Testimony of Timothy D. Sparapani, ACLU Legislative Counsel, On Secure Flight and Registered Traveler Before the US Senate Committee on Commerce, Science and Transportation (2/9/2006)
Statement of
Timothy D. Sparapani
Legislative Counsel
American Civil Liberties
Union
Washington Legislative Office
Secure
Flight and Registered Traveler:
A Flawed Assumption that Behavior is
Predictable Leads to New Security Weaknesses while Threatening Civil Liberties
and Privacy
U.S.
Senate Committee on Commerce, Science, and
Transportation
Hearing Regarding the U.S.
Transportation Security Administration’s Aviation Passenger Pre-Screening
Programs
Dirksen Senate Office
Building, Room 562
American Civil Liberties Union
Testimony Regarding the U.S. Transportation Security
Administration’s Aviation Passenger Pre-Screening Programs
Secure Flight and Registered Traveler: A Flawed Assumption that
Behavior is Predictable Leads to New Security Weaknesses while Threatening Civil
Liberties and Privacy
Before the U.S. Senate Committee on Commerce, Science, and
Transportation
Submitted by
Timothy D. Sparapani
Legislative
Counsel
Dirksen Senate Office Building, Room 562
I. Introduction and Summary of Requests for Committee Action
The Honorable
Chairman Stevens and Ranking Member Inouye, the American Civil Liberties Union
(“ACLU”), representing its nearly 600,000 members, respectfully submits this
testimony in opposition to the Secure Flight and Registered Traveler
programs.
After four and
one-half years, nearly $200 million wasted tax dollars,[1] several name
changes, and repeated, unsuccessful reformulations of the underlying proposals,
Secure Flight and Registered Traveler are no closer to implementation than when
they were first proposed shortly after the tragic events of September 11,
2001. First introduced as CAPPS II
and Trusted Traveler, Secure Flight and Registered Traveler remain predicated on
the unproven, theoretical, and flawed premise that the government can predict
whether an individual will at some future date commit a terrorist act. The Secure Flight Working Group,
convened by the Transportation Security Administration (“TSA”) to provide it
with advice, concluded that “. . . there is not sufficient available
intelligence to determine what characteristics indicate someone will be a
threat.” Secure Flight Working
Group Rep., presented to the TSA, Sept. 19, 2005, at 3. This premise, akin to alchemy and
astrology in its scientific accuracy, has led TSA to misdirect its resources
towards establishing two passenger pre-screening programs that will not make us
any safer but will make us less free.
Attempts to establish these programs have served as massive diversions
that to this day prevent TSA screeners from accomplishing their core mission.
Congress can only draw one conclusion from the failure to build Secure Flight
and the inherent weaknesses of Registered Traveler: authorizations for both programs must be
terminated expressly, and Congress must force TSA to refocus on achieving its
core mission by keeping known terrorists who are threats to aviation security
off planes, and – for the first time – screening all carry-on bags, luggage, and
cargo for weapons and explosives.
The ACLU
requests that this Committee and Congress explicitly revoke authorization for
both Secure Flight and Registered Traveler, no matter what they are called, and
instead insist that the Department of Homeland Security’s (“DHS”) TSA focus its
passenger pre-screening on accomplishing two goals: (1) paring the No-Fly and
Selectee Lists maintained by the Federal Bureau of Investigation’s Terrorist
Screening Center (“TSC”) down to known terrorists who personally pose a specific
threat to aviation security only; and (2) simply comparing passenger manifest
lists to this refocused list.[2]
If the TSA attempts to implement Registered Traveler, the ACLU requests
that Congress expressly block the privatization of Registered Traveler and
prevent the use of commercial data concerning applicants to determine whether a
would-be flyer is qualified to sign up for Registered Traveler. Neither the government, nor companies
should assign individuals a risk assessment based on commercial data, because
the consequences of a wrongful determination could lead to many future
deprivations of the exercise of rights and privileges. However, it is significantly more
inappropriate to allow private companies to perform a governmental role to
determine whether a passenger constitutes a threat and the Government still must
act in a Constitutional manner, even if it has outsourced its responsibilities
to the private sector. Companies
cannot be trusted to make such determinations accurately. The consequences of
such a negative determination would likely add the rejected applicant to a new
third list – similar to the No Fly List or Selectee List – of undesirable flyers
who are virtually certain to be subject to, at a minimum, extra scrutiny every
time they attempt to fly, and, at worst, a permanent bar from flying altogether.
As is discussed in greater detail below, this new third list of
“Un-Register-Able travelers” would likely be shared with other Registered
Traveler companies, the TSA, TSC, and, likely, other government agencies. Further, as Congress recognized last
fall when it expressly prohibited the TSA from utilizing commercial data to
pre-screen passengers for Secure Flight, commercial data contains enormous error
rates, is unreliable, and is not useful as a tool to predict whether a would-be
flyer is a threat to aviation security.[3]
II.
Secure Flight: A Dangerously Flawed Proposal that Should Be Terminated
Secure Flight, regardless of its form, permits unacceptable security
weaknesses, while threatening civil liberties and personal privacy. It is hard to say for sure what Secure
Flight will ultimately do since TSA has still not finalized a working plan, flow
chart or business model for the concept.
However, it appears that Secure Flight would:
1)
Require TSA to gather passenger name record (“PNR”) data from the
airlines and travel agents who book tickets;
2)
Require TSA to forward this information to the Federal Bureau of
Investigation’s Terrorist Screening Center (“TSC”), to compare the names of the
ticket purchasers to those names on the No-Fly and Selectee Lists;
3)
Require TSC to inform TSA whether a person attempting to fly is on either
list; and
4)
Require TSA to tell its airport screeners to (a) allow the person to fly
unimpeded except for normal screening, (b) select the person for some additional
and more intrusive screening, such as opening bags, patting the person down,
screening for explosive residue, and/or detaining the person for questioning, or
(c) inform the would-be passenger that their name is similar to that of someone
on the No-Fly list and they are barred from flying.
While this concept
appears easy to implement, it suffers from numerous and intractable problems.
A. Security Weaknesses Render Secure Flight Unwise
Secure Flight is
fatally flawed from a security standpoint.
To support Secure Flight, a person must accept the dubious premise that
terrorists will attempt to book a ticket and board a flight under their own
names. This is a simplistic
approach and one upon which we cannot allow our airline security to rely. Again, no terrorists will be prevented
from boarding airplanes unless a terrorist both attempts to book a ticket and
shows up to board a plane under his or her own name and documents. The ease with which identity theft and
document fraud is accomplished renders this premise highly suspect,
however. The U.S. Federal Trade
Commission estimated in 2003 that “over
a one-year period nearly 10 million people - or 4.6 percent of the adult
population - had discovered that they were victims of some form of identity
theft.” Prepared Statement of the
Federal Trade Commission before the Committee on Banking, Housing, and Urban
Affairs, U.S. Senate on Identity Theft: Recent Developments Involving the
Security of Sensitive Consumer Information, Deborah Platt Majoras, Chair of the
Federal Trade Commission, March 10, 2005, available at http://www.consumer.gov/idtheft/pdf/ftc_03.10.05.pdf.
The intelligence
community presumes that the nation’s enemies, such as Al Qaeda, are: (1) patient; (2) well-funded; (3)
capable of committing identity theft with remarkable ease; and (4) capable of
producing high-quality, forged identification documents that allow a terrorist
to purchase tickets and present virtually undetectable papers under an assumed
name. This programmatic weakness
leads to what security experts dub False
Negatives, an inability of Secure Flight to detect actual terrorists. If the system is not able to identify
known terrorists, TSA’s screening will have failed.
Again,
the ACLU does not oppose the TSA vetting passenger lists against a narrowly
constructed list of known terrorists who pose a specific threat to aviation
security. If a wanted terrorist is
foolish enough to fly under his or her own name, the government should
immediately arrest the suspect or monitor the terrorist’s activities while
preventing the terrorist from committing acts of terror and violence.
The problem from
a security and civil liberties perspective is that both the No Fly and Selectee
Lists, which are at the heart of the Secure Flight proposal, are bloated with
names of individuals who have absolutely no connection to terror and do not have
the capability of threatening aviation security. This leads to numerous cases of False
Positives, which distract TSA from finding the actual terrorists. False positive stories are
ubiquitous. Each Senator who is a
Member of this Committee likely has innocent constituents who have been
unnecessarily harassed, delayed or outright denied the ability to fly. The ACLU has collected complaints from
1,000 of such constituents, 740 of which were gathered through our internet
intake process, but we will highlight just four:
- Passenger
David XXXXX (Aug. 16, 2005) was surrounded by armed police with guns drawn at
the ticket counter when he was mistakenly identified as being on the No Fly
List. Moreover, when he arrived at
the gate, his checked luggage was brought to him, and he was forced to witness
the search of his belongings at the gate, the whole process taking two
hours.
- Passenger Gregory XXXXX
(May 9, 2005), after having his luggage thoroughly searched, was separated from
his five-year-old son who was hysterically crying and escorted into a private
room where he was subjected to a cavity search and genital inspection. Gregory has been wrongly delayed
overnight on five separate occasions and whoever is accompanying him is also
subject to delays and searches.
- Passenger, Mary XXXXX
(May 16, 2005) was forced by TSA screeners to be screened with a machine (Smiths
Detection Ionscan Sentinel II), which she was told checked “to see if I have a
bomb inside me.” This machine
photographed her and TSA denied her repeated requests to view the picture or be
provided a copy.
- Passenger
Hussein XXXXX (July 23, 2005) is a Lebanese citizen who has been a legal
resident of the U.S. since 1992.
During his layover in Minneapolis, Minnesota while flying from Lebanon to
Seattle, Washington, he was escorted off the plane by five security officers to
a room away from the gate. He was
questioned about his family, extended family, how he files taxes, his business,
his real estate holdings and so forth. Additionally, the officers demanded he
give them access to his computer, which he initially refused because it
contained confidential information about his clients. After five hours of
interrogation, he was exhausted and delirious so the officers gave him a choice
of either being detained overnight and being questioned the following day or
having an appeal inspection in Seattle.
He was scheduled to appear at the U.S. Customs and Border Protection
Office in Seattle on July 25, 2005.
In the past, he has had similar experiences. For example, on October 3, 2004, he was
stopped in Portland, Oregon on his way to Frankfurt, Germany by U.S. Customs who
interrogated him. He was given no
medical attention when he fainted, and security officers laughed at him while
they waited until he regained consciousness.
At least four
Members of Congress – the Honorable Senator Ted Kennedy (D-MA), and the
Honorable Congressmen Darrell Issa (R-CA), John Lewis (D-GA) and Don Young
(R-AK) -- have names similar to those of individuals on those bloated
Lists. The Honorable Congresswoman
Zoe Lofgren (D-CA) reported in Congressional hearings last summer that her
husband has been repeatedly selected for additional security screening. Nuns and infants have been found on the
No Fly List. To be effective, the
Lists must be paired down only to known terrorists – not criminals, not deadbeat
dads, not drug dealers. The advice
provided by an independent panel of experts to the Department of Homeland
Security concurs:
Secure Flight should be
narrowly focused.
TSA should limit Secure Flight’s mission to correctly
identify individuals in the traveling public who are on the Do Not Fly and
Selectee lists. The case has not
been made for any expansion of the mission of Secure Flight beyond
identification of individuals on those lists.
Department of Homeland Security
Data Privacy and Integrity Advisory Committee: Recommendation on the Secure
Flight Program Rep., Adopted Dec. 7, 2005, at 2 (emphasis in original). Limiting the names on the list is the
only way that TSA can focus on its core mission: preventing another terrorist attack on
an airplane. Senator Kennedy (D-MA)
revealed at a Senate hearing that due to the fact an “E. Kennedy” was on the No
Fly List, Senator Kennedy repeatedly was selected for additional screening. Every
minute spent treating Senator Kennedy like a potential terrorist is one less
minute that could be spent catching the next Mohammed Atta.
B. Civil
Liberties: Secure Flight Leads to a
Denial of the Right to Travel in Extreme Cases and Leads to Racial Profiling
In addition to being fatally flawed from a security standpoint, Secure
Flight also is flawed from a civil liberties standpoint. First, using a bloated No Fly List to
prevent innocent people from flying wrongly deprives them of their
constitutionally protected Right to Travel. The United States Supreme Court has
stated that:
The
word “travel” is not found in the text of the Constitution. Yet the
“constitutional right to travel from one State to another” is firmly embedded in
our jurisprudence. United States v. Guest, 383 U.S. 745, 757, 86 S.Ct.
1170 (1966). Indeed, as Justice
Stewart reminded us in Shapiro v. Thompson, 394 U.S. 618, 89 S.Ct. 1322
(1969), the right is so important that it is “assertable against private
interference as well as governmental action ... a virtually unconditional
personal right, guaranteed by the Constitution to us all.” Id., at 643, 89 S.Ct. 1322.
(concurring opinion).
Saenz
v. Roe,
526 U.S. 489, 498-99 (1999). We
suspect that TSA will soon begin to apply the Secure Flight concept to those who
travel by train, interstate bus, boat and ferry. Some Americans living in remote regions
of Alaska, or on the islands of Hawaii and Puerto Rico simply cannot drive to
conduct their business, so the consequence for someone who is wrongly put on the
No Fly List is severe and could force them to move to conduct their daily
affairs.[4]
Second, as too many Americans have experienced, people who are wrongly
put on either list have no guarantee that they will be able to ever get off and
stay off the lists. Establishing a
transparent, workable redress procedure to help people wrongly listed should
have been the first and easiest thing TSA accomplished. TSA has provided numerous promises that
such a redress process would be provided but, to date, has still not
accomplished this goal:
- “CAPPS II will include
a comprehensive redress process for those passengers who have questions
concerning their experience. TSA will appoint an Ombudsman to handle any
inquiries. These capabilities will result in improved resource scheduling and
other operational efficiencies.” (March 7, 2003) Congressional briefing by Ben H. Bell,
III, Dir. Office of National Risk Assessment (“ONRA”) TSA, available at http://www.acte.org/initiatives/CAPPS_II_CongressBriefing.pdf.
- “CAPPS II will also
include a comprehensive redress process for passengers. TSA will appoint a
Passenger Advocate to work with our current Ombudsman program, to handle any
inquiries or complaints raised by passengers with regard to the CAPPS II system.
Where a passenger - of any nationality - believes that he or she is being
improperly singled out for heightened scrutiny, this will be the place for this
passenger to turn to have his or her concerns addressed. This is more than a
matter of fairness - because CAPPS II is also a resource allocation tool, it is
in TSA’s interest to know where we are making mistakes. The Passenger Advocate
will thus not only promote fairness and privacy and passenger confidence, but
system effectiveness and efficiency.”
(May 6, 2003) Statement of
Stephen McHale to the European Parliament, Dep. Admin., TSA, available at http://www.europarl.eu.int/comparl/libe/elsj/events/hearings/20030506/mchale_speech.pdf.
- “The redress system is
based on having an ombudsman and a passenger advocate designated and a process
in place so that when an individual finds that they are being repeatedly
selected as a secondary screenee during their transit through the airport that
they will have an opportunity then to contact TSA, the ombudsman, and the
passenger advocate and then we will have the capability to have a decision made
at the TSA level concerning going in on that individual and then adjusting the
criteria for that individual after we verify their name, date of birth, address
to [sic] for into that and make these decisions, we think, in a rapid matter so
that it is not a bureaucratic system of waiting forever to get a response. Our goal is to have a redress system
that has flexibility in it and speed and scratches the itch for the traveling
public regarding frustrations over being selected repeatedly.” (March 17,
2004) David M. Stone before House
of Representatives Transportation Committee, Subcommittee on Aviation, available
at http://www.house.gov/transportation/aviation/03-17-04/stone.pdf.
- “In
addition, the new program [Secure Flight] will also include a redress mechanism
through which people can resolve questions if they believe they have been
unfairly or incorrectly selected for additional screening.” (August 26,
2004) TSA Press Release, available at http://www.tsa.gov/public/display?theme=44&content=09000519800c6c77.
- “In
conjunction with the Secure Flight program, TSA has charged a separate Office of
Transportation Security Redress to further refine the redress process under the
Secure Flight program. The redress process will be coordinated with other DHS
redress processes as appropriate.
Utilizing current fiscal year funding, resources have been committed to
this Office to enable it to increase staffing and to move forward on this
important work. TSA recognizes that additional work remains to ensure that there
is a fair and accessible redress process for persons who are mistakenly
correlated with persons on the watch lists, as well as for persons who do not in
actuality pose a security threat but are included on a watch list. (June 29, 2005) Statement of Secure Flight Assistant
Administrator Justin Oberman to House of Representatives Subcommittee on
Economic Security, Infrastructure Protection, and Cybersecurity, available at http://homeland.house.gov/files/TestimonyOberman.pdf.
Yet,
four and one-half years later, TSA has still not managed to accomplish this
goal. Congressional frustration over this failure led, in part, to the express
requirement codified in both the FY 2005 and 2006 DHS Appropriations bills, Pub.
L. No. 108-774 § 522(a), (d)-(f) (2004)[5] and Pub. L.
No. 109-90 § 518(a)-(b) (2005)[6] that the
Government Accountability Office (“GAO”) certify the establishment of a working,
fair redress procedure before Secure Flight can be implemented. As the GAO’s March 28, 2005 report
regarding Secure Flight stated, TSA has failed to accomplish even this simple
matter. U.S. Government
Accountability Office Rep., Aviation Security, Secure Flight Development and
Testing Under Way, but Risks Should be Managed as System is Further Developed
(“GAO Report”), March 28, 2005, at 1.
Just
three weeks ago, DHS Secretary Chertoff and Secretary of State Rice issued a
joint statement pledging the rollout of a workable redress process. “‘One Stop’ Redress
for Travelers. Sometimes
mistakes are made. Travelers need
simpler ways to fix them.
Therefore, DHS and State will accelerate efforts to establish a
government-wide traveler screening redress process to resolve questions if
travelers are incorrectly selected for additional screening.” Rice-Chertoff Joint Vision: Secure Borders and Open Doors in the
Information Age. Dep’t. of Homeland Security, Dep’t. of State: Joint Press Release, Jan. 17, 2006,
available at http://www.state.gov/r/pa/prs/ps/2006/59242.htm (emphasis in original). As
too many Americans have experienced, and reported to the ACLU, the “passenger
identity verification form” process TSA now utilizes is inadequate and does not
guarantee that passengers will not be delayed or denied when trying to fly in
the future. As the GAO reported, “.
. . the effectiveness of the current redress process is uncertain,” and “[t]he
draft redress process documentation does not address a means for passengers who
are inappropriately denied boarding to seek redress.” GAO Report at 56, 58. Thus, people whose names are wrongly
added to the lists – or, more likely, have names similar to others on the Lists
– are perpetually doomed to – at best – unnecessary harassment, embarrassment
and delays every time they fly. At
worst, they will be denied the ability to fly at all. Congress should ask: If TSA cannot build a redress process
after nearly four and one-half years for Secure Flight to prevent against civil
liberties violations, how can TSA be trusted to build an effective, civil
liberties-respecting passenger pre-screening program?
Secure Flight will likely lead to impermissible racial profiling. The names most likely to be on the No
Fly and Selectee Lists that will be utilized for Secure Flight are likely to be
those of Muslims, or people of Arab or Middle Eastern dissent. Thus, a disproportionate number of
people who are wrongly selected for additional screening or barred from flying
outright will be those of these classes. Congress must guard against allowing a
program designed to increase security from becoming a tool for racial
profiling. Such profiling wastes
precious resources and ignores the fact that the next terrorists may draw from
those demographics that are the majority races, religions or ethnic backgrounds
in this country.
C.
Privacy: TSA’s
Failures to Safeguard Personal Data for Secure Flight Unacceptably Threaten
Personal Privacy
As
demonstrated by the tortured attempts to test the viability of CAPPS II and
Secure Flight, Secure Flight, if implemented, unacceptably threatens personal
privacy. Testing of Secure Flight
has led to two high profile and massive privacy violations. In 2003, JetBlue Airways gave 5
million actual passenger itineraries to Torch Concepts, a Defense Department
contractor, which was attempting to study whether the government could prescreen
passengers to determine who was a high-risk customer. Bruce Mohl, Airlines Weigh Privacy Issues, Boston Globe, Oct. 12, 2003. In
a separate incident last summer, the GAO reported that TSA had violated the
Privacy Act of 1974, Pub. L. No. 93-579 (1974), codified at 5 USC § 552, by
giving personally identifiable information on millions of people without giving
legally required public notice. As
stated by Senators Collins and Lieberman in a July 22, 2005 press release and
letter to Secretary of the U.S. Department of Homeland Security Michael
Chertoff, the GAO reported that “TSA failed to comply fully with the Privacy Act
when it ‘collected and stored commercial data records even though TSA stated in
its privacy notices that it would not do so.’” That letter further stated that a
private contractor had “obtained more than 100 million records from commercial
data aggregators in violation of the Privacy Act.” Senators Collins and Lieberman Criticize
TSA for Violating Privacy Laws While Testing Passenger Prescreening System: GAO Findings Conclude TSA Failed to
Comply with the Privacy Act, July 22, 2005, available at http://hsgac.senate.gov/index.cfm?Fuseaction=PressReleases.Detail%PressRelease_id=106.
Further, TSA
has not learned from its privacy breaches; it has not yet even fully assessed
the impact of implementing Secure Flight on passengers’ personal privacy despite
a Congressional mandate. The GAO’s
report regarding Secure Flight concluded that “TSA has not yet clearly defined
the privacy impacts of the operational system or all of the actions TSA plans to
take to mitigate potential impacts.”
GAO Report, at 1. If past
experience is the best guarantee of future performance, TSA cannot be trusted
with the sensitive, private data it will demand from each passenger. The inability of the TSA to adequately
safeguard sensitive, personally identifiable information about actual passengers
during testing of the program’s efficacy and viability provides no assurance
that should the program be implemented each passenger’s information will be
safeguarded. Indeed, if Secure
Flight is implemented, the personal information of 1.8 million passengers on
30,000 flights will be electronically transferred from airlines and ticketing
companies to TSA and TSC every single day.
This will lead to numerous data breaches that dump sensitive information
into the public sphere. For
identity thieves, it will be like taking candy from a baby.
D. Track
Record of Failure: Past TSA
Failures Suggest Future Launch Efforts Will Not Be Better for Secure Flight
Regardless of
the security, civil liberties and privacy risks raised by what TSA’s public
statements concerning Secure Flight suggest, the program remains wholly
conceptual more than four years after passage of the Aviation and Transportation
Security Act, Pub. L. No. 107-71 (2001), that authorized its creation. Slippage of deadlines has been the rule
for Secure Flight and its predecessor CAPPS II:
- “Of
note, the terrorist screening center remains on schedule to bring the first
version of the consolidated terrorist screening database on line by March 31,
2004, and achieve full operation capability by the end of the year.” Testimony of David M. Stone, before
Hearing of House of Representatives Comm. on Transportation, Subcomm. on
Aviation on status of CAPPS II, March 17, 2004, available at http://www.house.gov/transportation/aviation/03-17-04/stone.pdf.
Every review by a government agency
or independent commission in the last year found Secure Flight to be woefully
undefined because of the myriad conceptual and practical flaws, no matter how
the program is modified.
On March 28, 2005, the GAO summarized “TSA’s Status in Addressing
Ten Areas of Congressional Interested included in Public Law 108-334,” finding
that TSA had only achieved one of the ten requirements – establishing an
internal oversight board – and had not yet even finalized a “draft concept of
operations.” GAO Report, at 4.
- On September 19, 2005, TSA’s Secure Flight Working Group concluded
that:
Congress should prohibit live
testing of Secure Flight until it receives . . . a written statement of the
goals of Secure Flight signed by the Secretary of DHS that only can be changed
on the Secretary’s order.
Accompanying documentation should include: (1) a description of the
technology, policy and processes in place to ensure that the system is only used
to achieve the stated goals; (2) a schematic that describes exactly what data is
collected, from what entities, and how it flows through the system; (3) rules
that describe who has access to the data and under what circumstances; and (4)
specific procedures for destruction of the data.
Report of the Secure
Flight Working Group, Presented to the TSA, Sept. 19, 2005, at 32.
- In August 2005, the Department of Justice’s Inspector General
issued a report, which said that TSC could not plan to assist in Secure Flight
because TSA failed to even establish a working flow chart for Secure
Flight. “The TSC’s difficulties in
estimating the costs for Secure Flight are exacerbated by the TSA’s failure to
specifically define the scope of each implementation phase. As a result, the TSC has been unable to
adequately project its resource requirements for responding to the expected
increase in workload.” Review of
the Terrorist Screening Center’s Efforts to Support the Secure Flight Program,
U.S. Department of Justice Office of the Inspector General, at (ix). Further, the report concluded that
“. . . TSC is trying to plan for a program that has several major
undefined parameters. Specifically,
the TSC does not know when Secure Flight will start, the volume of inquiries
expected and the resulting number of resources required to respond, the quality
of data it will have to analyze and the specific details of the phased-in
approach for taking the program from ‘pre-operational testing’ in September 2005
to full operational capability in FY 2007.” Id. at (ix).
- On December 7, 2005, a panel of independent experts advising DHS
found that “. . . the program is not yet fully defined . . .” and
recommended that “. . . there must be an overall system description that
addresses all aspects of the Secure Flight system including external supporting
systems, policies, applications and infrastructures, as well as related business
processes managed by entities external to the Secure Flight program
office.” Dep’t. of Homeland
Security Data Privacy and Integrity Advisory Comm. Rep., Recommendation on the
Secure Flight Program, Adopted Dec. 7, 2005, at 1, 2.
As the ACLU stated at the
outset, this program – like Registered Traveler – is a moving target, which
leads to only one conclusion: the
testing thus far has been unable to demonstrate that Secure Flight can predict
those flyers who are potential terrorists and/or identify and prevent known
terrorists from flying. No
modification can change the conclusion that Secure Flight simply will not work,
the ACLU recommends that Congress:
1) Direct the TSC only to maintain a short list of known terrorists who pose
a specific threat to aviation security and dispense with the bloated No Fly and
Selectee Lists.
2) Explicitly repeal the authorization for Secure Flight or any similar
program, and, instead, use TSA and TSC to compare names of would-be passengers
to the pared down list of known terrorists who pose a specific threat to
aviation security.
3)
Utilize the funds saved by eliminating Secure Flight to invest in
programs that will greatly enhance physical screening including the introduction
of appropriate new technologies and the screening of all carry-on bags, luggage
and cargo for explosives and weapons.
4) If Congress decides to allow Secure Flight testing to continue, it should
insist that TSA comply with the spirit and letter of the law expressed in both
the FY 2005 and FY 2006 DHS Appropriations laws. Congress should insist expressly that
TSA not implement the program, even on a test basis impacting actual passengers,
unless and until the GAO certifies first that all ten of the Congressionally
mandated criteria have been satisfied.
II. Registered Traveler: The
Misalignment of Profit and Security Trades the Promise of Speed for Personal
Privacy and the Illusion of Enhanced Security
Like Secure Flight, TSA’s proposed Registered Traveler program should be
blocked from implementation. The
Registered Traveler concept, whether entirely government run or partially
privatized, trades the promise of speedy screening for the illusion of enhanced
security. This concept misaligns the profit motive with the country’s need for
safety. The ACLU does not believe
that security should be traded for expediency. The ACLU therefore recommends that
Congress eliminate TSA’s authorization to develop Registered Traveler. If Congress does proceed with Registered
Traveler, the ACLU recommends that TSA not privatize Registered Traveler. If Congress does allow TSA to privatize
Registered Traveler, the ACLU recommends that the government – not commercial
companies – undertake background checks on program applicants, and that Congress
expressly prohibit private companies from accessing third-party companies’
commercial data to determine applicants’ risk assessments.
Registered Traveler also remains largely undefined, but the TSA’s public
pronouncements suggest the basic parameters of the program. Frequent flyers would be granted some
combination of alternating security screening benefits, which would induce them
to undergo an extensive background check to pre-clear them for flying. Passengers would be required to provide
extensive amounts of sensitive, personally identifiable information to
qualify. The information provided
is likely to include, but not be limited to, financial and credit information,
residence history, and biometrics such as an iris scan or fingerprint. If the background check – either
undertaken by the government or a private sector company – raises no red flags,
the applicant would either (depending on the airport) be permitted to cut to the
front of the security screening lines (as has been done in the Orlando, Florida
pilot program), or would be ushered into a screening lane dedicated solely for
Registered Traveler participants.
A. Security: Registered Traveler Wrongly Assumes
Background Data can Predict a Person’s Future Behavior
Like Secure
Flight, Registered Traveler rests on a dangerously flawed premise, which causes
it to provide the illusion of greater security without actually making airlines
safer. Registered Traveler will be vulnerable to “sleeper cells”, i.e.,
terrorists with no previously known or detectable ties to terror who could
establish themselves as unremarkable members of society. To support Registered Traveler, one must
accept the untested premise that by checking a would-be flyer’s background, the
government (or a commercial enterprise) can identify terrorists and predict a
flyer’s future behavior. This
premise is fatally flawed. The data
that will be provided for a background check may allow a credit card company to
determine whether a person is a credit risk, but it cannot identify someone
harboring a dangerous plan and a willingness and capability to undertake a
terrorist attack that causes a threat to aviation. No one knows what criteria will allow
the government to ferret out the innocent traveler from the sleeper cell
participant waiting for instructions to carry out a terrorist attack. For example, the four men who bombed the
London, England subway system on July 7, 2005 reportedly had no prior known ties
to terror. Thus, no amount of data could have uncovered their sympathies or
plans. Similarly, the 9/11
terrorists spent many months in this country, demonstrating that Al Qaeda is
patient and well funded. Congress
should expect that similar cells of innocent-seeming individuals could be sent
to this country to establish lives that would allow them to pass the Registered
Traveler background checks. This
would allow them to avoid suspicion until they later receive instructions to
conduct terrorist attacks. Because
glaring loopholes exist in the nation’s physical screening, no amount of
“layered security” will detect these sleeper cells.
Further, while
background checks look at people’s data histories, they only provide a review at
one moment in time. Thus, they
cannot predict future behavior.
Simply because a person has not, to date, demonstrated indicia of
adherence to a dangerous ideology does not mean that a person’s ideology will
not evolve. No one could have
predicted the rapid transformation of John Walker Lindh from college student to
disgruntled Taliban fighter.
Further, TSA must not focus solely on Al Qaeda. Lone, disgruntled individuals may lose
their minds and some may attempt to commit a terrorist attack on aviation. If that person has previously been an
upstanding member of society, there would be nothing to prevent them from
participation in Registered Traveler and its lessened security screening.
B. Privatization
of Registered Traveler is Dangerous:
Registered Traveler Misaligns Profit Motive with
Security
Registered Traveler will
make Americans less safe because it misaligns profit incentives with the
national security needs of this country.
Corporations exist to make profit for their owners and shareholders. That legal reality creates an incentive
to optimize and cut corners where possible. Thus, privatization of such a program
will make us less safe in two different ways.
First, to attract
participants, companies will offer the fastest possible screening lanes, while
maximizing profits. This will
require hiring low-cost, low-skill laborers who will go through the motions of
screening Registered Traveler participants for weapons and explosives. The government’s TSA screeners already
routinely fail to identify such dangerous contraband during routine
testing. Private screeners,
overseen by managers who are intent on maximizing the attractiveness of the
Registered Traveler screening lanes, will have a disincentive to go the extra
mile to identify items that could bring down a plane or harm the crew and
passengers; doing so slows down screening and eliminates the one advantage for
participants. Furthermore, the same
company will take applications for Registered Traveler, conduct the background
checks on applicants, gather the biometric data to issue pass cards, and then
may perform screenings at the airports.
This streamlined, profitable vision does not provide for sufficient
security oversight. If a terrorist
fools the one company the terrorist applies to, the terrorist will be given a
Registered Traveler pass providing them with reduced physical screening at the
airport every time they attempt to fly.
Second, offering
“advantages” to decrease screening time per flyer, such as those TSA has
publicly promised -- i.e., not forcing individuals to have their shoes,
jackets and laptop computers screened -- creates vulnerabilities. If there is a security value in
screening for these items, then all flyers – whether they are in the regular
screening lanes or the dedicated Registered Traveler screening lanes – should be
forced to comply. Congress should
expect that Al Qaeda or other enemies of this nation will detect the weaker
security protocols for Registered Travelers and will attempt to exploit them to
carry out future attacks.
C. Civil
Liberties: Reliance on Flawed
Commercial Data Leads to the Wrongful Placement on a List of Un-Register-able
Travelers with Unknown Consequences
Registered
Traveler also impermissibly threatens civil liberties. The background checks will rely on
commercial data, which is notoriously inaccurate. Data errors are common in every
database. Numbers and names get
transposed. While there can be only one Senator Ted Stevens, data about people
with similar names, like T. Stevens, Teddy Stevens or Theodore Stevens could be
wrongly merged with the Senators files collected by various companies.[7] The data aggregators who are most likely
to provide the commercial data, like ChoicePoint, do not audit the accuracy of
their dossiers of information. Thus, either the government or a private company
will assign a risk assessment to Registered Traveler applicants that could be
fundamentally wrong. Current law
does not give consumers the right to access, review, and correct errors in files
maintained by commercial enterprises.
In the fall of 2005,
Congress decided this risk was unacceptable and passed a law expressly
prohibiting TSA from using commercial data to pre-screen passengers for Secure
Flight. Congress codified this
understanding in the FY 2006 Department of Homeland Security Appropriations
bill. During the Senate
Appropriations Committee’s mark-up of the bill, Ranking Member Robert Byrd
(D-WV) said that:
. . .
the bill contains an important protection for the privacy rights of
Americans. We need always to keep
these rights in mind. I thank
Chairman Gregg for his support of language that I recommended concerning Secure
Flight, the Department’s proposed new airline passenger profiling system. The language would prohibit the use of
commercial databases for confirming the identity of airline passengers. Such commercial databases are
unreliable and potentially invade people’s privacy.
Transcript of Senate Appropriations
Committee Mark of H.R. 2360, the FY 2006 DHS Appropriations bill, July 7, 2005
(emphasis added). On January 20,
2006, TSA demonstrated that it did not get the message when it announced that
the newly reformulated Registered Traveler program would have private companies
screen data collected by other private companies concerning applicants. The ACLU, therefore, requests that
Congress again expressly prohibit by statute TSA – or companies with which TSA
contracts to perform Registered Traveler services – from utilizing commercial
data to assess applicants for Registered Traveler.
No one – not
Congress, TSA, the companies wishing to operate Registered Traveler programs, or
the ACLU – knows what it will mean for someone to be wrongly denied when they
apply for Registered Traveler. If a
third list of Un-Register-able Travelers is created from those blocked from
joining Registered Traveler, there may be other consequences such as that list
being used to deny the applicant a government security clearance necessary for a
job, or to prevent the applicant from entering a government building. Several questions about the consequences
should be considered:
1) Will those denied registration be put into a third list of undesirable
flyers – the “Un-Register-able Travelers?”
2)
If so, will they be automatically selected for additional, intrusive
screening every single time they fly?
3)
If private companies, essentially functioning as government
actors, wrongly determine that an applicant poses a risk, what legal recourse
will the flyer have to challenge that finding if it is used to create a third
list?
Moreover,
those denied the chance to be Registered Travelers will be forever required to
pass through the “slow” screening lanes for all flyers. There, they will be subjected to more
invasive screening than the Registered Travelers. Finally, those denied are likely to be
disproportionately poor, minorities, and women; these groups simply are less
likely to have the lengthy data trail and credit standing to guarantee
participation. Congress will need
to ensure that this program cannot create a de facto second-class status
for would-be flyers whose commercial data is not as clean as that of wealthy
businessmen.
D.
Privacy: Frequent Travelers Should Not be Forced
to Choose Between their Sensitive, Private Information and Speed of Screening
Registered
Traveler also poses an unacceptable inducement that causes business and other
frequent travelers to involuntarily forego their personal privacy for the
promise of speed and efficiency in screening. This is a choice that Congress should
not ratify. No one should be forced
to choose between privacy and speed.
When screening lanes are taken from the mass of the flying public and
dedicated for Registered Travelers, the lines for everyone else get
significantly longer. This creates
a scarcity of time and screening lanes.
Inevitably, the occasional traveler or privacy-sensitive traveler will be
induced to undergo extensive background checks and share their most sensitive,
personally identifiable information to migrate to the faster lanes. Given a truly equal choice, almost no
one would voluntarily share his or her private information. But when the TSA turns screening into a
chokepoint at airports, it forces people to override their instincts. This enforced scarcity renders the
choice to share private information involuntary.
E. Speed and Efficiency Benefits
Negligible, Unproven and Possibly Illusory
Ironically, the benefits
of participation in Registered Traveler remain unclear and will likely prove
illusory as the program grows and increasing numbers of people are registered
for the “fast lane”. To date, the
TSA has not published any studies demonstrating that either dedicating screening
lanes for Registered Traveler participants, or allowing Registered Traveler
participants to jump to the front of the line, will not make the lines for the
mass of the flying public longer. A
small percentage of frequent flyers constitute a disproportionate percentage of
the individual screening interactions.
Therefore, simply removing them from the “slow” screening lines will not
necessarily translate into faster screening lanes for Registered Travelers. If
we assume that the vast majority of all the targeted frequent flyers
participate, then the dedicated lines for Registered Travelers will be lengthy
at peak flying times. During
off-peak hours, the lines are not likely to be long in either the normal
screening lanes or the Registered Traveler lanes. Similarly, some airports do not
experience the lengthy lines that would push people to apply for Registered
Traveler. Finally, TSA promises to
occasionally modify the screening protocols for Registered Travelers to avoid
predictability by terrorists. This
will erode or eliminate any of the already negligible speed and efficiency gains
and it does little for frequent flyers eager to fly during peak hours. The ACLU, therefore, wonders how TSA can
guarantee Registered Traveler participants any benefits at all.
The ACLU
recommends that Congress expressly eliminate the authorization for Registered
Traveler and ensure that all flyers be treated efficiently during
screening. The ACLU further
recommends that Congress utilize the funds saved to redesign some airports to
permit for more screening lanes to be used by all flyers, purchase more
screening equipment and hire more TSA screeners.
IV. Conclusion: Secure Flight
and Registered Traveler are Not Ready for Take Off and Congress Must Take
Action
The ACLU has shown that Secure Flight and Registered Traveler pose
unacceptable risks to security, civil liberties and privacy. For too long, TSA has wasted money
attempting to launch programs predicated on a flawed assumption that a flyer’s
behavior can be predicted by reviewing information collected about their
past. Since TSA cannot demonstrate
the benefits of these programs Congress should:
- Expressly eliminate the
statutory authorization for TSA to test and implement these programs,
irrespective of the programs’ names.
- Request that the TSC
scrap the bloated No Fly and Selectee Lists and instead maintain a pared down
list of known terrorists who pose a specific threat to aviation security. TSA and TSC should then be directed to
compare passenger manifest lists to the names of those terrorists who buy
tickets and attempt to fly under their own names.
- If
Congress permits Registered Traveler to proceed, Congress should insist that it
be solely government run and operated.
- If
Congress insists that Registered Traveler be partially privatized, it should
prohibit expressly Registered Traveler companies, or any companies performing
background checks, from utilizing commercial data about applicants obtained from
other company.
Endnotes
[1] During Fiscal Years 2002
through 2006, Congress has appropriated a total of $162.3 million for the
combined CAPPS II and Secure Flight program, and $30 million for Registered
Traveler. The President’ FY 2007
budget requests an additional $40 million for Secure Flight.
[2] The ACLU does not oppose
the federal government’s keeping and maintenance of a list of terrorists known
to pose a threat to aviation security.
Keeping such a list, limited only to known terrorists, focuses the
nation’s anti-terror efforts to prevent against another attack on a passenger
airline. Coupling a refocused list
with (1) improved physical screening of all carry-on bags, luggage and cargo;
and (2) the introduction of new technologies that are narrowly tailored to
search for threats such as plastic explosives which cannot be detected by
current metal detectors, will substantially improve the safety of domestic
commercial air flights, while eliminating infringements on civil liberties and
privacy. Where, in the rare
instance, people attempting to fly have names similar to such known threats to
aviation security, TSA and TSC could request the submission of the bare minimum
of additional personally identifiable information – such as three part name and
date of birth – that will distinguish innocent travelers from terrorists. TSA and TSC also should be forced to
provide a means for permanently removing these innocent people from suspicion,
perhaps through the government’s provision of a unique identifier.
[3] See, H.R. Conf. Rep.
No. 109-241, at 54 (2005). (“The provision also prohibits the use of commercial
data.”); and Pub. L. No. 109-90 § 518(e), (“None of the funds provided in this
or previous appropriations Acts may be utilized for data or a database that is
obtained from or remains under the control of a non-Federal entity: Provided, That this restriction shall
not apply to Passenger Name Record data obtained from air
carriers.”).
[4] The
ACLU fears that unless Congress acts, the principle of information sharing will
lead to the migration of the No Fly and Selectee Lists to other government
agencies, which may use the lists to wrongly deny innocent individuals access to
government buildings. It would be
unacceptable for these Lists, which should be used only to find and stop those
who threaten aviation, to be used to prevent innocent people from accessing
government buildings. Members do
not want veterans wrongly denied access to Veterans Affairs offices or senior
citizens wrongly denied access to Social Security Administration buildings. Furthermore, circulation of these lists
– once pared down to one list consisting solely of those known threats to
aviation security – make it far more likely that terrorists will know the
government is looking for them by name.
Thus, national security concerns suggest that the revised List be kept
close and used only for passenger pre-screening. Therefore, the ACLU recommends that
Congress should explicitly mandate that the No Fly and Selectee lists not
metastasize and migrate to be used by other federal, state and local
governments.[5] Section 522 provides in
pertinent part
(a) None of the funds provided by this or
previous appropriations Acts may be obligated for deployment or implementation,
on other than a test basis, of the Computer Assisted Passenger Prescreening
System (CAPPS II) or Secure Flight or other follow on/successor programs, that
the Transportation Security Administration (TSA), or any other Department of
Homeland Security component, plans to utilize to screen aviation passengers,
until the Government Accountability Office has reported to the Committees on
Appropriations of the Senate and the House of Representatives that -- (1) a system of due process
exists whereby aviation passengers determined to pose a threat are either
delayed or prohibited from boarding their scheduled flights by the TSA may
appeal such decision and correct erroneous information contained in CAPPS II or
Secure Flight or other follow on/successor programs;
(2) the underlying error
rate of the government and private data bases that will be used both to
establish identity and assign a risk level to a passenger will not produce a
large number of false positives that will result in a significant number of
passengers being treated mistakenly or security resources being diverted;
(3) the TSA has
stress-tested and demonstrated the efficacy and accuracy of all search tools in
CAPPS II or Secure Flight or other follow on/successor programs and has
demonstrated that CAPPS II or Secure Flight or other follow on/successor
programs can make an accurate predictive assessment of those passengers who may
constitute a threat to aviation;
(4) the Secretary of
Homeland Security has established an internal oversight board to monitor the
manner in which CAPPS II or Secure Flight or other follow on/successor programs
are being developed and prepared;
(5) the TSA has built in
sufficient operational safeguards to reduce the opportunities for abuse;
(6) substantial security
measures are in place to protect CAPPS II or Secure Flight or other follow
on/successor programs from unauthorized access by hackers or other intruders;
(7) the TSA has adopted
policies establishing effective oversight of the use and operation of the
system;
(8) there are no specific
privacy concerns with the technological architecture of the system;
(9) the TSA has, pursuant to
the requirements of section 44903 (i)(2)(A) of title 49, United States Code,
modified CAPPS II or Secure Flight or other follow on/successor programs with
respect to intrastate transportation to accommodate States with unique air
transportation needs and passengers who might otherwise regularly trigger
primary selectee status; and
(10) appropriate life-cycle
cost estimates, and expenditure and program plans exist.
(d) None of the funds
provided in this or any previous appropriations Act may be utilized to test an
identity verification system that utilizes at least one database that is
obtained from or remains under the control of a non-Federal entity until TSA has
developed measures to determine the impact of such verification on aviation
security and the Government Accountability Office has reported on its evaluation
of the measures.
(e) TSA shall cooperate
fully with the Government Accountability Office, and provide timely responses to
the Government Accountability Office requests for documentation and
information.
(f) The Government
Accountability Office shall submit the report required under paragraph (a) of
this section no later than March 28, 2005.
[6] Section 518 provides in
pertinent part:
(a) None of the funds provided by this or
previous appropriations Acts may be obligated for deployment or implementation,
on other than a test basis, of the Secure Flight program or
any other follow
on or successor passenger prescreening programs, until the Secretary of Homeland Security
certifies, and the Government Accountability Office reports, to the Committees
on Appropriations of the Senate
and the House of Representatives, that all ten of the elements contained in
paragraphs (1) through (10) of section 522(a) of Public Law 108–334 (118 Stat.
1319) have been successfully met. (b) The
report required by subsection (a) shall be submitted within 90 days after the
certification required by such subsection is provided, and periodically
thereafter, if necessary, until the Government Accountability Office confirms
that all ten elements have been successfully met. 603
E:\HR\OC\HR241.XXX HR241
[7] This is a similar issue to
that, discussed above, that reportedly plagued U.S. Senator Ted
Kennedy.
|
