The Four Biggest Problems With the "Secure Flight" Airline Security Program
ABOUT SECURE FLIGHT
Secure Flight is an airline security program that has been proposed by the Transportation Security Administration, a part of the U.S. Department of Homeland Security.
Secure Flight is the successor program to the Computer Assisted Passenger Pre-screening System (CAPPS II) program, which was abandoned as unworkable, ineffective, and overly invasive of privacy. However, Secure Flight is largely a renamed and slightly modified version of CAPPS II.
As best as we can piece together from official notices published by the government in the Federal Register and public comments by program officials, Secure Flight would consist of four essential steps:
- Collection of information by the airlines. The airlines will be required to begin collecting additional information from every passenger. The agency is testing the kinds of information that it believes it will need, but they are reportedly considering requiring passengers to provide their dates of birth. (The airlines may also pass along other information that is part of individuals' travel records, some of it potentially sensitive.)
- Authentication check. TSA will send passengers' names and dates of birth (or whatever other information is collected) to commercial data services - companies like Choicepoint or Acxiom that are in the business of compiling extensive dossiers about the lives of most Americans. The commercial data services will report back to the TSA whether the information provided by the passenger via the airline matches the information in the company's own records.
- Watchlist check. TSA will run the passenger through watchlists maintained by the government's Terrorist Screening Center (TSC), which is supposed to aggregate the many scattered terrorist watchlists that the government was discovered to be holding after 9/11.
- Action at the gate. The results of this process will then be forwarded to security personnel at the airport. Law enforcement authorities would be notified if the system determines that a passenger is on the watchlist.
PROBLEMS EVERY STEP OF THE WAY
We lack much of the crucial detail that would be needed to fully evaluate the potential effect of Secure Flight on privacy and other civil liberties. However, there are clear problems with the proposal at every step in the process described above. Let us walk through the program and look at what the problems are with each step:
1. Collection of information by the airlines.
In the first step of Secure Flight, the airlines will collect additional information from every passenger such as date of birth.
It may seem like a minor matter to require the airlines to begin collecting new information about their passengers, such as their dates of birth. In fact, it is not. The independent contractors that handle reservations for most airlines, and the other computer systems to which they connect - from Web sites to travel agencies to the airlines themselves - are simply not equipped to routinely collect names and dates of birth (and/or other information) for all travelers. Currently, names are not even required to make a reservation - many people travel under group reservations, for example, in which a block of seats is reserved under just one name. And there is not even a field for date of birth in the existing database systems - and it is no simple matter to add one in the complex and sometimes antiquated tangle of interlocking computer systems that make up the current reservations system.
The cost to airlines, travel agents and the traveling public of rebuilding the reservations systems would be enormous. No systematic study has been done, not even by the government, but the well-known travel writer Edward Hasbrouck has estimated the cost at $1 billion, and the International Air Transport Association reported estimates of more than $2 billion. The TSA has never explained who will bear this expense or even sought to detail it. And of course the money laid out for rebuilding the world's computer reservations systems is only the beginning of the cost of building and running Secure Flight; the cost to travelers of new hassles and frustrations must also be taken into account.
2. Authentication check.
In the second step of the Secure Flight process, the TSA will make use of the information stores held by "commercial data aggregators who provide services to the banking, home mortgage and credit industries" in order to "identify passenger information that is incorrect or inaccurate."
There are several problems with this step, including the unreliable nature of the commercial databases, the gaping holes in the system from a security standpoint, and the strong possibility of discriminatory effects against minorities.
Garbage in, garbage out
Under this system, one would presumably be penalized if one gives a name and date of birth that do not match up against the name and DOB contained in one's files at Choicepoint or another data company. A person's date of birth and other information become, in effect, a password that travelers must provide to prove they are who they say they are. Except that the "correct" password is not necessarily a traveler's real date of birth, but that data as it appears in the databases of a private company - a corporation that customers have no direct business relationship with, in an industry notorious for inaccuracy.
Credit-scoring companies and data aggregators have long been known to be extremely careless and sloppy with the facts of individuals' lives. Individuals who have obtained their records from the database company Choicepoint, for example, have found them to be riddled with wild inaccuracies - including children that were never born, marriages that never took place, addresses where they never lived, neighbors they never had - and crimes they never committed.
A Maginot line
One of the most gaping holes in the Secure Flight proposal is that even a known, wanted terrorist could sail right through this system simply by committing identity theft (which is all too easy today) and obtaining a false driver's license or passport (which is even easier). That would allow a terrorist to present a driver's license with his own photograph, but the name, DOB, and other information of an innocent person.
A Federal Trade Commission report issued Sept. 3, 2003 reported that nearly 10 million Americans, or nearly 5 percent of U.S. adults, had been victimized by identity theft in 2002. The ACLU conducted its own inquiry and discovered that in less than an hour it was able to purchase online the name, address, phone number, and birth date of volunteers on our staff for less than $50. And once such information was obtained, it would not be hard for a terrorist to put it on a driver's license - even a "real" one - with their own photo. An undercover investigation by the General Accounting Office (made public Sept. 9, 2003) found that it was exceedingly easy to fraudulently obtain a real driver's license by presenting birth certificates and other documents that were intentionally made to be obviously counterfeit.
This system is like a Maginot line - the heavily fortified defensive frontier constructed by the French before World War II, which was rendered useless when Hitler's army simply went around it.
The gaping holes in the security logic behind the Secure Flight proposal are not being acknowledged by the government now, but once this system is put in place, they will inevitably be pointed out by a raft of internal government reports, news articles, and television news exposés. Then we will start hearing about how we need an inviolable, cradle-to-grave national ID database and tracking system to prevent individuals from obtaining identity documents as imposters. Yet we are not hearing about that system now because the government knows that it would be rejected. Its creation would be - and has been repeatedly judged by the American people to be - highly undesirable due to the privacy violations and government intrusions such a system would bring.
Finally, there are strong reasons to believe that the commercial databases on which Secure Flight will rely may contain biases against particular groups. For example, when it comes to credit scores, minority populations on average have lower scores and are more likely to have no credit record. Even if these databases are used only to compare basic information such as names and dates of birth, it is possible that the companies possess this data for a smaller proportion of minorities than they do for non-minorities, or contain more inaccuracies for such individuals. This could be true because, for example, African-Americans and Hispanics tend to move more often than non-Hispanic whites, and would therefore be more likely to find that the information held about them by the data services is out of date.
3. Watchlist check.
In the third step of Secure Flight, the TSA will check the passenger against watchlists maintained by the Terrorist Screening Center (TSC).
A faulty foundation
Because of the central role that Secure Flight assigns to watch lists, Secure Flight cannot work if those lists are not managed properly. Yet all evidence indicates that in the years since 9/11 they have been mismanaged. After 9/11, security officials began trying to centralize the government's many disparate terrorist watch lists. In April 2003, the GAO was still finding a "decentralized and nonstandard" approach to the lists in the government, including 12 separate watch list systems maintained by 9 federal agencies. An August 2004 report by the DHS's own Inspector General found a chain of problems that continued to bedevil the government's attempts to create a unified watch list, including the DHS's continued failure to assume responsibility for creating the list, as well as "an absence of central oversight and a strategic approach to watch list consolidation."
Internal documents obtained by the ACLU through Freedom of Information Act requests reveal much confusion and lack of leadership in the management of watch lists. In one e-mail, an FBI agent, apparently reacting to a TSA official's rationale for the lists, wrote that "Unfortunately, eggheaded thinking like this muddies the waters to the point where the no-fly list and selectee lists become virtually worthless (garbage in, garbage out)." In another e-mail, an FBI agent complained that "These lists are not comprehensive and not centralized. Some subjects appear on one list but not the others. Some of the lists are old and not current. We are really confused."
The problems with watch lists have been starkly demonstrated by the disastrous experience that many Americans have had since 9/11 in their encounters with the TSA's current "no-fly" and "selectee" lists (which restrict individuals from boarding aircraft, or single them out for particularly intense security screening, respectively). Hundreds if not thousands of innocent passengers have been routinely stopped, questioned and searched while trying to fly. Many have been detained and humiliated in front of other passengers. These lists famously scooped up such individuals as Massachusetts Senator Edward Kennedy and other members of Congress, "Peace Train" author Yusuf Islam (aka Cat Stevens), as well as untold numbers of Americans with common names such as David Nelson, Michelle Green, and Mohamed Ibrahim.
Worst of all, these Americans have been unable in many cases to get themselves removed from these secret government blacklists.
Redress: Who will watch the watch lists?
The lack of a meaningful means of redress for innocent individuals is one of the most serious problems with Secure Flight. There is no reliable means for victims to find out what the problem is - whether they are a victim of the inaccuracies that riddle government and private databases, have been falsely accused of wrongdoing by someone, or have been discriminated against because of their religion, race, ethnic origin, or political beliefs - and get themselves removed from the watch list.
There is no doubt that the task facing security agencies is challenging indeed, and there is nothing wrong with trying to identify genuine terrorists and keep them off aircraft. But in actual practice, it is clear that the government's lists will inevitably sweep in many innocent people - so adequate protections for innocent individuals are vital. In a democratic society, the act of maintaining a list of people who are considered suspect and are denied some of the freedoms of others must be scrutinized closely. The power to impose denial of access to common-carrier services such as airlines (which are integral to the free and normal conduct of life for many in today's society) as well as the government's power to stigmatize individuals through the authority and credibility that its designations can hold within a community make it vital that checks and balances be instituted to govern the power to enforce a watch list.
TSA officials have repeatedly claimed that they have an adequate process for adjudicating the problems caused by the selectee and no-fly lists, yet individuals have had no means of appealing to an independent body outside the DHS, and those who have tried to follow TSA's procedures - filling out forms, providing multiple copies of identification documents, and so on - receive no response from the TSA and continue to be flagged by the No-Fly list.
In fact, documents (3) obtained by the ACLU through the Freedom of Information Act (and a lawsuit that had to be filed to force compliance therewith) have made it clear that a tangle of bureaucratic rules involving multiple agencies is involved in removing a person from the No-Fly list, and that placement on and removal from the list is a highly subjective process subject to enormous discretion by invisible, unaccountable security workers.
Secure Flight fails to include the key elements of a meaningful system of redress:
- Meaningful due process. Individuals must be provided with a meaningful, participatory process by which they can challenge their inclusion on a watch list in an adversarial proceeding before a neutral arbiter.
- Access to and a right to challenge the data on which inclusion on a list is based. Before any individuals lose the rights and privileges that other members of society enjoy (such as the right to travel by air) then they must have the same rights to confront their accuser and be told of the charges being leveled against them as individuals currently possess in criminal proceedings. (In some circumstances genuinely justified by true national security imperatives, it may be necessary for data to be reviewed in camera by a neutral arbiter.)
- Tight criteria for adding identities to watch lists. Security officials must be tightly constrained in their ability to add names to watch lists, and the natural incentive to add a name to a list ("better safe than sorry") must be institutionally counterbalanced.
- Rigorous procedures for removing names from watch lists. When the government begins keeping lists of individuals for the purposes of lessening those individuals' freedom, it assumes the responsibility to keep that list up to date by regularly reviewing and reassessing each person's inclusion on that list.
Without such controls, the inevitable result will be a capricious and unpredictable security bureaucracy that will trample on individuals, leaving them no recourse and accepting no accountability.
"List bloat" is bad for security and for liberty
To be effective, terrorist watch lists must be exactly that: lists focused on true terrorists who pose a genuine threat of taking over or taking down an aircraft. Watch lists become bloated because security workers have every incentive to add names, and no incentives to clear them. Everyday bureaucratic bungling and pure sloppiness is inevitably a factor. But lists can also grow too large because the agencies that maintain them have lost sight of the scope of such lists and the purposes for which they are being maintained.
Of the 12 watch lists reported by the GAO in its April 2003 report, only one (the State Department's TIPOFF database) was purely a terrorist watch list. The other databases included other information - on violent gangs, individuals suspected of drug trafficking, and other non-terrorist criminals and perceived threats. We do not know how all this extraneous information is being handled as terrorism information is ostensibly being combined into a single repository at the TSC. Consolidation of 12 bloated, inaccurate, out-of-date watch lists would only lead to a single bloated, inaccurate, out-of-date watch list. The fact that the TSA's own no-fly and selectee lists are also being added to the TSC database, despite the rampant problems with those lists, further undermines confidence in the composition of the watch list that will lie at the core of Secure Flight.
Bloated watch lists are bad not only because they cast many innocent travelers as suspected terrorists, but also because they dissipate the focus that those screeners should be keeping on true terrorists. A terrorist watch list that is discrete and focused has a greater chance of being productive, and a lesser chance of being unfair; not only is it better for civil liberties, but more likely to provide a security benefit. False accusations hassle and humiliate individuals; false positives divert security resources. This is truly a case where good security and civil liberties are aligned.
A poor foundation for Secure Flight
The DHS has not even gotten its own house in order on watch lists, and yet is proposing to hurtle forward with the construction of giant machinery that will extend the reach and impact of watch lists outward into everyday American life to an unprecedented degree. The lists at the core of Secure Flight appear to be utterly unready for that role. The result is the prospect that Secure Flight will simply serve to throw inaccurate lists at hapless passengers as well as the frontline security personnel who must interact with them and deal with the consequences of bad data.
4. Action at the airport.
In the fourth step of Secure Flight, the results of the authentication and watchlist checks are forwarded to airport and/or security personnel at the airport, with flagged individuals subjected to extra security measures or blocked from boarding their flight.
Once created, Secure Flight will inevitably expand beyond the airport gate. TSA officials have explicitly indicated that the agency envisions expansion of passenger screening beyond airports to other transportation hubs such as ports. And the 9/11 Commission called for a border security system that "should be integrated into a larger network of screening points that includes our transportation system and access to vital facilities." It is not difficult to anticipate that what begins as Secure Flight will quickly spread to train stations, bus stations, sea ports, "vital facilities," secure office buildings, concert arenas, and so on.
In addition to geographical expansion, the system will also likely expand in terms of the purposes for which it is used. Even as a proposal, CAPPS II was expanded from a program that was to focus purely on international terrorists into one that also swept in domestic terrorists and criminals (even as the definition of "domestic terrorist" is expanding). Under Secure Flight, the public is being assured that the program will not be used for anything other than preventing terrorism. But there is no assurance that that policy will last. Once this system is put into place, what reason will its operators give - under the bright glare of the media, perhaps - for refusing to deploy it in the search for a high-profile escaped felon? How long before the system is expanded to flag con-artists, gang members, deadbeat dads, and other suspects? After all, no politician is going to stand up to defend deadbeat dads.
 National Commission on Terrorist Attacks Upon the United States, The 9/11 Commission Report: Final Report (New York, W.W. Norton & Co., 2004), p. 387.