Testimony of Timothy D. Sparapani, ACLU Legislative Counsel, On Secure Flight and Registered Traveler Before the US Senate Committee on Commerce, Science and Transportation
Statement of Timothy D. Sparapani
American Civil Liberties Union
Washington Legislative Office
Secure Flight and Registered Traveler:
A Flawed Assumption that Behavior is Predictable Leads to New Security Weaknesses while Threatening Civil Liberties and Privacy
U.S. Senate Committee on Commerce, Science, and Transportation
Hearing Regarding the U.S. Transportation Security Administration’s Aviation Passenger Pre-Screening Programs
Dirksen Senate Office Building, Room 562
American Civil Liberties Union
Testimony Regarding the U.S. Transportation Security Administration’s Aviation Passenger Pre-Screening Programs
Secure Flight and Registered Traveler: A Flawed Assumption that Behavior is Predictable Leads to New Security Weaknesses while Threatening Civil Liberties and Privacy
Before the U.S. Senate Committee on Commerce, Science, and Transportation
Submitted by Timothy D. Sparapani
Dirksen Senate Office Building, Room 562
I. Introduction and Summary of Requests for Committee Action
The Honorable Chairman Stevens and Ranking Member Inouye, the American Civil Liberties Union (“ACLU”), representing its nearly 600,000 members, respectfully submits this testimony in opposition to the Secure Flight and Registered Traveler programs.
After four and one-half years, nearly $200 million wasted tax dollars, several name changes, and repeated, unsuccessful reformulations of the underlying proposals, Secure Flight and Registered Traveler are no closer to implementation than when they were first proposed shortly after the tragic events of September 11, 2001. First introduced as CAPPS II and Trusted Traveler, Secure Flight and Registered Traveler remain predicated on the unproven, theoretical, and flawed premise that the government can predict whether an individual will at some future date commit a terrorist act. The Secure Flight Working Group, convened by the Transportation Security Administration (“TSA”) to provide it with advice, concluded that “. . . there is not sufficient available intelligence to determine what characteristics indicate someone will be a threat.” Secure Flight Working Group Rep., presented to the TSA, Sept. 19, 2005, at 3. This premise, akin to alchemy and astrology in its scientific accuracy, has led TSA to misdirect its resources towards establishing two passenger pre-screening programs that will not make us any safer but will make us less free. Attempts to establish these programs have served as massive diversions that to this day prevent TSA screeners from accomplishing their core mission. Congress can only draw one conclusion from the failure to build Secure Flight and the inherent weaknesses of Registered Traveler: authorizations for both programs must be terminated expressly, and Congress must force TSA to refocus on achieving its core mission by keeping known terrorists who are threats to aviation security off planes, and – for the first time – screening all carry-on bags, luggage, and cargo for weapons and explosives.
The ACLU requests that this Committee and Congress explicitly revoke authorization for both Secure Flight and Registered Traveler, no matter what they are called, and instead insist that the Department of Homeland Security’s (“DHS”) TSA focus its passenger pre-screening on accomplishing two goals: (1) paring the No-Fly and Selectee Lists maintained by the Federal Bureau of Investigation’s Terrorist Screening Center (“TSC”) down to known terrorists who personally pose a specific threat to aviation security only; and (2) simply comparing passenger manifest lists to this refocused list.
If the TSA attempts to implement Registered Traveler, the ACLU requests that Congress expressly block the privatization of Registered Traveler and prevent the use of commercial data concerning applicants to determine whether a would-be flyer is qualified to sign up for Registered Traveler. Neither the government, nor companies should assign individuals a risk assessment based on commercial data, because the consequences of a wrongful determination could lead to many future deprivations of the exercise of rights and privileges. However, it is significantly more inappropriate to allow private companies to perform a governmental role to determine whether a passenger constitutes a threat and the Government still must act in a Constitutional manner, even if it has outsourced its responsibilities to the private sector. Companies cannot be trusted to make such determinations accurately. The consequences of such a negative determination would likely add the rejected applicant to a new third list – similar to the No Fly List or Selectee List – of undesirable flyers who are virtually certain to be subject to, at a minimum, extra scrutiny every time they attempt to fly, and, at worst, a permanent bar from flying altogether. As is discussed in greater detail below, this new third list of “Un-Register-Able travelers” would likely be shared with other Registered Traveler companies, the TSA, TSC, and, likely, other government agencies. Further, as Congress recognized last fall when it expressly prohibited the TSA from utilizing commercial data to pre-screen passengers for Secure Flight, commercial data contains enormous error rates, is unreliable, and is not useful as a tool to predict whether a would-be flyer is a threat to aviation security.
II. Secure Flight: A Dangerously Flawed Proposal that Should Be Terminated
Secure Flight, regardless of its form, permits unacceptable security weaknesses, while threatening civil liberties and personal privacy. It is hard to say for sure what Secure Flight will ultimately do since TSA has still not finalized a working plan, flow chart or business model for the concept. However, it appears that Secure Flight would:
1) Require TSA to gather passenger name record (“PNR”) data from the airlines and travel agents who book tickets;
2) Require TSA to forward this information to the Federal Bureau of Investigation’s Terrorist Screening Center (“TSC”), to compare the names of the ticket purchasers to those names on the No-Fly and Selectee Lists;
3) Require TSC to inform TSA whether a person attempting to fly is on either list; and
4) Require TSA to tell its airport screeners to (a) allow the person to fly unimpeded except for normal screening, (b) select the person for some additional and more intrusive screening, such as opening bags, patting the person down, screening for explosive residue, and/or detaining the person for questioning, or (c) inform the would-be passenger that their name is similar to that of someone on the No-Fly list and they are barred from flying.
While this concept appears easy to implement, it suffers from numerous and intractable problems.
A. Security Weaknesses Render Secure Flight Unwise
Secure Flight is fatally flawed from a security standpoint. To support Secure Flight, a person must accept the dubious premise that terrorists will attempt to book a ticket and board a flight under their own names. This is a simplistic approach and one upon which we cannot allow our airline security to rely. Again, no terrorists will be prevented from boarding airplanes unless a terrorist both attempts to book a ticket and shows up to board a plane under his or her own name and documents. The ease with which identity theft and document fraud is accomplished renders this premise highly suspect, however. The U.S. Federal Trade Commission estimated in 2003 that “over a one-year period nearly 10 million people - or 4.6 percent of the adult population - had discovered that they were victims of some form of identity theft.” Prepared Statement of the Federal Trade Commission before the Committee on Banking, Housing, and Urban Affairs, U.S. Senate on Identity Theft: Recent Developments Involving the Security of Sensitive Consumer Information, Deborah Platt Majoras, Chair of the Federal Trade Commission, March 10, 2005, available at http://www.consumer.gov/idtheft/pdf/ftc_03.10.05.pdf.
The intelligence community presumes that the nation’s enemies, such as Al Qaeda, are: (1) patient; (2) well-funded; (3) capable of committing identity theft with remarkable ease; and (4) capable of producing high-quality, forged identification documents that allow a terrorist to purchase tickets and present virtually undetectable papers under an assumed name. This programmatic weakness leads to what security experts dub False Negatives, an inability of Secure Flight to detect actual terrorists. If the system is not able to identify known terrorists, TSA’s screening will have failed.
Again, the ACLU does not oppose the TSA vetting passenger lists against a narrowly constructed list of known terrorists who pose a specific threat to aviation security. If a wanted terrorist is foolish enough to fly under his or her own name, the government should immediately arrest the suspect or monitor the terrorist’s activities while preventing the terrorist from committing acts of terror and violence.
The problem from a security and civil liberties perspective is that both the No Fly and Selectee Lists, which are at the heart of the Secure Flight proposal, are bloated with names of individuals who have absolutely no connection to terror and do not have the capability of threatening aviation security. This leads to numerous cases of False Positives, which distract TSA from finding the actual terrorists. False positive stories are ubiquitous. Each Senator who is a Member of this Committee likely has innocent constituents who have been unnecessarily harassed, delayed or outright denied the ability to fly. The ACLU has collected complaints from 1,000 of such constituents, 740 of which were gathered through our internet intake process, but we will highlight just four:
- Passenger David XXXXX (Aug. 16, 2005) was surrounded by armed police with guns drawn at the ticket counter when he was mistakenly identified as being on the No Fly List. Moreover, when he arrived at the gate, his checked luggage was brought to him, and he was forced to witness the search of his belongings at the gate, the whole process taking two hours.
- Passenger Gregory XXXXX (May 9, 2005), after having his luggage thoroughly searched, was separated from his five-year-old son who was hysterically crying and escorted into a private room where he was subjected to a cavity search and genital inspection. Gregory has been wrongly delayed overnight on five separate occasions and whoever is accompanying him is also subject to delays and searches.
- Passenger, Mary XXXXX (May 16, 2005) was forced by TSA screeners to be screened with a machine (Smiths Detection Ionscan Sentinel II), which she was told checked “to see if I have a bomb inside me.” This machine photographed her and TSA denied her repeated requests to view the picture or be provided a copy.
- Passenger Hussein XXXXX (July 23, 2005) is a Lebanese citizen who has been a legal resident of the U.S. since 1992. During his layover in Minneapolis, Minnesota while flying from Lebanon to Seattle, Washington, he was escorted off the plane by five security officers to a room away from the gate. He was questioned about his family, extended family, how he files taxes, his business, his real estate holdings and so forth. Additionally, the officers demanded he give them access to his computer, which he initially refused because it contained confidential information about his clients. After five hours of interrogation, he was exhausted and delirious so the officers gave him a choice of either being detained overnight and being questioned the following day or having an appeal inspection in Seattle. He was scheduled to appear at the U.S. Customs and Border Protection Office in Seattle on July 25, 2005. In the past, he has had similar experiences. For example, on October 3, 2004, he was stopped in Portland, Oregon on his way to Frankfurt, Germany by U.S. Customs who interrogated him. He was given no medical attention when he fainted, and security officers laughed at him while they waited until he regained consciousness.
At least four Members of Congress – the Honorable Senator Ted Kennedy (D-MA), and the Honorable Congressmen Darrell Issa (R-CA), John Lewis (D-GA) and Don Young (R-AK) -- have names similar to those of individuals on those bloated Lists. The Honorable Congresswoman Zoe Lofgren (D-CA) reported in Congressional hearings last summer that her husband has been repeatedly selected for additional security screening. Nuns and infants have been found on the No Fly List. To be effective, the Lists must be paired down only to known terrorists – not criminals, not deadbeat dads, not drug dealers. The advice provided by an independent panel of experts to the Department of Homeland Security concurs:
Secure Flight should be narrowly focused.
TSA should limit Secure Flight’s mission to correctly identify individuals in the traveling public who are on the Do Not Fly and Selectee lists. The case has not been made for any expansion of the mission of Secure Flight beyond identification of individuals on those lists.
Department of Homeland Security Data Privacy and Integrity Advisory Committee: Recommendation on the Secure Flight Program Rep., Adopted Dec. 7, 2005, at 2 (emphasis in original). Limiting the names on the list is the only way that TSA can focus on its core mission: preventing another terrorist attack on an airplane. Senator Kennedy (D-MA) revealed at a Senate hearing that due to the fact an “E. Kennedy” was on the No Fly List, Senator Kennedy repeatedly was selected for additional screening. Every minute spent treating Senator Kennedy like a potential terrorist is one less minute that could be spent catching the next Mohammed Atta.
B. Civil Liberties: Secure Flight Leads to a Denial of the Right to Travel in Extreme Cases and Leads to Racial Profiling
In addition to being fatally flawed from a security standpoint, Secure Flight also is flawed from a civil liberties standpoint. First, using a bloated No Fly List to prevent innocent people from flying wrongly deprives them of their constitutionally protected Right to Travel. The United States Supreme Court has stated that:
The word “travel” is not found in the text of the Constitution. Yet the “constitutional right to travel from one State to another” is firmly embedded in our jurisprudence. United States v. Guest, 383 U.S. 745, 757, 86 S.Ct. 1170 (1966). Indeed, as Justice Stewart reminded us in Shapiro v. Thompson, 394 U.S. 618, 89 S.Ct. 1322 (1969), the right is so important that it is “assertable against private interference as well as governmental action ... a virtually unconditional personal right, guaranteed by the Constitution to us all.” Id., at 643, 89 S.Ct. 1322. (concurring opinion).
Saenz v. Roe, 526 U.S. 489, 498-99 (1999). We suspect that TSA will soon begin to apply the Secure Flight concept to those who travel by train, interstate bus, boat and ferry. Some Americans living in remote regions of Alaska, or on the islands of Hawaii and Puerto Rico simply cannot drive to conduct their business, so the consequence for someone who is wrongly put on the No Fly List is severe and could force them to move to conduct their daily affairs.
Second, as too many Americans have experienced, people who are wrongly put on either list have no guarantee that they will be able to ever get off and stay off the lists. Establishing a transparent, workable redress procedure to help people wrongly listed should have been the first and easiest thing TSA accomplished. TSA has provided numerous promises that such a redress process would be provided but, to date, has still not accomplished this goal:
- “CAPPS II will include a comprehensive redress process for those passengers who have questions concerning their experience. TSA will appoint an Ombudsman to handle any inquiries. These capabilities will result in improved resource scheduling and other operational efficiencies.” (March 7, 2003) Congressional briefing by Ben H. Bell, III, Dir. Office of National Risk Assessment (“ONRA”) TSA, available at http://www.acte.org/initiatives/CAPPS_II_CongressBriefing.pdf.
- “CAPPS II will also include a comprehensive redress process for passengers. TSA will appoint a Passenger Advocate to work with our current Ombudsman program, to handle any inquiries or complaints raised by passengers with regard to the CAPPS II system. Where a passenger - of any nationality - believes that he or she is being improperly singled out for heightened scrutiny, this will be the place for this passenger to turn to have his or her concerns addressed. This is more than a matter of fairness - because CAPPS II is also a resource allocation tool, it is in TSA’s interest to know where we are making mistakes. The Passenger Advocate will thus not only promote fairness and privacy and passenger confidence, but system effectiveness and efficiency.” (May 6, 2003) Statement of Stephen McHale to the European Parliament, Dep. Admin., TSA, available at http://www.europarl.eu.int/comparl/libe/elsj/events/hearings/20030506/mchale_speech.pdf.
- “The redress system is based on having an ombudsman and a passenger advocate designated and a process in place so that when an individual finds that they are being repeatedly selected as a secondary screenee during their transit through the airport that they will have an opportunity then to contact TSA, the ombudsman, and the passenger advocate and then we will have the capability to have a decision made at the TSA level concerning going in on that individual and then adjusting the criteria for that individual after we verify their name, date of birth, address to [sic] for into that and make these decisions, we think, in a rapid matter so that it is not a bureaucratic system of waiting forever to get a response. Our goal is to have a redress system that has flexibility in it and speed and scratches the itch for the traveling public regarding frustrations over being selected repeatedly.” (March 17, 2004) David M. Stone before House of Representatives Transportation Committee, Subcommittee on Aviation, available at http://www.house.gov/transportation/aviation/03-17-04/stone.pdf.
- “In addition, the new program [Secure Flight] will also include a redress mechanism through which people can resolve questions if they believe they have been unfairly or incorrectly selected for additional screening.” (August 26, 2004) TSA Press Release, available at http://www.tsa.gov/public/display?theme=44&content=09000519800c6c77.
- “Before implementing a final program, however, TSA will create a robust redress mechanism to resolve disputes concerning the Secure Flight program.” (June 17, 2005) Lisa S. Dean, TSA Privacy Officer, Secure Flight Test Phase Privacy Impact Assessment, available at http://www.tsa.gov/interweb/assetlibrary/Secure_Flight_SORN_PIA.pdf.
- “In conjunction with the Secure Flight program, TSA has charged a separate Office of Transportation Security Redress to further refine the redress process under the Secure Flight program. The redress process will be coordinated with other DHS redress processes as appropriate. Utilizing current fiscal year funding, resources have been committed to this Office to enable it to increase staffing and to move forward on this important work. TSA recognizes that additional work remains to ensure that there is a fair and accessible redress process for persons who are mistakenly correlated with persons on the watch lists, as well as for persons who do not in actuality pose a security threat but are included on a watch list. (June 29, 2005) Statement of Secure Flight Assistant Administrator Justin Oberman to House of Representatives Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity, available at http://homeland.house.gov/files/TestimonyOberman.pdf.
Yet, four and one-half years later, TSA has still not managed to accomplish this goal. Congressional frustration over this failure led, in part, to the express requirement codified in both the FY 2005 and 2006 DHS Appropriations bills, Pub. L. No. 108-774 § 522(a), (d)-(f) (2004) and Pub. L. No. 109-90 § 518(a)-(b) (2005) that the Government Accountability Office (“GAO”) certify the establishment of a working, fair redress procedure before Secure Flight can be implemented. As the GAO’s March 28, 2005 report regarding Secure Flight stated, TSA has failed to accomplish even this simple matter. U.S. Government Accountability Office Rep., Aviation Security, Secure Flight Development and Testing Under Way, but Risks Should be Managed as System is Further Developed (“GAO Report”), March 28, 2005, at 1. Just three weeks ago, DHS Secretary Chertoff and Secretary of State Rice issued a joint statement pledging the rollout of a workable redress process. “‘One Stop’ Redress for Travelers. Sometimes mistakes are made. Travelers need simpler ways to fix them. Therefore, DHS and State will accelerate efforts to establish a government-wide traveler screening redress process to resolve questions if travelers are incorrectly selected for additional screening.” Rice-Chertoff Joint Vision: Secure Borders and Open Doors in the Information Age. Dep’t. of Homeland Security, Dep’t. of State: Joint Press Release, Jan. 17, 2006, available at http://www.state.gov/r/pa/prs/ps/2006/59242.htm (emphasis in original). As too many Americans have experienced, and reported to the ACLU, the “passenger identity verification form” process TSA now utilizes is inadequate and does not guarantee that passengers will not be delayed or denied when trying to fly in the future. As the GAO reported, “. . . the effectiveness of the current redress process is uncertain,” and “[t]he draft redress process documentation does not address a means for passengers who are inappropriately denied boarding to seek redress.” GAO Report at 56, 58. Thus, people whose names are wrongly added to the lists – or, more likely, have names similar to others on the Lists – are perpetually doomed to – at best – unnecessary harassment, embarrassment and delays every time they fly. At worst, they will be denied the ability to fly at all. Congress should ask: If TSA cannot build a redress process after nearly four and one-half years for Secure Flight to prevent against civil liberties violations, how can TSA be trusted to build an effective, civil liberties-respecting passenger pre-screening program?
Secure Flight will likely lead to impermissible racial profiling. The names most likely to be on the No Fly and Selectee Lists that will be utilized for Secure Flight are likely to be those of Muslims, or people of Arab or Middle Eastern dissent. Thus, a disproportionate number of people who are wrongly selected for additional screening or barred from flying outright will be those of these classes. Congress must guard against allowing a program designed to increase security from becoming a tool for racial profiling. Such profiling wastes precious resources and ignores the fact that the next terrorists may draw from those demographics that are the majority races, religions or ethnic backgrounds in this country.
C. Privacy: TSA’s Failures to Safeguard Personal Data for Secure Flight Unacceptably Threaten Personal Privacy
As demonstrated by the tortured attempts to test the viability of CAPPS II and Secure Flight, Secure Flight, if implemented, unacceptably threatens personal privacy. Testing of Secure Flight has led to two high profile and massive privacy violations. In 2003, JetBlue Airways gave 5 million actual passenger itineraries to Torch Concepts, a Defense Department contractor, which was attempting to study whether the government could prescreen passengers to determine who was a high-risk customer. Bruce Mohl, Airlines Weigh Privacy Issues, Boston Globe, Oct. 12, 2003. In a separate incident last summer, the GAO reported that TSA had violated the Privacy Act of 1974, Pub. L. No. 93-579 (1974), codified at 5 USC § 552, by giving personally identifiable information on millions of people without giving legally required public notice. As stated by Senators Collins and Lieberman in a July 22, 2005 press release and letter to Secretary of the U.S. Department of Homeland Security Michael Chertoff, the GAO reported that “TSA failed to comply fully with the Privacy Act when it ‘collected and stored commercial data records even though TSA stated in its privacy notices that it would not do so.’” That letter further stated that a private contractor had “obtained more than 100 million records from commercial data aggregators in violation of the Privacy Act.” Senators Collins and Lieberman Criticize TSA for Violating Privacy Laws While Testing Passenger Prescreening System: GAO Findings Conclude TSA Failed to Comply with the Privacy Act, July 22, 2005, available at http://hsgac.senate.gov/index.cfm?Fuseaction=PressReleases.Detail%PressRelease_id=106.
Further, TSA has not learned from its privacy breaches; it has not yet even fully assessed the impact of implementing Secure Flight on passengers’ personal privacy despite a Congressional mandate. The GAO’s report regarding Secure Flight concluded that “TSA has not yet clearly defined the privacy impacts of the operational system or all of the actions TSA plans to take to mitigate potential impacts.” GAO Report, at 1. If past experience is the best guarantee of future performance, TSA cannot be trusted with the sensitive, private data it will demand from each passenger. The inability of the TSA to adequately safeguard sensitive, personally identifiable information about actual passengers during testing of the program’s efficacy and viability provides no assurance that should the program be implemented each passenger’s information will be safeguarded. Indeed, if Secure Flight is implemented, the personal information of 1.8 million passengers on 30,000 flights will be electronically transferred from airlines and ticketing companies to TSA and TSC every single day. This will lead to numerous data breaches that dump sensitive information into the public sphere. For identity thieves, it will be like taking candy from a baby.
D. Track Record of Failure: Past TSA Failures Suggest Future Launch Efforts Will Not Be Better for Secure Flight
Regardless of the security, civil liberties and privacy risks raised by what TSA’s public statements concerning Secure Flight suggest, the program remains wholly conceptual more than four years after passage of the Aviation and Transportation Security Act, Pub. L. No. 107-71 (2001), that authorized its creation. Slippage of deadlines has been the rule for Secure Flight and its predecessor CAPPS II:
- “TSA expects to test CAPPS II this spring and implement it throughout the U.S. commercial air travel system by the summer of 2004.” TSA Press Release, March 11, 2003, available at http://www.tsa.gov/public/display?theme=44&content=09000519800193c2.
- “Of note, the terrorist screening center remains on schedule to bring the first version of the consolidated terrorist screening database on line by March 31, 2004, and achieve full operation capability by the end of the year.” Testimony of David M. Stone, before Hearing of House of Representatives Comm. on Transportation, Subcomm. on Aviation on status of CAPPS II, March 17, 2004, available at http://www.house.gov/transportation/aviation/03-17-04/stone.pdf.
- “‘We’re in great shape as we enter the testing phase’ of the program, Oberman said. He said if all goes according to plan, the new system will go into operation in late spring or early summer of 2005.” Wash. Post, Nov. 13, 2004, available at http://www.washingtonpost.com/wp-dyn/articles/A46610-2004Nov12.html.
Every review by a government agency or independent commission in the last year found Secure Flight to be woefully undefined because of the myriad conceptual and practical flaws, no matter how the program is modified.
On March 28, 2005, the GAO summarized “TSA’s Status in Addressing Ten Areas of Congressional Interested included in Public Law 108-334,” finding that TSA had only achieved one of the ten requirements – establishing an internal oversight board – and had not yet even finalized a “draft concept of operations.” GAO Report, at 4.
- On September 19, 2005, TSA’s Secure Flight Working Group concluded that:
Congress should prohibit live testing of Secure Flight until it receives . . . a written statement of the goals of Secure Flight signed by the Secretary of DHS that only can be changed on the Secretary’s order. Accompanying documentation should include: (1) a description of the technology, policy and processes in place to ensure that the system is only used to achieve the stated goals; (2) a schematic that describes exactly what data is collected, from what entities, and how it flows through the system; (3) rules that describe who has access to the data and under what circumstances; and (4) specific procedures for destruction of the data.
Report of the Secure Flight Working Group, Presented to the TSA, Sept. 19, 2005, at 32.
- In August 2005, the Department of Justice’s Inspector General issued a report, which said that TSC could not plan to assist in Secure Flight because TSA failed to even establish a working flow chart for Secure Flight. “The TSC’s difficulties in estimating the costs for Secure Flight are exacerbated by the TSA’s failure to specifically define the scope of each implementation phase. As a result, the TSC has been unable to adequately project its resource requirements for responding to the expected increase in workload.” Review of the Terrorist Screening Center’s Efforts to Support the Secure Flight Program, U.S. Department of Justice Office of the Inspector General, at (ix). Further, the report concluded that “. . . TSC is trying to plan for a program that has several major undefined parameters. Specifically, the TSC does not know when Secure Flight will start, the volume of inquiries expected and the resulting number of resources required to respond, the quality of data it will have to analyze and the specific details of the phased-in approach for taking the program from ‘pre-operational testing’ in September 2005 to full operational capability in FY 2007.” Id. at (ix).
- On December 7, 2005, a panel of independent experts advising DHS found that “. . . the program is not yet fully defined . . .” and recommended that “. . . there must be an overall system description that addresses all aspects of the Secure Flight system including external supporting systems, policies, applications and infrastructures, as well as related business processes managed by entities external to the Secure Flight program office.” Dep’t. of Homeland Security Data Privacy and Integrity Advisory Comm. Rep., Recommendation on the Secure Flight Program, Adopted Dec. 7, 2005, at 1, 2.
As the ACLU stated at the outset, this program – like Registered Traveler – is a moving target, which leads to only one conclusion: the testing thus far has been unable to demonstrate that Secure Flight can predict those flyers who are potential terrorists and/or identify and prevent known terrorists from flying. No modification can change the conclusion that Secure Flight simply will not work, the ACLU recommends that Congress:
1) Direct the TSC only to maintain a short list of known terrorists who pose a specific threat to aviation security and dispense with the bloated No Fly and Selectee Lists.
2) Explicitly repeal the authorization for Secure Flight or any similar program, and, instead, use TSA and TSC to compare names of would-be passengers to the pared down list of known terrorists who pose a specific threat to aviation security.
3) Utilize the funds saved by eliminating Secure Flight to invest in programs that will greatly enhance physical screening including the introduction of appropriate new technologies and the screening of all carry-on bags, luggage and cargo for explosives and weapons.
4) If Congress decides to allow Secure Flight testing to continue, it should insist that TSA comply with the spirit and letter of the law expressed in both the FY 2005 and FY 2006 DHS Appropriations laws. Congress should insist expressly that TSA not implement the program, even on a test basis impacting actual passengers, unless and until the GAO certifies first that all ten of the Congressionally mandated criteria have been satisfied.
II. Registered Traveler: The Misalignment of Profit and Security Trades the Promise of Speed for Personal Privacy and the Illusion of Enhanced Security
Like Secure Flight, TSA’s proposed Registered Traveler program should be blocked from implementation. The Registered Traveler concept, whether entirely government run or partially privatized, trades the promise of speedy screening for the illusion of enhanced security. This concept misaligns the profit motive with the country’s need for safety. The ACLU does not believe that security should be traded for expediency. The ACLU therefore recommends that Congress eliminate TSA’s authorization to develop Registered Traveler. If Congress does proceed with Registered Traveler, the ACLU recommends that TSA not privatize Registered Traveler. If Congress does allow TSA to privatize Registered Traveler, the ACLU recommends that the government – not commercial companies – undertake background checks on program applicants, and that Congress expressly prohibit private companies from accessing third-party companies’ commercial data to determine applicants’ risk assessments.
Registered Traveler also remains largely undefined, but the TSA’s public pronouncements suggest the basic parameters of the program. Frequent flyers would be granted some combination of alternating security screening benefits, which would induce them to undergo an extensive background check to pre-clear them for flying. Passengers would be required to provide extensive amounts of sensitive, personally identifiable information to qualify. The information provided is likely to include, but not be limited to, financial and credit information, residence history, and biometrics such as an iris scan or fingerprint. If the background check – either undertaken by the government or a private sector company – raises no red flags, the applicant would either (depending on the airport) be permitted to cut to the front of the security screening lines (as has been done in the Orlando, Florida pilot program), or would be ushered into a screening lane dedicated solely for Registered Traveler participants.
A. Security: Registered Traveler Wrongly Assumes Background Data can Predict a Person’s Future Behavior
Like Secure Flight, Registered Traveler rests on a dangerously flawed premise, which causes it to provide the illusion of greater security without actually making airlines safer. Registered Traveler will be vulnerable to “sleeper cells”, i.e., terrorists with no previously known or detectable ties to terror who could establish themselves as unremarkable members of society. To support Registered Traveler, one must accept the untested premise that by checking a would-be flyer’s background, the government (or a commercial enterprise) can identify terrorists and predict a flyer’s future behavior. This premise is fatally flawed. The data that will be provided for a background check may allow a credit card company to determine whether a person is a credit risk, but it cannot identify someone harboring a dangerous plan and a willingness and capability to undertake a terrorist attack that causes a threat to aviation. No one knows what criteria will allow the government to ferret out the innocent traveler from the sleeper cell participant waiting for instructions to carry out a terrorist attack. For example, the four men who bombed the London, England subway system on July 7, 2005 reportedly had no prior known ties to terror. Thus, no amount of data could have uncovered their sympathies or plans. Similarly, the 9/11 terrorists spent many months in this country, demonstrating that Al Qaeda is patient and well funded. Congress should expect that similar cells of innocent-seeming individuals could be sent to this country to establish lives that would allow them to pass the Registered Traveler background checks. This would allow them to avoid suspicion until they later receive instructions to conduct terrorist attacks. Because glaring loopholes exist in the nation’s physical screening, no amount of “layered security” will detect these sleeper cells.
Further, while background checks look at people’s data histories, they only provide a review at one moment in time. Thus, they cannot predict future behavior. Simply because a person has not, to date, demonstrated indicia of adherence to a dangerous ideology does not mean that a person’s ideology will not evolve. No one could have predicted the rapid transformation of John Walker Lindh from college student to disgruntled Taliban fighter. Further, TSA must not focus solely on Al Qaeda. Lone, disgruntled individuals may lose their minds and some may attempt to commit a terrorist attack on aviation. If that person has previously been an upstanding member of society, there would be nothing to prevent them from participation in Registered Traveler and its lessened security screening.
B. Privatization of Registered Traveler is Dangerous: Registered Traveler Misaligns Profit Motive with Security
Registered Traveler will make Americans less safe because it misaligns profit incentives with the national security needs of this country. Corporations exist to make profit for their owners and shareholders. That legal reality creates an incentive to optimize and cut corners where possible. Thus, privatization of such a program will make us less safe in two different ways.
First, to attract participants, companies will offer the fastest possible screening lanes, while maximizing profits. This will require hiring low-cost, low-skill laborers who will go through the motions of screening Registered Traveler participants for weapons and explosives. The government’s TSA screeners already routinely fail to identify such dangerous contraband during routine testing. Private screeners, overseen by managers who are intent on maximizing the attractiveness of the Registered Traveler screening lanes, will have a disincentive to go the extra mile to identify items that could bring down a plane or harm the crew and passengers; doing so slows down screening and eliminates the one advantage for participants. Furthermore, the same company will take applications for Registered Traveler, conduct the background checks on applicants, gather the biometric data to issue pass cards, and then may perform screenings at the airports. This streamlined, profitable vision does not provide for sufficient security oversight. If a terrorist fools the one company the terrorist applies to, the terrorist will be given a Registered Traveler pass providing them with reduced physical screening at the airport every time they attempt to fly.
Second, offering “advantages” to decrease screening time per flyer, such as those TSA has publicly promised -- i.e., not forcing individuals to have their shoes, jackets and laptop computers screened -- creates vulnerabilities. If there is a security value in screening for these items, then all flyers – whether they are in the regular screening lanes or the dedicated Registered Traveler screening lanes – should be forced to comply. Congress should expect that Al Qaeda or other enemies of this nation will detect the weaker security protocols for Registered Travelers and will attempt to exploit them to carry out future attacks.
C. Civil Liberties: Reliance on Flawed Commercial Data Leads to the Wrongful Placement on a List of Un-Register-able Travelers with Unknown Consequences
Registered Traveler also impermissibly threatens civil liberties. The background checks will rely on commercial data, which is notoriously inaccurate. Data errors are common in every database. Numbers and names get transposed. While there can be only one Senator Ted Stevens, data about people with similar names, like T. Stevens, Teddy Stevens or Theodore Stevens could be wrongly merged with the Senators files collected by various companies. The data aggregators who are most likely to provide the commercial data, like ChoicePoint, do not audit the accuracy of their dossiers of information. Thus, either the government or a private company will assign a risk assessment to Registered Traveler applicants that could be fundamentally wrong. Current law does not give consumers the right to access, review, and correct errors in files maintained by commercial enterprises.
In the fall of 2005, Congress decided this risk was unacceptable and passed a law expressly prohibiting TSA from using commercial data to pre-screen passengers for Secure Flight. Congress codified this understanding in the FY 2006 Department of Homeland Security Appropriations bill. During the Senate Appropriations Committee’s mark-up of the bill, Ranking Member Robert Byrd (D-WV) said that:
. . . the bill contains an important protection for the privacy rights of Americans. We need always to keep these rights in mind. I thank Chairman Gregg for his support of language that I recommended concerning Secure Flight, the Department’s proposed new airline passenger profiling system. The language would prohibit the use of commercial databases for confirming the identity of airline passengers. Such commercial databases are unreliable and potentially invade people’s privacy.
Transcript of Senate Appropriations Committee Mark of H.R. 2360, the FY 2006 DHS Appropriations bill, July 7, 2005 (emphasis added). On January 20, 2006, TSA demonstrated that it did not get the message when it announced that the newly reformulated Registered Traveler program would have private companies screen data collected by other private companies concerning applicants. The ACLU, therefore, requests that Congress again expressly prohibit by statute TSA – or companies with which TSA contracts to perform Registered Traveler services – from utilizing commercial data to assess applicants for Registered Traveler.
No one – not Congress, TSA, the companies wishing to operate Registered Traveler programs, or the ACLU – knows what it will mean for someone to be wrongly denied when they apply for Registered Traveler. If a third list of Un-Register-able Travelers is created from those blocked from joining Registered Traveler, there may be other consequences such as that list being used to deny the applicant a government security clearance necessary for a job, or to prevent the applicant from entering a government building. Several questions about the consequences should be considered:
1) Will those denied registration be put into a third list of undesirable flyers – the “Un-Register-able Travelers?”
2) If so, will they be automatically selected for additional, intrusive screening every single time they fly?
3) If private companies, essentially functioning as government actors, wrongly determine that an applicant poses a risk, what legal recourse will the flyer have to challenge that finding if it is used to create a third list?
Moreover, those denied the chance to be Registered Travelers will be forever required to pass through the “slow” screening lanes for all flyers. There, they will be subjected to more invasive screening than the Registered Travelers. Finally, those denied are likely to be disproportionately poor, minorities, and women; these groups simply are less likely to have the lengthy data trail and credit standing to guarantee participation. Congress will need to ensure that this program cannot create a de facto second-class status for would-be flyers whose commercial data is not as clean as that of wealthy businessmen.
D. Privacy: Frequent Travelers Should Not be Forced to Choose Between their Sensitive, Private Information and Speed of Screening
Registered Traveler also poses an unacceptable inducement that causes business and other frequent travelers to involuntarily forego their personal privacy for the promise of speed and efficiency in screening. This is a choice that Congress should not ratify. No one should be forced to choose between privacy and speed. When screening lanes are taken from the mass of the flying public and dedicated for Registered Travelers, the lines for everyone else get significantly longer. This creates a scarcity of time and screening lanes. Inevitably, the occasional traveler or privacy-sensitive traveler will be induced to undergo extensive background checks and share their most sensitive, personally identifiable information to migrate to the faster lanes. Given a truly equal choice, almost no one would voluntarily share his or her private information. But when the TSA turns screening into a chokepoint at airports, it forces people to override their instincts. This enforced scarcity renders the choice to share private information involuntary.
E. Speed and Efficiency Benefits Negligible, Unproven and Possibly Illusory
Ironically, the benefits of participation in Registered Traveler remain unclear and will likely prove illusory as the program grows and increasing numbers of people are registered for the “fast lane”. To date, the TSA has not published any studies demonstrating that either dedicating screening lanes for Registered Traveler participants, or allowing Registered Traveler participants to jump to the front of the line, will not make the lines for the mass of the flying public longer. A small percentage of frequent flyers constitute a disproportionate percentage of the individual screening interactions. Therefore, simply removing them from the “slow” screening lines will not necessarily translate into faster screening lanes for Registered Travelers. If we assume that the vast majority of all the targeted frequent flyers participate, then the dedicated lines for Registered Travelers will be lengthy at peak flying times. During off-peak hours, the lines are not likely to be long in either the normal screening lanes or the Registered Traveler lanes. Similarly, some airports do not experience the lengthy lines that would push people to apply for Registered Traveler. Finally, TSA promises to occasionally modify the screening protocols for Registered Travelers to avoid predictability by terrorists. This will erode or eliminate any of the already negligible speed and efficiency gains and it does little for frequent flyers eager to fly during peak hours. The ACLU, therefore, wonders how TSA can guarantee Registered Traveler participants any benefits at all.
The ACLU recommends that Congress expressly eliminate the authorization for Registered Traveler and ensure that all flyers be treated efficiently during screening. The ACLU further recommends that Congress utilize the funds saved to redesign some airports to permit for more screening lanes to be used by all flyers, purchase more screening equipment and hire more TSA screeners.
IV. Conclusion: Secure Flight and Registered Traveler are Not Ready for Take Off and Congress Must Take Action
The ACLU has shown that Secure Flight and Registered Traveler pose unacceptable risks to security, civil liberties and privacy. For too long, TSA has wasted money attempting to launch programs predicated on a flawed assumption that a flyer’s behavior can be predicted by reviewing information collected about their past. Since TSA cannot demonstrate the benefits of these programs Congress should:
- Expressly eliminate the statutory authorization for TSA to test and implement these programs, irrespective of the programs’ names.
- Request that the TSC scrap the bloated No Fly and Selectee Lists and instead maintain a pared down list of known terrorists who pose a specific threat to aviation security. TSA and TSC should then be directed to compare passenger manifest lists to the names of those terrorists who buy tickets and attempt to fly under their own names.
- If Congress permits Registered Traveler to proceed, Congress should insist that it be solely government run and operated.
- If Congress insists that Registered Traveler be partially privatized, it should prohibit expressly Registered Traveler companies, or any companies performing background checks, from utilizing commercial data about applicants obtained from other company.
 During Fiscal Years 2002 through 2006, Congress has appropriated a total of $162.3 million for the combined CAPPS II and Secure Flight program, and $30 million for Registered Traveler. The President’ FY 2007 budget requests an additional $40 million for Secure Flight.
 The ACLU does not oppose the federal government’s keeping and maintenance of a list of terrorists known to pose a threat to aviation security. Keeping such a list, limited only to known terrorists, focuses the nation’s anti-terror efforts to prevent against another attack on a passenger airline. Coupling a refocused list with (1) improved physical screening of all carry-on bags, luggage and cargo; and (2) the introduction of new technologies that are narrowly tailored to search for threats such as plastic explosives which cannot be detected by current metal detectors, will substantially improve the safety of domestic commercial air flights, while eliminating infringements on civil liberties and privacy. Where, in the rare instance, people attempting to fly have names similar to such known threats to aviation security, TSA and TSC could request the submission of the bare minimum of additional personally identifiable information – such as three part name and date of birth – that will distinguish innocent travelers from terrorists. TSA and TSC also should be forced to provide a means for permanently removing these innocent people from suspicion, perhaps through the government’s provision of a unique identifier.
 See, H.R. Conf. Rep. No. 109-241, at 54 (2005). (“The provision also prohibits the use of commercial data.”); and Pub. L. No. 109-90 § 518(e), (“None of the funds provided in this or previous appropriations Acts may be utilized for data or a database that is obtained from or remains under the control of a non-Federal entity: Provided, That this restriction shall not apply to Passenger Name Record data obtained from air carriers.”).
 The ACLU fears that unless Congress acts, the principle of information sharing will lead to the migration of the No Fly and Selectee Lists to other government agencies, which may use the lists to wrongly deny innocent individuals access to government buildings. It would be unacceptable for these Lists, which should be used only to find and stop those who threaten aviation, to be used to prevent innocent people from accessing government buildings. Members do not want veterans wrongly denied access to Veterans Affairs offices or senior citizens wrongly denied access to Social Security Administration buildings. Furthermore, circulation of these lists – once pared down to one list consisting solely of those known threats to aviation security – make it far more likely that terrorists will know the government is looking for them by name. Thus, national security concerns suggest that the revised List be kept close and used only for passenger pre-screening. Therefore, the ACLU recommends that Congress should explicitly mandate that the No Fly and Selectee lists not metastasize and migrate to be used by other federal, state and local governments. Section 522 provides in pertinent part
(a) None of the funds provided by this or previous appropriations Acts may be obligated for deployment or implementation, on other than a test basis, of the Computer Assisted Passenger Prescreening System (CAPPS II) or Secure Flight or other follow on/successor programs, that the Transportation Security Administration (TSA), or any other Department of Homeland Security component, plans to utilize to screen aviation passengers, until the Government Accountability Office has reported to the Committees on Appropriations of the Senate and the House of Representatives that -- (1) a system of due process exists whereby aviation passengers determined to pose a threat are either delayed or prohibited from boarding their scheduled flights by the TSA may appeal such decision and correct erroneous information contained in CAPPS II or Secure Flight or other follow on/successor programs;
(2) the underlying error rate of the government and private data bases that will be used both to establish identity and assign a risk level to a passenger will not produce a large number of false positives that will result in a significant number of passengers being treated mistakenly or security resources being diverted;
(3) the TSA has stress-tested and demonstrated the efficacy and accuracy of all search tools in CAPPS II or Secure Flight or other follow on/successor programs and has demonstrated that CAPPS II or Secure Flight or other follow on/successor programs can make an accurate predictive assessment of those passengers who may constitute a threat to aviation;
(4) the Secretary of Homeland Security has established an internal oversight board to monitor the manner in which CAPPS II or Secure Flight or other follow on/successor programs are being developed and prepared;
(5) the TSA has built in sufficient operational safeguards to reduce the opportunities for abuse;
(6) substantial security measures are in place to protect CAPPS II or Secure Flight or other follow on/successor programs from unauthorized access by hackers or other intruders;
(7) the TSA has adopted policies establishing effective oversight of the use and operation of the system;
(8) there are no specific privacy concerns with the technological architecture of the system;
(9) the TSA has, pursuant to the requirements of section 44903 (i)(2)(A) of title 49, United States Code, modified CAPPS II or Secure Flight or other follow on/successor programs with respect to intrastate transportation to accommodate States with unique air transportation needs and passengers who might otherwise regularly trigger primary selectee status; and
(10) appropriate life-cycle cost estimates, and expenditure and program plans exist.
(d) None of the funds provided in this or any previous appropriations Act may be utilized to test an identity verification system that utilizes at least one database that is obtained from or remains under the control of a non-Federal entity until TSA has developed measures to determine the impact of such verification on aviation security and the Government Accountability Office has reported on its evaluation of the measures.
(e) TSA shall cooperate fully with the Government Accountability Office, and provide timely responses to the Government Accountability Office requests for documentation and information.
(f) The Government Accountability Office shall submit the report required under paragraph (a) of this section no later than March 28, 2005.
 Section 518 provides in pertinent part:
(a) None of the funds provided by this or previous appropriations Acts may be obligated for deployment or implementation, on other than a test basis, of the Secure Flight program or any other follow on or successor passenger prescreening programs, until the Secretary of Homeland Security certifies, and the Government Accountability Office reports, to the Committees on Appropriations of the Senate and the House of Representatives, that all ten of the elements contained in paragraphs (1) through (10) of section 522(a) of Public Law 108–334 (118 Stat. 1319) have been successfully met. (b) The report required by subsection (a) shall be submitted within 90 days after the certification required by such subsection is provided, and periodically thereafter, if necessary, until the Government Accountability Office confirms that all ten elements have been successfully met. 603 E:\HR\OC\HR241.XXX HR241
 This is a similar issue to that, discussed above, that reportedly plagued U.S. Senator Ted Kennedy.