THE MAGAZINE

Passenger Screening In No-Fly Zone

By Michael A. Gips

Terrorism. Privacy. The Information Age. Big Business. At the intersection of these four grand boulevards of the modern world in the first decade of the 21st century lies the Transportation Security Administration’s (TSA’s) proposed Computer Assisted Passenger Prescreening System, known as CAPPS II, a more aggressive iteration of the current CAPPS I. And not surprisingly, given the traffic and the interests involved at this crucial intersection, the system has run into roadblocks. It is uncertain whether TSA will be able to keep CAPPS II on the road to implementation or whether opposition will cause permanent gridlock.

Objectives. CAPPS II is designed to assess and categorize passengers according to the risk they may pose. As DHS Chief Privacy Officer Nuala Kelly said at a press roundtable earlier this year, CAPPS II is based on identity verification, as opposed to CAPPS I, which she called a “static, rules-based system” in which passenger activities are checked against established rules, such as buying a one-way ticket or paying in cash.

CAPPS I also flags passengers whose names are similar to those of known terrorists. One of the drawbacks of the CAPPS I system is that a person who poses no risk but shares a name with a terrorist can be repeatedly flagged for screening because the person’s identity is not actually verified, notes Mark Hatfield, director of the Office of Communications and Public Information at the TSA.

The CAPPS II system will assign each passenger an overall score that will be used to place the traveler in one of three categories: low risk (green), elevated or unknown risk (yellow), or specific identifiable terrorist threat (red). The program will arrive at these scores by cross-referencing the personal information that prospective travelers provide during the reservation process, including name, date of birth, address, and phone number—all included as part of each airline or reservation system’s passenger name record or PNR—with other government and public data, such as watch lists of known terrorists, suspected terrorists, and persons with outstanding state or federal warrants for a violent crime. The system may also draw on other data points that are part of the PNR, like credit card number, contact persons, dietary preferences, and remarks by airline staff, to verify a passenger’s identity. The TSA’s Hatfield says that this system will significantly reduce false positives.

Hatfield says that the airlines will only be required to provide the four basic elements of a PNR (name, date of birth, address, and phone number); they may provide more at their discretion, but TSA won’t be required to identify the information it is using or even disclose the specific sources from which information will be drawn. The information will then be compared to two commercial databases to further confirm identity.

Once the system becomes operational, it will be set up so that an airline representative can access the risk category determination for each passenger at the counter as that person checks in—but no data other than name, date of birth, phone number, and address plus the rating will be revealed. If the passenger is deemed an acceptable risk or unknown risk, his or her boarding pass is encoded with the appropriate risk level.

Those of unknown risk will be subject to additional security checks. Anyone posing an unacceptable risk will be denied a boarding pass and turned over to law enforcement. Law enforcement will then determine whether the person can board or must be questioned or taken into custody.

Information is to be kept only until a passenger’s travel is complete, at which time it is to be destroyed. A new prescreening process takes place each time a passenger flies.

Hurdles. CAPPS II has been stalled by the concerns of lawmakers, privacy advocates, airlines, consumer groups, and others. But political opposition is not the only hurdle the system has to overcome. Getting the technology to work as promised is a tall order in and of itself.

A February 2004 report from the GAO noted that CAPPS II is behind schedule in “testing and developing initial increments” (the program is to be phased in via nine increments), largely due to lack of passenger data. The lack of data is a function of airlines’ concerns about passenger privacy. Two airlines, JetBlue and Northwest, that did voluntarily share passenger data for testing now face class-action lawsuits, and this potential consequence has led other airlines to back away from any voluntary data sharing. And recently, American Airlines revealed that in 2002 it released passenger data to research companies that were angling for TSA contracts.

Admiral David Stone, acting administrator of the TSA, testified in March before the House Committee on Transportation and Infrastructure, Subcommittee on Aviation, that the agency would eventually issue a security directive ordering airlines to supply data after subsequent meetings with airline representatives.

More recently, the TSA’s Hatfield said that while a security directive to airlines is possible, or even probable, it might be issued concomitantly with a Notice for Proposed Rulemaking, to allow for public input on the process. “The agency feels very strongly that public dialog is a very important part of this,” Hatfield says. At the same time, TSA may pursue a negotiated settlement to get airlines to provide data, he adds. After such information is obtained, a timeline for testing and implementation can be rolled out; the TSA is hoping that testing can occur before the end of the year. “But we won’t rush it,” Hatfield says. “We need the public’s confidence first, which must be built slowly and deliberately.”

Privacy puzzle. Given that the government is not disclosing exactly what CAPPS II will entail, privacy advocates can only guess. As expressed in a recent statement by the American Civil Liberties Union (ACLU), “The biggest problem with CAPPS II is that, simply put, we have no idea what it will do.”

In the 2003 Department of Homeland Security Appropriations Act, Congress identified eight issues that TSA would have to address before CAPPS II could be federally funded and deployed. The GAO’s recent report pointed out that seven of them haven’t been fully addressed, but many of these will fall into place after a framework is developed for airlines to transmit passenger data to the TSA, Hatfield says.

These issues constitute many of the battlefield topics being debated by program proponents and detractors. Various other concerns have been raised as well. Altogether, the most contentious issues remaining are: efficacy, privacy, database accuracy, redress, operational safeguards, mission creep, and the program’s financial cost and administrative burden.

Efficacy. Has CAPPS I worked and is CAPPS II likely to work? Answers to the former question are a mixed bag. Doug Laird, a security consultant who helped develop the precursor of today’s CAPPS I program for Northwest Airlines (see sidebar, page 64), points out that several of the 19 9-11 hijackers were identified by CAPPS I as posing a high risk; the National Commission On Terrorist Attacks Upon the United States puts the number at 9. But once they were identified by the system, that didn’t mean they got additional personal scrutiny. CAPPS I was tied to checked baggage—the concern before 9-11 being bombs in checked suitcases—and the hijackers either had not checked bags or were found to have “clean” bags. Therefore, the hijackers were able to board their planes even after CAPPS I flagged them.

So can the problem be solved with CAPPS II? Laird is skeptical. “I would challenge anyone to find a system in use in the world that does that kind of job without violating anyone’s privacy,” he says.

Other experts question whether CAPPS I is actually effective at identifying passengers who present a threat, despite its having flagged many of the 9-11 terrorists. Arnold Barnett, an aviation security expert and professor at the Sloan School of Management at the Massachusetts Institute of Technology (MIT), says that the evidence isn’t so clear. A statistical analysis shows that the system’s performance is much closer to random guessing than to perfect prediction, Barnett explains.

Likewise, critics have expressed doubts that CAPPS II will be as effective as envisioned even if privacy considerations are ignored for the sake of security. “If CAPPS II does go forward, it is possible that it will do so in a way that does more harm than good,” comments Barnett, because profiling often yields false negatives. Extensive profiling in the Washington sniper incident in 2002, he says, concluded that the suspects were likely white men in a white van or box truck. They turned out to be two black men in a dark blue Chevrolet Caprice. As a result of the inaccurate profile, which misdirected the focus of law enforcement personnel, the snipers were able to get through several encounters with police officers during the manhunt.

In addition, Barnett says, with profiling “the assumption is that a past pattern will continue into the future.” In fact, he notes, “The next terrorist may be completely different.”

Another concern is that the system could be gamed. In May 2002, two MIT students published a paper showing how terrorists—or anyone—could elude CAPPS I. The students contended that random searches were more effective. As Kevin P. Mitchell, chairman of the Business Travel Coalition, testified to the Aviation Subcommittee, “Of concern is that a U.S.-based al Qaeda sleeper cell could throw 50 members at a CAPPS II until it identified 10 that were color-coded green.”

Barnett adds his concern that TSA’s intent is to reduce the number of flyers categorized as high risk; Stone has said that TSA intends to winnow from 300,000 to 75,000 the number of travelers who will receive enhanced screening. For those categorized as yellow, Barnett fears, screening won’t be any more stringent than it is today, but screening for “greens” might actually decrease. “The danger is that if they believe that CAPPS II is more reliable than CAPPS I, greens will get less scrutiny.”

Even if the program’s color-coded categorization works flawlessly, terrorists could simply assume the identity of someone who poses only a low risk, worries John Thorn, regional manager and CAPPS II expert for travel-risk company iJet. Specifically, terrorists could simply place their own photo on another person’s valid ID.

“Identity theft is the single greatest threat in terms of vulnerability of the CAPPS program,” says Thorn, pointing out that in the vast majority of cases, the victim is unaware of the theft until a fraud occurs, such as use of a credit card. Worse yet, current enforcement varies widely. Thorn says he himself was a victim of identity theft and that his reporting attempts were turned away by federal and Maryland authorities. Even at the local level, a police officer told him “it was not worth his time to fill out a report,” Thorn recalls.

The GAO’s Norman J. Rabkin, managing director of homeland security and justice issues, told Congress that TSA officials have conceded that CAPPS II won’t “detect all instances of identity theft without implementing some type of biometric indicator, such as fingerprinting or retinal scans.” The Catch-22, of course, is that privacy advocates strongly oppose the introduction of a biometric identifier.

While acknowledging that the “identity theft problem is somewhat more intractable” than other problems facing CAPPS II, Paul Rosenzweig, senior legal research fellow at the Heritage Foundation’s Center for Legal and Judicial Studies, testified that it is surmountable. He contends that the TSA can adopt best practices as they are perfected by commercial database companies, which have a financial incentive to minimize identity theft. He points out, for example, that identity verification works well to detect cheats in Las Vegas. (In fact, the government is working with at least one software company that helps casinos to see how the company’s relational database software could help the TSA refine passenger profiling.)

Privacy. Probably the most frequent and voluble charge leveled at CAPPS II is that it will compromise a person’s privacy if more personal data is analyzed or viewed by security personnel or airline staff as a part of passenger screening. Some of these concerns had already surfaced with CAPPS I. And they have been raised both in the United States and in Europe.

The TSA has attempted to address these concerns. For example, some privacy controls would be in place—including plans to destroy most passenger information within a few days after travelers complete their journeys. In addition, commercial data providers would be prohibited from using TSA information for commercial purposes.

The TSA’s Stone has also pointed out that the agency is in the process of hiring a privacy officer to make sure that the program complies with the Privacy Act. In addition, he testified in March that the information gathered by CAPPS will be “far less detailed” than what data aggregators provide in the open market.

But many privacy concerns remain unaddressed. In its February report, the GAO noted that the TSA is attempting to exempt the CAPPS II records from seven provisions of the Privacy Act of 1974, which regulates the government’s use of personal information. For example, the GAO reports that the TSA “plans to exempt CAPPS II from the Privacy Act’s requirements to maintain only that information about an individual that is relevant and necessary to accomplish a proper agency purpose.”

Those exemptions raise concerns among civil libertarians. According to David Sobel, general counsel of the Electronic Privacy Information Center, this exemption “will serve only to increase the likelihood that CAPPS II will become an error-filled, invasive repository of all sorts of information bearing no relationship to its stated goal of increasing aviation security.”

Violations of privacy have already been noted. For example, the Department of Homeland Security’s own privacy office released a finding in February that TSA employees “acted without appropriate regard for individual privacy interests or the spirit of the Privacy Act of 1974” when they encouraged the transfer of passenger data from JetBlue in 2001 and 2002.

Some observers, however, contend that privacy issues have been overblown. The Heritage Foundation’s Rosenzweig, for example, says that CAPPS II “is not necessarily a decrease in privacy,” merely a tradeoff between data privacy and physical privacy. Rosenzweig refers to the TSA’s plans to reduce from 300,000 to 75,000 the number of passengers that get more thorough physical inspection at the airport. “CAPPS II,” he has testified, “may also have the salutary effect of reducing the need for random searches and eliminate the temptation for screeners to use objectionable characteristics of race, religion, or national origin as a proxy for threat indicators.” Reliance on racial profiling has been a major concern raised by opponents of CAPPS I and II.

Europe. CAPPS II won’t work if the data is limited to U.S. airlines and passengers, of course, so Congress has given the TSA authority to require that all airlines operating in the United States supply passenger data. As of the time of this writing, TSA had not done so, however.

The European Union (EU) has objected to this use of its citizens’ data, even for flights wholly within U.S. borders, citing its extensive data protection provisions. In December, the EU and the United States entered into a data-transfer agreement. But in late March the European Parliament passed a resolution opposing this deal and threatening legal action. Without this data, the functional success of CAPPS II is in doubt. As Rep. Bill Pascrell (D-NJ) put it to the TSA’s Stone during the March hearing, “I can’t see the effectiveness of the system unless the Europeans make it seamless with their data.”

Database accuracy/access. The GAO observed that the TSA hasn’t determined the accuracy of government and commercial databases that will be used by CAPPS II. The TSA is, however, developing accuracy tests for commercial databases, comparing limited data known to be accurate against the databases. In addition, the TSA plans to use multiple databases “in a layered approach to authenticating a passenger’s identity,” according to the GAO report.

But the TSA and commercial database providers have conceded that even acceptable databases will inevitably contain errors. And because passengers can’t see those errors, they won’t be given the opportunity to correct the record. According to the Privacy Act of 1974, citizens have the right to access government records containing information about them and to have errors corrected. But that is one of the seven provisions that TSA has requested CAPPS II be exempt from.

Travelers may infer an error if they are continually subjected to intense screening at airports, as has happened to several persons with names similar to or the same as those on government watch lists under CAPPS I. In fact, the ACLU has filed a class-action suit on behalf of seven travelers who were publicly singled out by TSA.

No process for correcting the problem currently exists, raising the question: “How would a passenger challenge his risk assessment score and how long would it take to correct inaccuracies in one’s profile?” That question is posed by the Business Travel Coalition’s Mitchell, whose organization represents corporate travel buyers. He’s skeptical about the TSA’s ability to allow timely redress.

The TSA’s response thus far has been to create a Passenger Advocate to deal with passenger concerns. Passengers unsatisfied with these ombudsmen can appeal to the DHS privacy office. But critics call these measures superficial gestures. As EPIC’s Sobel testified in March, TSA maintains “the discretion to correct erroneous information upon a passenger’s request” but is not obligated to do so.

Moreover, as CAPPS II now stands, passengers lack the right to appeal TSA determinations in a judicial court. “Denying citizens the right to ensure that the system contains only accurate, relevant, timely, and complete records will increase the probability that CAPPS II will be an error-prone, ineffective means of singling out passengers as they seek to exercise their constitutional right to travel,” Sobel testified to Congress.

In addition, the GAO noted other concerns relating to redress. For example, there is a conflict in TSA’s plans to delete passengers’ data shortly after their travel ends and passengers’ ability to access and correct that data later if they suspect errors. Moreover, the TSA has not determined which data the Passenger Advocate will be able to share with complainants.

Safeguards/access control. According to Stone, the system’s infrastructure will be on a private, dedicated network, not accessible via the Internet. The infrastructure will be protected by a multitiered firewall, and data will be encrypted. Other layers of security will be present at the application level. Access to CAPPS II, he adds, will be granted based on right-to-know and extent of authorization. In addition, a 24-hour audit trail will monitor anyone accessing or attempting to access the system.

Despite these plans, at the March hearing, the GAO’s Rabkin testified that CAPPS II lacks many of the key elements of an effective information system security program, namely a security policy, a security plan, a risk assessment, and certification and accreditation of the system.

The TSA indicates, however, that these elements are being developed. The agency told Congress that it has a draft security plan that should be final by the time CAPPS II is operational. However, Rabkin testified, the risk assessment and certification have not been scheduled due to “the uncertainty regarding the system’s development schedule.”

Mission creep. Another concern is that TSA will ultimately use the program for more than passenger profiling. As iJet’s Thorn explains, concerns center around the discussion of expanding CAPPS II outside of its original bounds to such venues as railroad stations and bus terminals.

Others express similar views. “It is no exaggeration to say that CAPPS II may represent the first step towards pervasive internal border controls that would subject all citizens to invasive government scrutiny every time they attempted to travel,” the Electronic Frontier Foundation has said in a statement on the subject.

Civil libertarians have publicly aired concerns that mission creep would proceed to such an extent as to create a de facto reinstatement of the Total Information Awareness program, which Congress scuttled because of privacy concerns. A bipartisan group of 22 members of Congress expressed that specific fear to the TSA’s Stone in February.

Additionally, notes Thorn, privacy advocates fear the use of CAPPS II to “track, limit, and control certain ‘undesirable elements,’” such as peace activists and government protesters. It’s been reported, in fact, that a peace activist (and nun) from Milwaukee was flagged by CAPPS I and questioned by police before being allowed to board her plane.

“They’re trying to turn CAPPS II into the silver bullet for every law enforcement and intelligence agency in the world,” Laird says of the TSA. Instead of simply safeguarding flights from terrorists, for example, the agency is now hunting for terrorists and other criminals who don’t necessarily pose risks to a flight. “At the end of the day, the real goal is to fly an airplane from A to B and make sure there is no threat of sabotage aboard that aircraft,” he says.

Cost/burden. According to Nancy Holtzman, executive director of the Association of Corporate Travel Executives, a conservative estimate of CAPPS II’s cost to the commercial aviation industry over time will be $2 billion. This, she fears, will be passed on to corporate America.

Getting CAPPS II running has already required a significant government investment. In the first quarter of 2004 alone, developing CAPPS II cost the U.S. government $14 million, Stone told a congressional committee. Jack Schulze of the GAO’s homeland security department says the agency’s auditors will be conducting an inquiry in the near future as to the cost of CAPPS II to both government and industry. On the flip side, the TSA’s Stone has maintained that, once implemented, CAPPS II will ultimately reduce costs and administrative burdens.

Other less obvious expenses that potentially loom large are the cost of litigation and any resulting judgments or settlements. At the March hearing, Eleanor Holmes-Norton (D-DC), a law professor who serves as the shadow senator for the nation’s capital, wondered who would bear the cost if a person wrongly categorized as high risk were held from a flight and missed out on a million-dollar deal.

Business has its own concerns with the regulatory burden. Industry experts expect an increased administrative burden on the airlines, many of which are already operating with bare-bones staffs. James C. May, president and CEO of the Air Transport Association of America, says that airline reservation systems, as well as online reservation systems and global distribution systems, will have to be reprogrammed in light of the new information-collection requirements. The result, he predicts, will be “substantial new resource demands” on airlines and other reservation providers.

Despite the many political, technical, and financial concerns, most experts interviewed for this story believe that the system will ultimately be implemented, though not as originally conceived. Thorn, for one, predicts it will be a “greatly enhanced” version of CAPPS I. “It certainly won’t come out as the grandiose program that everyone had hoped for,” says Laird.

The program will probably undergo some additional modifications to address privacy concerns before it flies. No one can predict, however, what that will ultimately mean for its ability to prevent future terrorist incidents.


Michael A. Gips is a senior editor of Security Management.
