Secure Flight: Additional Actions Needed to Determine Program Effectiveness and Strengthen Privacy Oversight Mechanisms

What GAO Found

Since 2009, the Transportation Security Administration’s (TSA) Secure Flight program has changed from a program that identifies passengers as high risk solely by matching them against the No Fly List, composed of individuals who should be precluded from boarding an aircraft, and the Selectee List, composed of individuals who should receive enhanced screening at the airport security checkpoint, to one that assigns passengers a risk category: high risk, low risk, or unknown risk. Secure Flight has established program goals that reflect these new program functions; however, current program performance measures do not allow Secure Flight to fully assess its progress toward achieving all of its goals. Furthermore, TSA lacks timely and reliable information on all known cases of Secure Flight system matching errors.

TSA has processes in place to implement Secure Flight screening determinations at airport checkpoints, but could take steps to enhance these processes. TSA information from May 2012 through February 2014 indicates that screening personnel have made errors in implementing Secure Flight determinations at the checkpoint. However, TSA does not have a process for systematically evaluating the root causes of these screening errors. Evaluating the root causes of screening errors, and then implementing corrective measures, in accordance with federal internal control standards, to address those causes could allow TSA to strengthen security screening at airports.

The Department of Homeland Security Traveler Redress Inquiry Program (DHS TRIP) affords passengers who may have been incorrectly matched to or listed on high-risk lists based on the Terrorist Screening Database (TSDB)—the U.S. government’s consolidated list of known and suspected terrorists—an opportunity to seek redress. Passengers who, through the redress process, are determined to have been misidentified to a TSDB-based high-risk list are added to the TSA Cleared List, which allows them to be cleared (not identified as high risk) nearly 100 percent of time. In fiscal year 2013, DHS TRIP began working to reduce processing time for its redress and appeals cases. Specifically, DHS has reduced its target for average number of days for redress cases to be closed and has established a performance goal for the appeals process.  DHS TRIP plans to periodically review its progress in achieving its appeals performance goal and determine by February 2015 whether further changes to the appeals process are warranted.

TSA has taken steps to implement several of the privacy oversight mechanisms it planned to establish when Secure Flight implementation began in 2009, but additional actions could allow TSA to sustain and strengthen its efforts. TSA has implemented privacy training for new Secure Flight staff, and all DHS employees receive annual privacy training. However, existing Secure Flight staff do not receive job-specific privacy refresher training consistent with Office of Management and Budget (OMB) requirements. Providing job-specific privacy refresher training could further strengthen Secure Flight’s protection of personally identifiable information. TSA also documents some aspects of its Secure Flight privacy oversight mechanisms, such as scheduled destructions of passenger data. However, TSA does not have a mechanism to comprehensively document and track key privacy-related issues and decisions that arise through the development and use of Secure Flight.

As requested, this testimony summarizes the findings from two reports GAO issued in September 2014, about the Secure Flight program: Secure Flight: TSA Should Take Additional Steps to Determine Program Effectiveness (GAO-14-531) and Secure Flight: TSA Could Take Additional Steps to Strengthen Privacy Oversight Mechanisms (GAO-14-647). This testimony summarizes the findings of those reports. For those reports, GAO analyzed TSA documents and data related to performance measures, screener performance at airport checkpoints, the redress process, and privacy protections, and interviewed relevant officials.