passengers who require more extensive screening at airport security checkpoints.[Footnote 2] Recently, discussion among Members of Congress and the aviation industry, at congressional committee hearings and elsewhere, has focused on a registered traveler program as one possible way to better manage security risks by targeting resources more effectively while at the same time reducing long waits at security checkpoints. You asked us to provide information on issues associated with developing and implementing a registered traveler program. As agreed with your office, this report includes information on (1) the potential purposes of a registered traveler program, (2) the key policy and implementation issues that have been raised by interested parties concerning how a registered traveler program might be designed and implemented, and (3) the basic principles that the Transportation Security Administration (TSA) might consider if it implements such a program. In obtaining this information, we conducted an extensive review of existing literature on registered traveler or similar programs, including key studies on issues associated with implementing a registered traveler program. In addition, we interviewed 22 key stakeholders, including officials from the federal government, airline industry, aviation security consulting groups, vendors developing and testing registered traveler applications, and organizations concerned with issues of data privacy and civil liberties. The intent of these interviews was to obtain the opinions and perspectives of officials from organizations that possess extensive awareness of the key issues related to such a program. We did not, however, attempt to empirically validate the information expressed by these officials. (See appendix I for information on our scope and methodology and appendix II for a complete list of interviewees.) We also visited and interviewed officials associated with registered traveler-type programs in two European countries. We will report later on ongoing work related to issues such as the nature and scope of similar programs already established in the United States and abroad and the potential costs, benefits, and alternatives to implementing a registered traveler program. We performed our work from July 2002 through October 2002 in accordance with generally accepted government auditing standards. Results in Brief: A registered traveler program offers potential for improving security and reducing inconvenience to participating travelers, but it raises several important policy and implementation issues. Our literature review, along with supporters of the program whom we interviewed, identified two primary purposes for such a program. First, it could improve security by better targeting security resources at passengers about whom little is known or who might present a greater security risk. In other words, the program could serve as a useful risk- management tool by selecting the appropriate level of security screening for a passenger according to a prior assessment of personal background information and of that individual‘s potential threat to security. In contrast, two stakeholders told us that they were worried about such a program‘s creating new security threats. Second, such a program might reduce the inconvenience some travelers have experienced as they go through airport security checkpoints, by reducing uncertainties about the length of delay and the level of scrutiny they would likely encounter. Proponents of the program believe that this benefit would encourage travelers, particularly business travelers, to fly more often and thus would help improve the economic health of the aviation industry. It could also benefit related industries that are linked to air travel, including aviation-related manufacturers, and tourism-related businesses, such as hotels and travel agents. Our literature review and discussions with stakeholders identified additional potential objectives of a registered traveler program, such as expediting customer check-in at the ticket counter, tracking miles for frequent fliers, and using demographic data on these travelers for marketing by airlines and others in the tourist industry. However, two representatives of civil liberties groups told us that they opposed such expanded uses of this information as an invasion of a traveler‘s privacy. Our review identified a number of key policy and implementation issues that might have to be addressed before a registered traveler program could be implemented. Stakeholders representing the aviation industry told us, for example, that many of the following policy questions should be left to the federal government to resolve: (1) What criteria should be established to determine eligibility to apply for the program? (2) What kinds of background checks should be used to certify that applicants are eligible to enroll in the program, and who should perform these? (3) Which security-screening procedures should registered travelers undergo, and how should these differ from those used for unregistered travelers? and (4) To what extent do equity, privacy, and liability issues have to be resolved prior to program implementation? Stakeholders offered a variety of options and opinions regarding these questions. For example, stakeholders indicated that the federal government should determine whether eligibility to apply for participation in a registered traveler program should be limited only to those who have held U.S. citizenship for a specified number of years, or whether citizens from other countries should be allowed to participate. Similarly, stakeholders differed in their views about whether background checks should be limited to credit checks and other publicly available information, or should also include checking an applicant‘s name against national databases of criminal records. In addition to these policy questions, several stakeholders we contacted raised a number of practical questions to consider when designing and implementing a program, including (1) What technology decisions have to be addressed in designing a registered traveler program? (2) How many airports and how many passengers should participate in a registered traveler program? and (3) How much will the program cost, and who will be responsible for its financing? For example, although most stakeholders we contacted agree that proven biometric identification technology is available and is a necessary component of a registered traveler program, they differ as to which technology should be used. Regardless of how these key policy and implementation issues are decided, we identified--based on our discussions with stakeholders and our review of pertinent literature and best practices for implementing new programs--the following basic principles to help TSA if it implements a registered traveler program: * Incorporate ’lessons learned“ from similar programs, especially those related to security procedures, technology, user acceptance, and costs. For example, the United States and Canada have implemented a program that accelerates the inspection of low-risk, pre-enrolled border crossers at ports of entry, while several airports in Europe have experimented with programs similar to that of a registered traveler program. * Initially test the program on a small scale to determine whether it would be feasible and effective, and whether enough travelers would be willing to participate. * Develop performance measures and a system to assess how effectively the program meets stated goals. * Use technologies that are interoperable among different airports and enrollment sites, and select technologies that can readily be updated to keep pace with new developments in security technology, biometrics, and data sharing. At a minimum, interoperability refers to using compatible technologies at different airport checkpoints across the country and, more broadly, could be seen as including other access control points, such as border crossings and ports of entry. Background: A safe and secure aviation system is a critical component to securing the nation‘s overall physical infrastructure and maintaining its economic vitality. Billions of dollars and a myriad of programs and policies have been devoted to achieving such a system. Critical to ensuring aviation security are screening checkpoints, at which screening personnel check over 2 million individuals and their baggage each day for weapons, explosives, and other dangerous articles that could pose a threat to the safety of an aircraft and those aboard it. All passengers who seek to enter secure areas at the nation‘s airports must pass through screening checkpoints and be cleared by screeners. In addition, many airline and airport employees, including flight crews, ground personnel, and concession vendors, have to be cleared by screeners. At the nation‘s 429 commercial airports that are subject to security requirements, screeners use a variety of technologies and procedures to screen individuals. These include x-ray machines to examine carry-on baggage, metal detectors to identify any hidden metallic objects, and physical searches of items, including those that cannot be scanned by x-rays, such as baby carriers or baggage that has been x-rayed and contains unidentified objects. In response to the terrorist attacks of September 11, 2001, the Federal Aviation Administration (FAA) and the air carriers implemented new security controls to improve security. These actions included increased screening of baggage and passengers at airport checkpoints with the use of explosives trace detection devices and hand-held metal detectors, the mandatory removal of laptop computers from carrying cases, and the removal of shoes. They included additional screening of randomly selected passengers at an airline‘s boarding gate. Although these initiatives have been a visible sign of heightened security procedures, they have also, in some instances, caused longer security delays, inconvenienced the traveling public, and raised questions about the merits of using these techniques on assumed lower-risk travelers, such as young children. Congress has also taken actions to improve aviation security. In November 2001, it passed the Aviation and Transportation Security Act, which transferred aviation security from FAA to the newly created TSA and directed TSA to take over responsibility for airport screening. The Act also left to TSA‘s discretion whether to ’establish requirements to implement trusted passenger programs and use available technologies to expedite security screening of passengers who participate in such programs, thereby allowing security screening personnel to focus on those passengers who should be subject to more extensive screening.“: In response to this Act, officials representing aviation and business travel groups have proposed developing a registered traveler program. Under their proposals, travelers who voluntarily provide personal information and clear a background check would be enrolled as registered travelers. These participants would receive some form of identification, such as a card that includes a unique personal characteristic like a fingerprint, which they would use at an airport to verify their identity and enrollment in the program. Because they would have been prescreened, they would be entitled to different security screening procedures at the airport. These could be as simple as designating a separate line for registered travelers, or could include less intrusive screening. Although TSA had initially resisted such a program because of concerns that it could weaken the airport security system, it has recently changed its position and has begun assessing the feasibility and need for such a program and considering the implementation of a test program. The concept underlying a registered traveler program is similar to one that TSA has been studying for transportation workers--a Transportation Worker Identity Credential (TWIC)--that could be used to positively identify transportation workers such as pilots and flight attendants and to expedite their processing at airport security checkpoints. TSA had been studying the TWIC program for several months. Initially, the agency had planned to implement the TWIC program first, saying that any registered traveler program would be implemented after establishing the TWIC program. In recent months, congressional appropriations restrictions have caused TSA to postpone TWIC‘s development. According to a senior agency official, however, TSA was still planning to go forward with studying the registered traveler program concept. A Registered Traveler Program Is Intended to Improve Airport Security While Reducing the Inconvenience of Security Screening: Although most of the 22 stakeholders we interviewed supported a registered traveler program, several stakeholders opposed it. Our literature review and supporters of the program whom we interviewed identified two primary purposes for such a program--improving the quality and efficiency of airport security and reducing the inconvenience that some travelers have experienced by reducing uncertainties about the length of delay and the level of scrutiny they are likely to encounter. The literature we reviewed and more than a half-dozen of the 22 stakeholders we contacted suggested that such a program could help improve the quality and efficiency of security by allowing security officials to target resources at potentially higher risk travelers. Several stakeholders also indicated that it could reduce the inconvenience of heightened security measures for some travelers, thus encouraging Americans to fly more often, and thereby helping to improve the economic health of the aviation industry. Representatives of air traveler groups identified other potential uses of a registered traveler program that were not directly linked to improving aviation security, such as better tracking of frequent flier miles for program participants. Many Stakeholders We Contacted Indicated That a Registered Traveler Program Could Potentially Improve Aviation Security and More Effectively Target Resources: Many of the 22 stakeholders we contacted and much of the literature we reviewed identified the improvement of aviation security as a key purpose for implementing a registered traveler program. Such a program would allow officials to target security resources at those travelers who pose a greater security risk or about whom little is known. This concept is based on the idea that not all travelers present the same threat to aviation security, and thus not everyone requires the same level of scrutiny. Our recent work on addressing homeland security issues also highlights the need to integrate risk management into the nation‘s security planning and to target resources at high-priority risks.[Footnote 3] The concept is similar to risk-based security models that have already been used in Europe and Israel, which focus security on identifying risky travelers and more appropriately matching resources to those risks, rather than attempting to detect objects on all travelers. For example, one study suggested that individuals who had been prescreened through background checks and credentialed as registered travelers be identified as low risk and therefore subjected to less stringent security. This distinction would allow security officials to direct more resources and potentially better screening equipment at other travelers who might pose a higher security risk, presumably providing better detection and increased deterrence. In addition, several stakeholders also suggested that a registered traveler program would enable TSA to more efficiently use its limited resources. Several of these stakeholders suggested that a registered traveler program could help TSA more cost-effectively focus its equipment and personnel needs to better meet its security goals. For example, two stakeholders stated that TSA would generally not have to intensively screen registered travelers‘ checked baggage with explosives detection systems that cost about $1 million each. As a result, TSA could reduce its overall expenditures for such machines. In another example, a representative from a major airline suggested that because registered travelers would require less stringent scrutiny, TSA could provide a registered traveler checkpoint lane that would enable TSA to use fewer screeners at its checkpoint lanes; this would reduce the number of passenger screeners from the estimated 33,000 that it plans to hire nationwide. In contrast, several stakeholders and TSA officials said that less stringent screening for some travelers could weaken security. For example, two stakeholders expressed concerns that allowing some travelers to undergo less stringent screening could weaken overall aviation security by introducing vulnerabilities into the system. Similarly, the first head of TSA had publicly opposed the program because of the potential for members of ’sleeper cells“--terrorists who spend time in the United States building up a law-abiding record--to become registered travelers in order to take advantage of less stringent security screening. The program manager heading TSA‘s Registered Traveler Task Force explained that the agency has established a baseline level of screening that all passengers and workers will be required to undergo, regardless of whether they are registered. Nevertheless, a senior TSA official told us that the agency now supports the registered traveler concept as part of developing a more risk-based security system, which would include a refined version of the current automated passenger prescreening system. While the automated prescreening system is used on all passengers, it focuses on those who are most likely to present threats. In contrast to a registered traveler program, the automated system is not readily apparent to air passengers. Moreover, the registered traveler program would focus on those who are not likely to present threats, and it would be voluntary. Some stakeholders we contacted said that a registered traveler program, if implemented, should serve to complement the automated system, rather than replace it. Some Believe That a Registered Traveler Program Could Potentially Reduce the Inconvenience of Security Screening Procedures: According to the literature we reviewed and our discussions with several stakeholders, reducing the inconvenience of security screening procedures implemented after September 11, 2001, constitutes another major purpose of a registered traveler program, in addition to potentially improving security. The literature and these stakeholders indicated that participants in a registered traveler program would receive consistent, efficient, and less intrusive screening, which would reduce their inconvenience and serve as an incentive to fly more, particularly if they are business travelers. According to various representatives of aviation and business travelers groups, travelers currently face uncertainty regarding the time needed to get through security screening lines and inconsistency about the extent of screening they will encounter at various airports. For example, one stakeholder estimated that prior to September 11, 2001, it took about 5 to 8 seconds, on average, for a traveler to enter, be processed, and clear a security checkpoint; since then, it takes about 20 to 25 seconds, on average, resulting in long lines and delays for some travelers. As a result, travelers need to arrive at airports much earlier than before, which can result in wasted time at the airport if security lines are short or significant time spent in security lines if they are long. Additionally, a few stakeholders stated that travelers are inconvenienced when they are subjected to personal searches or secondary screening at the gates for no apparent reason. While some stakeholders attributed reductions in the number of passengers traveling by air to these inconveniences, others attributed it to the economic downturn. Some literature and three stakeholders indicated that travelers, particularly business travelers making shorter trips (up to 750 miles), have as a result of these inconveniences reduced the number of flights they take or stopped flying altogether, causing significant economic harm to the aviation industry. For example, according to a survey of its frequent fliers, one major airline estimates that new airport security procedures and their associated inconveniences have caused 27 percent of its former frequent fliers to stop flying. Based on this survey‘s data, the Air Transport Association, which represents major U.S. air carriers, estimates that security inconveniences have cost the aviation industry $2.5 billion in lost revenue since September 11, 2001. Supporters of a registered traveler program indicated that it would be a component of any industry recovery and that it is particularly needed to convince business travelers to resume flying. To the extent that registered travelers would fly more often, the program could also help revitalize related industries that are linked to air travel, including aviation- related manufacturing and such tourism-related businesses as hotels and travel agencies. However, not all stakeholders agreed that a registered traveler program would significantly improve the economic condition of the aviation industry. For example, officials from another major U.S. airline believed that the declining overall economy has played a much larger role than security inconveniences in reducing air travel. They also said that most of their customers currently wait 10 minutes or less in security lines, on average--significantly less than immediately after September 11, 2001--and that security inconveniences are no longer a major issue for their passengers. Other Potential Uses for a Registered Traveler Program: In addition to the two major purposes of a registered traveler program, some stakeholders and some literature we reviewed identified other potential uses. For example, we found that such a program could be part of an enhanced customer service package for travelers and could be used to expedite check-in at airports and to track frequent flier miles. Some stakeholders identified potential law enforcement uses, such as collecting information obtained during background checks to help identify individuals wanted by the police, or tracking the movement of citizens who might pose criminal risks. Finally, representatives of air traveler groups envisioned extensive marketing uses for data collected on registered travelers by selling it to such travel-related businesses as hotels and rental car companies and by providing registered travelers with discounts at these businesses. Two stakeholders envisioned that these secondary uses would evolve over time, as the program became more widespread. However, civil liberties advocates we spoke with were particularly concerned about using the program for purposes beyond aviation security, as well as about the privacy issues associated with the data collected on program participants and with tracking their movements. Key Policy and Implementation Issues Associated with a Registered Traveler Program: Our literature review and discussions with stakeholders identified a number of policy and implementation issues that might need to be addressed if a registered traveler program is to be implemented. Stakeholders we spoke with held a wide range of opinions on such key policy issues as determining (1) who should be eligible to apply to the program; (2) the type and the extent of background checks needed to certify that applicants can enroll in the program, and who should perform them; (3) the security screening procedures that should apply to registered travelers, and how these would differ from those applied to other travelers; and (4) the extent to which equity, privacy, and liability issues would impede program implementation. Most stakeholders indicated that only the federal government has the resources and authority to resolve these issues. In addition to these policy questions, our research and stakeholders identified practical implementation issues that need to be considered before a program could be implemented. These include deciding (1) which technologies to use, and how to manage the data collected on travelers; (2) how many airports and how many passengers should participate in a registered traveler program; and (3) which entities would be responsible for financing the program, and how much it would cost. Most Stakeholders We Contacted Agreed That the Federal Government Should Address Key Policy Issues When Developing a Registered Traveler Program: Most stakeholders we contacted agreed that, ultimately, the federal government should make the key policy decisions on program eligibility criteria, requirements for background checks, and specific security- screening procedures for registered travelers. In addition, the federal government should also address equity, privacy, and liability issues raised by such a program. Stakeholders also offered diverse suggestions as to how some of these issues could be resolved, and a few expressed eagerness to work with TSA. Stakeholders Identified Differing Options for Program Eligibility: Although almost all the stakeholders we contacted agreed that a registered traveler program should be voluntary, they offered a wide variety of suggestions as to who should be eligible to apply to the program. These suggestions ranged from allowing any U.S. or foreign citizen to apply to the program to limiting it only to members of airline frequent flier programs. Although most stakeholders who discussed this issue with us favored broad participation, many of them felt it should be limited to U.S. citizens because verifying information and conducting background checks on foreigners could be very difficult. Several stakeholders said that extensive participation would be desirable from a security perspective because it would enable security officials to direct intensive and expensive resources toward unregistered travelers who might pose a higher risk. Several stakeholders indicated that it would be unfair to limit the program only to frequent fliers, while representatives from two groups indicated that such a limitation could provide airlines an incentive to help lure these travelers back to frequent air travel. Stakeholders Proposed Alternatives for Background Check Requirements: We also found differing opinions as to the type and extent of background check needed to determine whether an applicant should be eligible to enroll in a registered traveler program. For example, one stakeholder suggested that the background check should primarily focus on determining whether the applicant exists under a known identity and truly is who he or she claims to be. This check could include verification that an individual has paid income taxes over a certain period of time (for example, the past 10 years), has lived at the same residence for a certain number of years, and has a sufficient credit history. Crosschecking a variety of public and private data sources, such as income tax payment records and credit histories, could verify that an applicant‘s name and social security number are consistent. However, access to income tax payment records would probably require an amendment to existing law.[Footnote 4] Another stakeholder said that the program‘s background check should be similar to what is done when issuing a U.S. passport. A passport check consists, in part, of a name check against a database that includes information from a variety of federal sources, including intelligence, immigration, and child support enforcement data. In contrast, others felt that applicants should undergo a more substantial check, such as an FBI-type background check, similar to what current airline or federal government employees must pass; or a criminal background check, to verify that the applicant does not have a criminal history. This could include interviewing associates and neighbors as well as credit and criminal history checks. In this case, applicants with criminal histories might be denied the right to participate in a registered traveler program. No matter what the extent of these checks, most stakeholders generally agreed that the federal government should perform or oversee them. They gave two reasons for this: (1) the federal government has access to the types of data sources necessary to complete them, and (2) airlines would be unwilling to take on the responsibility for performing them because of liability concerns. One stakeholder also suggested that the federal government could contract out responsibility for background checks to a private company, or that a third-party, nonprofit organization could be responsible for them. A majority of stakeholders also agreed that the federal government should be responsible for developing the criteria needed to determine whether an applicant is eligible to enroll and for making the final eligibility determination. Some stakeholders also stated that background checks should result in a simple yes or no determination, meaning that all applicants who passed the background check would be able to enroll in the program and the ones who did not pass would be denied. Other stakeholders alternatively recommended that all applicants be assigned a security score, determined according to the factors found during the background check. This security score would establish the level of screening given an individual at a security checkpoint. TSA has indicated that, at a minimum, the government would have to be responsible for ensuring that applicants are eligible to enroll and that the data used to verify identities and perform background checks are accurate and up-to-date. Security Screening Procedures for Registered Travelers Would Differ from Procedures for Other Passengers: All the stakeholders we contacted agreed that registered travelers should be subjected to some minimum measure of security screening, and that the level of screening designated for them should generally be less extensive and less intrusive than the security screening required for all other passengers. Most stakeholders anticipated that a participant would receive a card that possessed some unique identifier, such as a fingerprint or an iris scan, to identify the participant as a registered traveler and to verify his or her identity. When arriving at an airport security checkpoint, the registered traveler would swipe the card through a reader that would authenticate the card and verify the individual‘s identity by matching him or her against the specific identifier on the card. If the card is authenticated and the holder is verified as a registered traveler, the traveler would proceed through security. Most stakeholders suggested that registered travelers pass through designated security lines, to decrease the total amount of time they spend waiting at the security checkpoint. If the equipment cannot read the card or verify the traveler‘s identity, or if that passenger is deemed to be a security risk, then the traveler would be subjected to additional security screening procedures, which might also include full-body screening and baggage searches. If the name on the registered traveler card matches a name on a watch-list or if new concerns about the traveler emerge, the card could be revoked. A common suggestion was that registered travelers would undergo pre- September 11th security-screening measures, which involved their walking through a magnetometer and the x-raying of their carry-on baggage. Moreover, they would not be subjected to random selection or additional security measures unless warranted, and they would be exempted from random secondary searches at the boarding gate. According to TSA officials, the agency is willing to consider some differentiated security procedures for program participants. As for security procedures for those not enrolled in such a program, several stakeholders agreed that nonparticipants would have to undergo current security screening measures, at a minimum. Current security measures involve walking through a magnetometer, having carry-on baggage run through an x-ray machine, and being subjected to random searches of baggage for traces of explosives, hand searches for weapons, and the removal of shoes for examination. Travelers may also be randomly selected for rescreening in the gate area, although TSA has planned pilot programs to determine whether to eliminate this rescreening. Other stakeholders suggested that travelers who were not enrolled in the registered traveler program should be subjected to enhanced security screening, including more stringent x-rays and baggage screening than are currently in place at the airports. These stakeholders thought that because little would be known about nonparticipants, they should be subjected to enhanced security screening measures. In addition, several stakeholders mentioned that a registered traveler program might be useful in facilitating checked-baggage screening. For example, one stakeholder suggested that the x-ray screening of registered travelers‘ baggage could be less intensive than the screening required for all other passengers, thus reducing the time it would take to screen all checked baggage. A few stakeholders even suggested that the most sophisticated baggage screening technology, such as explosives detection machines, would not be needed to screen a registered traveler‘s checked baggage. However, the 2001 Aviation and Transportation Security Act requires the screening of all checked baggage, and using a registered traveler program to lessen the level of the checked baggage screening would not be permissible under the requirements of the Act. Stakeholders Raised Equity, Privacy, and Liability Concerns: Finally, our research and discussions with stakeholders raised nonsecurity-related policy issues, including equity, privacy, and liability concerns that could impede implementation of a registered traveler program. With respect to equity issues, some stakeholders raised concerns that the federal government should carefully develop eligibility and enrollment criteria that would avoid automatically excluding certain classes of people from participating in the program. For example, requiring applicants to pay a high application or enrollment fee could deter some applicants for financial reasons. In addition, concern was expressed that certain races and ethnicities, mainly Arab-Americans, would be systematically excluded from program participation. Most stakeholders, however, did not generally view equity issues as being a major obstacle to developing the program, and one pointed to the precedent set by existing government programs that selectively confer known status to program participants. For example, the joint U.S./Canadian NEXUS pilot program, a program for travelers who frequently cross the U.S./Canadian border, is designed to streamline the movement of low-risk travelers across this border by using designated passage lanes and immigration-inspection booths, as well as some risk-management techniques similar to those proposed for use in a registered traveler program. With respect to privacy issues, civil liberties advocates we spoke with expressed concerns that the program might be used for purposes beyond its initial one and that participants‘ information would need protection. They were particularly concerned about the potential for such a program to lead to the establishment of a national identity card, or to other uses not related to air travel. For example, some suggested that there could be enormous pressure on those who are not part of the program to apply, given the advantages of the program, and this would therefore, in effect, lead to a national identity card. One stakeholder raised a concern about the card‘s becoming a prerequisite for obtaining a job that includes traveling responsibilities, or the collected information‘s being used for other purposes, such as identifying those sought by police. Others countered that because participation in a registered traveler program would be voluntary, privacy concerns should not be a significant issue. According to TSA attorneys, legal protections already in place to prevent the proliferation of private information are probably applicable, and additional safeguards for this program could be pursued. Through our review, we identified two particular liability issues potentially associated with the concept of a registered traveler program. First, it is uncertain which entity would be liable and to what extent that entity would be liable if a registered traveler were to commit a terrorist act at an airport or on a flight. Second, it is also unclear what liability issues might arise if an applicant were rejected based on false or inaccurate information, or the applicant did not meet the eligibility criteria. For the most part, stakeholders who addressed the liability issue maintained that, because the federal government is already responsible for aviation security, and because it is likely to play an integral role in developing and administering such a program, security breaches by registered travelers would not raise new liability concerns. Although the assumption of screening responsibilities has increased the federal government‘s potential exposure to liability for breaches of aviation security, TSA representatives were unsure what the liability ramifications would be for the federal government for security breaches or terrorist acts committed by participants of a registered traveler program. Fewer stakeholders offered views on whether there would be liability issues if an applicant were denied participation in a registered traveler program because of false or inaccurate information. However, some indicated that the federal government‘s participation, particularly in developing eligibility criteria, would be key to mitigating liability issues. One stakeholder said that the program must include appeal procedures to specify under what conditions an individual could appeal if denied access to the program, who or what entity would hear an appeal, and whether an individual would be able to present evidence in his or her defense. Other stakeholders, however, stressed the importance of keeping eligibility criteria and reasons for applicant rejection confidential, because they believe that confidentiality would be crucial to maintaining the security of the program. TSA maintained that if the program were voluntary, participants might have less ability to appeal than they would in a government entitlement program, in which participation might be guaranteed by statute. Some Stakeholders Also Identified Practical Implementation Issues to Consider: In addition to key policy issues, some stakeholders we spoke with identified a number of key program implementation issues to consider. Specifically, they involve choosing appropriate technologies, determining how to manage data collection and security, defining the program‘s scope, and determining the program‘s costs and financing structure. Stakeholders Differed on the Use of Biometric Technology in a Registered Traveler Program: Our research indicated that developing and implementing a registered traveler program would require key choices about which technologies to use. Among the criteria cited by stakeholders were a technology‘s ability to (1) provide accurate data about travelers, (2) function well in an airport environment, and (3) safeguard information from fraud. One of the first decisions that would have to be made in this area is whether to use biometrics to verify the identity of registered passengers and, if so, which biometric identifier to use. The term ’biometrics“ refers to a wide range of technologies that can be used to verify a person‘s identity by measuring and analyzing human characteristics. Identifying a person‘s physiological characteristics is based on data derived from scientifically measuring a part of the body.[Footnote 5] Biometrics provides a highly accurate confirmation of the identity of a specific person. While the majority of those we interviewed said that some sort of biometric identifier is critical to an effective registered traveler program, there was little agreement among stakeholders as to the most appropriate biometric for this program. Issues to consider when making decisions related to using biometric technology include the accuracy of a specific technology, user acceptance, and the costs of implementation and operation. Although there is no consensus on which biometric identifier should be used for a registered traveler program, three biometric identifiers were cited most frequently as offering the requisite capabilities for a program: iris scans (using the distinctive features of the iris), fingerprints, and hand geometry (using distinctive features of the hand). Although each of the three identifiers has been used in airport trials, there are disadvantages associated with each of them. (Appendix III outlines some of the advantages and disadvantages of each.): A few stakeholders also claimed that a biometric should not be part of a registered traveler program. Among the reasons cited were that biometric technology is expensive, does not allow for quick processing of numerous travelers, and is not foolproof. Some studies conducted have concluded that current biometric technology is not as infallible as biometric vendors claim. For example, a German technology magazine recently demonstrated that using reactivated latent images and forgeries could defeat fingerprint and iris recognition systems. In addition, one stakeholder stated that an identity card with a two- dimensional barcode that stores personal data and a picture would be sufficient to identify registered travelers. Such a card would be similar to those currently used as drivers‘ licenses in many states. Registered Traveler Program Raises Data Storage and Maintenance Issues: In addition to choosing specific technologies, stakeholders said that decisions will be needed regarding the storage and maintenance of data collected for the program. These include decisions regarding where a biometric or other unique identifier and personal background information should be stored. Such information could be stored either on a card embedded with a computer chip or in a central database, which would serve as a repository of information for all participants. Stakeholders thought the key things to consider in deciding how to store this information are speed of accessibility, levels of data protection, methods to update information, and protections against forgery and fraudulent use by others. One stakeholder who advocates storing passenger information directly on a ’smart“ card containing an encrypted computer chip said that this offers more privacy protections for enrollees and would permit travelers to be processed more quickly at checkpoints than would a database method. On the other hand, advocates for storing personal data in a central database said that it would facilitate the updating of participants‘ information. Another potential advantage of storing information in a central database is that it could make it easier to detect individuals who try to enroll more than once, by checking an applicant‘s information against information on all enrollees in a database. In theory, this process would prevent duplication of enrollees. Another issue related to storing participant information is how to ensure that the information is kept up-to-date. If participant information is stored in a database, then any change would have to be registered in a central database. If, however, information is stored on an identification card, then the card would have to feature an embedded computer chip to which changes could be made remotely. Keeping information current is necessary to ensure that the status of a registered traveler has not changed because of that person‘s recent activities or world events. One stakeholder noted the possibility that a participant could do something that might cause his or her eligibility status to change. In response to that concern, he stressed that a registered traveler program should incorporate some sort of ’quick revoke“ system. When that traveler is no longer entitled to the benefits associated with the program, a notification would appear the next time the card is registered in a reader. Stakeholders Had Different Opinions about the Scope of a Registered Traveler Program: Stakeholders differed in their opinions as to how many airports and how many passengers should participate in a registered traveler program. While some believe that the program should be as expansive as possible, others maintain that the program would function most efficiently and cost-effectively if it were limited to those airports with the most traffic and to those passengers who fly the most frequently. As for airports, some suggested that all 429 airports subject to security requirements in the United States should be equipped to support the program, to convince more passengers to enroll. Others contended that, because of equipment costs, the program should optimally include only the largest airports, such as the fewer than 100 airports that the FAA classifies as Category X and Category 1 airports, which the vast majority of the nation‘s air travelers use. There were also different opinions as to whether the program should limit enrollment to frequent travelers or should strive for wider enrollment to maximize participation. Representatives of a passenger group asserted that the program should be limited to passengers who fly regularly because one of the goals of the program would be to process known passengers more quickly, and that having too many enrollees would limit the time saved. Others, however, maintained that the program should enroll as many passengers as possible. This case is made largely based on security concerns--the more people who register, the more information is known about a flight‘s passengers. Views Differ on the Program‘s Costs and Financing: It is unclear who would fund any registered traveler program, although a majority of the stakeholders we contacted who discussed the issue expect that participants would have to fund most of its costs. Representatives of aviation traveler groups said that participants would be willing to bear almost all of the costs. One airline representative estimated that frequent passengers would be willing to pay up to $100 for initial enrollment and an additional $25 to $50 annually for renewal. For similar reasons, some stakeholders have suggested that the airlines bear some of the costs of the program, probably by offering subsidies and incentives for their passengers to join, since the aviation industry would also benefit. For instance, one stakeholder said that airlines might be willing to partially subsidize the cost if the airlines could have access to some of the participant information. A few stakeholders also expect that the federal government would pay for some of the cost to develop a registered traveler program. One stakeholder who said the government should pay for a significant portion of the program did so based on the belief that national security benefits will accrue from the program and so, therefore, funding it is a federal responsibility. Others maintained that significant long-term federal funding for the program is unrealistic because of the voluntary aspect of the program, the possibility that it might be offered only to selected travelers, and TSA‘s current funding constraints. In addition to the uncertainty about which entity would primarily fund a registered traveler program, there are also questions about how much the program would cost. None of the stakeholders who were asked was able to offer an estimate of the total cost of the program. A technology vendor who has studied this type of program extensively identified several primary areas of cost, which include but are not limited to background checks, computer-chip-enabled cards, card readers, biometric readers, staff training, database development, database operations, and enrollment center staffing. The fact that the costs of many of these components are uncertain makes estimating the overall program costs extremely difficult. For example, one stakeholder told us that extensive background checks for enrollees could cost as much as $150 each, while another stakeholder maintained that detailed, expensive background checks would be unnecessary. Therefore, the choice of what type of background check to use if a program is implemented would likely significantly influence the program‘s overall costs. Our research indicated that there are also significant price range differences in computer-chip-enabled cards and biometric readers, among other components. Key Principles to Guide Program Implementation: Regardless of the policy and program decisions made about a registered traveler program, we identified several basic principles TSA might consider if it implements such a program. We derived these principles from our discussions with stakeholders and from review of pertinent literature as well as best practices for implementing new programs. Chief among these is the principle that vulnerabilities in the aviation system be assessed in a systematic way and addressed using a comprehensive risk management plan. Accordingly, the registered traveler program must be assessed and prioritized along with other programs designed to address security vulnerabilities, such as enhancing cockpit security, controlling access to secure areas of the airport, preventing unsafe items from being shipped in cargo or checked baggage, and ensuring the integrity of critical air traffic control- computer systems. TSA officials also noted that the agency is responsible for the security of all modes of transportation, not just aviation. They added that a program such as registered traveler needs to be assessed in the broader context of border security, which can include the security of ports and surface border crossings overseen by a number of federal agencies, such as Customs, Coast Guard, and INS. TSA might consider the following principles if, and when, a registered traveler program is implemented: * Apply lessons learned from and experience with existing programs that share similarities with the registered traveler program. This information includes lessons related to such issues as eligibility criteria, security procedures, technology choices, and funding costs. * Test the program initially on a smaller scale to demonstrate its feasibility and effectiveness, and that travelers will be willing to participate. * Develop performance measures and a system for assessing whether the program meets stated mission and goals. * Use technologies that are interoperable across different enrollment sites and access-control points, and select technologies that can readily be updated to keep pace with new developments in security technology, biometrics, and data sharing. At a minimum, interoperability refers to using compatible technologies at different airport checkpoints across the country and, more broadly, could be seen as including other access-control points, such as border crossings and ports of entry. Apply Lessons Learned from Similar Programs: Using lessons learned from existing programs offers TSA an opportunity to identify key policy and implementation issues as well as possible solutions to them. Although not of the scope that a nationwide U.S. registered traveler program would likely be, several existing smaller programs, both in the United States and abroad, address some of the same issues as the registered traveler concept and still present excellent opportunities for policymakers to learn from real-life experiences. For example, in the United States, the INS already has border control programs both at airports and roadway checkpoints to expedite the entry of ’known“ border crossers. Internationally, similar programs exist at Ben Gurion Airport in Israel, Schiphol Airport in Amsterdam, and Dubai International Airport in the United Arab Emirates. In the past, similar pilot programs have also been run at London‘s Gatwick and Heathrow airports. All of these programs rely on credentialing registered travelers to expedite their processing and are candidates for further study. Finally, programs established by the Department of Defense and the General Services Administration that use cards and biometrics to control access to various parts of a building offer potential technology-related lessons that could help design a registered traveler program. (Appendix IV offers a brief description of some of the U.S. and foreign programs.) TSA‘s program manager for the Registered Traveler Task Force stressed that his agency has no role in these other programs, which are different in purpose and scope from the registered traveler concept. He added that these programs focus on expediting crossing at international borders, while the registered traveler concept focuses on domestic security. Test the Program to Demonstrate Its Feasibility, Effectiveness, and Acceptance : In addition to these programs, information could also be gleaned from a registered traveler pilot program. For example, the Air Transport Association has proposed a passenger and employee pilot program. ATA‘s proposed program would include over 6,000 participants, covering both travelers who passed a background check and airline employees. ATA‘s proposal assumes that (1) the appropriate pool of registered traveler participants will be based on background checks against the FBI/TSA watch list, and (2) airlines would determine which employees could apply, and would initiate background checks for them. ATA estimates that the pilot program would initially cost about $1.2 million to implement. To allow TSA and the airlines to evaluate the effectiveness of the program‘s technologies and procedures and their overall impact on checkpoint efficiency, ATA plans to collect data on enrollment procedures, including: the number of individuals who applied and were accepted, the reasons for rejection, and customer interest in the program; reliability of the biometric cards and readers; and checkpoint operational issues. In our discussions, the Associate Under Secretary for Security Regulation and Policy at TSA made it clear that he thought developing a registered traveler pilot program on a small scale would be a necessary step before deciding to implement a national program. TSA officials responsible for assessing a registered traveler program said that they hope to begin a pilot program by the end of the first quarter of 2003. They also noted that much of the available information about the registered traveler concept is qualitative, rather than quantitative. They added that, because the cost-effective nature of a registered traveler program is not certain, a financial analysis is needed that considers the total cost of developing, implementing, and maintaining the technology and the program. Along these lines, they believe that a pilot program and rigorous, fact-based analysis of the costs and benefits of this program will be useful for determining (1) whether the hassle factor really exists, and if so to what extent, (2) whether a registered traveler program will effectively address the need to expedite passenger flow or to manage risk, and (3) whether such a program would be the risk-mitigation tool of choice, given the realities of limited resources. Develop Performance Measures to Ensure the Program Is Achieving Its Goals: In addition to developing performance-based metrics to evaluate the effectiveness of a pilot program, TSA could consider developing similar metrics to measure the performance of a nationwide program if one is created. Our previous work on evaluating federal programs has stressed the importance of identifying goals, developing related performance measures, collecting data, analyzing data, and reporting results.[Footnote 6] Collecting such information is most useful if the data-gathering process is designed during the program‘s development and initiated with its implementation. Periodic assessment of the data should include comparisons with previously collected baseline data. The implementation of a registered traveler program could be helped by following those principles. For example, determining whether, and how well, the program improves aviation security and alleviates passenger inconvenience requires that measurements be developed and data collected and analyzed to demonstrate how well these goals are being met. Such information could include the success of screeners at detecting devices not allowed on airplanes for both enrollees and nonparticipants, or the average amount of time it takes for enrollees to pass through security screening. Use Technologies That Are Interoperable and That Can Be Upgraded in the Future: An effective registered traveler program depends on using technologies that are interoperable across various sites and with other technologies, and can be readily updated to keep pace with new developments in security technology, biometrics, and data sharing. Such a program is unlikely to be airport-or airline-specific, which means that the various technologies will have to be sufficiently standardized for enrollees to use the same individual cards or biometrics at many airports and with many airlines. Consequently, the technologies supporting the nationwide system need to be interoperable so that they can communicate with one another. The FAA‘s experience with employee access cards offers a good lesson on the dangers of not having standards to ensure that technologies are interoperable. As we reported in 1995,[Footnote 7] different airports have installed different types of equipment to secure doors and gates. While some airports have installed magnetic stripe card readers, others have installed proximity card readers, and still another has installed hand-scanning equipment to verify employee identity. As a result, an official from one airline stated that employees who travel to numerous airports have to carry several different identity cards to gain access to specific areas. Another important interoperability issue is the way in which the personal data associated with a registered traveler program relates to other existing information on travelers, most important of which is the automated passenger prescreening system information. Some stakeholders believe it will be crucial that the registered traveler program is integrated into the automated system. Given TSA‘s focus on developing and launching a revised automated passenger prescreening system, such integration will likely be essential. Integrating the data depends on finding a workable technology solution. Furthermore, TSA officials added that interoperability may extend beyond aviation to passengers who enter the United States at border crossings or seaports. They noted that ensuring the interoperability of systems across modes of transportation overseen by a variety of different federal agencies will be a complex and expensive undertaking. An equally important factor to consider is how easily a technology can be upgraded as related technologies evolve and improve. As stakeholders made clear to us, because technologies surrounding identification cards and biometrics are evolving rapidly, often in unpredictable ways, the technology of choice today may not be cost-effective tomorrow. To ensure that a registered traveler program will not be dependent on outdated technologies, it is essential to design a system flexible enough to adapt to new technological developments as they emerge. For example, if fingerprints were initially chosen as the biometric, the supporting technologies should be easily adaptable to other biometrics, such as iris scans. An effective way to make them so is to use technology standards for biometrics, data storage, and operating systems, rather than to mandate specific technology solutions. Concluding Observations: A registered traveler program is one possible approach for managing some of the security vulnerabilities in our nation‘s aviation and broader transportation systems. However, numerous unresolved policy and programmatic issues would have to be addressed before developing and implementing such a program. These issues include, for example, the central question of whether such a program will effectively enhance security or will inadvertently provide a means to circumvent and compromise new security procedures. These issues also include programmatic and administrative questions, such as how much such a program would cost and what entities would provide its financing. Our analysis of existing literature and our interviews with stakeholders helped identify some of these key issues but provide no easy answers. The information we developed should help to focus and shape the debate and to identify key issues to be addressed when TSA considers whether to implement a registered traveler program. Agency Comments: We provided the Department of Transportation (DOT) with a draft of this report for review and comment. DOT provided both oral and written comments. TSA‘s program manager for the Registered Traveler Task Force and agency officials present with legal and other responsibilities related to this program said that the report does an excellent job of raising a number of good issues that TSA should consider as it evaluates the registered traveler concept. These officials provided a number of clarifying comments, which we have incorporated where appropriate. Unless you publicly announce its contents earlier, we plan no further distribution of this report until 15 days from the date of this letter. At that time, we will send copies of this report to interested Members of Congress, the Secretary of Transportation, and the Under Secretary of Transportation for Security. We will also make copies available to others upon request. In addition, the report will be available at no charge on the GAO Web site at http://www.gao.gov. If you or your staff have any questions about this report, please contact me at (202) 512-3650. I can also be reached by E-mail at dillinghamg@gao.gov. Key contributors are listed in appendix V. Signed by Gerald L. Dillingham: Gerald L. Dillingham, Ph.D. Director, Physical Infrastructure: [End of section] Appendixes: Appendix I: Scope and Methodology: To obtain and develop information on the purpose of a registered traveler program and the key policy and implementation issues in designing and implementing it, we conducted an extensive search of existing information and carried out interviews with key stakeholders. These interviews included officials from the federal government, the aviation industry, aviation security consultants, vendors developing and testing registered traveler applications, and organizations concerned with issues of data privacy and civil liberties. We conducted a literature search that identified existing studies, policy papers, and articles from the federal government, the aviation industry, and other organizations on numerous issues associated with designing and implementing a registered traveler program. These issues included the goals or purposes of a registered traveler program and policy and programmatic issues such as the potential costs, security procedures, and technology choices for such a program. We also identified existing studies and papers on specific items, such as the applicability of biometric technologies for use in a registered traveler program and the extent to which programs already exist in the United States and abroad (this detailed information is presented in appendix IV). This literature search also identified key stakeholders regarding designing and implementing a registered traveler program. Based on our literature search, we identified a list of 25 key stakeholders who could provide professional opinions on a wide range of issues involved in a registered traveler program. We chose these stakeholders based on their influence in the aviation industry as well as their expertise in such issues as aviation security, identification technologies, civil liberties, and the air-travel experience. In total, we conducted 22 interviews. We also visited and interviewed officials associated with registered traveler-type programs in two European countries. The intent of our interviews was to gain a further understanding of the issues surrounding a registered traveler program and specific information on such items as the potential costs for implementing a registered traveler program and the technology needs of such a program. In conducting our interview process, we developed a standard series of questions on key policy and implementation issues, sent the questions to the stakeholders in advance, and conducted the interviews. We then summarized the interviews to identify any key themes and areas of consensus or difference on major issues. We did not, however, attempt to empirically validate the information provided to us by stakeholders through these interviews. To identify basic principles that TSA should consider if it decides to implement a registered traveler program, we analyzed existing studies to identify overriding themes that could impact the policy or implementation of such a program. We also analyzed the results of our interviews, to generate a list of key principles. We performed our work from July 2002 through October 2002 in accordance with generally accepted government auditing standards. [End of section] Appendix II: Interviews Conducted: As part of our review of the concept of a registered traveler program, we interviewed the following three aviation experts, each of whom spoke on his own behalf: Admiral Cathal Flynn, former FAA Associate Administrator for Civil Aviation Security Douglas Laird, aviation security consultant Robert Poole, transportation policy expert: We also interviewed representatives from the following 19 organizations: Air Line Pilots Association Airports Council International Air Transport Association Air Travelers Association American Civil Liberties Union Association of Corporate Travel Executives Continental Airlines EagleCheck (technology developer) Electronic Privacy Information Center EyeTicket (technology developer) ICTS International I/O Software (technology developer) Microsoft National Air Transportation Association National Safe Skies Alliance Northwest Airlines Transportation Security Administration Unisys United Airlines: [End of section] Appendix III: Testing Results on Leading Biometrics: The International Biometrics Group considers four types of biometric identifiers as the most suitable for air-travel applications. These identifiers are fingerprint recognition, iris recognition, hand geometry, and facial recognition. Each of these biometrics has been employed, at least on a small scale, in airports worldwide. The following information describes how each biometric works and compares their functionality. Types of Biometric Technologies: Fingerprint recognition: This technology extracts features from impressions made by the distinct ridges on the fingertips. The fingerprints can be either flat or rolled. A flat print captures only an impression of the central area between the fingertip and the first knuckle; a rolled print captures ridges on both sides of the finger. The technology is one of the best known and most widely used biometric technologies. Iris recognition: This technology is based on the distinctly colored ring surrounding the pupil of the eye. The technology uses a small, high-quality camera to capture a black-and-white high-resolution image of the iris. It then defines the boundaries of the iris, establishes a coordinate system over the iris, and defines the zones for analysis within that coordinate system. Made from elastic connective tissue, the iris is a very plentiful source of biometric data, having approximately 450 distinctive characteristics. Hand geometry: This technology measures the width, height, and length of the fingers, distances between joints, and shapes of the knuckles. The technology uses an optical camera and light-emitting diodes with mirrors and reflectors to capture three-dimensional images of the back and sides of the hand. From these images, 96 measurements are extracted from the hand. Hand geometry systems have been in use for more than 10 years for access control at facilities ranging from nuclear power plants to day care centers. Facial recognition: This technology identifies people by areas of the face not easily altered--the upper outlines of the eye sockets, the areas around the cheekbones, and the sides of the mouth. The technology is typically used to compare a live facial scan with a stored template, but it can also be used to compare static images, such as digitized passport photographs. Facial recognition can be used in both verification and identification systems. In addition, because facial images can be captured from video cameras, facial recognition is the only biometric that can also be used for surveillance purposes. Table 1: Important Features of Biometric Technologies: Technology: How it works; Fingerprint: Captures and compares fingertip patterns; Iris: Captures and compares iris patterns; Facial: Captures and compares facial patterns; Hand: Measures and compares dimensions of hand and fingers. Technology: Cost of device; Fingerprint: Low; Iris: High; Facial: Moderate; Hand: Moderate. Technology: Enrollment time; Fingerprint: About 3 minutes, 30 seconds; Iris: 2 minutes, 15 seconds; Facial: About 3 minutes; Hand: About 1 minute. Technology: Transaction time[A]; Fingerprint: 9 to 19 seconds; Iris: 12 seconds; Facial: 10 seconds; Hand: 6 to 10 seconds. Technology: False nonmatch rate[B]; Fingerprint: .2%-36%; Iris: 1.9%- 6%; Facial: 3.3%-70%; Hand: 0%-5%. Technology: False match rate (FMR)[C]; Fingerprint: 0%-8%; Iris: Less than 1%; Facial: 0.3%-5%; Hand: 0%-2.1%. Technology: User acceptance issues; Fingerprint: Associated with law enforcement, hygiene concerns; Iris: User resistance, usage difficulty; Facial: Potential for privacy misuse; Hand: Hygiene concerns. Technology: Factors affecting performance[D]; Fingerprint: Dirty, dry, or worn fingertips; Iris: Poor eyesight, glare, or reflections; Facial: Lighting, orientation of face, and sunglasses; Hand: Hand injuries, arthritis, swelling. Technology: Demonstrated vulnerability[E]; Fingerprint: Artificial fingers, reactivated latent prints; Iris: High-resolution picture of iris; Facial: Notebook computer with digital photographs; Hand: None. Technology: Variability with ages[F]; Fingerprint: Stable; Iris: Stable; Facial: Affected by aging; Hand: Stable. Technology: Commercial availability since; Fingerprint: 1970s; Iris: 1997; Facial: 1990s; Hand: 1970s. [A] Amount of time it takes to verify machine-read biometric versus stored biometric. [B] The probability that individuals who should be matched are not matched by a biometrics system. [C] The probability of an erroneous match in a single template comparison. [D] Human characteristics or measurement condition circumstances that could adversely affect accuracy of biometric systems. [E] Demonstrated methods of beating biometric systems that have been employed in tests. [F] Effects of age, if any, of individual on his or her biometric identifiers. Source: GAO analysis. [End of table] [End of section] Appendix IV: Information about Existing Programs for Registered Travelers: [See PDF for Image] [A] Please see appendix III for an explanation of hand geometry verification technology. Two-finger geometry is a variation on hand geometry. [B] The passport reader used in the IP@SS pilot program was being tested for the ability to read ink and proper passport dimensions only. Source: GAO‘s analysis of program information. [End of section] Appendix V: GAO Contacts and Staff Acknowledgments: GAO Contacts: Gerald L. Dillingham (202) 512-3650 Bonnie A. Beckett (202) 512-6525: Acknowledgments: Key contributors to this assignment were Jean Brady, David Dornisch, David Goldstein, David Hooper, Bob Kolasky, Heather Krause, David Lichtenfeld, and Cory Roman. FOOTNOTES [1] P.L. 107-71. [2] Several different names have been applied to this concept; for this report we refer to it as a registered traveler program. [3] Homeland Security: A Framework for Addressing the Nation‘s Efforts, GAO-01-1158T (Washington, D.C.: Sept. 21, 2001). [4] 26 U.S.C. 6103. [5] The term ’biometrics“ is commonly used to mean both biometric technologies and the characteristics themselves. [6] Managing for Results: Analytic Challenges in Measuring Performance, GAO/HEHS/GGD-97-138 (Washington, D.C.: May 1997). [7] Aviation Security: FAA Can Help Ensure That Airports‘ Access Control Systems Are Cost-Effective, GAO/RCED-95-25 (Washington, D.C.: Mar. 1995). GAO‘s Mission: The General Accounting Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO‘s commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO‘s Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as ’Today‘s Reports,“ on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select ’Subscribe to daily E-mail alert for newly released products“ under the GAO Reports heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. General Accounting Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: