Public Transportation Passenger Security Inspections: A Guide for Policy Decision Makers (2007)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

40 Introduction One of the important security decisions transit agencies face is whether to deploy PSIs as a countermeasure to protect their systems against terrorism. When used as a part of an overall systems security approach, PSIs can offer significant benefits that provide a more secure operating environment, even in the open access framework that typifies transit systems. Of course, transit agencies face security risks throughout their systems, not just to those assets that are routinely accessed by passen- gers. There are also security risks associated with the business activities of private entities providing goods or services at tran- sit stations. For example, the delivery to vendors of foods and other retail products can create security problems at loading docks. Further, because such private businesses may have their own security functions or are able to set different security standards than those to which a public entity must adhere, transit agencies are encouraged to explore the options of coordinating security efforts with the private sector. However, the types of threat that this chapter is focused on are those posed by would-be terrorists mingling with regular passengers as a means to attack a transit system. The decision model presented in this chapter is aimed at assisting agencies in deciding whether to institute PSIs to address such threats, and if PSIs are instituted, how to deploy them. In this decision-making model, PSIs refer to inspections conducted without warrants or individualized suspicion. Generally, such inspections are legally permissible only if they can be justified under exceptions to the Fourth Amendment’s warrant and individualized suspicion requirements. When individualized suspicion exists, inspections are subject to normal policing procedures, and such inspections are not covered by the decision-making model. There are a number of tools and methods for carrying out PSIs, including the following: • Behavioral assessments, • Radiation detection pagers, • Explosives detection canines, • Visual/physical bag inspection, • Visual/physical car inspection, • Handheld detectors, • Magnetometers, • Walk-through detection portals (including puffer portals), • Table-top detectors,96 • Baggage scanners, • Explosives detection vans (for ferry operations), and • Detectors integrated into ticket machines and turnstiles (under development/testing). PSI methods can be divided into those that are based on technology and those that aren’t. PSIs that are based on tech- nology require assessment and selection of technology, which requires time and resources. Technologies available for carrying out inspections include the following: • Bulk detection technologies – X-ray – Backscatter X-ray – Millimeter wave imaging – Terahertz imaging • Trace detection technologies – Ion mobility spectrometry (IMS) – Mass spectrometry (MS) – MS variants (emerging) – MS + chromatography, automated MS, environmental monitoring – Surface acoustic wave (SAW) – Optical sensors – Chemical luminescence C H A P T E R 4 PSI Decision-Making Model 96 Note that trace detection technologies can be housed in a table-top scanner often called a document scanner; however, samples can be obtained from any surface, including bags. Trace detection technologies can also be housed in a portable handheld detector.

41 • Intelligent video technology – Facial recognition – Gait/behavior detection (emerging) – Integrated with radiological detection (emerging) • Liquid detection technologies (emerging) • Biosensors – Canine – Molecular biology – Wasps (emerging) • Micro-electro-mechanical systems (MEMS) sensor • Lie detectors At present, use of ionizing radiation is one of the key dis- tinguishing features among technologies because members of the public may object to the use of ionizing radiation, and equipment using ionizing radiation may be subject to state and local regulation. The technology-based methods can be further broken down by certain general characteristics that may be deemed critical for first instance evaluation: footprint, portability, use of ionizing radiation, and maturity of the technology. Given the present state of technology and history of terrorist threats, the decision-making model is primarily focused on explosives as a means of attack, rather than radi- ological, chemical, or biological attacks. However, where relevant information about these other types of threats has been identified, references have been made to PSIs that address these other, overlapping attack risks. Similarly, although the PSIs considered here are primarily aimed at explosives detection, the capability of particular models to detect additional threat types is a significant consideration for deciding between specific equipment models. Deciding whether to institute PSIs can involve a complex mix of political, economic, operational, and legal elements. The benefits of instituting PSIs, in addition to deterring terrorist attacks, may include an increased perception of security on the part of customers; this perception, in turn, has the potential secondary benefits of maintaining or increasing ridership and enhancing the general public’s per- ception of the security of their community. Nonetheless, such additional benefits cannot on their own provide a legal rationale for conducting PSIs. The overarching rationale for determining when to deploy PSI countermeasures must be based on an assessment of the agency’s risk of terrorist attack. The decision-making model presented here is designed to assist transit agencies in sorting through the complexities while maintaining a focus on risk reduction, elimination, or mitigation. It is recommended that the PSI decision be made with the components of the transit agency’s written security plan in mind. If the agency has not yet developed a written security plan, then the decision about whether to institute PSIs should be made in the context of developing an overall system security plan. Fortunately, there are a significant number of transit systems that face a low risk of terrorist attack. For these agencies, conducting PSIs is probably not a good use of resources. In other cases, operational restrictions or limita- tions or budgetary constraints may cause transit agencies to determine that PSIs are either impossible to perform or inappropriate. When an agency makes this decision, a writ- ten record of the reasoning behind the decision not to con- duct PSIs may prove useful—either to explain the decision to the public or to mitigate liability should some sort of terror- ist event in fact take place. (See Appendix D for a discussion of the liability risks of not instituting a PSI program. In real- ity, there are several decision points at which a transit agency may determine that PSIs are not appropriate in its system. It is recommended that regardless of the decision point, the agency document that determination.) However, even when an agency determines that the current risk of attack is low, it is recommended that a contin- gency plan be maintained that sets forth actions that could be taken in case of elevated risk, so that acceptable inspection parameters are known ahead of time. The activities that could be undertaken in support of the contingency plan include the following: conducting legal analysis to support inspections; identifying resources available for rapid deployment; and writing protocols for inspections that would take place at higher levels of alert or in the event of a specific threat of attack. In addition, it may be useful to identify promising technologies under development that could be deployed as they become available.97 Furthermore, having such a plan may enhance the ability to access the resources of DHS. When the decision is made to proceed with PSIs, the type of inspection chosen and how it is implemented will have further operational and legal ramifications. Protocols that are well thought out and appropriate training are crucial to smooth operations and mitigation of any potential liability. Decision–Making Model The methodology presented here provides an overarching model for decision-making. For ease of presentation, the model assumes a decision-making process with three phases: 1. Determining whether the risk of attack is sufficient to create a compelling government need for deterring or detecting attacks and, if so, further evaluating PSIs that could be used to address that need; 97 Explosive detectors deployable on transit vehicles could be developed. See C. Bennett, “Senator Suggests Bomb Detectors for the Subway,” MassTransit web- site. www.masstransitmag.com/article/article.jsp?siteSection=4&id=1199#.

42 2. If inspections are to be instituted, establishing the policy and developing accompanying protocols; and 3. Assessing inspection methods and alternatives for implementation. If PSIs are to be instituted, the transit agency should conduct customer outreach before actual deployment. Outreach is not just a good customer relations strategy; in many instances, cus- tomer outreach is also necessary to ensure the constitutionality of the program. In addition, outreach can be used to develop additional passive surveillance through encouraging the local community to alert law enforcement to suspicious activity or to suspicious persons trying to gain access to the system. Finally, it is recommended that transit agencies conduct a review of their PSI determination annually to examine whether circumstances require commencing, modifying, or terminating PSIs. The authors recognize that transit agencies may not follow the presented methodology step by step. Therefore, to facili- tate understanding, certain steps—for example, prompts for legal analysis—are referred to and repeated more than once. Transit agencies can use these repeated references to assist them in working through the various phases of the decision- making model. Overview of Phase 1—Risk Assessment The Phase 1 sequence follows and is displayed graphically in Figures 1 and 2. As a starting point, transit agencies should consider the risk of attack by asking the following questions: • How likely are terrorists to attack the system? • If the system were attacked, what are its most vulnerable assets? • Of the most vulnerable assets, which are most critical to operations? • How could the agency best protect those assets? It is assumed that most transit agencies have previously answered these questions in whole or in part by conducting one or more prior risk assessments that have taken into account the risk analysis aspects of threat, vulnerability and criticality. Such an analysis is the necessary underpinning of a system security program (as discussed in the FTA’s list of rec- ommended top 20 security measures).98 It is also vitally important that the risk assessment be maintained and updated on a continuing basis. “Resources for Conducting Risk Assess- ments” (see below) provides ready references for accomplish- ing risk analysis. The risk assessment will generate a prioritized list of threats that need to be addressed. The transit agency should gather information through various sources regarding the current threat situation, especially any specific threats against its system or neighboring systems. The agency should then use this information to determine which countermeasures or combination of countermeasures to deploy. The PSI method chosen should be appropriate for addressing the threat, the perpetrator, and the threat material. Perpetrators may be working alone, in coordination with others, or with a terrorist organization. Agencies should institute mitigation efforts against the lone perpetrator with a bomb in a backpack as well as against a terrorist cell seeking to target multiple transit locations simultaneously. Also, perpetrators’ knowledge of transit operations and their level of sophistication regarding threat materials can vary signifi- cantly. Information about terrorist organizations and other perpetrators that may be operating within a particular region can be obtained by the transit agency from state and federal intelligence sources. Because the threat environment is constantly changing, transit agencies need to keep in continuous contact with federal sources to obtain up-to-date intelligence informa- tion and ensure that their threat mitigation efforts are appropriate. Threats against transit systems can range from explosives to cyber attacks. The primary threats are identi- fied and described in this section. While the bulk of PSI focus and effort has been directed at identifying explosives such as improvised explosive devices (IEDs), other threats must be (and are being) taken into account by transit agencies. Major Threats Facing Transit Systems The following the major threats facing transit systems are discussed in this section: arson, explosives, weapons of mass destruction (WMDs), violent confrontations/hostage situa- tions, tampering, power loss, transit vehicle as a weapon, and network failure/cyber attack.99 Arson Arson is an intentionally set fire. It can destroy transit assets within a facility, cause structural damage to the facility itself, cause electrical and mechanical systems failure, and cause 98 FTA, “Top 20 Security Program Action Items for Transit Agencies.” http:// transit-safety.volpe.dot.gov/security/SecurityInitiatives/Top20. 99 Research and Special Programs Administration, John A. Volpe National Transportation Systems Center, Transit Security Design Considerations, FTA- TRI-MA-26-7085-05, DOT-VNTSC-FTA-05-02 (prepared for FTA Office of Research Demonstration and Innovation and FTA Office of Program Manage- ment) (Washington, DC: FTA, November 2004). http://transit-safety.volpe.dot. gov/Security/SecurityInitiatives/default.asp.

43 injuries or fatalities. Toxic fumes produced by burning fuel, oil, plastics, and some paints are a serious health threat and may cause death. Smoke can reduce visibility, obscuring exit path- ways and making escape more difficult for victims. Fires may be intentional or accidental, and countermeasures for either will be relevant for both types. Arson and explosion-related fires, however, may cause more severe damage because they tend to target or cluster around critical systems and equipment. Explosives An explosion is an instantaneous or almost instantaneous chemical reaction resulting in a rapid release of energy. The energy is usually released as rapidly expanding gases and heat, which may be in the form of a fireball. The expanding gases compress the surrounding air, creating a shock wave or pres- sure wave. The pressure wave can cause structural damage to a structure while the fireball may ignite other building materials, leading to a larger fire. Explosives can cause the destruction of assets within a facility, structural damage to the facility itself, and injuries or fatalities. Explosions may start a fire, which may inflict additional damage and cause additional injuries and fatalities. The type and amount of explosive material used and the location of the explosion will determine the overall impact of the explosives. WMDs WMDs are nuclear, radiological, chemical, and biological weapons capable of inflicting mass casualties. Radioactive materials and other contaminants in forms such as powders, liquids, gases, and dirty bombs that are intended to harm large numbers of people are also examples of WMDs. The hazards of WMDs are fatalities, negative health effects, and permanent or temporary contamination of a facility. Because many WMD materials have few discernable physical characteristics, symptoms are the first sign of an attack. In addition, some chemical and biological agents will not produce symptoms for hours or days after the attack has occurred. Determine likely risk of terrorist attack on passenger-vulnerable assets, considering likelihood of attack and potential damage in event of attack. Identify key threats to transit system. (See “Resources for Conducting Risk Assessments.”) No: Include written determination to that effect in security plan. Yes: Proceed to evaluate PSI methods. Consider whether attacks on vulnerable assets might be reasonably deterred or detected by PSIs of any kind. Factors include the nature of vulnerable assets and types of PSIs appropriate at projected level of risk. (See Table 1.) Determine whether current/foreseeable risks of attack on passenger-vulnerable assets merit further consideration of PSIs. (See Table 1.) No: Include written determination to that effect in security plan. Yes: Proceed with analysis. Consider the mix of detection and deterrence and the weight given to each. (Goes to required scope of inspections.) Figure 1. Risk assessment.

44 Violent Confrontations/Hostage Situations Violent confrontations and hostage situations are common on transit systems throughout the world. These confrontations include assaults and robberies within transit vehicles or at tran- sit facilities, which may result in casualties, property loss and damage, and hostage taking. Easy access, remoteness of the vehicle, and available civilians make transit vehicles especially vulnerable to hostage situations. Attackers may use a variety of weapons, including small arms, assault rifles, shoulder- mounted rocket-propelled grenades, knives or other bladed weapons, and small explosives. Tampering Malicious tampering can facilitate the accomplishment of an attack; for instance, tampering with subway track can cause derailment. Transit infrastructure may be damaged by a truck, boat, or airplane carrying explosives to induce structural damage and fatalities and injuries to transit users. Tampering with electrical systems can cause power loss, wreaking havoc on transit operations (especially subway/rail operations, which rely on electrical power). Power Loss Local or regional loss of, or disturbances to, electrical power can significantly disrupt transit service and operations by causing diminished or suspended operations control and signal systems, computer-aided dispatch, and radio systems. Loss of power may be caused by an intentional or uninten- tional event aimed at the transit system or nearby targets. Power losses can affect not only transit operations but also other activities in the vicinity. Transit Vehicle as a Weapon Transit vehicles can become weapons as well as targets. For instance, terrorists may steer a transit vehicle into a building, bridge, or transit infrastructure, or they may plant explosives in a transit vehicle in the storage yard in hopes of detonating it at a later time. A retired transit vehicle may also be an attractive weapon or vehicle for carrying out terrorist opera- tions because of its familiar and innocuous nature. Network Failure/Cyber Attack Network failures and cyber attacks can cause major disruptions to transit service and operations. As more and more transit systems deploy ITS technologies such as AVL and traveler information, the consequences of even small- scale cyber attacks can be serious and cause significant economic damage. There has been more than one case of hackers illegally accessing a transit agency’s control center network and altering displays on electronic message signs. Network failure may also be caused by faulty or damaged internal components and a general computer virus. In any event, to assess the need for and usefulness of PSIs, agencies will often be required to consider factors not previ- ously taken into account. These additional factors relate specifically to identifying operation-critical assets that could be threatened by passengers. As the agency conducts this assessment, the intrusion posed by the PSI under considera- tion must be balanced against the severity of the threat to be guarded against. The intrusion and duration of the inspection itself must be taken into account (how extensive is the inspection? How long does it take?) as well as the intrusion such inspections pose throughout the transit system (Will they be conducted daily or only keyed to fixed indicators? Will they occur everywhere in the system or at fixed points only?). Thus, when an agency determines that assets through- out the entire system face a high risk of attack by passengers, they may choose to conduct PSIs daily throughout the system (as is done in New York City). When an agency determines that specific assets face a high risk of attack by passengers for Perform legal analysis Analyze countermeasures under consideration for current or future use (See “Legal Ramifications of PSI Methods” and “State Law Issues Associated with PSIs.”) Conduct initial operational evaluation What are the operational parameters that PSIs must meet? (See “Parameter Checklist.”) Decide whether to use PSIs Based on operational and legal evaluation of PSI methods, determine whether there are PSI countermeasures to be used either currently or under specified future circumstances. Filter choices Compare PSI operational features to operational parameters to determine whether there are types of PSI methods that the transit agency will not use, regardless of legal analysis. (See Tables 2–6 and “Operational Assessments and Equipment Assessment Checklist.”) Compare PSI methods Compare PSI methods across evaluation criteria. No: Include written determination to that effect in overall security plan. Yes: Proceed to Phase 2. Figure 2. Evaluation of PSI methods.

45 a limited time, that agency may consider conducting PSIs in a limited range of stations for a limited period of time (as in Boston in 2004).100 Following the initial risk assessment, the transit agency may determine that the risk to passenger-vulnerable assets is so low—both currently and under any reasonably foreseeable future circumstances—as to warrant no further action con- cerning PSIs. If so, it is recommended that the agency include information about that determination in its overall security plan. Unless it has been determined that PSIs do not need to be considered, it is recommended that the agency move on to a preliminary evaluation of whether any PSI methods would protect the identified assets by detecting, deterring, or apprehending would-be terrorists. If it conducts such a review, the agency should make a written determination of the circumstances, if any, under which PSIs might be appropriate in its system. In conducting this preliminary assessment, the agency should keep in mind the primary purposes of conducting PSIs: detection and deterrence. The assessment should anticipate that a PSI program aimed at detection will demand continuity and a pervasive presence (e.g., inspections throughout the system all the time). Such a program could be established using a single PSI method throughout the system or a combination of methods—for example, using explosives detection equip- ment in some areas of the system, officer inspections in other areas, and canine teams in still other areas. On the other hand, the New York City Transit model (assuming other federal courts adopt the reasoning of the Second Circuit Court of Appeals) suggests that a PSI program aimed at deterring attacks need not have inspections every- where in the system all the time, so long as the presence is rou- tine yet unpredictable (see Appendix D). Thus, a deterrent program could strategically locate a mix of resources through- out the system, varying locations and times for inspections. Accordingly, it is recommended that the transit agency con- sider the number of vulnerable assets and the types of spaces it needs to protect first in evaluating the usefulness of PSIs as a tool and again in evaluating particular PSI methods. Once the determination is made that there are circumstances under which PSIs may be appropriate, the transit agency must examine whether there are specific PSI countermeasures that should be deployed and the operating conditions associated with their use. Aside from legal analysis, the transit agency may determine that specific countermeasures are unacceptable from an operational perspective or, alternatively, that none of the PSIs are acceptable. However, assuming that operationally appropriate PSI countermeasures are identified, the agency must then con- duct a legal analysis of those methods. The agency can then determine whether there are PSI methods that it can deploy to guard against terrorist attack. Overview of Phase 2—Policy/Protocol Development Once the transit agency has determined that there is suffi- cient justification to deploy PSIs as a countermeasure to combat terrorism, the next step is to establish a policy to govern inspections. The agency should also develop protocols and procedures for personnel to follow in implementing the policy. In the event that the agency decides not to implement inspections immediately, the agency should identify particu- lar threat levels or other indicators that will control when inspections will take place. As a part of this contingency plan- ning, those countermeasures that can be rapidly deployed in response to changing conditions should be prioritized. Indi- cators will also be identified for intensifying existing inspec- tion methods. Figure 3 shows the steps in the policy/protocol development process. Policy and protocol will specify how the set of people or objects to be inspected will be selected for primary inspec- tions and whether there will be varying inspection levels based on passenger volumes. Policy and protocol should also specify how decisions on inspection dates, times, and loca- tions will be made. Additionally, the agency also must specify who is in charge of the inspection process, who will make the required decisions, and who has the authority to make changes to the protocol. 100 The Mineta Transportation Institute (MTI) has suggestions for different threat conditions. See B. M. Jenkins and B. R. Butterworth, Selective Screening of Rail Passengers, MTI Report 06-07 (San Jose, CA: Mineta Transportation Insti- tute, February 2007), 47–51. Develop basic protocols for implementation, including indicators for PSI methods to be used in the future or under specified circumstances. (See “Protocol Issues” and Table 7.) Proceed to Phase 3 Develop contingency plans for future deployment. (See “Contingency Plans.”) Figure 3. Policy/protocol development.

46 The PSI method to be used for primary inspections and the PSI method to be used for secondary inspections should be described in detail in the agency’s policy and protocol. Primary and secondary inspections may or may not include PSI technologies. If PSI technologies are to be used, technol- ogy description, specification, usage guidelines, and required training will be described. If applicable, any steps that can be taken to minimize radiation-related risks to transit person- nel and customers should be clearly indicated. The protocol will state how alarms will be handled if they are not resolved after a secondary inspection or if threat material or contra- band is found. In addition, if there is the possibility of in- nocuous but valid substances triggering an alarm, a list of those materials should be provided in the protocol. If a per- son leaves the area on encountering the inspecting person- nel, a decision on whether or not to follow or detain the per- son needs to be made. This issue should also be addressed in the protocol. The number of transit security personnel and their duties as well as the number of units of detection equipment and the number of canines that will be required for each inspection station should be specified in the protocol. It is also recom- mended that training information (e.g., training content, how security staff will be trained, and how many hours), perfor- mance evaluation, and monitoring procedures be included. Overview of Phase 3—Assessment of PSI Methods Once the transit agency identifies PSI countermeasures deemed appropriate on operational and legal grounds, it must consider whether there are further options for deploy- ment (see Figure 4). For example, if the agency selects canine inspections, it will have to determine what opportunities exist for receiving assistance and support from DHS and/or TSA or whether to acquire the canines through other means. If the canines are not acquired through DHS or TSA, the agency will have to decide between in-house and contracted provi- sion of services, which will require evaluation of training methods and procurement sources. Should the agency select a technology-based method, such as trace detection, it will have to evaluate different models of the equipment. In the case of officer inspections, there may be options in terms of whether to contract with outside security firms to perform the inspections. These additional options may necessitate refinements in the protocols developed in Phase 2. Once deployment options are selected, the agency will have to finalize its performance standards and plan a training curriculum. Phase 1—Risk Assessment The first step is to consider the likelihood that terrorists will attack the system, the features most vulnerable to attack, the most operation-critical vulnerable features, and how best to protect those operation-critical vulnerable features. The results of such considerations should identify the risk of attack by passengers to vulnerable features and include an assessment of the extent to which vulnerable features are operation critical. Important factors in assessing risk are the number of potential casualties and the scope of potential damage. Thus, multimodal facilities and facilities with significant ancillary functions, such as movie theatres or retail stores, should be considered as being at higher risk of attack than small stations. Risk should be considered both for current conditions and reasonably foresee- able future conditions. For example, the agency may determine that there is no current risk of attack, but that the system’s par- ticular profile (e.g., the size of the city in which it is located, the importance of the transit system to local and national economy, or the impact of a terrorist attack), could make it a likely target in the future. It is also important to consider whether an iden- tified risk is ongoing or of limited duration. Resources for Conducting Risk Assessments Resources are available to assist a transit agency in con- ducting such a risk assessment. Some of these resources are the following: • TSA/FTA Security and Emergency Management Action Items for Transit Agencies. (http://transit-safety.volpe.dot. gov/Security/SecurityInitiatives/ActionItems/default.asp) • “Risk Management: An Essential Guide to Protecting Critical Assets” (November 2002). (http://transit-safety. volpe.dot.gov/security/securityinitiatives/top20/2%20– %20security%20problem%20identification/8%20–%20 Canine Options Consider in house v. contracted out and sources for each. (See “Canine Team Evaluation Resources” and “Canine Explosives Detection Team Issues.”) Equipment Options Evaluate models for selected technology. (See “Equipment Evaluation Resources” and “Equipment Checklist.”) Performance Standards (See “Performance Measures.”) Training and Performance Monitoring (See “Training Needs” and “Performance Monitoring.”) Officer Bag Inspections/ Behavioral Assessments Consider in house v. contracted out. Figure 4. Selecting deployment options.

47 threat%20and%20vulnerability%20assessment/additional/ nipc_risk_management_process.pdf) • Jenkins, B. M. Protecting Public Surface Transportation Against Terrorism and Serious Crime: An Executive Overview. MTI Report 01-14. Mineta Transportation Insti- tute, October 2001. (http://transweb.sjsu.edu/mtiportal/ research/publications/summary/0114.html) • TSA Security Analysis and Action Programs, TSA technical assistance for risk assessments, and TSA security training. (http://www.tsa.gov/approach/risk/assessment_tools.shtm) • Sandia National Laboratories. (http://www.sandia.gov/ mission/homeland/factsheets/index.html) • Parsons Brinckerhoff (D. B. Ham and Stephen Lockwood) and Science Applications International Corporation. “National Needs Assessment for Ensuring Transporta- tion Infrastructure Security.” Prepared for the AASHTO Transportation Security Task Force. AASHTO, October 2002. (http://www.transportation.org/sites/security/docs/ NatlNeedsAssess.pdf) • Homeland Security Comprehensive Assessment Model (HLS-CAM). (https://www.dhssaver.info/actions/docu ment.act.aspx?type=file&source=view&actionCode=sub mit&id=3079) • Transportation Research Board, security publications. (www.TRB.org/SecurityPubs) • Department of Energy Information Bridge. (http://www. osti.gov/bridge/basicsearch.jsp) • Department of Homeland Security—Transportation Risk Assessment and Vulnerability Evaluation Tool (http:// www.tsa.gov/approach/risk/editorial_1733.shtm) • NCHRP Project 20-59(17), “Guide to Risk Management of Multimodal Transportation Infrastructure” (scheduled for completion November 2007). (http://www.trb.org/ TRBNet/ProjectDisplay.asp?ProjectID=637) Following the risk assessment, the agency should consider the types of inspections that may be appropriate to its partic- ular level of risk. When the risk of attack is low, inspections should be minimally intrusive, have a low impact on passen- ger operations, pose few (if any) risks of civil liability, and be relatively inexpensive. At the other end of the scale, when the risk of attack is higher, agencies should assess the need for in- spections to be more intrusive. In general, when the risk of terrorist attack is higher, passengers are likely to be more will- ing to tolerate delays or inconveniences, the agency may be willing to run greater legal liability risks, and there may be a willingness to devote more resources to the inspection method. From a constitutional perspective, when the risk of attack is higher, more intrusive inspection methods can be justified. This applies to the absolute intrusiveness of the PSI method and its duration (a continuing threat is more likely to justify continuing inspections). The first decision that must be made is whether there are any circumstances under which PSIs should be used as a countermeasure to protect operation-critical assets. If the agency determines that no such circumstances exist, it should include that written determination in its overall security plan. However, even when an agency identifies little or no current risk of terrorist attack, it should consider PSI methods that can be quickly and easily deployed to meet future threats. If the agency determines that there may be circumstances under which PSIs may be appropriate, it should evaluate PSI methods to determine their appropriateness for deployment. This determination should depend primarily on a considera- tion of the assets identified as vulnerable and the particular purpose of the inspections, for instance, detection or deter- rence. In the latter case, it is important for the agency to consider that PSIs need not—and indeed, under many circumstances, should not—be performed daily throughout its system. The list below shows what kinds of inspection are appropriate for low, medium, and high levels of risk, respec- tively (see also Table 1): • Low level of risk—Use of radiation detection pager, environmental monitors, screening of suspicious or aban- doned packages. Passive measures Contingency plan for heightened alert/specific intelligence Passive measures Low-level inspections Contingency plan for heightened alert/specific intelligence Passive measures Visual/physical inspections Technology-based inspections Plans for intensified screening in case of heightened alert/specific intelligence Note. When the risk of terrorist attack is low, it may still be appropriate to deploy numerous noninspection security measures, such as CCTV and customer awareness programs. Low Medium High Table 1. Types of inspection to consider for high, medium, and low risk of terrorist attack.

48 • Medium level of risk—Use of canine teams; behavioral assessments by trained security personnel and transit staff (e.g., token booth clerks, bus operators, and cleaners); intelligent video, including facial recognition; abandoned package recognition; and atypical behavior recognition. • High level of risk—Use of random manual and elec- tronic inspections. (The inspection percentage and num- ber of locations should be adjusted based on the actual level of risk; if the level of risk is very high at a particular location, the inspection procedure may be changed from random to more frequent or to screening of all passen- gers. However, it is important to avoid counterproduc- tive operating conditions by conducting inspections at such a high percentage that crowds are formed.) Equip- ment that may be used for the inspections includes por- tals, trace detection in ticket machines or turnstiles, handheld devices, desk-top trace detectors, and baggage scanners. Assessing Operational Parameters In order to evaluate PSI methods, the transit agency should first assess its operational parameters. If the particular system contains more than one mode of transit, the agency is likely to have to assess parameters for each mode. The parameter checklist below may be useful in assessing operational param- eters. Note that the priority of the checklist questions may vary. One of the analytical steps is to prioritize the questions. This will help with later steps in the analytical process. Parameter Checklist The parameter checklist includes assessment in five areas: equipment, personnel, passenger services impact, cost con- siderations, and miscellaneous issues. Equipment Issues to consider regarding equipment are the following: • What locations in the system are available for deploying inspections? • What space is available for inspection equipment? • What are the portability aspects of inspection equipment? • What facilities are available to secure and store inspection equipment? • Is there a preference for technology-based or non- technology-based methods? • Is the operating environment clean or dirty from an equip- ment maintenance perspective? Are there concerns about use of ionizing radiation? • What is the administrative tolerance for managing emerg- ing technologies? Personnel Issues to consider regarding personnel are the following: • How many personnel are available to perform inspection duties? • Who will supervise and manage the inspection programs? • What is the level of technical knowledge required to oper- ate the equipment? • How much training would be required to maintain opera- tor proficiency? • What operational or administrative support will be required to conduct the inspections? • What duration of inspections can be maintained based on staffing levels? Passenger Services Impact Issues to consider regarding passenger services impact are the following: • What is the maximum time to inspect that can be tolerated? – Consider peak and off-peak tolerance – Consider operational perspective and passenger per- spective101 – Consider difference between day-to-day delays and delays for inspections done during a limited period of time in order to meet a specific threat • What space is available for passengers waiting to go through a PSI? • Are there inspection alternatives available for persons with disabilities? Cost Considerations Issues to consider regarding cost are the following: • What is the budget for inspection methodologies (consider acquisition, training, operation [including labor], and maintenance)? • Is there an opportunity cost associated with the inspec- tions? Miscellaneous Issues Miscellaneous issues to consider are the following: • What operational trade-offs will be necessary? – Performance versus operational feasibility 101 The agency may want to survey customers concerning their perceptions of the threat of terrorism, their tolerance for security-related delays at present, and their tolerance for security-related delays in the event of a specific threat of attack.

49 – Performance versus customer acceptance – Operational feasibility versus customer acceptance • Are there defined access points for the system at which inspection personnel or devices can be stationed? – Systems that operate on the honor method do not have turnstiles and could have difficulty implementing cer- tain PSI methods. Operational Assessments and Equipment Assessment Checklist Once operational parameters have been assessed, the tran- sit agency should compare its parameters to the location cri- teria of various inspection methods (see Table 2). There are a number of factors that an agency should consider, such as where in its system PSIs could be conducted, whether there are types of inspection that are unsuitable because of space limitations, and how easily PSI methods can be redeployed. Ability to redeploy is of interest because it is possible to construct a deterrence model that deploys PSIs in varying, selected portions of the system (i.e., it is not always necessary to inspect everywhere every day). While it is recommended that the initial assessments focus on operational issues, legal considerations relevant to deter- mining where to deploy PSIs may be of interest even at this early stage. In some cases, the location of the inspection may affect its intrusiveness, an important factor in assessing constitutionality. More specifically, location may affect both randomization (reduces intrusiveness) and the ability of passengers to decline inspection (reduces intrusiveness)— important constitutional factors. Randomness is important from legal, operational, and security standpoints. To reduce legal liability, it is better to inspect either all passengers or to inspect passengers at random. Operationally, for most transit systems, inspecting all passen- gers is not feasible; therefore, random inspections would be the most logical choice. Inspections that are random both in terms of who will be inspected and where the inspections will take place are a strong deterrent to terrorists, who try to avoid uncertainty. Accordingly, before deploying a non-suspicion-based102 PSI method that may result in Fourth Amendment concerns, an agency should consider whether the inspection could be carried out in a random, nondiscretionary manner, and whether passengers have an ability to decline the search. If the answer to either question is no, the risk of the inspection method being held unconstitutional will increase. In some cases, whether a passenger understands that he or she is free to leave the scene may also be constitutionally significant. Table 3 shows the effect of location on the relative ability of a passenger to decline an inspection and leave the scene, as well as the effect of location on the randomness of the inspections. Randomness is also relevant to preventing racial profiling. PSI methods can be divided into those that are not based on technology and those that are (see Table 4). Most of the technology-based methods will require resources for testing Requires significant space for inspectio n Can be deploye d virtually anywhere in system Best deployed at entry-point to system Easily moved to differen t points in system Canine s No Yes Not necessarily Yes Detection pagers No Yes Not necessarily Yes Visual/physica l bag inspections by officers No Yes Not necessarily Yes Ticket scanners No No Not necessarily No Handheld scanners No Yes Not necessarily Yes Desktop equipment No Yes (assuming availability of power) Not necessarily Yes Magnetometers Yes No Yes No Portals Yes No Yes No Note. The criteria in Table 2 do not reflect legal considerations. Table 2. Location criteria for PSI methods. 102 Behavioral assessments, which are based on suspicion of prohibited behavior, require a different sort of analysis. See “Legal Ramifications of PSI Methods” below.

50 and evaluation of particular models before actual deployment, which may make it difficult to deploy those methodologies quickly. It is highly recommended that even technologies that are proven in airports and other environments be tested under the agency’s specific operating conditions. For some agencies, the use of technology may be viewed as a strong positive or strong negative; thus, dividing methods into technology- based and non-technology-based categories may serve as an initial means of sorting them. Technology-based PSI methods can be further categorized by several general characteristics that can be easily ascertained and that may eliminate them from further consideration. These categories are footprint, portability, use of ionizing radiation, and maturity of the technology (see Table 5). Radiation is particularly significant, as technologies used in airports are not necessarily deployable in all states; use of radiation in transit environments is subject to state health regulations. (See Appendix D.) Once the agency has evaluated a location, taking into con- sideration operational and legal issues and the previously mentioned health regulations, it may proceed to do a more general operational assessment of any PSI method not already eliminated. Table 6 lists various operational criteria that should be considered in the adoption of a PSI method. As dis- cussed in “Phase 3—Assessment of PSI Methods,” there are additional criteria that should be considered in selecting equipment models. Once the agency has compared PSI operational features to the agency’s operational parameters, it may be useful to then evaluate targeted inspection methods using the Equipment Assessment Checklist. The Equipment Assessment Checklist, which can be used to perform an operational assessment of technology types, includes the following criteria: • Space requirements • Impact on passenger throughput • Power – Power source requirements – Availability of appropriate power source • Environmental effects on equipment – Fumes produced by commuter railroad trains and subways – Dust or vapors from construction work – Cleaning fluids • Accessibility to disabled passengers • Accuracy (see Appendix A in for a description of differ- ences among trace technologies) At entry point Within terminal On platform At interior bus stop At exterior bus stop On conveyance Ability to decline search High Medium Medium Medium Medium Low Ability to leave scene High Medium-Low Medium-Low Medium-Low Medium-Low Low Ability to ensure randomness High Medium-Low Medium-Low Medium-Low Medium-Low Low Table 3. Effect of inspection location on significant constitutional issues. PSI method Non-technology-based Technology-based Behavioral assessments X Radiation detection pagers X Ticket-machine scanners X Explosives detection canines X Visual/physical bag inspection X Handheld detectors X Desktop detectors X Portals X Baggage scanners X Z backscatter vans X Table 4. Non-technology-based and technology-based PSI methods.

51 – False acceptance rate – False alarm rate • Health issues – Whether equipment emits any radiation or in any way affects health of operators or persons inspected – Whether state law allows nonmedical use of radiation equipment on people – Whether state law requires licensing of technicians to operate the type of equipment being evaluated – Whether state law requires certification and subsequent inspections of the type of equipment being evaluated • Cost – Unit cost – Installation – Life cycle – Operation and maintenance – Labor – Training – Infrastructure modification • Maintenance requirements – Ease of use, including number of personnel required for operation and training required for proficiency Based on the parameter assessment and review of the operational ramifications of various PSI methods, the agency may then determine whether certain types of PSI methods should be eliminated from consideration. Such methods need not be subject to legal analysis, although it is recommended that the agency document its reasons for eliminating meth- ods from consideration. Analysis of Legal Ramifications After the operational assessments have been conducted, it is important to analyze the legal ramifications of deploying various PSI methods. As noted in Appendix D, significant constitutional and tort issues may come into play in deploying PSIs. (Agencies should conduct analysis of specific PSI meth- ods of interest under relevant state laws, with particular atten- tion to potential health restrictions. In the transit environ- ment, state and local laws concerning deployment of devices that use ionizing radiation may also be controlling. See “State Law Issues Associated with PSIs” below.) Finally, the proto- cols for deploying the PSI methods may affect legal liability. (See Table 3 and “Protocol Issues” below.) 1“Mature technology” here means a technology that has been well tested in both laboratory and field settings and has been available for deployment for explosives detection use for at least several years. 2 IMS=Ion mobility spectrometry. MS=Mass spectrometry. Airports appear to be experiencing difficulty with this technology. See E. Lipton, “Faces, Too, Are Searched at U.S. Airports,” New York Times, August 17, 2006, Late Edition—Final, sec. A, p. 1, col. 3, www.nytimes.com/2006/08/17/washington/17screeners.html (article available for purchase at this URL). Footprint Portable Uses ionizing radiation Mature technology1 Radiation detection pagers Small Yes No No Ticket-machine scanners Small No Yes No Handheld trace detectors Small Yes IMS/MS2- based do IMS, yes, otherwise no Handheld metal detectors Small Yes No Yes Desktop trace detectors Medium Yes IMS/MS-based do IMS, yes, otherwise no Puffer portals Large No IMS/MS-based do IMS, yes, otherwise no Magnetometers Large No No Yes Z backscatter vans Large Yes Yes No Backscatter X-ray scanners Large No Yes No Baggage scanners Large No Yes Yes Table 5. Technology-based PSI methods categorized by four characteristics.

52 Below, in “Legal Ramifications of PSI Methods,” general potential legal liability for each potential PSI method and ways to mitigate such exposure are summarized. For each method, training on necessary protocols is likely to mitigate liability. For each suspicionless method, Fourth Amendment liability is likely to be mitigated by tying the inspections to clearly articulated threats, providing adequate notice, affording the opportunity for persons to avoid inspection, and limiting the scope of the inspection to the threat. “Notice” refers to announcing that passengers may be subject to inspection. 1 Based on the following definitions: Very low ≤ $25,000, Low = $25,000–$70,000, Medium = $70,000–$300,000, High > $300,000. Handheld and portable metal and trace detectors are typically low in acquisition costs while trace and bulk detection portals are moderate and bulk detection conveyor equipment is expensive. 2 Operation and maintenance costs are generally estimated to be 5–10% of the acquisition cost. The estimates in this table are based on this rule-of-thumb; however, because precise operation and maintenance costs differ by vendor, additional cost-related research should be performed by the decision-maker. The cost per passenger trip will depend on the total number of daily trips. In New York City, canines, X-rays, and metal detectors would cost about $0.40 cents per trip, while in Cleveland, which provides far fewer trips, the cost would amount to $3.45 per trip. 3 Based on the following definitions: Low ≤ 10 sec, Medium = 10–30 sec, High > 30 sec. Analysis time is generally low, 10 sec or less for most technologies; however, the total transaction time (including the time needed for officers to explain the procedure to the passenger) can vary. 4 Bulk detectors experience lower rates of “nuisance” alarms because they do not sound an alarm for residues that could have been from an innocuous source. Another benefit of bulk technology is that new explosive materials would not be detected by trace detectors, while bulk technologies make it possible for operators to identify suspicious items. Threat material may be more difficult to detect if sampling misses an area contaminated with traces of explosive. At the same time, false alarms and innocuous true positives may occur more frequently when trace detection equipment is used. Effectiveness and accuracy are higher for MS than IMS technology and higher for backscatter X-ray than X-ray. False acceptance rates and false rejection rates should typically be in the range of 1–5%. Finally, it should be noted that these manufacturer-stated accuracy rates should be backed up with operational testing in the transit environment. 5 While all equipment requires calibration and understanding start-up and testing procedures, the portable metal and trace detectors are easier to operate than the larger equipment. Portable equipment would require a minimum of 1 day of training, while other equipment would require longer training periods. To operate trace detectors (including handheld trace detectors) the operator must know what areas and how to sample. Bulk detection equipment that relies on images would also require quite a bit of training—operators need to know what images look suspicious and what images do not. 6 Tests have shown no major differences in reliability among the technologies. Even the handheld detectors were shown to be reliable in both indoor and outdoor temperature ranges and varying humidity levels. 7 Canines tend to tire easily; some become ineffective after 30 min. Therefore, canines will require frequent breaks. Further, it is not always possible to tell when they are “off-duty.” Metho d Acquisition cost 1 Operation an d maintenance cost s 2 Inspectio n (analysis ) time 3 Effectiveness/ accuracy 4 Amount of training required 5 Reliabilit y 6 Accessible to individuals with disabilities Canines Medium Medium Low High 7 High High 7 N/A Behavioral assessmen t N/A N/A N/A High High N/A N/A Radiation detection pagers Low Low N/A High Low High Yes Officer visual/ physical bag search N/A Low Low High Medium N/A N/A Ticket-machine scanners Unknown Unknown Designed to be low Unknown Unknown Unknown Possibly not Handheld trace detectors Low Low Low High Relatively low High Yes Handheld magnetometers Very low Low Low High Low High Yes Desktop scanners Low Low Low High Low - medium High Yes Magnetometers Medium Medium Low High High High Possibly not Puffer portals Medium Medium Low Medium-high High N/A Possibly not Backscatter X-ray Medium Medium Low N/A High N/A Possibly not Car-bomb screener High High Low N/A High N/A Possibly not Baggage scanners High High Low High High High N/A Table 6. General operational criteria for assessing PSI methods.

53 Notice does not include divulging operational aspects of the program, such as precisely when inspections will take place or the standards the agency uses to set inspection intervals or locations. Even for suspicion-based inspections, tying the inspections to clearly articulated threats and limiting the scope of the inspection to the threat should serve to mitigate Fourth Amendment liability. The summaries in “Legal Ramifications of PSI Methods” highlight legal issues relevant to the deployment of PSI countermeasures. However, the list is not intended to be all inclusive. Each agency will have to individually assess its own inspection program activities based on applicable federal and state laws and its own tolerance for risk. The deployment of PSI countermeasures may result in the apparent detection of a suspicious substance that turns out to be innocuous after secondary screening. Thus, there is always the potential for a passenger claiming that he or she has been treated in an unfair/unlawful manner. This risk is mitigated by training inspecting officers on the appropriate response to the appar- ent need for secondary screening. However, certain PSI methods are more susceptible than others to producing false/innocuous positives, and those methods are identified in “Legal Ramifications of PSI Methods.” Legal Ramifications of PSI Methods The legal ramifications of several PSI methods are dis- cussed below. For each method, potential constitutional issues, tort issues, and Americans with Disabilities Act (ADA) issues are described. Major risks are also listed, as well as strategies for mitigating major risks. Some PSI methods discussed also include consideration of other ramifications. Behavioral assessments. Police officers can be trained to assess behavior to identify potential terrorists, just as they can be trained to identify potential drug traffickers. On the basis of their training in identifying potential terrorists, police officers can stop and ask questions of passengers who meet the protocol indicators to either dispel or confirm reasonable suspicion. Ramifications of this method are the following: • Constitutional—There is no Fourth Amendment impact to merely striking up a conversation or requesting identi- fication, so long as it is clear that the person subject to request is free to decline (or merely ignore the request). At bus stops, in terminals, and on platforms it should be rel- atively clear that the person subject to the request is not being detained. But there may be greater risk of constitu- tional violation should the request be made on the con- veyance itself. The Fourth Amendment (and state consti- tutions, which may have more stringent requirements) requirement of reasonable suspicion must be met absent clear consent. In at least some states, the use of racial/ ethnic characteristics as behavioral assessment indicators is likely to be deemed illegal. • Tort—Potential basis for constitutional tort claim (Fourth and Fourteenth Amendment and, where permitted under state law, corollary state provisions). Potentially basis for invasion of privacy claim, risk extremely low. No apparent health risks. • ADA—No apparent ADA ramifications. • Major risk—Risk of claims of constitutional violations, including unlawful detention (constitutional and tort). Potential for claims of racial profiling. Risk may vary depending on state law governing racial profiling. • Mitigation of major risks—Protocol that relies on objec- tive indicators to extent feasible, does not rely exclusively on racial/ethnic characteristics, clearly delineates behavior required to establish reasonable suspicion, reasonably circumscribes officer’s discretion in conducting behavioral assessment. Protocol requiring that absent reasonable suspicion, if person declines to provide ID or answer ques- tions, officer will take no further action. Training on protocol and racial profiling. Radiation detection pagers. These pagers are small enough to be worn on a belt clip and sensitive enough to detect radiation without being in close proximity to passen- gers; thus, no active inspection occurs unless the pager alarms. Ramifications of this method are the following: • Constitutional—Possibly not an inspection for Fourth Amendment purposes, because passengers are not indi- vidually approached unless the device alarms, at which point reasonable suspicion is present. • Tort—Potentially a basis for an invasion of privacy claim, although the risk is extremely low. Possible claims based on treatment following false positive/innocuous true positive. • ADA—No apparent ADA implications. • Major risk—Passengers detained based on inaccurate/mis- leading results may file suit. • Mitigation of risks—Protocol requiring positive results as cause for suspicion, not evidence of guilt, and process ac- cordingly in conducting secondary screening. Awareness of possibility that medical treatment may set off radiation detection pagers. Trace detector integrated into ticket machine. This screening occurs during the ordinary course of business, prior to passenger entry into the transit system. Ramifications of this method are the following: • Constitutional—Possible Fourth Amendment concerns exist. Given that the scanner only checks for prohibited substances and that it does so in the course of a passenger-

54 initiated transaction, this kind of inspection should be considered minimally intrusive for Fourth Amendment purposes. • Tort—Potentially basis for invasion of privacy claim, risk extremely low. Possible claims based on treatment follow- ing false positive/innocuous true positive. Scanners employing IMS/MS technology may pose health risks. • ADA—Need to ensure that machine is ADA-compliant or must provide secondary screening. • Other—Scanners employing IMS/MS technology may be illegal in some states; may require certification, licensing of inspectors in some states. • Major risk—Passengers detained based on inaccurate/ misleading results may file suit. Claims based on health risks. • Mitigation of risks—Protocol requiring positive results as cause for suspicion, not evidence of guilt, and process accordingly in conducting secondary screening. Provide notice that the ticket machine contains a scanner in order to allow passengers the option of avoiding even minimally intrusive inspection. Scrupulously maintain radiation components. Nonintegrated (desktop) document scanner. Passenger is asked to touch a card that can capture traces of explosives; the card is then scanned and analyzed. For some models, the operator swabs the surfaces of objects that may have come into contact with the passenger, and the swab is analyzed by the scanner. Ramifications of this method are the following: • Constitutional—Possible Fourth Amendment concerns exist, but as officer does not inspect contents of bag, and scanner only checks for prohibited substances, inspection should be considered minimally intrusive for Fourth Amendment purposes. More intrusive than scanner inte- grated into ticket machine, as it does require that the pas- senger stop activity for inspection. • Tort—Potentially basis for invasion of privacy claim, risk low. Possible claims based on treatment following false positive/innocuous true positive. Scanners employing IMS/MS technology may pose health risks as all desktop trace detection models use ionizing radiation. • ADA—No apparent ADA ramifications. • Other—Scanners employing IMS/MS technology may be illegal in some states; may require certification, licensing of inspectors in some states. • Major risk—Passengers detained based on inaccurate/mis- leading results may file suit. Claims based on health risks. • Mitigation of risks—Protocol requiring positive results as cause for suspicion, not evidence of guilt, and process accordingly in conducting secondary screening. Scrupu- lously maintain radiation components. Explosives detection canines. Dogs patrol/are stationary and alert when they detect explosives. They are also used fre- quently for secondary screening inspections. Ramifications of this method are the following: • Constitutional—Virtually no federal constitutional impact on bag inspections, particularly if passengers are not stopped in order to conduct inspection. (Compare with Illinois v. Caballes,103 where the issue was whether the mo- torist had been detained. See discussion in Appendix D.) When a passenger is stopped so that a canine may sniff either the passenger or the passenger’s bag, the stop may be considered a seizure under the Fourth Amendment, thus requiring constitutional justification. Even detection of explosives on passenger (rather than in bag) is likely to be deemed minimal intrusion outweighed by compelling gov- ernment need. Absent faulty training or officer miscon- duct, no danger of racial profiling. Cross training for ex- plosives and drug detection could give rise to pretexting claims, which, depending on the factual situation, could also give rise to racial profiling claims. • Tort—Possible basis for claims related to canine behavior. Possible claims based on treatment following false posi- tive/innocuous true positive. No apparent health risks. • ADA—No apparent ADA ramifications. • Major risks—Passengers attacked by canines may file suit; passengers detained based on inaccurate/misleading re- sults may file suit. • Mitigation of major risks—Appropriate training, certifica- tion (e.g., TSA certification). Protocol requiring that passen- ger stops for purposes of allowing canine to sniff be con- ducted according to inspection protocol and that positive results be treated as cause for suspicion, not evidence of guilt, and process accordingly in conducting secondary screening. Visual/physical bag search. Officers inspect passenger bags by looking inside and possibly physically manipulating bag contents for better visibility. Ramifications of this method are the following: • Constitutional—Significant Fourth Amendment ramifica- tions to this PSI method. Justified where government need is compelling, intrusion is minimized, and protocol design is effective. • Tort—Potentially basis for invasion of privacy claim, risk relatively low. No apparent health risks. • ADA—No apparent ADA ramifications. • Major risks—Fourth Amendment challenges, invasion of privacy claims. • Mitigation of major risks—Efforts to minimize intrusion by limiting scope particularly critical for mitigating Fourth Amendment liability for this method. Directing officers 103 543 U.S. 405 (2005).

55 not to read any material in passenger bags will minimize privacy claims as well as intrusiveness. Handheld trace detectors. A sample is taken from the outside of a bag by swipe or vapor analysis. Ramifications of this method are the following: • Constitutional—Fourth Amendment implicated, but should be considered to be a minimally intrusive inspec- tion, as officer does not inspect contents of bag. • Tort—Potentially basis for invasion of privacy claim, risk extremely low. Scanners employing IMS/MS technology may pose health risks. • ADA—No apparent ADA ramifications. • Other—Scanners employing IMS/MS technology may be illegal in some states; may require certification, licensing of inspectors in some states. • Major risks—Fourth Amendment challenges, invasion of privacy claims, health claims. • Mitigation of major risks—Scrupulously maintain radia- tion components. Handheld magnetometers. Officers inspect passengers/ bags with a wand that detects the presence of metal. Ramifi- cations of this method are the following: • Constitutional—Possible Fourth Amendment concerns exist. Inspection considered more intrusive than magne- tometer because of physical proximity between officer and passenger. Wand inspection of bag less intrusive than visual/physical bag inspection because officer does not in- spect contents of bag, wand inspection of passenger arguably more intrusive than visual/physical bag inspection because of physical proximity between officer and passenger. • Tort—Potentially basis for invasion of privacy claim, risk relatively low. • ADA—No apparent ADA ramifications. • Major risks—Fourth Amendment challenges. • Mitigation of major risks—Using as secondary PSI method should mitigate intrusiveness of physical approach to pas- senger, as there would be some grounds for suspicion. Backscatter X-Ray machine. When the passenger steps onto the machine, backscatter signals interact with explosives, plastics, and metals and present the shapes of the objects to screeners. Ramifications of this method are the following: • Constitutional—Fourth Amendment concerns exist. Likely to be considered far more intrusive than magne- tometer because of revealing nature of image. • Tort—Potentially basis for invasion of privacy claim, risk possibly higher than for any other inspection method detailed in this report. Possibly significant health risks. • ADA—Machine must be ADA-compliant or agency must provide secondary screening. • Other—May be illegal in some states; may have certifica- tion, licensing requirements where legal. • Major risks—Fourth Amendment challenges, invasion of privacy claims, health risks. • Mitigation of major risks—Privacy claims may be miti- gated by concealing sensitive body areas or reducing image details and also by ensuring that images are not displayed to anyone but the inspectors. Destroying images once they are reviewed for security purposes should also mitigate risk of privacy claims. Health claims may be mitigated by proper maintenance and operation. Millimeter wave imaging scanners. Millimeter wave holographic imaging systems are capable of imaging through clothing to detect contraband, metal, plastic, or ceramic weapons. Ramifications of this method are the following: • Constitutional—Possible Fourth Amendment concerns exist. Not as intrusive as backscatter X-ray machine. • Tort—Possible claims arising from false positives. Possible health risk, relatively low risk. • ADA—Machine must be ADA-compliant or agency must provide secondary screening. • Major risks—Fourth Amendment challenges. • Mitigation of major risks—Health claims may be miti- gated by proper maintenance and operation, as well as pro- tocol to ensure appropriate handling of positive results. Puffer portals. The portal uses puffs of air to dislodge any residue on the passenger; the residue is then analyzed using an ionizing radiation source. Ramifications of this method are the following: • Constitutional—Should be considered search for Fourth Amendment purposes. Not as intrusive as backscatter X-ray machine. • Tort—Possible claims arising from false positives. Health risk. • ADA—Machine must be ADA-compliant or agency must provide secondary screening. • Other—May be illegal in some states; may require certifi- cation, licensing in some states. • Major risks—Fourth Amendment challenges, health claims. • Mitigation of major risks—Health claims may be miti- gated by proper maintenance and operation and protocol to ensure appropriate handling of positive results. Baggage X-Ray scanners. Carry-on bags are put through machines that screen for explosives using X-rays. Ramifica- tions of this method are the following: • Constitutional—Certainly considered search for Fourth Amendment purposes. In airport context this has been considered a minimally intrusive search.

56 • Tort—Potentially basis for invasion of privacy claim; risk relatively low. Possible health risks. • ADA—Machine must be ADA-compliant or agency must provide secondary screening. • Other—May have certification requirements in some states. • Major risks—Fourth Amendment challenges, health risks. • Mitigation of major risks—Health claims may be miti- gated by proper maintenance and operation. Z backscatter van. The van contains explosives detection technology using backscatter X-rays. This technology is suitable for use in ferry terminals, where the van can move alongside vehicles waiting to board the ferry. Ramifications of this method are the following: • Constitutional—Should be considered search for Fourth Amendment purposes. • Tort—Possible health risk, particularly if van used on vehicles with passengers in them. • ADA—No apparent ADA ramifications. • Other—May require certification in some states. To extent it exposes passengers to X-rays may be illegal in some states. • Major risks—Fourth Amendment challenges. • Mitigation of major risks—Health claims may be miti- gated by proper maintenance and operation and ensuring that van only inspects vehicles without passengers in them. State Law Issues Associated with PSIs It is imperative that the transit agency research the law of its own jurisdiction on the legal issues associated with any particular PSI. (See Appendix D.) The following checklist of jurisdictional laws, legal definitions, and legal issues may prove helpful with this research: • Racial profiling; • Search and seizure law; • Whether canine sniff of person is a search; • Whether canine sniff of property is a search; • Whether an agency can be subject to tort liability; • Exceptions to tort liability (governmental/proprietary or discretionary/ministerial); • Tort implications of purchase of liability insurance; • Public duty rule; • Tort liability for state constitutional violations; • Tort liability for invasion of privacy; • Duty of care owed to prevent terrorist attack, including duty to warn of danger of attack; • Tort liability for dog exposure; • Tort liability for health hazards of screening equipment; • Tort liability for false/innocuous true positives; and • Restrictions on use of particular technologies (whether humans may be exposed to ionizing radiation for non- medical purposes, possible restrictions on millimeter wave imaging scanners, and whether equipment must be regis- tered or technicians licensed). Comparing Methods across Evaluation Criteria When compared with each other across a set of criteria, in- spection methods will differ. One method may be minimally intrusive, but pose more than minimal tort risks. Another may be minimally intrusive but expensive. Once the transit agency has considered both the operational and legal aspects of specific PSI methods, it may find it useful to compare particular methods across various legal and operational criteria. The criteria that the agency may want to consider in- clude intrusiveness of the PSI, risk of liability for invasion of privacy, risk of liability for health hazards, risk of liability for false/innocuous true positives, state law requirements for certification/licensing (including whether a particular tech- nology is legal for proposed use), effect on passenger throughput, capital cost to acquire, operational costs, main- tenance costs, and training costs. Based on the foregoing operational and legal assessments, the transit agency can determine whether it would be appro- priate to deploy any PSI methods either currently or under specified future circumstances. If the agency determines that it is not appropriate to deploy any PSI methods, a determi- nation to that effect should be included in its overall security plan. If the agency determines that it could appropriately deploy one or more PSI methods in its system, the agency should proceed to “Phase 2—Policy/Protocol Development.” Phase 2—Policy/Protocol Development Once the transit agency has determined that it could appropriately deploy PSI methods as a measure to combat terrorism, it is highly recommended that the transit agency’s PSI policy be put in writing, including a clear articulation of both the legal and operational purposes of conducting PSIs. In order for an agency to deploy a non-suspicion-based inspection method that does not create a concern about a potential violation of Fourth Amendment rights, the risk of terrorist attack must be great enough to create a compelling government interest in deterring or detecting such an attack. It is advisable that the agency’s legal analysis demon- strate the government need/danger faced, the need to pro- ceed without individualized suspicion, and the minimal nature of the privacy intrusion created by the inspection method chosen.

57 It is critical to note that the purpose need not be the actual apprehension of terrorists. The New York City Container Inspection Program (CIP)—the most sweeping PSI program to date and the first to be reviewed at the federal appellate court level—was designed primarily for deterrent purposes. Carrying out inspections in an unpredictable yet routine fashion, the program design obstructs the terrorist goal of hitting predictably vulnerable targets. In other words, a deterrent effect may be obtained even though inspections are not carried out continuously, so long as they occur regularly and in patterns not predictable to someone planning an attack. TSA also emphasizes unpredictability (see www.tsa. gov/approach/unpredictability.shtm). In addition, the policy should describe—and limit—the scope of the inspections. The risk assessment should have iden- tified the type of threat the agency thinks is possible and wants to guard against; the scope of the inspection should relate to that threat, that is, the policy should tie inspection parameters to fac- tors likely to deter or detect the threat. For example, if the threat requires looking for 20-pound explosives, the protocols might prohibit inspecting small bags and small pockets in big bags. Having articulated both the purposes of conducting PSIs and the preferred PSI countermeasures to deploy, the agency should develop protocols for implementation, including indicators for PSI methods to be used in the future or under specified circumstances. For example, the agency may develop a protocol for inspecting passenger bags at various intervals of time. Intervals may ordinarily vary according to passenger traffic and available personnel, and may vary at a specified number of stations depending on station layout and operat- ing characteristics. The protocol should specify under what conditions intervals and numbers of stations might increase. The agency should also consider what countermeasures could be taken to rapidly respond to newly developed intelli- gence information or to a change in threat levels. Possible indicators include transportation-related terrorist attacks elsewhere in the world or specific intelligence regarding one of the agency’s own transit systems. It is critical that selection criteria not violate applicable law concerning racial profiling. (See Appendix D for legal background.) Major issues that a transit agency may want to take into account in formulating its policy, including protocol development, follow. Protocol Issues Purpose of the PSI Program Clearly the PSI program must advance a substantial gov- ernment interest separate from general crime control efforts. If the inspections are too closely interwoven with general law enforcement, they could be held invalid. For example, coor- dination with narcotics units could be problematic. Similar concerns may exist when officers engaged in behavioral assessments pursue general law enforcement while conduct- ing antiterrorism assessments. Keying PSIs to articulated threat warnings or other articu- lated indicators (see “Contingency Plans,” below) could help to differentiate them from routine law enforcement, provided that the type of threat warning is in fact related to a relatively specific danger. Similarly, employing an inspection method that targets only terrorism-related threats, such as explosives, should also help distinguish the policy from general law enforcement. Calibrating the Inspection to Discover the Identified Threat The scope of the inspection should be no broader than required to discover the identified threat, but must, at the same time, be broad enough to discover the identified threat. For ex- ample, assume that the identified goal of the policy is to pre- vent terrorists from bringing enough explosives into a system to cause significant injury or death or to prevent the breech of the hull of a moving conveyance. In such a case, the selected in- spection countermeasure should be designed, if possible, to de- termine the likely bulk or weight of the explosives that would be required to inflict such damage, and the protocol should limit inspections to containers, or portions of containers, large enough or heavy enough to contain that quantity of explosives. Credible Support for Program Design It does not appear that statutory authority is required to de- sign and implement a PSI program. However, some credible source attesting to the validity of program design is advisable. For example, evaluation by counterterrorism experts as to the effectiveness of a design aimed at deterrence could be help- ful.104 Alternatively, when agencies are considering the use of behavioral assessment, it may be advisable to ensure that the protocol is consistent with expert advice concerning the efficacy and accuracy of such assessments for identifying potential terrorists. Implementing the Policy as Written The PSI selected should be deployable as set forth in the policy/protocol. The resources cited should indeed be avail- able. It is important to keep in mind that, for example, a method that can be constitutionally deployed in one area of the system may not be constitutional if deployed elsewhere. Procedural Safeguards There are a number of procedural safeguards that may, depending on state law, minimize the intrusiveness of the 104 Agency counsels are urged to review MacWade v. Kelly, Docket No. 05-6754-cv (2d Cir. August 11, 2006).

58 inspections and thereby enhance their constitutionality. These include the following: • Having a designated screening area—a separate, but open, clearly visible area (courts should consider that such an arrangement reduces passengers’ apprehension and the stigma of being searched); • Having at least two officers present, including a supervisor; • Documenting all inspections; and • Providing a complaint procedure for deviations from the protocol. Determining the Inspection Protocol Where the protocol is defined (at the command or line level) and how it is executed (ministerially or with discre- tion) will have enormous implications for its constitution- ality. The inspection policies upheld in Boston and New York were defined at the command level and executed ministerially. In order to be executed ministerially, a policy must have guidelines on what to inspect, how to inspect, and what constitutes prohibited items. This does not mean that the inspecting officers must be totally devoid of discretion, but there should be reasonable limits on any exercise of discre- tion. For example, the protocols could specify that different inspection methods be deployed depending on the number of passengers waiting in line. In the case of behavioral assess- ment, the more subjective the indicators, the greater the risk that there will be allegations of abuse of discretion, if not actual occurrences of abuse of discretion. For example, indi- cators such as “appears nervous” require more subjective assessment than “photographing transit system features” (which may be legitimate) or “attempts to access restricted areas.” Generally the number of, and location of, inspections may be determined daily based on the anticipated volume of passengers, DHS alerts, and specific threat intelligence. Occurrence of special events, such as political conventions, may also justify instituting inspections, varying inspection methodology, or varying inspection frequency for the duration of the event.105 It is possible to use computer software to generate random numbers for selecting passen- ger inspection intervals, which enhances the randomness of the intervals. Decisions about the conduct of inspections should be made by supervisors following written policy. These decisions should then be communicated to inspect- ing officers. Inspecting People versus Inspecting Packages In some cases, the decision about whether to inspect peo- ple or packages may be made when the PSI method is selected. However, to the extent that the selected PSI method could be deployed to inspect passengers or their packages, the transit agency should keep in mind that inspecting passengers will be considered more intrusive than searching packages and thereby may require greater justification—including, but not limited to, reasonable suspicion. Inspecting passengers, as opposed to their packages, on a nonrandomized basis may be considered profiling, and, to the extent that it focuses on the characteristics of any protected class, will be subject to intensified scrutiny. Inspecting packages may raise some Fourth Amendment/ state constitution concerns, but it is subject to lower stan- dards than inspecting passengers. Targeting packages based on size, weight, or some other factor related to the purpose of the inspection should not have the same constitutional im- plications as selectively inspecting passengers. When the policy requires baggage inspections only, the protocol could provide for exempting passengers not carry- ing baggage from passing through security checkpoints. Inspection Location Some questions about location are answered when the PSI method is selected, as some methods can be deployed only in certain locations. Nonetheless, inspection location remains an important issue in structuring the protocol. To the extent that the PSI method allows for various inspection locations, an initial decision must be made as to whether in- spections will be conducted within the system or at en- trances to the system only. As noted above, inspections within the system may be more difficult to conduct in a truly randomized, nonarbitrary fashion, which of course has implications for the constitutionality of the inspections and could require a different standard for justifying them. Even behavioral assessments, which are not random, may be less susceptible to challenge if they occur before passengers enter the system, or at least before they board conveyances. Even a policy that only allows inspections at entrances to the system is likely to have selection issues, either as to loca- tion or time of day. Concerns include not creating a pattern discernible to a potential terrorist (which goes to the efficacy of the policy) and not disproportionately affecting certain segments of the population (which may raise equal protection issues, as conducting inspections may have an effect on transit service). If the threat is not confined to a particular part of the system, or time of day, the agency should examine whether the checkpoint selection is randomized except as to the objective threat. Further, as noted above, building sufficient unpre- dictability into the protocol is key to establishing deterrence. Clearly, the protocol must specify criteria for selecting and 105 See, for example, M. Fickes, “Preventing Mass Transit Terror Attacks,” Gov- ernment Security: Technology Solutions in Defense of the Homeland,” October 1, 2005. http://govtsecurity.com/mag/preventing_mass_transit/.

changing inspection locations and not leave that decision to the inspecting officers’ discretion. Providing Adequate Notice/Opportunity to Avoid Inspection Notice of the inspection and opportunity to avoid it will enter into an assessment of the reasonableness of the inspec- tion. Two aspects to consider are timing, whether notice of the policy is adequate to allow people to make other plans, and prominence, whether notice is clearly visible in the system before payment is required. The protocol may provide that once passengers proceed past a certain designated point, they may no longer decline the inspection. If so, notice of that requirement should be clearly provided in advance. In addi- tion, passengers should be provided with notice that re-entry after declining inspection is prohibited. Secondary Inspections The protocol should specify when an initial (apparent) pres- ence of a prohibited substance or a behavioral assessment in- dicator calls for secondary inspections. Such inspections may consist of verbal questioning or more intrusive inspections, including, in some instances, searches of the passenger. The protocol should specify the conditions under which such secondary inspections occur, such as the indicators for such inspections, how the secondary inspections are to be carried out (which may be dictated by the indicators), when to request additional officers, and so forth. Secondary inspections may be a recurring issue when the PSI method is susceptible to false positives or innocuous true positives. For example, radiation pagers may react to passengers undergoing radiation treat- ment. In order to minimize liability, it is important not only that the protocol be clear regarding how such passengers are to be treated, but that officer training (see “Performance Moni- toring” below) emphasizes the possibility of such initial results. Invasion of Privacy Despite the difficulty in most jurisdictions of a plaintiff mounting a successful invasion of privacy action arising from a PSI (see Appendix D), it is recommended that the protocol mandate steps to ensure against invading a passenger’s privacy more than necessary to accomplish the purpose of the inspection. For example, a protocol governing visual/ physical inspections by officers could direct inspecting offi- cers not to read any material in bags selected for inspection. When the PSI method involves potentially revealing images or other sensitive information, it is recommended that the protocol specify who shall have access to the information and whether and for how long the transit agency shall retain the information. Protocols governing the use of handheld de- vices, which require the officer to be in close physical prox- 59 imity to passengers, could include guidance for minimizing any unnecessary physical contact with passengers. Accessibility The PSI protocol should account for the accessibility of any technology-based inspection method. The deployment of any technology that is not accessible to disabled passengers will require the use of secondary screening to accommodate those passengers. Allowing all disabled passengers to avoid inspec- tion because inaccessible inspection technology would not only undermine the inspection’s operational effectiveness but also its legal rationale. Other It is further recommended that the agency develop policies for the following: • Dealing with passengers who decline screening and attempt re-entry; • Explaining when the inspection crosses the threshold from administrative inspection to suspicion-based search (still allowed); • Handling the discovery of contraband; and • Announcing threats to the public. Contingency Plans Transit agencies may determine that while current or immediately foreseeable circumstances do not warrant con- ducting PSIs, there are reasonably foreseeable future circum- stances—such as changes in operations or special events—that warrant PSIs. If that is the case, it is advisable to develop con- tingency plans. Such plans will be similar to a current PSI policy, with less attention to operational detail and more at- tention to how to deploy resources rapidly. The following is a checklist for agencies developing a contingency plan: • Identify circumstances under which PSIs would be neces- sary and/or advisable (e.g., attack on surface transportation anywhere in the world, attack on transportation system in the United States, preplanning surveillance detected at U.S. transportation systems, high terror alert for U.S. trans- portation systems, and specific intelligence about the system being analyzed); • Prioritize inspection needs/measures that would be desir- able based on operational compatibility; • Conduct a legal analysis of desirable inspection methods; • Finalize a list of contingency inspection methods; • Develop protocols for conducting PSIs; • Identify possible sources for quick deployment such as TSA, FTA, and/or a loan from another transit system; and

60 • Specify training that could be delivered in a cost-effective way before the need to deploy inspection. Mitigation Measures As indicated above, in developing its protocols, the transit agency should consider measures that will mitigate any potential legal liability. Table 7 summarizes suggested mitiga- tion measures for the primary risks posed by various PSI methods. In all cases, training on the PSI protocol is suggested to enhance mitigation measures. Also, it is important to recognize that Fourth Amendment liability is likely to be mitigated by linking inspections to clearly articulated threats, providing adequate notice, affording the opportunity to avoid the inspections, and limiting the scope of the inspection to the threat being addressed. (See Appendix D.) Notice refers to announcing that passengers may be subject to inspection. It does not include divulging operational aspects of the program, Mitigation of intrusion Mitigation of privacy concerns Mitigation of claims with respect to unreasonable detention, etc. Mitigation of health risks Behavioral assessments Use, to extent feasible, of objective indicators; reasonable limitations on officer’s discretion; extreme caution in using racial/ethnic characteristics. Same as for intrusion. Same as for intrusion. N/A Radiation detection pagers Not a primary risk. Not a primary risk. Require positive results be treated as cause for suspicion, not evidence of guilt, and process accordingly in conducting secondary screening. Not a primary risk. Trace detector integrated into ticket machine Provide notice that ticket machine contains a scanner to allow passengers option of avoiding even minimally intrusive inspection. Not a primary risk Require positive results be treated as cause for suspicion, not evidence of guilt, and process accordingly in conducting secondary screening. Scrupulously maintain radiation components. Non-integrated (desktop) scanner Minimally intrusive for Fourth Amendment purposes. Not a primary risk. Require positive results be treated as cause for suspicion, not evidence of guilt, and process accordingly in conducting secondary screening. Scrupulously maintain radiation components. Explosives detection canine Not a primary risk. Not a primary risk. Require positive results be treated as cause for suspicion, not evidence of guilt, and process accordingly in conducting secondary screening. N/A Visual/physical bag search Protocols and inspection policies and procedures must be documented and followed. Inspections are based on compelling government need. Directing officers not to read any material in passenger bags will minimize privacy claims as well as intrusiveness. Not a primary risk. N/A Handheld trace detector No additional measures. Not a primary risk. Require positive results be treated as cause for suspicion, not evidence of guilt, and Scrupulously maintain radiation components. process accordingly in conducting secondary screening. Handheld magnetometers Use as secondary PSI method should mitigate intrusiveness of physical approach to passenger, as there would be some grounds for suspicion. Not a primary risk. Not a primary risk. Not a primary risk. Backscatter X-ray Conceal sensitive body areas or reduce image details. Also ensure that images are not displayed to anyone but the inspectors. Destroying images once they are reviewed for security purposes should also mitigate risk. Conceal sensitive body areas or reduce image details. Also ensure that images are not displayed to anyone but the inspectors. Destroying images once they are reviewed for security purposes should also mitigate risk. Require positive results be treated as cause for suspicion, not evidence of guilt, and process accordingly in conducting secondary screening. Scrupulously maintain radiation components. Millimeter wave imaging scanner Not a primary risk. Not a primary risk. Require positive results be treated as cause for suspicion, not evidence of guilt, and process accordingly in conducting secondary screening. Scrupulously maintain radiation components. Puffer portal Not a primary risk. Not a primary risk. Require positive results be treated as cause for suspicion, not evidence of guilt, and process accordingly in conducting secondary screening. Scrupulously maintain radiation components. Baggage X-ray Not a primary risk. Not a primary risk. Not a primary risk. Scrupulously maintain radiation components. Z backscatter van Avoid scanning vans with passengers. Avoid scanning vans with passengers. Require positive results be treated as cause for suspicion, not evidence of guilt, and process accordingly in conducting secondary screening. Scrupulously maintain radiation components; avoid scanning vans with passengers. Table 7. Mitigation measures.

61 such as precisely when inspections will take place or the stan- dards the agency uses to set inspection intervals or locations. Deploying explosives detection canines also poses the risk that the canine may attack a passenger. This risk may be mitigated by appropriate training of canines and officers, as well as by certification by a recognized authority such as TSA. It is recommended that the agency carefully evaluate its chosen mitigation measures under state law to determine if they will work in its particular circumstances and if additional mitigation measures are advisable. Phase 3—Assessment of PSI Methods Once the transit agency identifies PSI countermeasures deemed appropriate on operational and legal grounds, it must consider whether there are further options for deployment. For example, should the agency select canine inspections, it will have to determine whether to apply to receive assistance from the TSA for its deployment or to acquire the canines through other means. If the canines are acquired through other means, the agency will have to decide between in-house and con- tracted provision of services, requiring evaluation of training methods and procurement sources. Should the agency select a technology-based method, such as trace detection, it will have to evaluate different models of the equipment. Canine Inspections In addition to TSA, transit agencies with established canine explosives detection teams may be an excellent resource to consult on the question of whether to outsource canine in- spections, training, and performance standards. See “PSI Using Canines” in Chapter 2 of this report for more information. Issues to consider in selecting a vendor include the trainer’s experience with canines and explosives, whether the canines supplied have been cross-trained for patrol and explosives detection, whether the trainer focuses exclusively on explo- sives detection canines (which suggests a greater degree of expertise), and whether the trainer has worked with canines in a transit environment as opposed to airport or other security environments (as differences in environments can be significant to the canine). Canine Team Evaluation Resources Several resources are available for those agencies interested in exploring the use of a canine explosives detection team: • TSA’s National Explosives Detection Canine Team Program (provides dog and training, www.tsa.gov/lawenforcement/ programs/editorial_1886.shtm) – Training is located at Lackland Air Force Base in San Antonio, Texas – Training takes 10 weeks – Training includes partial funding for handler salaries, care and feeding of the canines, and veterinary costs and other costs associated with canines on teams’ return to home base • Transit agencies that have completed the TSA canine program – Massachusetts Bay Transportation Authority (MBTA) – San Francisco Bay Area Rapid Transit District (BART) – Southeastern Pennsylvania Transportation Authority (SEPTA) – Washington Metropolitan Area Transit Authority (WMATA) – Port Authority Trans-Hudson Corporation (PATH) – Chicago Transit Authority (CTA) – Los Angeles County Metropolitan Transportation Authority (Metro) – Maryland Transit Administration (MTA) – San Francisco Municipal Railway (Muni) – San Diego Trolley, Inc. (SDTI) • Transit agencies that have non-TSA-trained canine teams – New York City Transit (NYCT) – New Jersey Transit (NJ TRANSIT) – Metropolitan Atlanta Rapid Transit Authority (MARTA) – Metropolitan Transportation Authority of Harris County (Houston METRO) – Niagara Frontier Transportation Authority (NFTA) – Tri-County Rail – Amtrak • Associations – International Police Work Dog Association (offers cer- tification) (www.ipwda.org) – North American Police Work Dog Association (offers workshops) (www.napwda.com/) – National Narcotics Detector Dog Association (offers certification for explosive detection) (www.nndda.org/) • Examples of private vendors (these vendors have not been evaluated) – American K9 Interdiction, Inc. (www.ak9i.com/) – Explosive Countermeasures International, Inc. (www. nobombs.net/expl_dog.shtml) – Detection Support Services (www.dssbombdogs.com/) – Explosive Labs K-9 Services (www.xlk-9.com) – GSS Security Services K9 Division (www.nybombdogs. com) – Michael Stapleton Associates (www.mikestapleton. com/index.html) – Work Dogs International (www.bombdogdetection. com/index.html) • Literature – TCRP Report 86: Public Transportation Security—Vol- ume 2: K9 Units in Public Transportation: A Guide for

62 Decision Makers (includes recommendations for put- ting together proposals for outsourcing canine teams and sample standards)106 (http://www.trb.org/news/ blurb_detail.asp?id=900) – “Observations and Recommendations Regarding Train- ing, Record Keeping, and Deployment of Explosive De- tection Canine Teams” (www.fiu.edu/~ifri/Observations %20and%20Recommendations.pdf#search=%22 Canine%20%2B%20%22explosive-detection%22%20% 2B%20report%22) Canine Explosives Detection Team Issues It is recommended that agencies instituting a canine ex- plosives detection team consider the following issues: • Liability for injuries caused by canines – State dog bite laws should be reviewed – In-house program generally has greater liability than contracted service – Meeting federal certification and training standards may reduce risk of liability – Steps taken to establish reasonableness of canine search policy may affect liability—be sure to clearly state the authority for the program, document performance standards, and establish use-of-force and bite policies • Constitutional – To preserve reasonableness of inspections under Fourth Amendment, care should be taken in associat- ing explosives detection canines with regular law enforcement • Standards for team qualifications – Trainer or vendor qualifications and accreditations – Dog selection policy – Dog breeder qualifications – Handler selection policy – General orders for canine unit – Reports and assignments – Basic training – In-service training – Substances trained to detect • Unique canine issues – Feeding – Housing – Sanitation Equipment Assessment If a transit agency has identified a preferred PSI method or several methods that involve the use of specific equipment, the transit agency must select specific models. As noted earlier, vendor-quoted accuracy levels and other performance levels should be viewed circumspectly. Equipment should be tested in an operational setting for a sufficient period of time to establish actual performance (end-to-end performance) as well as performance of the actual device. Factors such as vendor assistance in training should also be taken into consideration. See “PSI Technologies” in Chapter 2 and Appendix B. Equipment Evaluation Resources Some resources for agencies evaluating PSI technologies include the following: • Evaluation of a Test Protocol for Explosives Trace Detectors Using a Representative Commercial Analyzer (NIJ Report 100-99)107 (www.ncjrs.gov/pdffiles1/nij/178261.pdf), • Guide for the Selection of Commercial Explosives Detection Sys- tems for Law Enforcement Applications (NIJ Guide 100-99)108 (www.ncjrs.gov/pdffiles1/nij/178913.pdf ), and • TCRP Report 86: Public Transportation Security—Volume 6: Applicability of Portable Explosive Detection Devices in Tran- sit Environments109 (http://onlinepubs.trb.org/onlinepubs/ tcrp/tcrp_rpt_86v6.pdf ). Equipment Checklist The following criteria can be used to assess competing types of technology: • Space requirements • Impact on passenger throughput • Accessibility to disabled passengers • Accuracy – False acceptance rate – False alarm rate 106 J. Balog, J. Strongin, A. Boyd, and D. C. Mitchell, TCRP Report 86: Public Transportation Security—Volume 2: K9 Units in Public Transportation: A Guide for Decision Makers (Washington, DC: Transportation Research Board of the National Academies, 2002). 107 G. A. Eiceman, C. M. Boyett, J. E. Parmeter, Evaluation of a Test Protocol for Explosives Trace Detectors Using a Representative Commercial Analyzer, NIJ Report 100-99, prepared for the National Institute of Justice (Washington, DC: U.S. Department of Justice, September 1999). 108 C. L. Rhykerd, D. W. Hannum, D. W. Murray, J. E. Parmeter, Guide for the Selection of Commercial Explosives Detection Systems for Law Enforcement Applications, NIJ Guide 100-99, prepared for the National Institute of Justice (Washington, DC: U.S. Department of Justice, September 1999). 109 S. G. Haupt, S. Rowshan, W. C. Sauntry, TCRP Report 86: Public Transporta- tion Security—Volume 6: Applicability of Portable Explosive Detection Devices in Transit Environments (Washington, DC: Transportation Research Board of the National Academies, 2004).

63 • Availability (reliability) – Mean-time-between-failure and is calculated by using the following formula: uptime/(uptime + downtime) – Downtime would include critical and noncritical fail- ures and any recalibration procedure that is needed to restart the equipment • Cost – Unit cost – Installation – Life cycle – Operation and maintenance – Labor – Training – Infrastructure modification • Maintenance requirements • Ease of use – Number of personnel required for operation – Training required for proficiency  Level of complication  Assistance provided by manufacturer • Portability – Dimensions – Weight – Typically considered portable if one person is able to transport • Power – Capabilities  Necessity for electrical or other power sources  Battery needs – Loss recovery capability (if there is a power disruption, equipment should be able to store, retrieve, and recali- brate itself to correct setting) – Needs  Input power should have adequate voltage and fre- quency tolerance  Power and data cables should be secured and pro- tected from tampering  Portable equipment should have batteries capable of extended operation • Controls and displays – Access to operator controls should be secure – Power and device status information should be clearly displayed – User interface should be intuitive • Test function (built-in test function should be activated during start-up of equipment) • Safety (equipment should comply with all applicable safety requirements including electrical and ergonomic safety) • Alarm capability – Type of alarm (audio and/or visual) – Effectiveness • Detection states – Vapor – Aerosol – Liquid • Start-up time (time required to set up equipment includ- ing calibration requirements, if any) • Resistance to interferants (substances able to deactivate the detection capability of the equipment by implementing some type of countermeasure). System should also be resistant to attempts by terrorists and criminals to hide threat materials • Substances detected (high number of detected threats in- creases the usefulness and cost-effectiveness of the system) – Types of explosives – Biological agents – Chemical agents • Operational environment – Environment under which equipment is able to operate – Conditions that could affect detection capability in- clude excessive moisture (rain, high humidity), temper- ature extremes, presence of diesel fuel, smoke, and other vapors. • Durability (ability of the equipment to tolerate rough usage, including shock event, impact, and bumps). This is particularly relevant for frequently moved equipment • Potential health issues – Equipment that emits any ionizing radiation or in any way affects health of operators or persons inspected – State laws governing nonmedical use of ionizing radia- tion equipment on people – State laws governing licensing of technicians to operate ionizing radiation equipment – State law requiring certification and subsequent inspec- tions of ionizing radiation equipment Once PSI methods have been determined and specific models, delivery options, etc. have been selected, the agency must consider training needs and performance standards. These will vary by PSI method. Performance and Training Performance Measures Canines. Professional associations such as the Interna- tional Police Work Dog Association (www.ipwda.org) and National Narcotics Detector Dog Association (www.nndda. org/) provide certification standards. TSA also provides stan- dards. Washington State Police Canine Association provides performance standards for canine handlers (www.wspca.com/ Explosive_Standards_4-23-06.pdf#search=%22Canine%20% 2B%20%22explosive-detection%22%20%2B%20report%22).

64 Physical inspections. NYCT and NJ TRANSIT have ex- perience with measuring performance. The Massachusetts Bay Transportation Authority and TSA have experience in training officers in behavioral assessment. Equipment operators. TSA performance measures provide points of comparison to what may be needed in the transit environment. These measures include the following: percentage of screeners achieving a specific score on their an- nual recertification testing on their first attempt; the percent- age of screeners scoring above the national standard level on threat image projection (TIP) performance; and the number of passengers screened, by category. As a matter of compari- son, the 1996 GAO goal for airport screening was 6 passengers per minute; currently, airport screening operates at 7 to 10 passengers per minute, or 6 to 9 seconds per passenger. Transit agencies may wish to establish standards for time to inspect per passenger. There should also be a planned system for responding to complaints or criticisms associated with the conduct of inspections. A record of the type and number of complaints received should be maintained by the agency. Equipment standards. General performance measures for the equipment itself include the number of false negative rate/percentage of threats detected, false positive rate for innocuous–valid and innocuous–not valid materials, uptime, and average scan time. These measures are as follows: • False positive rate, innocuous–valid materials; • False positive rate, innocuous–not valid materials; • Percentage of time the equipment is operational; • Average transaction time per passenger, primary inspec- tions; and • Average transaction time per passenger, secondary inspec- tions. Other measures, such as start-up time, may be based on the assessment criteria listed in Appendix B. A number of organizations have established, or are attempt- ing to establish performance standards for explosives detection equipment. See, for example, The InterAgency Board (IAB) 2005 Annual Report and 2006 Standardized Equipment List (SEL) (www.iab.gov/download/AnnualReport2005.pdf#search= %22Canine%20%2B%20%22explosive-detection%22%20% 2B%20report%20%2B%20%22performance%20standard% 22%22). In addition, FAA standards for EDSs can be used. The National Research Council has made numerous recommen- dations at the behest of the FAA on the certification of EDSs and the verification of performance levels of new and existing systems; these recommendations can be applicable to transit systems. The recommendations include configuration management guidance. Configuration management involves change con- trol and documentation and ensures that any changes made to the equipment are evaluated before implementation and then tracked so that the configuration of the equipment is known at all times. Performance verification tests the equip- ment to ensure that performance does not degrade due to the changes that have been made. According to Configuration Management and Performance Verification of Explosives-Detection Systems: A quality system that adheres to quality standards, such as the ISO 9000, is recommended. The system should have the follow- ing attributes: • A definition of the critical parameters and the tolerances, pro- cedures, and processes to be monitored • Documented evidence of an internal quality system • A definition of the methods for controlling and verifying changes to procedures and processes • A definition of an internal audit program • A provision for a third-party audit of conformance with the quality system.110 Configuration Management and Performance Verification of Explosives-Detection Systems recommends that the FAA ensure that the equipment is the product of an implemented and documented manufacturing quality system. Also, subse- quent units must be produced according to the same quality. It is recommended that the FAA have its own quality system for pre-certification, certification testing, standards develop- ment and maintenance, and testing for maintaining certifica- tion. Each manufacturer should receive a periodic audit in- cluding a configuration audit.111 In order to make changes to the equipment, configuration control boards would be established to determine which changes should be implemented and the implementation and testing conditions that will be imposed.112 The panel for Configuration Management and Performance Verification of Explosives-Detection Systems recommended seven types of testing: • Precertification to determine if the technology is ready for certification testing; • Certification to determine if the technology performance is at certification level; • Qualification to verify the performance of a unit to qualify for deployment (it would take place at the manufacturing site); 110 Panel on Technical Regulation of Explosives Detection Systems, Commission on Engineering and Technical Systems, National Materials Advisory Board; Con- figuration Management and Performance Verification of Explosives-Detection Sys- tems; NMAB-482-3 (Washington, DC: National Research Council, National Academy Press, 1998) 47. 111 Ibid., 48. 112 Ibid., 40.

65 • Verification to verify the performance of a deployed unit (it would be performed in the airport); • Monitoring to verify critical system parameters (monitor- ing would be done at specified intervals using test articles to ensure that unit performance is unchanged); and • Self-diagnosis to verify that subsystem parameters are operating according to specifications.113 Standard sets of bags are used for testing purposes—one with explosives to measure detection performance and another without explosives to measure false alarm rates. Other types of bags are also used to test specific equipment models.114 According to Configuration Management and Performance Verification of Explosives-Detection Systems: For trace detection devices, a performance verification testing protocol would ideally consist of the following: • Sample collection—determines if, during normal operation, the operators adequately sample simulated carry-on luggage that has known amounts of explosives placed on specific areas of the luggage. • Sample transfer—determines the efficiency with which the sample collection techniques transfer the material for detec- tion from a surface known to be contaminated with a known amount of explosive. • Sample analysis—determines if the trace detection device adequately maintains the required detection limit while func- tioning continuously.115 Training Needs In the transit industry, the development of security training standards and a certification and recertification system are essential. Consistency of security training content and quality and appropriate and effective training delivery mechanisms are needed to maintain the highest levels of competence and preparedness among transit personnel. A system of certifica- tion and oversight is also important in ascertaining that the expected level of learning has taken place for each transit employee. Recertification, along with refresher training, will provide transit personnel with up-to-date security-related information and motivate personnel to keep using their knowledge of applicable security-enhancing techniques. Additional measures to ensure continued operationalization of the techniques can be taken by transit agencies, including the covert observation of transit staff and announced and unannounced exercises. The absence of standards and a certification system creates additional challenges for transit agencies in determining what kind of training to provide to their personnel, how much training to deliver, and the methods of providing the instruc- tion. Transit agencies may look at training programs for air- port screeners, maritime workers, and commercial drivers for guidance in establishing appropriate standards. In addition, transit agencies may look to other transit agencies that have successfully established training programs. In addition, National Incident Management Systems (NIMS) and Incident Command System training would pro- vide a thorough working knowledge of the communications procedure, chain of command, and protocol during major incidents. Training needs are addressed below. Training needs that apply generally are listed first, and specific needs based on the inspection method follow. General training needs. In general, inspection personnel will need training in the following: • Customer selection procedure; • Response to alarm; • Secondary inspection procedures; • Response to apparent discovery of prohibited items; • Response to discovery of other contraband; • Recordkeeping procedures; and • Customer relations training, including communicating the purpose of PSIs to customers and addressing typical questions. Practice runs are essential. Written exams can be used to test trainees’ knowledge of the training material. Performance monitoring is also important in determining a trainee’s understanding and whether or not a trainee has been able to put course materials into operation. (See “Performance Monitoring” below.) Canines. If the canine team is in house, there will be ini- tial training needs for both the officers and the dogs, which can be met by working with TSA, commercial vendors, or possibly other transit agencies that have experienced teams. TSA training takes 10 weeks on site at the TSA facility. (See “Canine Team Evaluation Resources.”) It may take several weeks for the trainer and canine to become accustomed to each other. TSA training may need to be supplemented with additional in-house or contracted-out training focusing on a specific transit environment because TSA training is geared toward the airport environment. The program should include dog care and handling guidance and customer rela- tions guidance, including the steps to be taken if a customer displays anxiety or if the dog becomes agitated because of the 113 Ibid., 35. 114 Ibid., 43. 115 Ibid., 47.

66 presence of another dog. Once trained, the team will need to continue in-service training and also conduct training exer- cises to maintain proficiency and certification. Officers conducting physical inspections. In addition to the general requirements noted above, officers conducting vi- sual/physical bag inspections will need to be trained on the protocol for conducting safe inspections and on inspection procedures. Personnel conducting behavioral assessments. In addi- tion to the general requirements noted above, personnel con- ducting behavioral assessments will need to be trained on the protocol for behavioral analysis, with an emphasis on avoiding racial profiling unless specifically allowed under protocol. Nonsecurity staff conducting behavioral assessments will need to be trained in when and how to call for security personnel. Equipment. In addition to general requirements noted above, operators will need to be trained to operate the equip- ment. Training on operating the equipment is usually con- ducted by the manufacturer. Because there are no existing transit security training standards, vendor training and refresher training are especially important. Different tech- nologies and equipment models will require different types of training; for instance, trace detection using the swab method will require knowledge of the prime areas where explosives residue may be found. The training standards for airport screeners are a useful point of reference for deter- mining the amount of equipment training necessary for transit screening equipment operators: airport screeners must undergo 40 hours of classroom instruction, 60 hours of on-the-job training, 3 hours (on average) per week of re- fresher training, and remedial training if an operational test is failed. Licensing may also be required. Equipment operators will need to be assessed. Once again, the standards for airport screeners can be instructive: airport screeners are subject to proficiency reviews, covert testing, and use of the TIP system. Technicians will need to be trained to maintain equip- ment. Training on maintaining the equipment is usually conducted by the manufacturer. Because there are no exist- ing transit security training standards, vendor training and refresher training are especially important. Equipment should be monitored for number of breakdowns and other reliability issues. Performance Monitoring Covert testing is an important aspect of performance mon- itoring. While the percentage or number of deterred attacks can never be measured, the covert use of realistic threat sim- ulants can be used to monitor the performance of transit security personnel. Related measures include the number of covert tests conducted and the results of covert tests (the number of false negatives as a percentage of threats detected). Covert observations of transit security personnel are also recommended. Weak performance may be corrected through additional training or discussions with the personnel. Mea- sures that can be generated from the observations include the number of security-related violations by PSI staff/officers (an example of a security-related violation that may also be a pro- cedural violation is disregarding an alarm and not performing secondary inspections when warranted) and the number of procedural violations by PSI staff/officers (an example of a pro- cedural violation is disregarding random number criterion). To ensure that sufficient training has occurred, training- related measures include training hours per PSI staff/officer and scores obtained on written exams and trial runs. Customer surveys and complaint analysis may assist agen- cies in determining the effectiveness of their customer relations training programs and the performance of individual security personnel. The following measures may be useful: • Number of complaints (total, and per transit staff member); • Number of commendations (total, and per transit staff member); and • Customer satisfaction (overall, and specifically with the PSI program). To ensure that racial profiling is not taking place, records of the ethnicities of searched passengers may be examined for irregularities. In addition, to ensure the efficiency of the PSI process, records of the number of passengers being screened should be examined.