Dan McCoy is the chief innovation officer at the United States Transportation Security Administration, or TSA. Welcome to Decoder.

Thank you for having me, Nilay. I am a listener, so this is exciting.

The experience is way different than listening, so you are in for a ride. It’s a great time to talk to you. The founding of the TSA is connected to a very pivotal moment in my life. It was founded right after September 11th in 2001. I was in my second year of college. It was formally made part of the Department of Homeland Security when that agency was created in 2003. We are basically right at the 20-year mark of these agencies, the DHS and the TSA. It feels like a good time to step back and think about what it is they do, how they work, and where they can go. Let’s just start with your role specifically, since I don’t think most people know that TSA has a chief innovation officer. What is it that you do?

So, what I do for innovation at TSA does perplex a lot of people. There are always these conceptions that I am very tech-focused and very experience-focused. A lot of government innovation groups have been really focused right now on emerging venture capital and emerging technology, and how to integrate them. I would best describe my role as chief facilitation officer for innovation. 

At that 20-year mark, how do you take a step back and ask, “Where do we want to purposefully innovate? How do we build the culture, the capacity, the manpower, and the assessment tools to actually let that innovation happen?” That could either be at the local airport level or based out of headquarters where we are now, but my job isn’t necessarily to run every innovation project at TSA.

There are some that we will obviously do because it needs the protection, top cover, and resources of my office, but what we really want to do is start to educate and empower our workforce all the way down to the officer, our international staff, our cargo screeners, and more. We want to say, “Hey, if you guys have an innovation, see something that you want to fix, or you have a problem statement that is dropped on your lap, we want to give you the tools to fix it.” A lot of these things have been challenges for years and now is the time to emerge and say, “What can creativity, design, and invention do to help solve that?”

I always joke that Decoder is fundamentally a podcast about org charts. You are describing a problem that I think every large organization has. There are a lot of decision-makers, a lot of priorities, and a lot of ideas that can improve things at every layer of the company that get lost in inertia or bureaucracy. How does that play out for you? How is the TSA structured and how do you navigate that to facilitate innovation as you are describing?

I don’t know if this is a Reed Hastings line somewhere, that ideas are great, but until you move them through the process and they actually start to add value, they are just ideas. We have thousands of ideas across the TSA. It always surprises people that as a regulator-operator, we have the checkpoint which everybody is aware of and everybody interacts with, but our regulatory scope extends into multimodal pipeline security and different parts of the aviation sector. The ideas canvas a really large ecosystem of transportation security. 

What my team is doing now — and this is part of the innovation doctrine that we are rolling out — is building that pipeline of ideas and centrally locating it, so that we can identify what ideas are really going to be impactful and are getting underrepresented in the groups they are in. Why are they getting underrepresented? Is it the structure of the organization? Is it a really operational-focused org, that culturally does not like to take risks or do things outside the standard procedure? Is it that they just do not have the tools to necessarily do it at the local level? Do we need to go drive training around design thinking, agile development, or lean model development into that specific area? We then let that natural diffusion of innovators, that 2% in that group, really take hold and say, “We are going to solve our own problems.” 

My role in that facilitation realm is to take the macro view of all of the challenges to innovate at TSA, and start to see where it is really getting bogged down so we can focus on removing those barriers. You are right, we have a lot of operational capacity and it generates a lot of ideas that we should be working to innovate around.

You are using a lot of familiar language around agile development, faster processes, or turning ideas into products. What is your background? How did you become the chief innovation officer of the TSA?

Prior to joining TSA, I was at a consulting firm where we were focusing on moving into new businesses and new markets with emerging technology. We said, “Government isn’t necessarily doing the best job right now. There are these strong pockets to adopt new VC-backed technology and emerging tech, so how do we help facilitate that process as a consulting group? Is it through white-labeling a solution? Do we provide startups with the insight and cloud space to migrate to an environment that the government is willing to accept? How do we move startups into that space and help them get government clients?” That was really where I started to understand, “Oh, there is this emerging tech space that has so much applicability in government.”

What’s shifted over the last 20, 30, 40 years is that as much buying power as the government has, there is emerging technology that does not necessarily look at us as their main client. Their 10-year roadmaps — their addressable market to keep them on the horizon for 10 years, to keep them relevant — do not include us. How do you now start pulling that technology in? 

That is where I started, but there are so many different concepts of what innovation looks like in government. There is just pure innovation management — ideas, tools, and education, and there are niche software factories, with idea platforms, crowdsourcing, ideation, and hackathons. For me, it was this idea of, “How do you bring that all together into one innovation portfolio? What agency really has the authorities in and of itself to go build that?” 

Luckily, the TSA is one of those agencies. We have a lot of autonomy given to our administrator to build things like that. It was an amazing opportunity to come in and say, “How do we build that really big innovation portfolio? How do we test what elements work better for us and which ones do not?” We have a pretty unique mission that we are going through and testing those different liabilities now.

I have to ask the big Decoder question. How is the TSA structured?

The main structure right now, I would say everybody interacts with the field. We have four large groups, two of which are generally support groups. There is operation support and enterprise support. If you think of it just by definition, the main focus of operation support is on the field, making sure that the checkpoints have all the new technology, intelligence, vetting services, things like that. Enterprise support focuses on IT and human capital all the way down the line. The mission focus — and where most people will likely interact with the TSA — is our security operations, which is in the field. That includes the folks that work in cargo screening and those who work multimodal. Any time you see a team’s TSA badge at Metro stops or Amtrak, that is that group. Our second operational group are the federal air marshals, who came over following the cut to TSA. 

My team sits within our front office. The key learning point from the first pass of innovation at TSA — I have one predecessor — was that the group has to be as close as possible to the administrator. A lot of times what we are doing is disruptive. Even if you look at mission model innovation, which is akin to business model innovation, there is not always an appetite to push back against the standard procedure.  It was pretty critical that we sit as close as we can to leadership for the projects for process development and new technology development, so that we have that background protection to get done what we need to get done. Which is an innovation in and of itself. It’s end user value, but sometimes it’s a little disruptive to the standard way that we do things.

You talked a lot about how you facilitate things, how you make things go, and how you are building models for innovation. What kinds of decisions do you make and how do you make decisions?

I know this is an old trope I hear people say on Decoder all the time, I try to make as few decisions as possible.

Oh yeah, this is the “get out of jail free” card.

It is.

“I run the whole place, but I don’t actually do anything.”

The team is the heart, it really is. It gets back to that idea of chief facilitation officer. The things that I decide on a daily basis are really working in concert with the rest of the TSA in my team. We kind of stole this idea from agile development. Specifically for the innovation team, they will come to me with blockers, and for intent. They might say, “Hey, we outlined this new thing that we want to get done. We have done customer discovery and we know it is going to add impact, but we are running into this barrier. Do you want to come in and try to remove it? Do you want us to work around it? Let’s have a discussion around that.” Not all of the decisions around innovation should be coming to me, which is good.

There is an old Defense Innovation Board publication on what a chief innovation officer does. It hits on this notion that a chief innovation officer pulling in all innovation projects defeats the purpose. Having one choke point for innovation really defeats the purpose of why you would want innovation throughout an ecosystem and why you would want it throughout your organization. I try to limit the decisions I make. If it comes to me it’s because we have hit a barrier, we have genuine enthusiasm around something, or it really does need some type of protection from my level. We might say, “Let’s keep this on the tracks and make sure it happens,” or we might make the decision to dial it back quickly when we need to.

This is the third time you have used the word “protection.” I think this is the first time anybody on Decoder has described their job as protection inside of an organization. What specifically do you mean by “protection?”

There are the three types of innovation that we look at. There is continuous process innovation, which is how we make things move a little bit better along the standard path and our standard op model. There is business model — or in our situation, mission model — innovation, which is how we may deliver in different ways. Then there is disruptive innovation, those ideas that are either new trainings or new opportunities that are outside the standard scope of TSA. How do we make sure that those take root?

I have probably sounded a little pejorative about it. What we are really here for is something like a design-thinking training, which is not necessarily within the standard operating scope of TSA but we have recognized the value of. How do you make sure such a program is resonating well with the workforce? How do you make sure that the outcomes of it still have the ability to grow, even when they go back to their home organization or move outside the innovation scope? How do you make sure that it takes root? That is really what I meant. It probably sounds a bit worse than it should, I apologize.

It makes sense. I think the idea that someone close to the boss protects a project from being killed is pretty normal in most organizations. I would say the government — whether rightly or wrongly — is often perceived as having more inertia and more resistance to change. I would also connect that to the idea that it is hard to know if the government is doing a good job. The big tech companies are public — you can see how many iPhones Apple’s sold, you can see what the stock price is doing. There are just all these public metrics of success or failure in a way the government cannot really provide. I think my key question here is how do you measure success at the TSA? How do I know it’s working?

I think every government group says that from an operational perspective, our failures are public and our successes are quiet. From the TSA perspective, as a whole, we ask if things are moving as they should. We break it down to our three main components: deter, detect, and disrupt. Are we doing that successfully? Are we disrupting attacks before they happen? Are we detecting anything at the checkpoint as our last line of defense? As those are moving along, I think that is the metric of success — at least for the public trust — that most resonates. We are catching firearms and potential explosives at the checkpoint. 

We do not want to get ahead of ourselves and sterilize the process for those KPIs and OKRs (key performance indicators and objective key results) we are trying to figure out right now for innovation and then have it end up as just, “Oh, you are going to do these five things.” As we sat down to put together our innovation doctrine — which is a multifaceted, new communication method to the field — the big thing we wanted to put in there was that these are not hard and fast rules. This is not a prescriptive way to do innovation. It is guidance. It is the idea that if you do these things, it will start to happen organically. 

What we look at as the success of that pipeline is ideas to velocity and volume to velocity. How many good ideas are we curating and then moving into the next phase? How quickly are we moving those ideas through the pipeline? Some of those are ideas that we kill. We may say, “This doesn’t have a fit in our enterprise. We don’t think this will actually add value.” We may think that it actually opens up a new security vulnerability. 

At the end of the day, we are still a security agency. It sometimes makes it hard to innovate in highly regulated spaces. We do have ideas that fall out of the pipeline, plainly because they open up some new risks that we were not anticipating. Our metric of success is how many of those ideas are getting life and getting oxygen and moving through this common process. We are not telling people exactly, “This is how thou shall innovate.” We are saying that if you do these activities, you will naturally move into an innovation space.

You mentioned the three pillars were, “deter, detect, and disrupt.”

Yes.

That sounds pretty good. You deter the bad guys, you detect them, and if they try to do something bad, you disrupt them. Are those the key metrics? Do you measure how well that is going? Is there a dashboard that is like, “15 deterred, 20 detected, one disrupted?”

It is a lot more micro than that. That is the macro view. This is where the divergence happens. Everybody listening should be really happy that there is still the operational side of the house that is doing the day to day, and then there is the innovation side. We do kind of share people, problem statements, and ideas back and forth, but that “deter, disrupt, detect” is really in the larger part of the TSA — our 60,000-person screening force — for those daily activities. 

I do not have a lot of insight into that. What we are doing is making sure that technology and processes are in place to allow people closest to the problem to innovate around and solve it. Then they naturally move it into transition where it does get refactored into the rest of the organization, which is again, mainly focused on those three elements.

Let’s talk about the actual experience of the TSA and how it might be innovated over time. This is going to be unfair, so I am just pre-apologizing for an unfairly reductive description of the airport.

Oh no.

I would say the only real innovation I have felt in the last 20 years of the TSA is PreCheck and Clear, and I’m signed up for both of them because I am a very impatient man who does not like to stand in line. Every time I go to the airport, I think, “I have allowed some amount of increased government surveillance of me because I am impatient.” I am uncomfortable with that balance every time, but then I get through the thing faster and I’m like, “Well, it was worth it.” That feels like the big innovation, that we have created two classes of travelers. One is okay with increased surveillance and the other is taking off their shoes. Is that something that we should innovate on? It feels like the ripest area at the customer experience that also keeps everybody safe.

I am just so happy you were the first one to bring up PreCheck as an innovation, because this is something that there was a lot of conversation about when I came into TSA. “What are we doing around new technology? How are we adopting artificial intelligence and machine learning? What is our policy going forward on IoT?” 

It had me saying, “Can everybody take a step back and acknowledge that the biggest breakthrough innovation we have had since inception is TSA PreCheck?” It is a process innovation, it is a network innovation, and it is a partner innovation. It is not tech-focused in how it is delivered, but it adds a tremendous amount of value to the traveling public and to TSA operations. We have a whole other class going through the checkpoint that we have additional information around. 

I understand your point about giving up more information, and the unease around it. We have worked so closely with civil liberties groups through PreCheck in the data collection we are doing. As we are doing more around biometrics and mobile driver’s licensing, that trust component is front and center in how we are rolling that out. That is second only to, “is it increasing security?” 

I always look at TSA PreCheck as an amazing opportunity to keep pushing innovation forward. What can you do in this space? Recently, a PreCheck lane has opened up in the Bahamas, which is another new innovation to move the boundaries of TSA out a little bit. Now we are doing our level of screening at another location, and we are allowing customers that option as they are leaving the Bahamas and repatriating back to the US.

How do you make PreCheck biometric only, with fingerprints and facial matching? I think it is a little bit similar to Clear, as you mentioned a second ago. Now when Nilay walks up with even less patience, the facial match is done and he can go about his day. You are not divesting any form of identity going forward. Building around that is a real opportunity for us to innovate. I think the TSA PreCheck program is a hallmark government innovation program.

How do you think about that balance? You only talked about it a little bit. If I step back — and I am old enough to remember what flying was like before September 11th — the goal was not tons of surveillance or identity verification. It was, “It would be cool if you didn’t have knives and guns on the plane.” How do you get back to that state? I look at the increased amount of surveillance as a net negative.

I think it is fascinating that you are talking about it as a net positive, like, “We will do more surveillance and your life will be easier. We, the government, will be able to trust that you are a secure person because we know you have not bought a bunch of fertilizer in the last six months.” What PreCheck is effectively doing is keeping tabs on you, so that when you get to the airport it knows your profile is safer than average. How do you get back to that place of, “What we are going to focus on is the scanners and the detection of what is in your bag. We do not have to surveil you, we just have to know that you in this moment do not pose a threat.”

This is definitely a hard one to answer from my part. From the innovation perspective, there is intelligence and analysis in the backend that is doing a lot of this work. We have partnerships with the FBI for those background investigations that you are talking about. If you ask an end user to design the best app, they want it to look slick and be frictionless as far as mobility and application development. That is only until you probe them with, “Well, do you want your data to be secure? Do you want to know that you are not being tracked?” I think that is what I equate the TSA process to. Most of my life, TSA has been the way that we go through the airport.

We want to maintain that level of security that we know we need in our post-9/11 environment. What we want to do is make sure that we are building that level of clear trust with passengers, that this is the data we have and we are working off of. What I think most passengers want is less friction going through the process and the backend understanding that data is safe and secure. If I can drive a point to your question, I do not know if we are ever going to go back to only a goal-line defense of screening for threats. 

We have seen the benefits of a multi-layered approach, which is to disrupt, deter, and detect. “Detect” is our goal line; it is an interception in the end zone on something that could have gone awry. The “deter” is that we have new technology, we have new capabilities, and we have trained officers. You probably should not try anything in the aviation space. Then the “disrupt” is the whole national security ecosystem saying, “We should think about what attack vectors and what vulnerabilities may be targeted, because we want to disrupt those where they are.” 

Innovation in those responses are one for one, in that the agility that we maintain is the only unwavering advantage we have going forward. We want to make sure that we are agile in developing new solutions and addressing new threats, that we are getting them out as fast as possible, so we can say security is growing in capability. Any time we see that this is a decision for somebody who is not Dan McCoy, chief innovation officer, we can peel back from some of those vetting services. I am sure that is always in discussion, but it is not something I’m really read into. It is not something I think a lot of people would even let me into the conversation for.

The reason I ask you directly is because innovation is not broadly just about new technologies, though I certainly want to talk about that as well. It is not just about machine learning and facial recognition, but it is how we do things. I would put innovating the balance between civil liberties and security squarely in that, which is the age-old tension of government. How many misattributed quotes about civil liberties and security can we listen to in our lives? I hear that you want to deter things early, but the criticism of the TSA has always been, “Well, that is just a lot of security theater and you are just scaring the bad guys away with ineffective things.” I just wonder, from your perspective as the innovation officer, do you ever think, “We can innovate on that and maybe get through the very difficult balance of privacy and security. Maybe we can find ideas from throughout the agency to make that equation better for people.” I think it has become more intrusive over time.

That’s fair, and it is the public’s take on the way we are working today. For what we have talked about, my role isn’t necessarily injecting my presence into that space. How are we rebalancing this? I can’t say I have been in a lot of the conversations around what the future of biometric looks like. What does the future of mobile look like? What are we doing with some of our background vetting systems as a party to those? 

My hope is that we can take a different approach to what you have laid out. Can we shift the scales back one way or another? I am not the decision-maker closest to that problem to know. What we want to have happen is that someone in that area has the lens, that they are our innovator in that space, to go, “Maybe it is time to disrupt this a little bit, or at least shift the mission model a little bit. There has been some change that we have seen at another agency in the industry.” 

FinTech is a really data-secure ecosystem where you give up a lot of data. If there is a change there, maybe it can apply to what we are doing. Our hope from the innovation team is that those people exist, are educated on what we want them to do, and are empowered to do it. We hope that those new approaches that are beneficial to the whole agency and traveling public will take place where they should, in that business unit.

Let’s talk about some of the new technologies here, because I think that might be a more useful way to talk about this balance I have been poking at. You mentioned facial recognition and biometrics several times. The dream is that you show up at the airport, which is an evolving system that knows who you are, and you just go about your business and get on a plane. That would be one dream, but that seems to require a massive government database of faces. I don’t know how you solve that problem. 

I know Clear has a database of faces; I don’t love it, but again, I am impatient. At least they are a private company. If they do something wrong, people can sue them. It feels like there is that check where if Clear blows it, they can lose their contract and that is existential for them. TSA doesn’t get to lose its contract. If you give the government the database of faces and they screw up, it feels like the remedies are less existential. How do you balance that as you think about, “We have to go out and find facial recognition vendors. We have to go build a system. This is the next generation of the TSA.”

We are doing it in a process right now. The first step in this direction is our one-to-one matching. You take your ID and insert it into the machine, and the face on this ID is Nilay. We match that Nilay has presented himself, so we are good here. That is our first level. 

Over time, we are moving to a one-to-end match, which today is in partnership with Customs and Border Patrol. They have a one-to-end system for reentry into the United States that they use that’s in a pilot phase. This is why the innovation process is so important, to not only get the technology right, but to get that trust right. We are in a pilot that we are constantly gathering feedback from civil liberties groups. We are constantly getting feedback from industry standards mechanisms, like the International Standards Organization (ISO) and National Institution of Standards and Technology (NIST), where they are coming in and assessing the trustworthiness of this system. 

I have always said this of a lot of things in emerging tech. If it isn’t trustworthy and you are going to lose participants because of that, then it isn’t effective. We need to ask if facial recognition and AI is trustable, securable, and locked up for cyber vulnerabilities. If it isn’t, then we are putting an ineffective system into the field. We would not do that when it comes to image scanning with CT, and we would not do that when it comes to on-person screening. Why do we think we would do it any differently with AIML or with facial recognition? If it does not hit that level of trust, that level of resiliency, then it is not effective and it doesn’t get fielded. 

You are right, if there is a breach at Clear, they are going to lose customers and that is going to be existential. We don’t necessarily have that, but what we do have is that those failures become incredibly public. We are aware of that. Again, we are making sure that this is getting piloted. We are gathering all the right information around it and we are working with groups dedicated to trust and resiliency. Until all of that lines up, if it is not effective, it doesn’t get fielded.

You mentioned earlier the concept of protection. You have this new pilot program that is going to do more biometrics. You know you have to trust it, but you need to protect any project or organization that gets it moving. At the same time, to make something like biometrics and facial recognition trusted, they need to be wildly transparent. There is already attention with groups like the ACLU, which is filing lawsuits about facial recognition records and how the systems work. You are never going to get started if you know the first thing that is going to happen is a lawsuit. You are never going to get all the way to the finish line, and be as transparent as you think you need to be to gain the trust, if releasing the documents results in bad faith attacks or something. For a government agency, that seems like a really difficult problem. How are you thinking about that?

It is an incredibly hard challenge. Maintaining that trust and the operational effectiveness of the program with our passengers — mainly our constituents, the rest of the US citizens — is incredibly important, but moving to this space does increase the security outcome that we are looking for. The promise of TSA is that the security is better today than it was yesterday, either through lessons learned, new technology, or enhanced processes going into effect. It sits right on that edge where we know the security benefits of biometrics. From our intelligence groups, we know that moving into this space we yield some type of security benefit.

Actually, can I just interrupt you? Can you give me the elevator pitch for the security benefits of biometrics?

We are moving to a place with technology that matching a face by a machine versus a person is starting to be better. For recognizing counterfeit documents, we are moving into a place where machines are doing it better. The biometric component adds that extra level of security that you are binding it to that document.

I understand the framework here, which is deter and detect. Why does that step confer additional security to me on the plane, that you know who everybody on the plane is? What that has to imply is you have also surveilled all those people and know who they are, as opposed to just making sure there are no dangerous materials on the plane.

I’m not sure exactly how much of this I can get into. I am really bad at not knowing exactly what I can talk up to and then going past that line.

It’ll be fine. It’s just you and me, man.

It’s only a few people that listen every week. That matching works a little bit better to make sure that the secure flight scan and who we are vetting against matches the person presenting themselves. Biometric is better at that than the traditional matching that we have today. It is really, for now, only a conversation around PreCheck or one-to-one match with the ID. I can get more of this from people way smarter on it. They send me out just smart enough to get myself into hot water, but hopefully enough to at least make it resonate with the public. It adds a security benefit to match the traveler to the vetting that we have done against them.

I don’t think this is controversial at all: If you are saying there is a security benefit to knowing who everybody on the plane is, then you have to know who they are. You can either say, “We have a block list or we have a no-fly list. We are going to make sure nobody on the no-fly list comes through.” Or you can say, “On the margins, we have surveilled everybody enough that we know all these people are safe and we know who they are.” So Nilay shows up at the airport, and we scan his face. We have some database of information about his behavior that says, “Even though he has a bag full of batteries, we are going to let him on this plane.” I always have a bag full of batteries. That is what that necessarily implies. I don’t think that is a controversial statement, that authenticating everyone’s identity allows you to then make sure they are either not on the bad list, or that you understand that the risks are low.

I would agree with that. If I missed that in your initial question, I apologize. Understanding who has made it to the sterile side is critically important for us. That now transitions to not just workers at the airport, but yes, folks on the flight. Understanding who has gone through and who is on the flight is a security requirement in the environment that we live in today.

Then I guess my question is if you can add biometrics, how do you let me — somebody who is worried about it — know that data is private? As you add vendors and software and security, that is a pretty complicated stack of things. You are personally trying to drive innovation at all of the layers of that stack, so things are changing. We are adding more computers to something and computers are a little dicey. How do you build my trust in that entire complicated network of computers?

We are adding computers to everything. I mean, what is a car today, but just a driving piece of chips?

That is a Decoder greatest hit.

I mean, cars are computers now, just on wheels. Technology is naturally matriculating into more of the checkpoint, as if it was not already there. That is good from the security standpoint. As for the trust element you are hitting on, I can say in our pilot programs that we are running that this is back to grassroots. This is communications with the public as they go through. 

There is always the opt-out version for biometrics, that is very clear. Our identity management team has worked with standards boards, they have worked with trust teams like the ACLU, to say there needs to be that opt-out strategy. That is well documented when you go to one of our pilot sites today. 

The other assurance is that we just need to verify who is making it to the other side of the sterile area. All of that information is gone the second you step away from the terminal. The picture of you that is captured on that device, we don’t need to save it. We have what we need to get, which is that Nilay presented himself, it was him, he is on a plane later today, and we know he is on that plane because 72 hours ago, we knew that he was going to get on that flight. All we need to know is that you have now been granted access to the sterile side. What is next is that continued layered detection apparatus. While it is odd that he has this bag of batteries in his carry-on bag — most of us have moved to like a rat’s nest of cords but he wants batteries — he can have them as long as they are not on the prohibited items list. Moving into either a walk-through metal detector or advanced imagery technology, does he have anything on his person? It’s that layered approach. 

We need to know you have entered the other side and we have matched you to the person we expected to be showing up today. We do not need the facial recognition or the background. The algorithms will be worked out through commercial vendors who are doing a lot more in algorithm development and facial recognition. Not necessarily for some of the other components of TSA that are a little bit more owned and operated by us, but for the facial recognition part, all of that data is gone the second you step away from the terminal.

It feels like once you add a step to the process, the step never goes away, even though you are adding more steps. I’ll just ask directly. Let’s say we assume there are facial recognition biometrics at every airport, can people stop taking their shoes off?

Layered approach.

You still need the shoes?

I knew it was coming. This is actually where we are moving to and this is the promise of the innovation team, the promise of the technology working on. We have a pilot program today. We have had an amazing partnership with one of our national laboratories to start rolling out a shoe scanner. 

The convenience of PreCheck today is that you are giving up some of that information so that you can have these conveyances as you go through the checkpoint. We are moving to make enhancements to the standard checkpoint as well. Shoe scanner technology is very nearly on the horizon, pending year-over-year budget requirements from the Hill. That is something that I hope will be coming out probably within the next two to three years, at least in its pilot phase. We are moving away from AT, which is our current X-ray machinery, and moving into CT, which is computed tomography. That gives us a 3D rendering of the bag, and it gives us a lot more insight into what is in it.

The core idea of moving to all of these technologies is that we want to provide a better environment for the officer to apply their main skillset, which is the security and assessment that we train them on. All this new technology will also mean that passengers will start to see some changes as they come through, as well. CT opens the door for fewer items on the prohibited items list. I don’t know exactly what that is going to look like, that is a risk calculation that gets done by other parts of TSA. Moving in that direction, and in bringing in new and improved technology, we will start to have people potentially leaving their shoes on. Hopefully one day, water bottles come through with you, because we will have better technology to scan them. 

I think one thing everybody should remind themselves about TSA is that we do not do all of this because we really want to. These actions are based on historical threats and attacks that we have had. We are always looking to make changes to that, both for the officer benefit and the traveling public benefit.

It does seem like there was one shoe guy and now we are all taking off our shoes. There have not been other shoe guys. It’s hard to attribute. Everyone knows the shoes are going to come off, so maybe the shoe guys are deterred, but it seems like the one guy made everybody take off their shoes forever. Is there a calculation in your innovation framework that says, “We are spending too much time here. We can get the time back elsewhere and potentially be safer and more effective.”

There are changes that we look at, of, “Where is there a model shift?” I think this would be one of them. If we make a change in the way we conduct business, there will be a benefit. To your point about the shoe bomb, I can’t say with positive or negative certainty or confirm any of this, but there was one public shoe guy. This is something I think Secretary Buttigieg said when he was on, that our successes are quiet. There was one public shoe guy, there is still the need for the shoe scan. Within the innovation process that we are looking at, what has been asked of me and our leadership and where I think it goes, is we want innovation at every level.

There is business model innovation that should not be living with me, it should be living in the business. People at that checkpoint, people in that space, are always thinking about, “Should we be making a change here to increase security or passenger efficiency? Has some type of threat vector shifted, such that this is no longer such a requirement going forward? Can we make this change? Yes, no?” That is being discussed within the innovation doctrine framework, but it is not something I necessarily prescribe directly as a project that we get involved with.

The challenging thing with all new technologies, especially ones that surveil people, is that you have no idea if they work equitably or fairly until you deploy them. Facial recognition is actually a great example. There are a lot of cases where we see facial recognition systems just have challenges with people of color.

Yep.

Seems to be down the line. Where are you balancing that out? Where are you saying, “In our pipeline, over the roadmaps we have, there has to be a checkpoint where we say we have enough data and we know this is fair.”

That is the pilot phase that I alluded to before. We have what the teams classified as the “triangle of trust” with mobile drivers’ licenses (mDL) and biometrics going between all of the groups that are involved with it — the TSA, the issuing authority, and the relaying party. That is in the specifics, but it gets back to that core point where if it is struggling with people of color or different genders, then it is not effective. We do not want to ever field an ineffective solution that is not going to yield the value that we aspire for it to, or is actually going to degrade what we are doing today. 

With that knowledge going into it, if this does not work on a large portion of the population, then it is not actually going to be effective in the field. It is going to produce longer wait times and the queues will back up as the machine fails in front of us. We will then have people divert to the standard process, we will have slower throughput time within the checkpoint itself. There is a lot of attention paid to how effective this platform is at actually increasing passenger throughput and increasing match rates. That is really what we are looking at: Is this a mechanism not only to increase security, but is this also a mechanism to decrease queue wait times and increase passenger throughput? 

A lot of attention is paid to that by the identity management team that is rolling it out. I think they published an identity management roadmap where this is very clearly addressed. How do we make sure it works for everybody? At the end of the day, we still serve everybody.

Again, this comes back to trust. Do you ever say, “In order to move faster, to get more new ideas off and running, to make things smoother, and to keep people safe, we should talk about that more?” My experience with TSA — and I think this is most people’s experience with TSA — is that it’s still fairly opaque. You still look at the one checkpoint. I will just tell you my personal experience. I fly with my wife and kid. She is a white lady, and I definitely get more random screens than she does. It’s like a joke now with us.

I do not know if the data is accurate. That is obviously an anecdote and I do have the bag full of batteries. I’m like, “I have a drone in my backpack. It feels like I’m going to get stopped.” That is still the perception, that I have brown skin and tend to get stopped at the checkpoint more than my wife, who has white skin. How do you combat that as you roll out technologies that have these known problems in their deployment in the early stages? How do you combat the civil rights organizations in a more adversarial posture with you?

I will hit on the latter point, but I do want to steer back to directly answer your question. I don’t know if I would call it adversarial. They have a position and we want to be as close to that position as we can. It is a partnership. They understand our mission scope; they understand where we are headed and why the TSA was born. I don’t like the idea of calling it adversarial, though it is a perception that I know people have. I view it much more as a partnership, where they are bringing the balanced perspective that we really do want to hear about these situations and about building trust. 

To your point around transparency, there are two main elements in the innovation doctrine we laid out, which is soon to be published across the ecosystem in the field. One is transparency. How are we making decisions around where we invest capital? How are we making decisions around what screening we do? How are we making decisions around our people movements and our staffing? All of that needs to be a little bit clearer in our decision framework, because it empowers more people in TSA and around TSA to also be transparent. This is the expectation; this is how we expect you to act and deliver. 

This is sometimes difficult, it is really familiar in industry and in tech, but failure has to be an option and available for us. “Move fast, break things” isn’t exactly how we can operate, but we need growing room to pilot and say, “This did not work, and here is why. Let’s pivot. This also did not work. Here’s why. Let’s pivot.”

In government, that is sometimes really hard. Your mission is aligned to Six Sigma, or your mission is aligned to zero negative outcomes, but that holds innovation back. We have to be able to cleanly run pilots and admit when something did not work. But all of our pilots need to be structured so that they are not driving such a negative impact that it damages the trust that we are trying to build, nor has a negative security outcome. It is nuanced, but how we run pilots is incredibly important within TSA. We need to be hitting that balancing act of effectually moving innovation forward, but allowing failure to happen in a safe, enclosed environment.

I want to come back to the notion of the civil rights organizations as partners versus adversarial. I’m describing them as adversarial because I think that is the natural relationship that you want, the harsh external critic that is really focused on one narrow aspect of the balance. You are describing them as partners. Do they think they are your partners?

I’m not going to move into that direction. I would hope that they would, but it is a fair question. My first thing I learned moving into TSA — though I had knowledge of it in the past — is how expansive this entire transportation system is. There are airport operators, civil rights groups, local law enforcement, tech vendors, the concessions groups within airports, multimodal. There are so many people involved that at times we do have to de-conflict something. It might be Pollyanna to think that everybody is a partner for us, because we all want to move in the right direction and we want it to be as effective, trustworthy, and secure as it can be. That is Dan’s opinion, that everybody we work with is a positive partner as we try to innovate forward in this space.

One of the big decisions that an agency decides the TSA can make is how to spend money, and in particular, what kinds of technologies you might spend money on. You said at the beginning, there are a lot of startups who might not know that you are a potential customer, but I’m looking at the numbers here. You mentioned the computed tomography scanners; that is a $781 million contract that got delivered to one company. Are you saying, “Okay, I am going to put out RFPs. Here is a capability we want. Someone will say yes and we will buy that one.” Or as the innovation officer with your team, are you looking at the bleeding edge of tech and saying, “Actually, we might be a customer for you. We just don’t know yet.” Or is it both? How does that work?

It is more the latter today, but it is both. The way that the government strategically does big acquisition purchases right now is years out from when we make that decision. This award has been the generation of 10 years of thinking, “Where is the technology going? How are we elevating the technology readiness level, the TRL? How is it getting done through R&D investment into the science? How is that being commercialized with other vendors?” 

My team is now starting to think through — again, we are relatively new in TSA — how we are approaching this. One thing we hear from startups and from venture capital is, “We would love to work with you. We think about your mission space and we understand your problem areas, but we don’t know how to work with you.” The traditional RFP process, as I outlined, can be years in the making and have these really high barriers of entry.

The government has given us opportunities, and it has given us authorities to go test new technology and engage with the startup ecosystem. I had mentioned previously, the Defense Innovation Unit uses a process called OTA’s, which is other transaction authority. It is a much more available pathway to bring in emerging technology, which is their key focus. 

How does that translate into TSA? Well, we have the same authority. What we need to do now is understand what companies we want to go after with our innovation pipeline. What are those emerging challenges that we want to use this method? If the message is in the medium, we want to go solve it in this manner. There are small business innovation research grants (SBIR) that DHS Science & Technology runs. The Air Force has been amazing at running those. If you look at everything they have done with advanced air mobility and counter-UAS [unmanned aircraft systems], all of that was really born from the process of SBIR.

We want to co-opt that model for TSA, and really make TSA a place where people and emerging tech come in and say, “I understand your mission space. I saw your small business innovation grant. I understand it is a really nuanced, nascent area that you want us to work in. Let’s do it. How can we help?” That is what we are building now through the doctrine. We are casting out that ecosystem and saying, “We are open for business. We want emerging tech to come in.” 

It is far too often people in agencies and the government say, “Well, if these companies just knew how to work with us, they would be at our front door.” We don’t always make ourselves the easiest group to work with and that is another key role of a chief innovation officer. How do you make the agency as a whole easier to work with for emerging technology, for academia, and for venture-capital-backed startups?

I talk to a lot of startup CEOs on the show. They are always failing and pivoting. It is just the story of any successful startup is a bunch of stumbles until you find a product-market fit. That doesn’t feel like the kind of startups you want. You want people who have an actual product that works, I’m hoping.

We haven’t picked the seed-round, the series A, the IP component of this. There is a risk tolerance in government. I came from this space in a prior life, when we would present companies to government clients. I even do it myself now that I have transitioned. The first question somebody usually asks is, “Where else have you worked in government?” It de-risks the process of bringing them on board.

There are companies that I think have never worked in TSA directly, but maybe are in the aviation space or the cyber space that we are trying to regulate. Maybe they’re in an AIML space that we are looking to grow into, or at least understand the concepts.

It will come down to where that pilot has them deployed. We might work with a startup technology in AI and data, where all we actually want them to do is help us better understand where we are treating data like exhausts, where we are capturing data, and how we can effectively use it. With those lessons learned, the longevity of a startup, we hope that we can keep them through that valley. We hope that we can provide funding to keep them alive and show their VCs that there is an addressable market here. 

We want to work with anybody who thinks that they have a solution to one of our problems. What we need to get a little bit better at on the innovation side is having that catalog, that early pipeline of challenges, curating them down, and then understanding where that ecosystem can help address some of them.

You mentioned the computed tomography scanners might change the entire experience in two to three years. What is the tech on the bleeding edge you are looking at right now that might change the experience over a longer time horizon?

This is the disruptive stuff that my group really is looking at. Everybody asks me, “When do I get Total Recall? When do I get the process of walking through the airport with scanning happening around me, but I don’t break stride or slow down? I only get pulled aside if there is an issue.” That is something that we are looking at as 5G now moves into 6G in IoT space. How can we work to have an array of sensors and sensor fusion that, over time, works either to replace or is integrated with our current technology? 

Computed tomography is really interesting, because it is an AI playground, in my opinion. We can have down to the voxel level artificial intelligence, looking at different items in a bag. It will be secure, it is masked, and it is not tied to any one person. It is an anonymous bag for the sake of this argument.

You can have that level of detection, where AI is now doing the automatic threat recognition and you are no longer stressing an officer. You have enough background information to say, with a high level of fidelity, “We think we know what this is, and we think it is a problem. So grab that bag.” That is going to have a tremendous impact on officers, how they spend their time, and security outcomes. 

The other big emergence that is in our line of sight right now — and this will not necessarily affect TSA’s delivery of security, but we need to be prepared for it — is advanced air mobility, AAM. You are going to now have a whole new conveyance of travel and the promise of it is to decarbonize, which we are all pushing to do. The promise of it is connecting disparate areas faster and reducing congestion. That is a whole new mission model for us. We do not have a one-for-one on how we would deliver against that.

Wait, I’m sorry. You’re describing electric air taxis banging you between cities?

Electric air taxis, advanced air mobility. That is moving interurbans. Miami is big on this, trying to understand how you can go from the airport or other parts. That is outside our current mission model. We have some overlap that we are looking at applying, but will we put checkpoints at these air taxi locations? Will we allow these air taxis to land directly on the secure side of TSA? We do not understand exactly what their business model is going to look like yet. I think they are still figuring that out as the technology grows, as they go through FAA certification.

What we want to do from an innovation standpoint is be as agile as they are. We want to pivot alongside them so that we are never in hindrance to the market, but ready to help bring in the security and safety aspect when that is finally ready to go live. This is probably true of a lot of emerging technology, you always hear that it is sooner than you expect. With air taxis and electrification, we are hearing it sooner than we expect. We are trying to be as ready as possible for that to come alive.

That is fascinating. I hope electric air taxis are sooner than we expect. I want to go back to, “We are going to fill the airports with 5G IoT sensors. It will be like Total Recall, where you walk through the wall and it is an X-ray of you and you can see everything.”

That is what everybody asks me for.

I will just connect this to a question I ask on Decoder all the time. Everybody wants AR glasses. I will buy them in one second if they can tell me people’s faces and names. To build that though, you need to build a worldwide facial recognition database. To do what you are saying, you need to turn the airport into a surveillance panopticon, where you are watching everybody at all times and you are looking into their bags at all times. That seems like a dystopian outcome, that you walk into the airport and dozens of cameras and computers are paying attention to you in a fairly intrusive way and cataloging your bag.

I don’t want to use the word cataloging, but I get the reference. It’s assessing. It’s funny, I brought it up and I almost now feel like I regret doing it. But everybody asks me when we jump on our design thinking cohorts, “When is it going to be Total Recall?” I applaud you, Nilay, for being the first person to go, “This is the dystopian view as compared to the frictionless view.” It is just the technology we have today, moving it around. If it is not hitting the same level of security and it is making it so people don’t want to use it, then we would never deploy it. It is something that we would pull back and say, “Whoa, this is creating a negative externality and an adverse reaction that we were not anticipating.”

The idea is people want to start going through the airport again with less friction. Obviously you are one of these people that is balancing the civil rights aspect and the privacy aspect of that, and those groups exist. What we really hear is that we want less friction, and that Total Recall anecdote is one way that we get there, but there would be layered protection on top of that. It is really out there in the future, and is still based on years of moving to that place with the idea that it is going to be trusted by the public. It is going to be just as secure, but it needs to be effective and trustworthy in general.

Let’s say you are an average citizen looking at the state of our government, which is all kinds of noise all the time, especially during an election year. You are listening to Decoder and it is the chief innovation officer of the TSA. How do you look into the future from that perspective and say, “Well, the two sides hate each other. All of this stuff might get thrown out the window every two years or every four years.” How should people listening to this think about the timelines you are talking about and whether they can trust them?

There are always parts of government timelines that revolve around who is taking control of the House or the White House. I will say from the TSA perspective and my experience in government, public servants deserve way more credit than they ever have received. I don’t know when the narrative shifted, but at some point it feels like it did. There are people here that transition between administrations, that transition between different parties, that are dedicated and focused on driving improved security and innovation forward. 

I am not a political appointee in this role. I am here as a career official with the focus on improving not just the innovations at the checkpoint, but really driving forward that culture of reinvention. Maybe we can have something akin to the Netflix model of constant reinvention, open transparency, and open discussion at all levels of the workforce. We are all here. There are constant squabbles at every level of the government, but rest assured there are public servants working here doing amazing work. They are doing it quietly with no oomph or hype around it, but it truly is amazing every day to watch this leviathan move as swiftly as it does. 

That is what we did with the innovation doctrine, and I know DOT has done it with their innovation principles. First order was pointing out the fact that a lot of this is what we do today. We are just elevating and calling attention to the fact that we have people every day across government driving innovation forward. If anything, I hope this conversation is an ode to those government innovators, so they know they are appreciated.

That’s great. This is an amazing place to leave it. Dan, thank you so much for coming on Decoder. I really appreciate it.

I appreciate it. Thanks, Nilay.