National Academies Press: OpenBook

Legal Implications of Data Collection at Airports (2021)

Chapter: III. AIRPORT DATA USE CASES

Suggested Citation:"III. AIRPORT DATA USE CASES." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

ACRP LRD 42

(1) digital identity; (2) identity management platform; (3) biometric ID verification; and (4) a trust framework. IATA and the International Civil Aviation Organization (ICAO) have worked to develop a certification process of electronic passports and digital identities. Implications of AI and video analytics, smartphone apps, IOT, and so on, each have important privacy considerations.

In Section III below, we will review the primary use cases pertaining to privacy data used at airports today and present legal considerations. These use cases are meant to be illustrative, but not exhaustive.

III. AIRPORT DATA USE CASES

Each year, data use cases within airports continue to grow in number and complexity. Technology advancements generate new opportunities to collect data for a variety of commercial, operational, planning, and security purposes. These data collection activities and data uses involve a wide range of airport stakeholders and users. They also involve numerous types of collection techniques from information gathered from websites and applications to the sensing of signals from passenger devices to the monitoring of movement through CCTV systems. This section will discuss current and emergent airport data use cases to examine data management areas of interest.

For this discussion, a variety of use cases were preliminarily identified. They can be found in the Appendix. From those, five particular use cases were chosen for more in-depth analysis in this section. Those cases are representative of most airport privacy-data types and circumstances of collection and also present unique legal challenges. They include:

• Passenger Pathway Analytics (PPA): video analytics as well as cellphone tracking;
• Biometrics: the use of biometrics in support of check-in, screening, arrivals, and boarding;
• Automated License Plate Recognition (ALPR): both the administrative purpose of managing an airport’s commercial curb as well as law enforcement purposes;
• Airport Digital Marketplace: websites, apps, Wi-Fi, and customer relationship management (CRM) systems; and
• Health Screening/Checks: thermal imaging for detecting passengers or employees who are exhibiting a fever.

The use cases are analyzed within the NIST Privacy Framework.[52] As Figure 1 shows, the NIST Privacy Framework offers a risk-based approach that relates privacy risk from a data processing problem to the potential harm and to the organization responsible for implementing and managing the use case.

Figure 1: Relationship Between Privacy Risk and Organizational Risk[53]

The analysis below leverages the “Identify” component of the NIST Privacy Framework[54] to highlight and discuss common use cases being developed and deployed in the airport environment. Additionally, the discussion demonstrates how to use the framework to assess privacy risk for other techniques of collecting and processing privacy data not covered in this paper.

The NIST Privacy Framework develops the organizational understanding to manage privacy risk for individuals arising from data processing. The categories and subcategories of analysis include:

1. Inventory and Mapping: Defining data processing by systems, products, or services;
2. Business Environment: Airport mission, objectives, stakeholders, and activities are defined and prioritized; this information is used to inform privacy roles, responsibilities, and risk management decisions;
3. Risk Assessment: Understand privacy risks to individuals and the organization implementing the use case; and
4. Data Processing Ecosystem Risk Management: Airport priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions.[55]

After setting the stage for the use case with the NIST Privacy Framework, the case is analyzed applying the FIPPs principles.[56] Those nationally and internationally recognized principles inform information privacy policies both within government and in the private sector.[57]

These use cases are designed to show the type of analysis necessary to identify legal issues in the application of emerging technology by airport and airport stakeholders. The legal issues require further investigation to complete the analysis as much of them are jurisdiction-specific and target specific technology or operational objectives.

[52] NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Nat’l Inst. of Standards & Tech., U.S. Dep’t of Commerce, (Jan. 16, 2020), https://www.nist.gov/system/files/documents/2020/01/16/NIST%20Privacy%20Framework_V1.0.pdf.
[53] Id. at 4 (Figure 3).
[54] Id. at 20-21 (Appendix A).
[55] Id.
[56] See supra footnote 23, (Section II, Literature Review).
[57] See, e.g., Privacy Policy Guidance Memorandum, Dep’t of Homeland Sec. (Dec 29, 2008), https://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-01.pdf (adopting the use of FIPPs by DHS).

A. Use Case Domain #1—Technology Services–PPA

PPA can be categorized as a surveillance capability, collecting data from sensors, sometimes including cameras, to quantify passenger space use and model passenger rate of movement from one area of the airport to another. These kinds of capabilities allow airports and their partners to plan and reorganize in real time to reduce queue times and redesign staffing and services to meet demand. The data can be provided to third-party service providers which inform passengers and provide enhanced services based on how long it will take to travel from curb or parking through check-in, to screening, to concessions, to holding rooms, to baggage, and so on. This data offers important operational insights for airports as well as commercially valuable information for airport stakeholders like airlines, tenants, and concessions.

PPA data is of significant commercial value to concessionaires and airports as it can indicate foot traffic rates and dwell times of passengers in relation to shopping and dining locations. For example, PPA data could be correlated with anonymized point of sale data to create per passenger sales rates—providing a performance metric that compares similar concessions (i.e., coffee shops) across locations. This information would be important to both the airport and concessionaires in understanding the sales performance of their locations. It can be presented with sufficient granularity by time of day, day of week, month of year, so that better decisions can be made to optimize performance. PPA also allows an airport to understand the value of its real estate in more granular terms of foot traffic—setting the stage for pricing rental contracts based on foot traffic per stall vs. a more generalized model.

PPA also provides insights that support airport operations. Staff levels can be decided more accurately to meet a certain level of service. For example, TSA can understand wait times and make adjustments to meet the screening demand and make adjustments against the regular schedule, as well as seasonal implications such as the impacts of cold weather clothes on passenger throughput capacity. Cleaning services can understand foot traffic per restroom and organize cleaning based on the level of use. Maintenance services can understand demand for and level of use for escalators, moving walkways, and elevators—prioritizing maintenance and recovery investments accordingly.

Accurate PPA data can also contribute significantly to improving the passenger journey. Airlines can use PPA data to help understand wait and travel times and make more accurate determinations on how long it will take for a passenger to go from check-in to the gate. This information is critical to helping airlines minimize delays and address missed flights. Similarly, this information can assist travelers and reduce their stress by helping them better understand their ability to catch flights and adjust their travel itineraries if needed. Provided to travel app developers (e.g., Uber, Lyft, Google Maps and/or Waze), insights from PPA can support functionality to help travelers more effectively manage their journey from doorstep to gate. Some airport hotels are already equipping their lobbies with this type of information to help their customers better plan their travel. Accurate PPA data would have commercial value for them as well.

1. Inventory and Mapping:
   a. Systems, products, or services: PPAs have various approaches including LIDAR, Stereo cameras, Wi-Fi, or Bluetooth Low Energy (BLE) (see description below in section d. Data Actions).
   b. Owners or operators: Vendors often install and operate these systems, delivering analytic services, and, upon request, data. Contracts should articulate the airport and vendor’s ownership rights to the data collected and analytics produced.
   c. Individuals or data subjects: The technologies attempt to track airport passengers as the primary data subjects. Airports often request that vendors differentiate employees from passengers in the analytics.
   d. Data actions: Generally, any information that could be characterized as PII is captured and processed at the edge but not collected or retained by the system. Only anonymous data is transmitted to the cloud for added analytics.

      Wi-Fi and BLE: For example, for a PPA system using Wi-Fi and BLE, a MAC address is sensed and encoded at the edge so that the number registered in the central repository is not identifiable to the original MAC address of the devices being tracked. This task can be done by capturing only the last few digits of a MAC address and/or by hashing the MAC address. Thus, while the system may be capable of collecting potential PII, NO PII data should be collected, maintained in, or analyzed by the PPA system.

      Video Analytics: Similarly, with respect to CCTV based input into a PPA system, raw video data is not retained by the PPA system. Video footage is processed to locate passengers in space and time and only an icon representing a passenger is maintained in the system. Using one method, PPA has dedicated cameras that capture and process video at the location of the camera, transmitting only anonymous data (reducing out the video footage). This method does not collect or retain PII as the video footage is never processed to identify anyone from the video footage. Instead, this method strips out the data required for analysis and nothing else is collected or retained in the PPA system. Another approach uses information from existing CCTV systems. Using analytic software, images are taken directly from CCTV cameras or from a video management system. The data is then analyzed and only non-PII data necessary for PPA analysis is extracted. That data is then forwarded for PPA. The raw video may be retained by the general CCTV surveillance system, but it is disconnected from the PPA analysis.
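The Wi-Fi and BLE data action described above (a MAC address encoded at the edge so that the central repository cannot tie it back to the device) is sketched below as an added illustration; it is not code from the report or from any PPA vendor. It uses a keyed hash rather than a plain one, because a plain hash of a 48-bit address can be recomputed by anyone who already holds a candidate address. Assumptions: the edge sensors at one site share a random key that never leaves the edge and is replaced on a schedule, and all class, function and sensor names and the sample MAC addresses (locally administered, constructed) are hypothetical.

```python
"""Edge pseudonymisation of Wi-Fi/BLE MAC addresses for pathway analytics (illustrative)."""
import hashlib
import hmac
import json
import secrets


def normalize_mac(mac: str) -> bytes:
    """Canonicalise 'AA:BB:..', 'aa-bb-..' or 'aabb.ccdd.eeff' to 6 raw bytes."""
    digits = "".join(ch for ch in mac if ch not in ":-.").lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)  # raises ValueError on non-hex input


def unkeyed_token(mac: str) -> str:
    """Plain SHA-256, shown only for comparison: anyone can recompute it."""
    return hashlib.sha256(normalize_mac(mac)).hexdigest()[:16]


class EdgePseudonymizer:
    """Hypothetical edge component; the key exists only in edge memory."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def rotate_key(self) -> None:
        """Replace the key (e.g. daily); tokens issued earlier become unlinkable."""
        self._key = secrets.token_bytes(32)

    def token(self, mac: str) -> str:
        digest = hmac.new(self._key, normalize_mac(mac), hashlib.sha256)
        return digest.hexdigest()[:16]

    def observe(self, sensor: str, mac: str, ts: int) -> dict:
        """Build the only record that leaves the edge: no raw MAC inside."""
        return {"sensor": sensor, "token": self.token(mac), "ts": ts}


def travel_times(records, origin: str, dest: str) -> list:
    """Repository-side analytics: seconds from first sighting at origin to dest."""
    first_seen, times = {}, []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["sensor"] == origin:
            first_seen.setdefault(rec["token"], rec["ts"])
        elif rec["sensor"] == dest and rec["token"] in first_seen:
            times.append(rec["ts"] - first_seen.pop(rec["token"]))
    return times


def demo() -> dict:
    # Constructed sample sightings (locally administered addresses, not real devices).
    mac_a, mac_b = "02:00:00:AA:BB:01", "02:00:00:AA:BB:02"
    edge = EdgePseudonymizer()
    repo = [
        edge.observe("checkin", mac_a, 0),
        edge.observe("checkin", mac_b, 60),
        edge.observe("gate", "02-00-00-aa-bb-01", 840),  # same device, other notation
        edge.observe("gate", mac_b, 1260),
    ]
    stored_tokens = {rec["token"] for rec in repo}
    dump = json.dumps(repo).lower()
    token_day1 = edge.token(mac_a)
    edge.rotate_key()
    return {
        "travel_times_s": travel_times(repo, "checkin", "gate"),
        "raw_mac_in_repository": any(
            normalize_mac(m).hex() in dump or m.lower() in dump
            for m in (mac_a, mac_b)
        ),
        # A party that knows a device's MAC can test an unkeyed store for it...
        "known_mac_matches_unkeyed": unkeyed_token(mac_a)
        in {unkeyed_token(m) for m in ("02-00-00-aa-bb-01", mac_b)},
        # ...but not a keyed store, because the key never left the edge.
        "known_mac_matches_keyed": unkeyed_token(mac_a) in stored_tokens,
        "linkable_after_rotation": edge.token(mac_a) == token_day1,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Travel times between two sensors can still be computed from the tokens while the key is in use; once the key is rotated and discarded, stored tokens can no longer be matched to a device, which is the property an audit of "PII eliminated at the edge" would check.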

      Light Detection and Ranging (LIDAR): LIDAR is a detection system that works on the principle of radar but uses light from a laser. LIDAR is used for PPA by detecting people in a similar fashion as video, but (unlike video) does not collect features that would make people uniquely identifiable from the raw data. While there are intrinsic privacy benefits to using LIDAR versus Video Analytics and Wi-Fi/BLE, LIDAR is expensive and cannot confirm actual travel times from one area of the airport to another. LIDAR also does not support the CCTV public safety surveillance goals of an airport requiring the ability to identify individuals.
   e. Purpose of data actions: Data is analyzed in aggregate form to understand trends and not intended to identify individual passengers. It is intended to allow airport operators and partners to understand travel and processing times, traffic flows, and congestion areas from ticketing, through security, at baggage, and getting to and from transportation options. This data can be used purely for operational purposes and/or sold as a commercial product.
   f. Data elements: Data elements consist of Wi-Fi or BLE (MAC address); LIDAR (point cloud of person); or video cameras (image of person).
   g. Data processing environment: Normally a three-step process consisting of (1) capturing and (2) processing using edge computing techniques, cloud analytics, and API interface with business intelligence for (3) end customer consumption of analytics.

2. Risk Assessment: Understand privacy risks to individuals and the organization implementing the use case.
   a. Contextual Factors: Normally, PPA is a surveillance capability that senses people in a public space, analyzing their movement for aggregate information about flow, dwell times, travel times, and passenger space use demand.
   b. Analytics evaluated for typical biases: Bias in PPA relates to count and movement accuracy and not to accuracy related to the identity of a data subject.
   c. Problematic data actions identified: Unique identifiers for cellphones as they engage Wi-Fi and BLE can potentially be associated with an individual, and stereo cameras may capture facial images associating an individual with a time and place. Anonymization techniques can remove the unique identifier for devices and facial features from the process, reducing risk. While the system is not designed to collect, maintain, or analyze PII data, that type of data may be momentarily captured at the edge by the sensors and anonymized or discarded.
   d. Problematic data actions prioritized: Prioritization is dependent on jurisdiction and an airport’s risk profile. The elimination of PII at the edge needs to be assured.

3. Data Processing Ecosystem Risk Management: Airport priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions.
   a. Data processing ecosystem parties: Vendor, airport, data subjects, and airport stakeholders.
   b. Contracts considered: Typically, airports require vendors to comply with all federal, state, and local laws pertaining to PII.
   c. Interoperability frameworks: Bluetooth hosts Interoperability Prototype test events often and globally, and protocol standardization is well developed.[58]
   d. Data processing ecosystem audits/evaluation: Through transparent testing and experimentation, BLE is well developed as a global technology.

4. FIPPs Analysis:
   a. Notice and Awareness: Key to the issue of notice is an articulation of the purpose of data collection and the techniques employed in collection. Since the PPA system is designed to operate without the collection and use of PII, that fact should be explained as well. While some PPA systems are designed in a manner similar to general CCTV surveillance systems, or in some cases extract data from those systems, the fundamental difference is that PII or even potential PII is not collected. Because there is no PII captured in PPAs, FIPPs notice requirements are not applicable.[59]

      While some jurisdictions may require notice of general CCTV surveillance, this requirement is not universal, and with respect to systems in public places in most U.S. jurisdictions notice is not provided. This contrasts sharply with international privacy protection regimes like GDPR, which require notice.[60] Where notice is not required for general CCTV surveillance systems, which contain information that could be translated into PII, it is unlikely that notice would be required for a PPA system, which does not contain PII.

      If an airport wishes to provide notice, then that is commonly accomplished through signage in the areas where PPA is being employed. Airports may also consider providing notice through posting information about the PPA program and data collection on airport websites or other communications channels. Even if not legally required, providing notice can help foster transparency in airport use of data.
   b. Choice and Consent: Because the PPA system is not collecting PII and notice is not required under a FIPPs analysis, consent is not required. Where an airport decides to provide notice, PPA collection consent could arguably be implied from a person’s continued use of the facility.
   c. Access and Participation: PPA systems must be designed and operated not to maintain any data pertaining to an individual passenger. Identifying data should be removed at the edge or otherwise excluded from analysis with the system storing only anonymized data. Where no PII is being collected and retained, the issue of access is not implicated. Access rights would be limited to ensuring that PII is not being collected or retained.
   d. Integrity and Security: The major data integrity and security concern would be the removal of PII before data analysis and storage.
   e. Enforcement and Redress: Audit capabilities and data controls should be established to ensure that the PPA system is operating without the collection or retention of PII. Where there is inconsistency between program requirements and the performance of the airport or a vendor, there needs to be a process to ensure a return to compliance. The notice should outline the process for individuals to raise concerns about system operations that ensure that PII is not being collected.

[58] Interoperability Is Essential to All Bluetooth Technology Solutions, Bluetooth, https://www.bluetooth.com/specifications/interoperable-prototype-test-events/.
[59] Luke Irwin, Does Your Use of CCTV Comply with the GDPR, IT Governance (Oct. 3, 2019), https://itgovernance.co.uk/blog/does-your-use-of-cctv-comply-with-the-gdpr.
[60] See, e.g., id.

B. Use Case Domain #2—Security and Terminal Operations–Biometrics

Starting in 2007, the U.S. began issuing biometric-enabled passports standardized through the ICAO. Through this initiative, biometrics has become well-established to support passenger screening at CBP checkpoints. Subsequently, private sector companies began operating biometric screening at airports as well.

TSA’s 2016 Biometric Roadmap highlights an intent to roll out biometric matching services to support automating identification processes for international and domestic travelers to include check-in, bag drop, checkpoints, and gate operations.[61] The TSA provided the schematic depicted in Figure 2 to demonstrate how the process would work and the stakeholders involved.

Figure 2: Notional Biometric Passenger Experience Stakeholder Roles and Responsibilities[62]

In June 2017, Delta Airlines launched a biometrically enabled self-bag drop at Minneapolis/St. Paul International Airport (MSP).[63] In January 2018, Los Angeles International Airport (LAX) launched biometric e-gates for boarding flights departing the U.S.[64] Both capabilities are provided by third-party vendors and supported by CBP TVS for biometric matching. Parallel to CBP’s TVS support services for biometric matching, the CLEAR program,[65] which is operated by a private party, is currently operating at several U.S. airports and provides biometric matching services in conjunction with TSA screening operations. Airports and airport stakeholders are exploring ways to incorporate biometric matching services across the passenger pathway. This review addresses the current federally authorized biometric uses at airports.

In all these cases, the biometric matching is performed by third-party software. The hardware that applies that software, check-in kiosks, baggage drops, or eGates, may be provided by airports or airlines, but the matching process and the databases queried for identification are owned by the federal government or federally authorized vendors.

1. Inventory and Mapping:
   a. Systems, products, and services: Biometric systems leverage fingerprints, iris scans, and/or face geometry to automate identity verification processes in support of self-service check-in, bag drop, screening, and boarding operations.
   b. Owners or operators: Typically, third-party vendors are contracted to install and operate the system in cooperation with the airport, airlines, or border security or other security services.
   c. Individuals (or data subjects): Passengers.
   d. Data actions: For CBP TVS supported systems, the passenger’s photo is taken either by CBP-owned cameras or equipment provided by airlines or the airport. TVS compares the new photo with DHS holdings, which include photos previously taken from U.S. passports, visas, or other travel documents. For private sector systems such as CLEAR, a passenger is biometrically enrolled with fingerprint and iris scans in a proprietary system, and verification is performed against these holdings by the company.

      With respect to processes like check-in, bag drop, and boarding, the processing systems replace human review of identification documents. A biometric characteristic, usually facial geometry, serves in lieu of the boarding pass and identification document(s).

      The CLEAR program is currently used only for identity checks in connection with checkpoint screening under the Registered Traveler Program. The program currently performs this function by using fingerprint-based or retinal biometric processes. This “front of the line” service allows for identity check after a voluntary biometric enrollment and screening process. Passenger identity is checked through biometric matching at kiosks supervised by CLEAR employees who then escort passengers to the front of TSA lines for security screening.[66]
   e. Purpose of data actions: To automate and enhance the identity verification process for both security and commercial purposes consistent with the facilitation of passenger movement.
   f. Data elements: Image of face, iris, or fingerprint, which is transformed by proprietary algorithms into a template that is compared and matched against an existing template.
   g. Data processing environment: An optical sensor or scanner captures an image directly from a passenger at the airport.

2. Risk Assessment: Understand privacy risks to individuals and the organization implementing the use case.
   a. Contextual Factors: Biometrics is an automated identity verification system used during passenger processing.
   b. Analytics evaluated for typical biases: While facial image matching is most convenient for passengers, it is still currently controversial as it has shown varying efficacy rates for different ethnicities. Fingerprints and iris scans are generally accepted as more reliable and less controversial but are more expensive and operationally cumbersome.
   c. Problematic data actions identified: Imposter and spoof attacks are presented when someone compromises someone else’s biometric identity. Biometric identities must be stored for comparison reasons, and biometric data breaches pose a major privacy risk. The concept of a seamless travel experience requires exchanges of portions of this data between commercial entities and governmental entities with differing interests, rules, and restrictions on handling information. This exacerbates the process of ensuring privacy protections. In processing the biometric data, it is important that the hardware systems are designed and operated in such a way that no data is collected, retained, or transmitted on the hardware except as specified in program requirements.
   d. Problematic data actions prioritized: Prioritization depends on jurisdiction and an airport’s risk profile for how an airport is using biometrics.

3. Data Processing Ecosystem Risk Management: Airport priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions.
   a. Data processing ecosystem parties identified: CBP TVS, hardware and service vendors, airport, biometric data subjects (passengers and employees).
   b. Contracts considered: Federal regulation governs TSA/CBP use of biometric data. For private operating systems like CLEAR, airports require vendors to comply with all applicable federal, state, and local laws pertaining to biometrics. Use of CLEAR requires amendment to the airport’s federally regulated security program.
   c. Interoperability frameworks: The International Standards Organization (ISO) and the American National Standards Institute (ANSI) National Institute for Science and Technology (NIST) have standards pertaining to biometrics and interoperability (ISO/IEC JTC 1/SC 37,[67] ANSI/NIST-ITL Standard).[68]
   d. Data processing ecosystem audits/evaluation: Through ISO and ANSI/NIST, biometric system audit functions are tested and standardized.

4. FIPPs Analysis:
   a. Notice and Awareness: Through biometric enrollment and subsequent screening/verification, passengers should be clearly advised regarding the purposes of the program and the use that will be made of any PII. The notice should explain the rights of access and methods to correct any inaccurate data. The notice should give contact information so that passengers can exercise access and redress their rights.
   b. Choice and Consent: Passengers and employees provide written consent to biometric enrollment and subsequent screening during enrollment. Once an enrollment occurs, however, it is unclear with respect to the ability of individuals to withdraw. While withdrawal may be permitted from active participation in the privately operated programs, the ability to withdraw information from governmental databases would likely be limited. The scope of the consent should be explained at the time of enrollment.
   c. Access and Participation: Biometric program participants must be able to examine the records maintained about themselves and understand the uses that have been made of that data. While access to some data in the possession of governmental entities like CBP and TSA may be limited for security reasons, data subjects have a right to access biometric information about themselves. There also needs to be processes to correct inaccurate data, and those processes need to be made available to data subjects.
   d. Integrity and Security: CBP TVS has established data integrity and security protocols. For private parties such as Clear, best practices in data security must be assured through contracting as well as through audits.
   e. Enforcement and Redress: The agreement that establishes these programs should ensure audits are conducted to establish compliance with program requirements. There also needs to be a process established to provide for redress in the event of noncompliance. Given the sensitivity of data gathered in biometric databases, remedies for data breach should be a strong consideration.

[61] TSA Biometric Roadmap, For Aviation Security & the Passenger Experience, Trans. Sec. Admin. (Sept. 2018), https://www.tsa.gov/sites/default/files/tsa_biometrics_roadmap.pdf.
[62] Id. at 18.
[63] Delta Opens First Biometric Self-Service Bag Drop in U.S., (2020), https://news.delta.com/delta-opens-first-biometric-self-service-bag-drop-us.
[64] Successful Biometric E-Gate at LAX Blazes Trail for Commercial Aviation, Int’l Airport R. (Jan. 19, 2018), https://www.internationalairportreview.com/news/64154/biometric-e-gate-lax-aviation/.
[65] See Clear, https://www.clearme.com/.
[66] TSA Precheck vs. CLEAR: Reduce Security Time at Airports, Forbes (Oct. 29, 2018), https://www.forbes.com/sites/forbes-personal-shopper/2019/10/29/tsa-precheck-vs-clear-reduce-security-time-at-airports/#483a5d244bd5.
[67] ISO/IEC JTC 1/SC 37 Biometrics, Int’l Standards Org. (2002), https://www.iso.org/committee/313770.html.
[68] ANSI/NIST-ITL Standard, Nat’l Inst. of Sci. & Tech. (Nov. 27, 2019), https://www.nist.gov/programs-projects/ansinist-itl-standard.

C. Use Case Domain #3—Landside Operations–Automated License Plate Recognition (ALPR)

ALPR, also known as Automated Number Plate Recognition (ANPR), is currently employed at many airports to manage vehicle access and/or for various law enforcement or government administrative purposes. For access management, ALPR is used to track vehicles and, in some instances, work in support of billing for programs like commercial vehicle use of airport drop-off or pick-up (DO/PU) zones as well as for parking lot management. With respect to law enforcement, ALPR is used for traffic enforcement and for other investigative functions such as detecting stolen vehicles or vehicles associated with persons wanted on warrants. Administrative uses of ALPR data include gaining insights into traffic patterns for traffic management purposes. In some jurisdictions, ALPR is used in conjunction with revenue collection efforts like booting vehicles for outstanding tickets. These uses of ALPR for law enforcement, traffic management, and commercial activity are consistent with uses that occur outside the airport environment.

1. Inventory and Mapping:
   a. Systems, products, and services: ALPR systems or services are provided by companies that usually specialize in specific operational areas. The systems include cameras capable of capturing license plate data. Software then interprets those video images to create a database of license plates, which can be compared to other databases containing license plate data.

      The databases used for comparison can include a variety of government managed ones linked to PII. Government databases could include motor vehicle registration databases, warrant databases, and databases of stolen vehicles. Comparison databases can also include independently created databases, like a database of vehicles authorized for entry into certain areas (like commercial vehicles in airport pick-up or drop-off areas) or vehicles entering or leaving a parking facility. These records may or may not be connected to PII. Comparison databases will likely have restrictions on the use of data for comparison based on the terms under which the databases are created. Information is then provided through a user interface, which indicates the results of the comparison.

      Law enforcement ALPR systems are linked to criminal justice and governmental records databases or other databases created to monitor specific vehicles and their movement. Access management ALPR systems like those used for open toll roads detecting authorized vehicles and tracking and reporting their presence or systems employed in parking facilities can be linked to vehicle information related to revenue collection. These access management systems can also involve the use of transponders that are frequently linked to billing and payment systems. For parking, ALPR is primarily used to track entry and exit from parking structures and potentially to support “find-my-vehicle” services. Access to license plate data collections will depend on the identity of the user (government or nongovernment) and the nature of the purpose for accessing the data (criminal investigation, revenue collection, traffic planning).
   b. Owners or operators: Typically, third-party vendors are contracted to install and maintain the system in cooperation with airport police or landside operations. Sometimes those vendors provide operational support. Some systems, particularly law enforcement related ones, may require special certifications for access.
   c. Individuals or data subjects: Deciding whether there are data subjects besides the vehicles depends on whether a system associates the owner or operators with the vehicle. This association, common in law enforcement use of ALPR, often matches vehicles to registration records. ALPR as a stand-alone capability is designed to recognize and record license plate information and does not necessarily need to associate that information to an individual. For example, some ALPR systems in parking systems simply compare the license plate number of a vehicle seeking to leave the garage with a database of vehicle plate numbers entering. The system does not check the identity of

the owner or the driver, it simply ensures the parking charges are consistent with the duration of the vehicles entering and exiting the parking garage. Similarly, analytic use of ALPR for functions of vehicle counting or tracking dwell times does not require use of PII associated with the vehicle.
d. Data actions: Two primary methods are used to initiate the capture of license plate data. Some systems use video analytics and others use a trigger device with a still image. The video analytics approach is trending as it requires less equipment and provides additional insights. Video analytics algorithms identify license plates in a video stream and capture an image from that video stream. With a trigger device method, a vehicle is detected, and an image is captured of the rear and front of the vehicle. The captured license plate data is then compared to other databases for differing purposes (law enforcement, revenue collection, etc.).
e. Purpose of data actions: The purpose is primarily vehicle identification through license plate capture. However, more advanced systems can capture vehicle color, type, make, model, etc.
f. Data elements: Image of vehicle with derived descriptive text (license plate number, plus vehicle color, type, make, model, etc.). The data elements of the systems used for comparison vary based on the parameters established for that data’s collection.
g. Data processing environment: Airports typically collect ALPR data along or above public roadways or at entry/exit from the parking structures. The data can also be captured using mobile readers, which are sometimes used in parking facilities to monitor usage. That data can be stored and processed on premises in databases owned by the vendor or the airport, or/and it could be stored and processed through third-party cloud services such as Amazon Web Services, Google Cloud, or Microsoft Azure.

2. Risk Assessment: Understand privacy risks to individuals and the organization implementing the use case.
a. Contextual Factors: Video footage and images captured from the public roadway can potentially reveal (from the raw footage) vehicle passengers and drivers. ALPR systems do not normally include any features that automatically identify a driver or passengers from the raw footage. The metadata from the systems can capture information like date, time, and location of the vehicle. The databases against which captured license plate data is compared may have PII. The use of those databases should be examined to determine whether a particular use of the database is proper. For example, databases with warrant information can only be accessed by law enforcement personnel and only in the context of criminal investigations. Independently created databases, particularly those used in revenue collection, generally have their own terms of use.
b. Analytics evaluated for typical biases: ALPR can potentially misidentify the letters or numbers in the license plate.
c. Problematic data actions identified: Misidentification could potentially erroneously record one vehicle as being present when it is not. Another potential error is the failure to correctly identify the vehicle that was present. Collection of data over time can allow for determination of patterns of vehicle use in the area covered by the ALPR. Problems may also occur if databases for comparison are improperly accessed.
d. Problematic data actions prioritized: Prioritization depends on jurisdiction and an airport’s risk profile in accordance with how ALPR is being used.

3. Data Processing Ecosystem Risk Management: Airport priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions.
a. Data processing ecosystem parties identified: ALPR is operated on airport property. Airport and ALPR system vendors are primary operating parties; end users may include law enforcement, landside operation personnel, revenue personnel. Owners and operators of motor vehicles and particularly public, private, and commercial vehicles are the data subjects. Those systems may compare data with other databases, which will have differing policies for use and access.
b. Contracts considered: Vendor contracts can be direct procurement where the airport owns and operates the system directly, or a build-operate-transfer contract where the vendor operates the system on behalf of the airport. Most law enforcement-based ALPR systems will require operation by law enforcement or law enforcement certified personnel.
c. Interoperability frameworks: An examination of relevant standards organizations such as ISO and NIST revealed no set interoperability framework for ALPR. However, in most countries, there are standards and guidance set at the national or sub-national level. The UK National ANPR Standards[69] is a good example of a national standard. The International Association of Chiefs of Police has promulgated operational guidance for ALPR use.[70] Use of ALPR in the United States is generally governed by legislation and guidance set at the state level. The National Conference for State Legislatures is a good source for a survey of state-level

[69] National ANPR Standards for Policing and Law Enforcement, Version 2.0, U.K. Home Office, (Sept. 2020), https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/913987/NASPLE_Version_2.0_September_2020.pdf.
[70] David J. Roberts & Megan Casanova, Automated License Plate Recognition Systems, Policy and Operational; Guidance for Law Enforcement, U.S. Dep’t of Justice (2012), https://www.ncjrs.gov/pdffiles1/nij/grants/239604.pdf.

legislation.[71] Governmental standards generally apply to law enforcement use of ALPR and not commercial use.
d. Data processing ecosystem audits/evaluation: Audit and evaluation for ALPR is oriented at the same jurisdictional levels as standards and regulations are developed.

4. FIPPs Analysis:
a. Notice and Awareness: Notice requirements for ALPR vary greatly. The use of ALPR for police requirements generally does not have any notice requirement. However, utilization is quite limited. If an airport decides to use ALPR for commercial purposes (like monitoring commercial vehicles for revenue and traffic control purposes) then information about the parameters of the program should be specified in the registration process for the vehicles being monitored. This specification could be in a government database for commercial vehicles registered in the jurisdiction, like a city revenue department where taxi or commercial transport licenses are issued, or in an airport specific database instances where commercial vehicles are required to register to enter airport property. Where the use of ALPR is for traffic planning purposes, the license plate data could be anonymized or not retained. In no event would traffic planning use for that data require linkage to PII. Notice of ALPR monitoring could be provided by signage and/or posted on the airport website with an explanation of how it is used. Local state laws or ordinances need to be consulted to determine if such notice is required.
b. Choice and Consent: Depending on the nature of the use case and the notice provided, consent requirements will also vary. Generally, the consent for law enforcement to use ALPR is derived from the general legal requirements for vehicle licensure. The specific terms of the ALPR use for other than law enforcement should be specified in the registration process. Use of that data should be strictly limited to the specified terms. If, for example, the airport is creating a database to assess charges to commercial vehicles entering the airport, then the airport must ensure that owners or operators identified are consenting to that use of data. Airport use of that data should be limited to the terms of consent.
c. Access and Participation: ALPR systems typically allow operators to segregate data by data subject. Accordingly, owners and operators whose vehicles are being captured by ALPR systems should have the right to access that data. This is particularly so for any system that is used to assess charges or impose penalties. For ALPR in support of policing operations, access rights may be more limited. Certainly, however, if the law enforcement use of ALPR results in an adverse action, the data subject should have the right to access the data. Data subjects need to be able to ensure that airports and/or their contractors are engaged in data retention and use practices consistent with stated purposes tracking the notice and consent mandates. Accordingly, information on records retained concerning the vehicle and use made of the data needs to be available to the data subject.
d. Integrity and Security: ALPR systems can be stand-alone edge computing capabilities, networked and databased, or serviced by cloud IT providers. Each arrangement should follow industry best practices for physical and data security.
e. Enforcement and Redress: Audit capabilities and rights should be implemented by airports and incorporated in contracts with vendors requiring verification that agreed data capabilities and processes are realized. Processes need to be established to correct inaccurate information in databases. Individuals need to be provided notice with respect to those processes. This is true irrespective of the use of the data (e.g., a law enforcement database like a hot list or a commercial one for billing).

D. Use Case Domain #4—Airport Digital Landscape (Websites, Mobile Apps, e-Commerce, Wi-Fi and CRM)

With the advent of online e-commerce and smartphone apps, airports like most of the economy are adjusting service offerings to meet trends in customer engagement and to enhance the passenger experience with digital interfaces. Tailoring and personalizing information according to the profile and context of the passenger requires uniquely identifying the passenger. In airports, the primary methods of doing so are through a web interface, a smartphone app, or a Wi-Fi access point. These three points of engagement can be served by the same back-end CRM system, or they can be managed separately, as is often the case.

CRM is used to collect, manage, and protect customer information according to industry standards and best practices. CRM systems can be used to personalize services such as smart parking and loyalty programs that offer discounts or other perks for regular customers.[72] For example, several airports already offer some form of loyalty programs. These programs offer discounts and rewards to members for a range of airport related services, like shopping, dining, Wi-Fi, access to lounges, and

[71] Pam Greenberg, Automated License Plate Readers, Nat’l Conf. of State Legis. (Feb. 2015), https://www.ncsl.org/research/telecommunications-and-information-technology/automated-license-plate-readers.aspx.
[72] See, e.g., Geoff Whitmore, Should You Join An Airport Rewards Program?, Forbes (Apr. 5, 2019) https://www.forbes.com/sites/geoffwhitmore/2019/04/05/should-you-join-an-airport-rewards-program/#282d341b1286; Ramsey Qubein, Why You Should Join an Airport Loyalty Program, Afar (Nov. 15, 2017) https://www.afar.com/magazine/why-you-should-join-an-airport-loyalty-program.

parking. These programs are sometimes offered by the airports themselves or are offered in conjunction with airlines or other entities.

For websites, mobile apps, e-commerce and/or Wi-Fi access, “cookies” and other similar app features support personalization of experience. Cookies are a small piece of encrypted software, that a user downloads onto their device that collects and stores certain kinds of data. Cookies enable smoother, more efficient internet use, by storing a user’s site-specific information and preferences such as theme, language setting, privacy preferences, and even user IDs and passwords. Performing these tasks ensures that a user does not need to reset these features each time they visit a new page or leave and return to the site or app. On e-commerce sites, cookies also store your shopping cart contents, payment information, and even quick checkout options (including delivery addresses). Some cookies can be used to track the user across multiple web sites (tracking cookies), enabling, for example, advertisements for a product the user has recently viewed on a totally different site.

Cookies can be used by the website operator (first-party cookies) or may also be installed by other parties providing services to the website or app (third-party cookies). Cookie data can also be sold to or otherwise be used by third parties. Understanding why cookies are being used and by whom is important.

Additionally, some websites and mobile apps tap into GPS locations or IP addresses to learn the user’s current location to present the user with information tailored for their current location. Using location to customize the user experience is commonly known as Location-Based Services (LBS). A good example of this is an app with a terminal map that uses an individual’s current location to show where the person is and provide directions to nearby shopping options.

In any of these methods of collecting and using a user’s PII, a privacy notice and consent process should be presented to the user prior to downloading cookies or accessing other PII held on a user’s device. These notice and consent processes are normally presented to the user in a header or footer banner, a corner box, or a persistent pop-up.

1. Inventory and Mapping:
a. Systems/products/services: Websites, Mobile Apps, Wi-Fi Login.
b. Owners or operators: Typically, third-party vendors are contracted to install and operate the system in cooperation with the airport, airlines, and/or concessionaires.
c. Individuals (or data subjects): Passengers and airport employees.
d. Data actions: Data subject downloads cookies or accepts the terms and conditions of app usage, which allows the website, mobile app, or Wi-Fi service to access and store data entered by the data subject directly or collected from the device (i.e., GPS information).
e. Purpose of data actions: To smooth and enable personalization of information and experience.
f. Data elements: User profile information to include name, email, login credentials, address, credit card information, and/or location data.
g. Data processing environment: Website, mobile apps, and Wi-Fi login all operate in connection to devices owned or operated by the data subject.

2. Risk Assessment: Understand privacy risks to individuals and the organization implementing the use case.
a. Contextual Factors: Cookies and mobile apps typically store the privacy data on the data subject’s device. However, if an organization is collecting information from a user to be stored in a CRM system, then this data will be collected and stored either by a vendor on behalf of an airport or by the airport itself.
b. Analytics evaluated for typical biases: The data presented by the user can be text based and could be incorrectly entered.
c. Problematic data actions identified: Identity compromise is a persistent challenge for cookies and any software that hosts identity or credential information. Additionally, erroneous identity information could be presented by the data subject who seeks to be misidentified.
d. Problematic data actions prioritized: Prioritization depends on jurisdiction and an airport’s risk profile in accordance with how cookies and LBS are being used.

3. Data Processing Ecosystem Risk Management: Airport priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions.
a. Data processing ecosystem parties identified: Website, Mobile App, Wi-Fi, and CRM vendors, airport, and data subjects (passengers and employees).
b. Contracts considered: Often third-party vendors develop and operate airport websites and apps. Provisions to safeguard user privacy data should consider such evolving national and international legal developments,[73] and any other appropriate legislation.
c. Interoperability frameworks: Cookies and other website and app support techniques have standard norms and interoperability language dependent on the native format of the website or app in consideration.
d. Data processing ecosystem audits/evaluation: Website cookies and mobile app compliance is well developed and there are even automated third-party audit capabilities now on the market.[74]

[73] Amanda R. Lawrence, Sasha Leonhardt, & Magda Gathani, Insight: Website Cookies and Privacy-GDPR CCPA and Evolving Standards for Online Consent, Bloomberg Law (Nov. 14, 2019), https://news.bloomberglaw.com/privacy-and-data-security/insight-website-cookies-and-privacy-gdpr-ccpa-and-evolving-standards-for-online-consent.
[74] See, e.g., Cookiebot, https://www.cookiebot.com/en/?gclid=CjwKCAjw9vn4BRBaEiwAh0muDIralzbl6eccJrsGf3xM5kXd-FlQ6q8DEAVHi2Uj5kzbp_eRMhqe1VxoCiD4QAvD_BwE.

4. FIPPs Analysis:
a. Notice and Awareness: Notice can appear in several forms depending on jurisdictional requirements for specificity and consent requirements. Sometimes it may simply appear in the text of a privacy policy. In those cases, it is generally assumed that acceptance of cookies is implied by continued use of the website or application. Notice may also appear through banners or pop-ups. This presentation of notice is growing in acceptance and is particularly appropriate where an action to accept cookie use is sought. Some jurisdictions require the scope of notice to indicate the type of information sought, the purpose of collection, and the duration. These notices should apply to third-party cookie use. Notice should also address any disclosure requirements under applicable open records laws.
b. Choice and Consent: Consent can be achieved in three ways. First, some systems simply provide written notice of the policy and imply consent to the announced cookie policies from continued use. Second, the growing use of banners and pop-ups requires users to indicate a consent to cookie policies before proceeding. Those systems can provide for an opt-in or opt-out election. Third, in some jurisdictions, the use of pre-checked boxes with respect to acceptance of cookie policies can raise questions with respect to consent.
c. Access and Participation: Websites and apps often allow users to proceed with limited functionality use for those who opt-out of using cookies, LBS, or other personalization techniques. Denial of access for failure to accept cookies may raise issues as to whether consent is fully voluntary. With respect to participation, the data subject needs to be provided with information on where to obtain information on what information has been collected and to raise concerns. Withdrawal and consent may warrant their own specific procedures.
d. Integrity and Security: Cookie, LBS, and other app personalization techniques have well-developed standards of security. Organizations using these tools need to ensure that privacy and data security standards are met. Detailed provisions need to be made to address potential data breaches of sensitive financial information.
e. Enforcement and Redress: Audit capabilities and rights are typically used by airports in contracts with vendors requiring verification that agreed data capabilities and processes are realized. Procedures should be in place to address concerns of data subjects with respect to any claims of misuse of data. Both federal and state requirements also need to be considered and accounted for with respect to potential data breach occurrences, particularly ones involving sensitive PII like financial information.

E. Use Case Domain #5—Health Checks–Temperature Screening

Responding to the threat of the COVID-19 pandemic, many U.S. airports are investigating the use of health-related technologies to mitigate some of the risk of communicable diseases. One such measure is the use of temperature screening to detect fever, a symptom of COVID-19. Such screening has previously been employed at airports outside the United States, on other occasions. Temperature screening was used in 2003 for the Severe Acute Respiratory Syndrome (SARS) epidemic[75] and again in 2014 for the Ebola outbreak.[76] This use case was chosen as it addresses medically sensitive information, and the privacy and legal parameters on this kind of data are of special consideration. It is currently an open question as to whether the airport, airlines, or federal government are best situated to undertake this data collection,[77] though some U.S. airports are already piloting technology to do so.[78] This case study examines a video/thermal imaging-based screening process, though there are other models for screening available using handheld or kiosk based thermal screening technologies.[79] Additionally, as health screening technologies refine, airports, airlines and even some airport concessionaires are developing and implementing programs for airport-based COVID-19 testing for travelers[80] as

[75] Chorh-Chuan Tan, SARS in Singapore-Key Lessons from an Epidemic, 35 Annals Acad. of Med. 345 (May 2006) http://annals.edu.sg/pdf/35VolNo5200606/V35N5p345.pdf.
[76] Jonathan M Read, et al., Effectiveness of Screening for Ebola at Airports, 385 The Lancet 23 (Jan. 3, 2015), https://www.thelancet.com/journals/lancet/article/PIIS0140-6736(14)61894-8/fulltext.
[77] Runway to Recovery: The United States Framework for Airlines and Airports to Mitigate Public Health Risks of Coronavirus, U.S. Dep’ts of Transp., Homeland Sec., & Health & Human Servs. (July 2020), https://www.transportation.gov/sites/dot.gov/files/2020-07/Runway_to_Recovery_07022020.pdf; see, Steve Dickson, FAA Administrator “Letter to Captain Joseph G. De Porte, President, Airlines Pilot Association, International”, (Apr. 14, 2020) (Declining to exercise FAA preemption authority for aviation safety with respect to health screening for COVID-19), http://www.alpa.org/-/media/ALPA/Files/pdfs/news-events/letters/041420-faa-dickson-reply-covid-19.pdf.
[78] Hannah Sampson, LAX is Testing Fever-Detecting Cameras as Passengers Depart and Arrive, L.A. Times (June 23, 2020), https://www.washingtonpost.com/travel/2020/06/22/lax-is-testing-fever-detecting-cameras-passengers-depart-arrive/.
[79] See e.g., Hugo Martin, Airports are Testing Thermal Cameras and Other Technology to Screen Travelers for COVID-19, L.A. Times (May 13, 2020), https://www.latimes.com/business/story/2020-05-13/airports-test-technology-screen-covid-19.
[80] COVID-19 Testing for Air Travel, Int’l Air Travelers Assoc. (June 16, 2019), https://www.airlines.iata.org/news/covid-19-testing-for-air-travel. See also Michelle Baran, These U.S. and International Airports Have COVID-19 Testing Facilities, AFAR (Nov. 5, 2020), https://www.afar.com/magazine/these-us-airports-to-have-covid-19-testing (documenting COVID-19 testing being conducted at the John F. Kennedy International Airport, LaGuardia Airport, Newark International Airport, Dallas Fort Worth International Airport, Boston Logan International Airport, Tampa International Airport, and San Francisco International Airport).

well as plans to screen airport employees.[81] The rapid growth in COVID-19 testing programs at airports is a stark example of the ability of technology and data solutions to quickly adapt and deploy to address airport-related concerns. In the face of the growing range of differing technologies to collect health data at airports caused by the COVID-19 pandemic, the legal and regulatory systems are moving to address developing concerns. Balancing the need to collect traveler health data with the need to protect privacy and ensure the security of that sensitive data, the legal environment is quickly evolving. This presents significant challenges for airport operators and stakeholders.

1. Inventory and Mapping:
a. Systems/products/services: Visible video, thermal imaging camera, and AI.
b. Owners or operators: Typically, third-party vendors are contracted to install and operate the system in cooperation with the airport, airlines, and/or border security services.
c. Individuals (or data subjects): Passengers and employees.
d. Data actions: Temperature screening often uses a visible camera with AI to recognize a person, as well as a thermal imaging camera to measure temperature pixel by pixel.
e. Purpose of data actions: To enhance processing passengers with additional health checking capabilities. To prevent febrile passengers from traveling with other passengers. To help restore confidence in the safety of air travel.
f. Data elements: Visible video footage, thermal imaging footage, and assessment report.
g. Data processing environment: Typically, in a controlled space at the entrance to a terminal, at check-in, or at TSA screening checkpoint areas.

2. Risk Assessment: Understand privacy risks to individuals and the organization implementing the use case.
a. Contextual Factors: Processing is normally done at the camera level and in the cloud. AI recognition and temperature measurement algorithms assess core body temperature. Audible and visual alarms are raised if any subject exhibits a core body temperature above the fever threshold. Additional health checks are conducted if a passenger exhibits a fever temperature. It is not necessary that the identity of the data subject is linked to the health check’s assessment report, though the visible image captured would show his or her face.
b. Analytics evaluated for typical biases: Temperature can be impacted by the data subject’s level of activity, exposure to heat outside, and the variance of temperature at the point of screening. Techniques, such as targeting the temperature at the tear-duct of the subject, have provided improvements in performance. However, most processes require a secondary screening to determine temperature more accurately and to request additional health information from the data subject.
c. Problematic data actions identified: Understanding the collection risks highlighted in the “Contextual Factors” section above is important to understanding how a system should be designed and managed. Associating a data subject to his or her screening report, storing, and potentially leaking this information. Response actions of personnel with respect to individuals identified with elevated temperatures.
d. Problematic data actions prioritized: Prioritization depends on jurisdiction and an airport’s risk profile.

3. Data Processing Ecosystem Risk Management: Airport priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions.
a. Data processing ecosystem parties identified: Airport, hardware and service vendors, airport, and health checks data subjects (passengers and employees).
b. Contracts considered: If a third-party vendor installs and operates the temperature screening capability, airports must ensure contracts require vendors to comply with all federal, state, and local laws pertaining to health information.
c. Interoperability frameworks: The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) include national standards for the privacy of protected health information, the security of electronic protected health information, and breach notification to consumers.
d. Data processing ecosystem audits/evaluation: HITECH also requires HHS to perform periodic audits of covered entity and business associate compliance with HIPAA Privacy, Security, and Breach Notification Rules. HHS Office for Civil Rights (OCR) enforces these rules, and in 2011, OCR established a pilot audit program to assess the controls and processes covered entities have implemented to comply with them.

4. FIPPs Analysis:
a. Notice/Awareness: As with other video systems, notice of health screening can be achieved through the posting of signage in the area where this screening occurs and/or by screening personnel operating the process. Unlike general CCTV surveillance, health screening use of this technology seems reasonably likely to capture PII, given the fact individuals can and likely

[81] SFO is First U.S. Airport to Launch Rapid COVID Testing for Airport Employees, S.F. Airport (Aug. 24, 2020), https://www.flysfo.com/media/press-releases/sfo-first-us-airport-launch-rapid-covid-testing-airport-employees.


As technology evolves, airports and their partners collect more data from passengers, employees, tenants, concessionaires, airlines, and others. This data is used in many ways, including for facility management, security, ground transportation, marketing, understanding passenger preferences, and enhancing the travel experience.

The TRB Airport Cooperative Research Program's ACRP Legal Research Digest 42: Legal Implications of Data Collection at Airports provides a survey of applicable law; considerations for the collection and safekeeping of data; and a review of the issues that arise related to data collection among airports, their tenants, and other users. It also offers an understanding of the expansion in law around data collection and use.
